NetCat tutorial: Day1
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: NetCat tutorial: Day1

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786

    NetCat tutorial: Day1

    NetCat Tutorial
    Day 1
    The basics

    This tut will be aimed at windows users who are also new to NetCat.
    NC comes stock with all the newer *nix systems along with documentation, (but not so with m$ OSs.) and has been available to linux users much longer than the windows port has been, and besides, I know windows better.

    NetCat for Windows systems can be downloaded here:

    http://www.atstake.com/research/tools.html

    netcat comes with the source code to allow you to select different options to compile in. The options im discussing here are compiled into this version.

    In the words of its creater Hobbit, its the Swiss Army knife of network utils

    With nc (NetCat) you have:

    A Tcp/IP client and server
    Port Scanner
    Firewall checker
    Remote Shell
    CGI vulnerability tester
    An IDS tool
    Telnet client/server
    It will even run scripts
    The limits are your imagination

    ****If you want to use both sides, client and server, on your own machine do an ipconfig and use your own ip addess to use to connect to the server on that port or just use the loop-back address, 127.0.0.1 and the port number. both work.****

    Its most basic use is client/server and it couldnt be easier to set up.

    At a command prompt enter:

    NC l p1234 [nc <options> <port number>] thats it!
    (NetCat Listen on port 1234)
    Its now waiting for a connection on port 1234.

    The -l means listen. Choosing this option will close the nc server after the first connection is finished. If you wanted the server to accept any future incoming connection and not end with one, you would set the L option instead, for listen and listen again:
    nc L p1234.

    On another machine go to a command prompt and enter:

    [NC <the Remote mach IP / URL> 1234]
    NC xxx.xxx.xxx.xxx 1234
    NC someurl.com 1234

    You now have a network pipeline working between these too computers. With it you can pipe (|) data back and forth

    (Note that on the client side the p is omitted and the port number placed at the end of the command. The p option is only used for declaring local ports, remote ports are placed after the IP address or URL.)

    The basic configuration by itself, isnt all that usefull. You can use it for 1 on 1 chat where anything you type on one side is echoed on the other end, or to transfer the contents of a directory or file. This doesnt require a network login to do, so this is either good or bad depending on your position.

    Pkzip c:\oproject\myproj.zip *.* |nc NCserveraddress 1234
    Or
    Type some.txt |nc theotherbox 1234

    On the receiving side NetCat must be running like this:
    nc l p1234 |pkunzip myproj.zip c:\backup
    or
    nc L -p1234 >> c:\some.txt
    I use the >> here to append to this file in case you want to transfer more than one text file.

    Fortunately, there are options for netcat that greatly increase its usefulness. The most popular being the e or execute option. If an nc server is started with this option, whenever a client connects an executable is run.
    Interesting to note here that this can also be a batch file.
    So, if you do:
    nc L p 1234 e cmd.exe
    you can connect to that mach from any other mach using that ip address and port number (and of course a client which could even be telnet) and get a command prompt on that machine, when your session is complete and you disconnect, nc restarts with the same options.

    As a port blocker:

    If you have port 139 open (or any other port associated with a service) you can block file sharing and instead send a message to anyone connecting:
    NC L s xxx.xxx.xxx.xxx p 139 e warning.bat

    Warning.bat:
    @echo off
    call netstat -n
    echo Now get the hell out of here lamer!
    Call netstat n >>nclog.txt

    When someone telnets to your 139 they will see a record of their connection and someone telling them to beat it, plus you keep a record in a text file and their connection is closed when the batch file (or other executable) finishes.

    To do this and catch the data before netbios gets it, you must anchor nc to this interface on that port. This is done with the -s and p options, which in this case would be the ip assigned to this connection (interface) and p 139. If netbios was not enabled the s option would not be necessary unless you had 2 interfaces (multi-homed)

    Even more aggressive strategies can be used on say, well known Trojan ports. Its up to your imagination and the law.

    A binary dump of transactions made in both directions can be kept with the o option naming a file to dump too after the option.
    nc L o nclog.txt p 1234

    (In the log file, outgoing data will start with >. Inbound with <.)

    If used with the d option it detaches from the console and runs in the background without showing itself on the taskbar.
    Nc L d o nclog p 1234
    Nc L d p 1234 e warning.bat

    Using the z option you can use nc as a port scanner:
    nc v z xxx.xxx.xxx.xxx 11024 5000-6000
    nc v -z -v someurl.com 1-1024 5000-6000

    this can be used with the -r and -w options to help make you more stealth.
    With r each port check comes from a different random local port and the ports being checked are also done in a random fashion
    -w allows you to set the time in seconds for time-outs . The default is 3

    nc will do a full fwd and reverse DNS lookup unless the -n option is used for (ip addy) Numbers only. Use this to save time

    -z tells netcat to attempt a connection but send no data, on all port listed. This can be done as 10-200 or 20 21 25 80 110
    -v is verbose to get debugging info. Its recommended it be used more than once to get more info, but in this case, using it only once will return only successful attempts
    names of services can be used instead of port numbers, but numbers are so much easier, im not even getting into that.

    Another method of getting information on a server is to pipe the quit command threw nc.
    Echo quit |nc v xxx.xxx.xxx.xxx 1-1024
    This can return many service names and version numbers. (one of the methods Satan employs)

    This should be enough to keep newbies to netcat, happy and busy for a while.

    In day 2, Ill cover more advanced topics like the use of scripts cgi scans and more

    Thanks for reading this far
    Bukhari:V3B48N826 The Prophet said, Isnt the witness of a woman equal to half of that of a man? The women said, Yes. He said, This is because of the deficiency of a womans mind.

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Good tut.. netcat is just such a usefull tool (network swiss army knife as they say)...

    Ammo
    Credit travels up, blame travels down -- The Boss

  3. #3
    Senior Member n01100110's Avatar
    Join Date
    Jan 2002
    Posts
    350
    Well done tedob. , yes swiss army knife is right ammo.
    -N
    "Serenity is not the absence of conflict, but the ability to cope with it."

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    324
    Fine post tedob1! I look forward to part deux.
    \"I may not agree with what you say, but I will defend to the death your right to say it.\"
    Sir Winston Churchill.

  5. #5
    Junior Member
    Join Date
    Nov 2001
    Posts
    8
    Cool post!, don't forget the reverse telnet technique.

  6. #6
    Banned
    Join Date
    Oct 2001
    Posts
    55
    A superb post!! waiting for Day2 to be released.

  7. #7
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Yeah reverse telnet (or rather netcat here is quite usefull
    I used it to hack my own NT4 server that I had screwed NTFS permissions on C:\ -> Running C2config.exe on a french version left C:'s root with only SYSTEM full control!
    Used the scheduler to launch the reverse netcat (so netcat was running under SYSTEM) ... It was actually pretty cool

    Ammo
    Credit travels up, blame travels down -- The Boss

  8. #8
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    Nice work, you may also be interested in something called cryptcat which is netcat but with encryption.

    http://sourceforge.net/projects/cryptcat/

    or

    http://farm9.com/content/Free_Tools/Cryptcat

    have fun.

  9. #9
    Banned
    Join Date
    Jun 2002
    Posts
    458
    Yeah cool tut. I have been itching to use netcat for some times ever since I learned about the data transfer feature. But for some reason netcat doesn't work for me, I type in the commands and nothing happens, the screen just does nothing. Is it because I use a cable modem?

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    But for some reason netcat doesn't work for me, I type in the commands and nothing happens, the screen just does nothing
    What do you want it to do? When you start a netcat server, nothing happens, it just sits there and waits. when you connect a client to it, it also just sits there and waits for you to pipe something threw it, unless you have the server set to run a program on connect.

    if you give some specifics, like, what kind of data, moved from where to where, the commands you typed in, etc. i think someone here will help you out.
    Bukhari:V3B48N826 The Prophet said, Isnt the witness of a woman equal to half of that of a man? The women said, Yes. He said, This is because of the deficiency of a womans mind.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •