|
| 1 | +# netcat |
| 2 | +The source code is taken from https://joncraton.org/blog/46/netcat-for-windows/. This version includes the -e parameter. |
| 3 | + |
| 4 | +<h2>UPDATE 11/08/21</h2> |
| 5 | + |
| 6 | +Updated files to compile in Visual Studio 2019. Be sure to build the project as x86 to avoid errors. |
| 7 | + |
| 8 | +<h2>UPDATE 12/27/04</h2> |
| 9 | + |
| 10 | +security fix in -e option for Windows |
| 11 | + |
| 12 | +<h2>Netcat 1.11 for NT - nc111nt.zip</h2> |
| 13 | + |
| 14 | +The original version of Netcat was written by *hobbit * <[email protected]> |
| 15 | +The NT version was done by Weld Pond <[email protected]> |
| 16 | + |
| 17 | +Netcat for NT is the tcp/ip "Swiss Army knife" that never made it into any |
| 18 | +of the resource kits. It has proved to be an extremely versatile tool on |
| 19 | +the unix platform. So why should NT always be unix's poor cousin when it |
| 20 | +comes to tcp/ip testing and exploration? I bet many NT admins out there |
| 21 | +keep a unix box around to use tools such as Netcat or to test their systems |
| 22 | +with the unix version of an NT vulnerability exploit. With Netcat for NT |
| 23 | +part of that feeling disempowerment is over. |
| 24 | + |
| 25 | +Included with this release is Hobbit's original description of the powers |
| 26 | +of Netcat. In this document I will briefly describe some of the things an |
| 27 | +NT admin might want to do and know about with Netcat on NT. For more |
| 28 | +detailed technical information please read hobbit.txt included in the |
| 29 | +nc11nt.zip archive. |
| 30 | + |
| 31 | + Basic Features |
| 32 | + |
| 33 | + * Outbound or inbound connections, TCP or UDP, to or from any ports |
| 34 | + * Full DNS forward/reverse checking, with appropriate warnings |
| 35 | + * Ability to use any local source port |
| 36 | + * Ability to use any locally-configured network source address |
| 37 | + * Built-in port-scanning capabilities, with randomizer |
| 38 | + * Can read command line arguments from standard input |
| 39 | + * Slow-send mode, one line every N seconds |
| 40 | + * Hex dump of transmitted and received data |
| 41 | + * Ability to let another program service established |
| 42 | + connections |
| 43 | + * Telnet-options responder |
| 44 | + |
| 45 | + New for NT |
| 46 | + |
| 47 | + * Ability to run in the background without a console window |
| 48 | + * Ability to restart as a single-threaded server to handle a new |
| 49 | + connection |
| 50 | + |
| 51 | + |
| 52 | +A simple example of using Netcat is to pull down a web page from a web |
| 53 | +server. With Netcat you get to see the full HTTP header so you can see |
| 54 | +which web server a particular site is running. |
| 55 | + |
| 56 | +Since NT has a rather anemic command processor, some of the things that are |
| 57 | +easy in unix may be a bit more clunky in NT. For the web page example first |
| 58 | +create a file get.txt that contains the following line and then a blank |
| 59 | +line: |
| 60 | + |
| 61 | +<code>GET / HTTP/1.0</code> |
| 62 | + |
| 63 | +To use Netcat to retrieve the home page of a web site use the command: |
| 64 | +<code>nc -v www.website.com 80 < get.txt</code> |
| 65 | + |
| 66 | +You will see Netcat make a connection to port 80, send the text contained |
| 67 | +in the file get.txt, and then output the web server's response to stdout. |
| 68 | +The -v is for verbose. It tells you a little info about the connection |
| 69 | +when it starts. |
| 70 | + |
| 71 | +It is a bit easier to just open the connection and then type at the console |
| 72 | +to do the same thing. |
| 73 | +<code>nc -v www.website.com 80</code> |
| 74 | + |
| 75 | +Then just type in GET / HTTP/1.0 and hit a couple of returns. You will |
| 76 | +see the same thing as above. |
| 77 | + |
| 78 | +A far more exciting thing to do is to get a quick shell going on a remote |
| 79 | +machine by using the -l or "listen" option and the -e or "execute" |
| 80 | +option. You run Netcat listening on particular port for a connection. |
| 81 | +When a connection is made, Netcat executes the program of your choice |
| 82 | +and connects the stdin and stdout of the program to the network connection. |
| 83 | + |
| 84 | +<code>nc -l -p 23 -t -e cmd.exe</code> |
| 85 | + |
| 86 | +will get Netcat listening on port 23 (telnet). When it gets connected to |
| 87 | +by a client it will spawn a shell (cmd.exe). The -t option tells Netcat |
| 88 | +to handle any telnet negotiation the client might expect. |
| 89 | + |
| 90 | +This will allow you to telnet to the machine you have Netcat listening on |
| 91 | +and get a cmd.exe shell when you connect. You could just as well use |
| 92 | +Netcat instead of telnet: |
| 93 | + |
| 94 | +<code>nc xxx.xxx.xxx.xxx 23</code> |
| 95 | + |
| 96 | +will get the job done. There is no authentication on the listening side |
| 97 | +so be a bit careful here. The shell is running with the permissions of the |
| 98 | +process that started Netcat so be very careful. If you were to use the |
| 99 | +AT program to schedule Netcat to run listening on a port with the |
| 100 | +-e cmd.exe option, when you connected you would get a shell with user |
| 101 | +NT AUTHORITY\SYSTEM. |
| 102 | + |
| 103 | +The beauty of Netcat really shines when you realize that you can get it |
| 104 | +listening on ANY port doing the same thing. Do a little exploring and |
| 105 | +see if the firewall you may be behind lets port 53 through. Run Netcat |
| 106 | +listening behind the firewall on port 53. |
| 107 | + |
| 108 | +<code>nc -L -p 53 -e cmd.exe</code> |
| 109 | + |
| 110 | +Then from outside the firewall connect to the listening machine: |
| 111 | + |
| 112 | +<code>nc -v xxx.xxx.xxx.xx 53</code> |
| 113 | + |
| 114 | +If you get a command prompt then you are executing commands on the |
| 115 | +listening machine. Use 'exit' at the command prompt for a clean |
| 116 | +disconnect. The -L (note the capital L) option will restart Netcat with |
| 117 | +the same command line when the connection is terminated. This way you can |
| 118 | +connect over and over to the same Netcat process. |
| 119 | + |
| 120 | +A new feature for the NT version is the -d or detach from console flag. |
| 121 | +This will let Netcat run without an ugly console window cluttering up the |
| 122 | +screen or showing up in the task list. |
| 123 | + |
| 124 | +You can even get Netcat to listen on the NETBIOS ports that are probably |
| 125 | +running on most NT machines. This way you can get a connection to a |
| 126 | +machine that may have port filtering enabled in the TCP/IP Security Network |
| 127 | +control panel. Unlike Unix, NT does not seem to have any security around |
| 128 | +which ports that user programs are allowed to bind to. This means any |
| 129 | +user can run a program that will bind to the NETBIOS ports. |
| 130 | + |
| 131 | +You will need to bind "in front of" some services that may already be |
| 132 | +listening on those ports. An example is the NETBIOS Session Service that |
| 133 | +is running on port 139 of NT machines that are sharing files. You need |
| 134 | +to bind to a specific source address (one of the IP addresses of the |
| 135 | +machine) to accomplish this. This gives Netcat priority over the NETBIOS |
| 136 | +service which is at a lower priority because it is bound to ANY IP address. |
| 137 | +This is done with the Netcat -s option: |
| 138 | + |
| 139 | +<code>nc -v -L -e cmd.exe -p 139 -s xxx.xxx.xxx.xxx</code> |
| 140 | + |
| 141 | +Now you can connect to the machine on port 139 and Netcat will field |
| 142 | +the connection before NETBIOS does. You have effectively shut off |
| 143 | +file sharing on this machine by the way. You have done this with just |
| 144 | +user privileges to boot. |
| 145 | + |
| 146 | +PROBLEMS with Netcat 1.1 for NT |
| 147 | + |
| 148 | +There are a few known problems that will eventually be fixed. One is |
| 149 | +the -w or timeout option. This works for final net reads but not |
| 150 | +for connections. Another problem is using the -e option in UDP mode. |
| 151 | +You may find that some of the features work on Windows 95. Most |
| 152 | +of the listening features will not work on Windows 95 however. These will |
| 153 | +be fixed in a later release. |
| 154 | + |
| 155 | +Netcat is distributed with full source code so that people can build |
| 156 | +upon this work. If you add something useful or discover something |
| 157 | +interesting about NT TCP/IP let met know. |
| 158 | + |
| 159 | +Weld Pond <[email protected]>, 2/2/98 |
| 160 | + |
| 161 | + |
| 162 | + |
| 163 | + |
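Review bot: the "UPDATE 12/27/04" entry (line 10) says only "security fix in -e option for Windows" without saying what was fixed, so a reader building this tree cannot tell whether the -e handling they compile is the patched version or what behaviour the fix changed; add a sentence describing the fix or a link to the upstream changelog next to the joncraton.org reference on line 2. Two smaller points in the same hunk: the heading on line 12 names the archive "nc111nt.zip" while line 29 tells readers to look for hobbit.txt in "nc11nt.zip", and the file mixes a Markdown "# netcat" title with HTML "<h2>" headings and "<code>" spans, so the headings should use one style (for example "## UPDATE 11/08/21") and the command lines should sit in fenced code blocks so they render consistently on GitHub.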