Netikerty

Starting with Netcat in Backtrack

Feb 18th, 2013
Starting with netcat in backtrack:
First we need to know what netcat is.

Definition: netcat: TCP/IP swiss army knife. A simple Unix utility which reads and writes data across network connections using the TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.
In this document I introduce the use of the Netcat tool, known as the Swiss Army knife of TCP/IP, under GNU/Linux BackTrack.
* Help Netcat:
Open the konsole and type: nc -h
The following appears:
root@bt:~# nc -h
[v1.10]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
* Banner identification:

nc -v IP port. Example (I will use a false IP):

root@bt:~# nc -v 192.168.5.181 22
192.168.5.131: inverse host lookup failed: Unknown
(UNKNOWN) [192.168.5.131] 22 (ssh) open
SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1

root@bt:~# nc -v 192.168.5.181 80
192.168.5.181: inverse host lookup failed: Unknown
(UNKNOWN) [192.168.5.131] 80 (http) connection refused

You can use it as a tool to see if a port is open

nc -v 192.168.5.181 80
192.168.5.181: inverse host lookup failed: Unknown
(UNKNOWN) [192.168.5.131] 80 (http) connection refused
GET
<html><body><h1>It works!</h1></body></html>

I used GET to see the content that the server offers me.

* If you use telnet in the same way
root@bt:~# telnet 192.168.5.129 80
Trying 192.168.5.129...
Connected to 192.168.5.129...
Escape character is '^]'.
GET
<html><body><h1>It works!</h1></body></html>Connection closed by foreign host.

If we compare netcat with telnet, netcat is more complete than telnet.

=========================================================================================================

* Requests with Netcat / Telnet > Differences:

nc -v IP 80 < /path/file.txt

First I show how we can create a small text file:

root@bt:~# nano /etc/pet_get.txt

The following appears:

GNU nano 2.0.6 File: /etc/pet_get.txt

which may contain a request, in this case GET

root@bt:~# nano /etc/pet_get.txt

I'm simply creating a file called pet_get.txt

And with netcat we proceed to make the same request that was done before, as follows:

root@bt:~# nc 192.168.5.129 80 < /etc/pe
pear.conf pet_get.text

But now I tell it to include the file I just created

Now we write the following:

root@bt:~# nc 192.168.5.129 80 < /etc/pet_get.text
and, for example, this appears:

<html><body><h1>It works!</h1></body></html>

So we see how it interacts with external files

If we try to do this same process with telnet we run into one of its limitations: it does not allow us to interact with or add external files. Example:

root@bt:~# telnet 192.168.5.129 80 < /etc/pet_get.txt
Trying 192.168.5.129...
Connected to 192.168.5.129...
Escape character is '^]'.
Connection closed by foreign host

=========================================================================================================

* Netcat in listening mode and executing shell:
nc -l -p port -e /bin/bash

root@bt:~# nc -l -p 12345 -e /bin/bash

We select a port (in this example I use 12345), then open another console and type (listener-ip stands for the address of the machine that is listening):

root@bt:~# nc listener-ip 12345

And when it receives a connection it runs the system shell. In this case I'm using two systems, where one is left listening and the other makes the connection

root@bt:~# nc listener-ip 12345
pwd
/root
whoami
root
ifconfig

Here all the data appears.
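The listener above is what a defender should be able to spot on a host. As an added example (not part of the original tutorial), this Python script scans a constructed `ps -eo pid,args` listing and flags netcat processes that listen (`-l`) or spawn a program (`-e`/`-c`, or ncat's `--exec`/`--sh-exec`), labelling the combination of both as a bind shell; the process list, PIDs and the assumed set of netcat binary names are constructed for the example.

```python
import os
import shlex

# Constructed sample of `ps -eo pid,args` output; PIDs and commands are made up.
SAMPLE_PS = """\
  PID COMMAND
  812 /usr/sbin/sshd -D
 1433 nc -l -p 12345 -e /bin/bash
 1501 nc -l -p 12345
 1522 python3 -m http.server 8000
 1590 /bin/netcat -lvp 4444 -c /bin/sh
 1601 grep nc -e
 1644 ncat --listen 9001 --sh-exec /bin/sh
"""

# Assumed binary names for netcat variants on common Linux distributions.
NC_BINARIES = {"nc", "netcat", "ncat", "nc.traditional", "nc.openbsd"}
LONG_EXEC = {"--exec", "--sh-exec"}  # ncat spellings of -e / -c

def parse_ps(text):
    """Yield (pid, argv) for each process line; the header line is skipped."""
    for line in text.splitlines()[1:]:
        line = line.strip()
        if line:
            pid, _, cmd = line.partition(" ")
            yield int(pid), shlex.split(cmd)

def classify_netcat(argv):
    """Return 'bind-shell', 'exec', 'listener' or None for one argv."""
    if not argv or os.path.basename(argv[0]) not in NC_BINARIES:
        return None
    # Short option clusters such as -lvp: every letter is one switch.
    short = [a[1:] for a in argv[1:] if a.startswith("-") and not a.startswith("--")]
    long_opts = [a.split("=", 1)[0] for a in argv[1:] if a.startswith("--")]
    spawns = any("e" in s or "c" in s for s in short) or any(o in LONG_EXEC for o in long_opts)
    listens = any("l" in s for s in short) or "--listen" in long_opts
    if spawns:
        return "bind-shell" if listens else "exec"
    return "listener" if listens else None

def find_netcat(ps_text):
    """Return [(pid, kind, command line)] for every netcat process worth a look."""
    hits = []
    for pid, argv in parse_ps(ps_text):
        kind = classify_netcat(argv)
        if kind:
            hits.append((pid, kind, " ".join(argv)))
    return hits

if __name__ == "__main__":
    for pid, kind, cmd in find_netcat(SAMPLE_PS):
        print(f"{pid:>6}  {kind:<10}  {cmd}")
```

On a live system feed it the real listing with `ps -eo pid,args`; a plain client such as `nc -v host 80` from the banner section is not reported.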

=========================================================================================================

* Netcat as port scanner:

nc -z -v IP port-range

For my example I will use a port range from 1 up to 100

root@bt:~# nc -z -v 192.168.5.129 1-100
192.168.5.129 inverse host look up failed: Unknown host
(UNKNOWN) [192.168.5.129] 80 (http) open
(UNKNOWN) [192.168.5.129] 22 (ssh) open

It is enough to give the command, selecting a target IP and the port range to audit, and it will then show which of those ports are open.


=========================================================================================================

Well, this was a small introduction to Netcat. I hope you find it useful.

Greetings.

By Netikerty Asenet