readme.txt (6728B)
1 Update 2011-09-17 - added -c option to send CRLF 2 3 4 UPDATE 12/27/04 security fix in -e option for Windows 5 6 Netcat 1.11 for NT - nc111nt.zip 7 8 The original version of Netcat was written by *hobbit* <hobbit@avian.org> 9 The NT version was done by Weld Pond <weld@vulnwatch.org> 10 11 Netcat for NT is the tcp/ip "Swiss Army knife" that never made it into any 12 of the resource kits. It has proved to be an extremely versatile tool on 13 the unix platform. So why should NT always be unix's poor cousin when it 14 comes to tcp/ip testing and exploration? I bet many NT admins out there 15 keep a unix box around to use tools such as Netcat or to test their systems 16 with the unix version of an NT vulnerability exploit. With Netcat for NT 17 part of that feeling disempowerment is over. 18 19 Included with this release is Hobbit's original description of the powers 20 of Netcat. In this document I will briefly describe some of the things an 21 NT admin might want to do and know about with Netcat on NT. For more 22 detailed technical information please read hobbit.txt included in the 23 nc11nt.zip archive. 24 25 Basic Features 26 27 * Outbound or inbound connections, TCP or UDP, to or from any ports 28 * Full DNS forward/reverse checking, with appropriate warnings 29 * Ability to use any local source port 30 * Ability to use any locally-configured network source address 31 * Built-in port-scanning capabilities, with randomizer 32 * Can read command line arguments from standard input 33 * Slow-send mode, one line every N seconds 34 * Hex dump of transmitted and received data 35 * Ability to let another program service established 36 connections 37 * Telnet-options responder 38 39 New for NT 40 41 * Ability to run in the background without a console window 42 * Ability to restart as a single-threaded server to handle a new 43 connection 44 45 46 A simple example of using Netcat is to pull down a web page from a web 47 server. With Netcat you get to see the full HTTP header so you can see 48 which web server a particular site is running. 49 50 Since NT has a rather anemic command processor, some of the things that are 51 easy in unix may be a bit more clunky in NT. For the web page example first 52 create a file get.txt that contains the following line and then a blank 53 line: 54 55 GET / HTTP/1.0 56 57 To use Netcat to retrieve the home page of a web site use the command: 58 nc -v www.website.com 80 < get.txt 59 60 You will see Netcat make a connection to port 80, send the text contained 61 in the file get.txt, and then output the web server's response to stdout. 62 The -v is for verbose. It tells you a little info about the connection 63 when it starts. 64 65 It is a bit easier to just open the connection and then type at the console 66 to do the same thing. 67 nc -v www.website.com 80 68 69 Then just type in GET / HTTP/1.0 and hit a couple of returns. You will 70 see the same thing as above. 71 72 A far more exciting thing to do is to get a quick shell going on a remote 73 machine by using the -l or "listen" option and the -e or "execute" 74 option. You run Netcat listening on particular port for a connection. 75 When a connection is made, Netcat executes the program of your choice 76 and connects the stdin and stdout of the program to the network connection. 77 78 nc -l -p 23 -t -e cmd.exe 79 80 will get Netcat listening on port 23 (telnet). When it gets connected to 81 by a client it will spawn a shell (cmd.exe). The -t option tells Netcat 82 to handle any telnet negotiation the client might expect. 83 84 This will allow you to telnet to the machine you have Netcat listening on 85 and get a cmd.exe shell when you connect. You could just as well use 86 Netcat instead of telnet: 87 88 nc xxx.xxx.xxx.xxx 23 89 90 will get the job done. There is no authentication on the listening side 91 so be a bit careful here. The shell is running with the permissions of the 92 process that started Netcat so be very careful. If you were to use the 93 AT program to schedule Netcat to run listening on a port with the 94 -e cmd.exe option, when you connected you would get a shell with user 95 NT AUTHORITY\SYSTEM. 96 97 The beauty of Netcat really shines when you realize that you can get it 98 listening on ANY port doing the same thing. Do a little exploring and 99 see if the firewall you may be behind lets port 53 through. Run Netcat 100 listening behind the firewall on port 53. 101 102 nc -L -p 53 -e cmd.exe 103 104 Then from outside the firewall connect to the listening machine: 105 106 nc -v xxx.xxx.xxx.xx 53 107 108 If you get a command prompt then you are executing commands on the 109 listening machine. Use 'exit' at the command prompt for a clean 110 disconnect. The -L (note the capital L) option will restart Netcat with 111 the same command line when the connection is terminated. This way you can 112 connect over and over to the same Netcat process. 113 114 A new feature for the NT version is the -d or detach from console flag. 115 This will let Netcat run without an ugly console window cluttering up the 116 screen or showing up in the task list. 117 118 You can even get Netcat to listen on the NETBIOS ports that are probably 119 running on most NT machines. This way you can get a connection to a 120 machine that may have port filtering enabled in the TCP/IP Security Network 121 control panel. Unlike Unix, NT does not seem to have any security around 122 which ports that user programs are allowed to bind to. This means any 123 user can run a program that will bind to the NETBIOS ports. 124 125 You will need to bind "in front of" some services that may already be 126 listening on those ports. An example is the NETBIOS Session Service that 127 is running on port 139 of NT machines that are sharing files. You need 128 to bind to a specific source address (one of the IP addresses of the 129 machine) to accomplish this. This gives Netcat priority over the NETBIOS 130 service which is at a lower priority because it is bound to ANY IP address. 131 This is done with the Netcat -s option: 132 133 nc -v -L -e cmd.exe -p 139 -s xxx.xxx.xxx.xxx 134 135 Now you can connect to the machine on port 139 and Netcat will field 136 the connection before NETBIOS does. You have effectively shut off 137 file sharing on this machine by the way. You have done this with just 138 user privileges to boot. 139 140 PROBLEMS with Netcat 1.1 for NT 141 142 There are a few known problems that will eventually be fixed. One is 143 the -w or timeout option. This works for final net reads but not 144 for connections. Another problem is using the -e option in UDP mode. 145 You may find that some of the features work on Windows 95. Most 146 of the listening features will not work on Windows 95 however. These will 147 be fixed in a later release. 148 149 Netcat is distributed with full source code so that people can build 150 upon this work. If you add something useful or discover something 151 interesting about NT TCP/IP let met know. 152 153 Weld Pond <weld@l0pht.com>, 2/2/98 154 155 156 157