Hello Friends

MCTS practice test such as 70-680, 70-685, 70-683, 70-620, 70-622, 70-640, 70-270, MCDST preactice test such as 70-271, and 70-272 are available in huge discount here.. You can save up to 50%. The discount is also available for other certification practice test, such as CCNA, LPIC, Adobe, GIAC, Sun, Oracle, and CompTIA. This is the Freedom sale. Make the most of it.

Click Here to get the discount.

Incident handling is the process of managing incidents in an Enterprise, Business, or an Organization. It involves the thinking of the prospective suitable to the enterprise and then the implementation of the prospective in a clean and manageable manner. It involves completing the incident report and presenting the conclusion to the management and providing ways to improve the process both from a technical and administrative aspect. Incident handling ensures that the overall process of an enterprise runs in an uninterrupted continuity.

There are six different phases of the Incident handling process, which are as follows:

1. Preparation phase
2. Identification phase
3. Containment phase
4. Eradication phase
5. Recovery phase
6. Lessons Learned phase

Netcat is a computer networking service for reading from and writing network connections using TCP or UDP. Netcat is designed to be a dependable “back-end” device that can be used candidly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool since it can produce almost any kind of correlation one would need and has a number of built-in capabilities.

The common Netcat switches are as follows:

Features of Netcat: NetCat has the following features:

• Outbound or inbound connections, TCP or UDP, to or from any ports
• Full DNS forward/reverse checking, with appropriate warnings
• Ability to use any local source port
• Ability to use any locally-configured network source address
• Built-in port-scanning capabilities, with randomization
• Built-in loose source-routing capability
• Can read command line arguments from standard input
• Slow-send mode, one line every N seconds
• Hex dump of transmitted and received data
• Optional ability to let another program service established connections
• Optional telnet-options responder
• Featured tunneling mode which also allows special tunneling, such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel).

Netcat Examples:

• Opening a raw connection to port 25 is (like telnet) :

  nc mail.server.net 25

• Setting up a one-shot webserver on port 8080 to present a file:

  ( echo -e “HTTP/1.0 200 Ok\n\r”; cat some.file; ) | nc -q 1 -l -p 8080

  The file can then be accessed via a webbrowser under http://servername:8080/. Netcat only serves the file once to the first client that connects and then exits.

• Checking if UDP ports (-u) 80-90 are open on 192.168.0.1 using zero mode I/O (-z) :

  nc -vzu 192.168.0.1 80-90

• Pipe via UDP (-u) with a wait time (-w) of 1 second to ‘loggerhost’ on port 514:

  echo ‘<0>message’ | nc -w 1 -u loggerhost 514

• Portscanning:

  An uncommon use of netcat is port scanning. Netcat is not considered the best tool for this job, but it can be sufficient (a more advanced tool is Nmap)

  nc -v -n -z -w 1 192.168.1.2 1-1000

  The “-n” parameter here prevents DNS lookup, “-z” makes nc not to receive any data from the server, and “-w 1? makes the connection timeout after 1 second of inactivity.

• Proxying

  Another useful behavior is using netcat as a proxy. Both ports and hosts can be redirected. Look at this example:

  nc -l -p 12345 | nc www.google.com 80

  Port 12345 represents the request. This starts a nc server on port 12345 and all the connections get redirected to google.com:80. If a web browser makes a request to nc, the request will be sent to google but the response will not be sent to the web browser. That is because pipes are unidirectional. This can be worked around with a named pipe to redirect the input and output.

  mkfifo backpipe
  nc -l -p 12345 0backpipe

  On the Linux computer, also can use “-c” option.

  nc -l -p 12345 -c ‘nc www.google.com 80′

• Making any process a server:

  On a computer A with IP 192.168.1.2:

  nc -l -p 1234 -e /bin/bash

  The “-e” option spawns the executable with its input and output redirected via network socket.

It is one of the best method to dive in other system and retrieve the information. Atleast better then the dumbster diving. I am giving the list of the tools, which you can use to perform OS fingerprinting. Go ahead and experiment. Your comments are important for me.

• PRADS – Passive comprehensive TCP/IP stack fingerprinting and service detection.
• Ettercap – passive TCP/IP stack fingerprinting.
• NetworkMiner – passive DHCP and TCP/IP stack fingerprinting (combines p0f, Ettercap and Satori databases)
• Nmap – comprehensive active stack fingerprinting.
• p0f – comprehensive passive TCP/IP stack fingerprinting.
• PacketFence – PacketFence is an open-source network access control (NAC) system which provides the following features: registration, detection of abnormal network activities, proactive vulnerability scans, isolation of problematic devices, remediation through a captive portal, 802.1X, wireless integration and DHCP fingerprinting.
• Satori – passive CDP, DHCP, ICMP, HPSP, HTTP, TCP/IP and other stack fingerprinting.
• SinFP – single-port active/passive fingerprinting.
• XProbe2 – active TCP/IP stack fingerprinting.

pOf is one of its own kind type of tool. As the name suggests it is used for OS fingerprinting. P0f is a versatile passive OS fingerprinting tool. P0f can identify the system on machines that connect to your box, machines you connect to, and even machines that merely go through or near your box. All this even if the device is behind a fascist packet firewall.

P0f will also detect what the remote system is hooked up to (be it Ethernet, DSL, OC3, or avian carriers), how far it is located, what’s its uptime. The latest beta can also detect masquerade or illegal network hook-ups (useful for ISPs and corporate networks). P0f can detect certain types of packet filters and NAT setups, and sometimes can determine the name of the other guy’s ISP. Not a big deal? It’s still passive. It does not generate any network traffic. No name lookups, no traffic to the victim, no ARIN queries, no trace route.

NetworkMiner is a network forensic analysis tool (NFAT) for Windows. It is used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner is also used to parse PCAP files for off-line analysis and to regenerate or reassemble transmitted files and certificates from PCAP files.

The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames).

NetworkMiner performs OS fingerprinting based on TCP SYN and SYN+ACK packet by using OS fingerprinting databases from p0f (by Michal Zalewski) and Ettercap (by Alberto Ornaghi and Marco Valleri). NetworkMiner can also perform OS fingerprinting based on DHCP packets (which usually are broadcast packets) by making use of the Satori (by Eric Kollmann) OS fingerprinting database from FingerBank. NetworkMiner also uses the MAC-vendor list from Nmap (by Fyodor).

Another work to help my friend with his white paper. I am including overview because each topic can elaborate in long epic. I like to add topics as it gives me chance to post atomic topics later. I will surely come with the elaborate post for each atomic topic.

Remote hacking is the process of entering a target system remotely by using the advantage of vulnerability.

Remote Hacking Steps:

1. Information Gathering / Foot Printing
2. Port Scanning
3. OS Fingerprinting
4. Banner Grabbing
5. Vulnerability Assessment
6. Search & Build Exploit
7. Attack
8. Maintaining Access
9. Covering Tracks

A description of the various remote hacking steps is given below:

1. Information Gathering / Foot Printing: In this step, maximum details of the target host are searched and gathered. It is a very important part of remote hacking because more attacks can be performed by a hacker when he has more information about the target system. Information gathering is done with the help of the following steps:
   • Find the company details including the URL and IP address.
   • Use Google or other search engines for more information from different websites.
   • Find out the information about the target domain with the help of the whois command.
   • Find out the physical location of the victim (use www.ipmango.com)
2. Port Scanning: Port is a medium of communication between two computers and every service on a host is identified by a unique 16-bit number called a port.
   

   Port Number	Service
   7	Ping
   21	File Transfer Protocol (FTP)
   23	Telnet
   25	SMTP (Mail)
   43	WHOIS
   53	DNS
   80	HTTP
   110	POP3 (Mail Access)
   513	Rlogin
   8080	Proxy

   Port scanning is the first basic step to get the details of open ports on the target system. Port scanning is used to find a hackable server with a hole or vulnerability.

   A port scanner is a piece of software designed to search a network host for open ports. This is often used by administrators to check the security of their networks and by hackers to identify running services on a host with the view to compromising it. Port scanning is used to find the open ports, so that it is possible to search exploits related to that service and application.

   Some examples of port scanners are Nmap, Hping2, and Superscan.

3. OS Fingerprinting: OS (Operating System) Fingerprinting is a process to find out a victim’s operating system (Windows, Linux, UNIX).

   Tools: Nmap, NetScanTools Pro, P0f.

4. Banner Grabbing: Banner grabbing is an attack to find the brand and/or version of an operating system or application.

   OS Fingerprinting and Banner Grabbing are a part of port scanning.

5. Vulnerability Assessment: A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed for include, but are not limited to, nuclear power plants, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems.

   Vulnerability is the most reliable weakness that any programming code faces. These programming code may be buffer overflow, xss, sql injection, etc., and an exploit is a piece of malware code that takes advantage of a newly announced vulnerability in a software application, usually the operating system or a Web server.

   Vulnerability + Exploit = Hacking on remote machine

   Important Tools: Xcobra, NTOSpider, Nikto, Privoxy, Samurai, SPIKE Proxy, Nessus.

6. Search & Build Exploit: Information on vulnerability can be found with help of vulnerability archive sites.

   For exploit and final attack, download the source code format from the sites that can provide them. Some of the sites that can be used for downloading can be Microsoft, Adobe, or Mozilla.

7. Attack: In this step of Remote hacking, try to get reverse shell by launching the attack on a remote system.
8. Maintaining Access: A root kit or Trojan virus is placed for future remote access on the target system.
9. Covering Tracks: Covering Tracks is the last and important step of remote hacking, which includes the deletion of all logs on the remote system. In Linux or UNIX, all entries of the /var folder need to be deleted, and if it is a Windows operating system, all events and logs are deleted. This step is used by hackers to keep their identity anonymous.

Watch this video for Banner Grabbing in Linux (Back Track)……..

Lately I came up with a new methodical challenge. One of my friend is writing white paper on the effect of different tools used in hacking and penetration testing. He came to me with a weird kind of problem. He wants to categorize the password cracking tools according to their usage and effectiveness. It took my whole weekend to complete this work, but its worth like spending so much time. I learned what I thought never existed. Rare elites are out there in World. I am sharing the part of my work in this blog. KNOWLEDGE FOR ALL, ALL FOR KNOWLEDGE. I tried my best to omit any lame mistake and keep the content appropriate. I know many websites are also giving these lists but I tested each tool with my hands on practical experiences.

1. Cain and Abel :

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.

It can recover passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

2. John the Ripper

It works on Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.

3.THC Hydra :

When you need to brute force crack a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more then 30 protocols, including telnet, ftp, http, https, smb, several databases, and much more. Like THC Amap this release is from the fine folks at THC.

The project supports a wide range of services and protocols: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP, PostgreSQL, Teamspeak, Cisco auth, Cisco enable, and Cisco AAA. It is licensed under version 2.0 of the GNU General Public License with the additional terms that the software may not be used for illegal purposes, and any commercial service or program that uses Hydra must give credit to THC.

4. Aircrack-ng:

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless card whose driver supports raw monitoring mode (for a list, visit the website of the project) and can sniff 802.11a, 802.11b and 802.11g traffic. The suite includes airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), and airdecap (decrypts WEP/WPA capture files).

5. L0phtcrack:

L0phtCrack attempts to crack Windows passwords from hashes which it can obtain (given proper access) from stand-alone Windows workstations, networked servers, primary domain controllers, or Active Directory. In some cases it can sniff the hashes off the wire. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionarybrute-force, hybrid attacks, and rainbow tables

External Links:

• L0phtCrack Website

6. AirSnort:

AirSnort is a wireless LAN (WLAN) tool that recovers encryption keys. AirSnort operates by passively monitoring transmissions. It uses Ciphertext Only Attack and captures approximately 5 to 10 million packets to decrypt the WEP keys.

External Links:

• AirSnort Homepage
• AirSnort Installation Guide on openSUSE10.1
• AirSnort Installation Guide on Windows

7. Solar Wind:

It includes various Security-related tools such as many network discovery scanners, an SNMP brute-force cracker, router password decryption, a TCP connection reset program, one of the fastest and easiest router config download/upload applications available and more.

External Links:

solarwind Official Website

8. PwdDump:

Pwdump is able to extract NTLM and LanMan hashes from a Windows target, regardless of whether Syskey is enabled. It is also capable of displaying password histories if they are available. In order to work, it must be run under an Administrator account, or be able to access an Administrator account on the computer where the hashes are to be dumped.

9. RainbowCrack:

The RainbowCrack tool is a hash cracker that makes use of a large-scale time-memory trade-off. A traditional brute force cracker tries all possible plaintexts one by one, which can be time consuming for complex passwords. RainbowCrack differs from “conventional” brute forcerainbow tables to reduce the length of time needed to crack a password drastically.

External Links:

crackers in that it uses large pre-computed tables called

• Project RainbowCrack – Developer’s official site.
• Rainbow Tables & Rainbow Crack tutorial

10. Brutus:

Brutus is one of the fastest, most flexible remote password crackers you can get your hands on – it’s also free. It is available for Windows 9x, NT and 2000, there is no UN*X version available although it is a possibility at some point in the future. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more.

External Links:

http://www.hoobie.net/brutus/

See this for John-The-Ripper, find the others on Youtube..

A rootkit is software that is installed on your server with the purpose of hiding the fact that your server has been compromised and providing access to your server so that the intruder can easily return. It is important to understand that in order for an intruder to install a rootkit they will have to have gained the rights to do so on your server. This means that the first line of defense is good security that prevents the installation of a rootkit.

The intruder could use a rootkit to hide the password cracker program that’s stealing your passwords and sending them back to the intruder. The intruder could also use a rootkit to hide a “back door” program that would give him easy access back into the compromised system.

There are at least six basic categories of rootkits which all serve the same purpose. They prevent the intruder’s malicious software from showing screen output to the unsuspecting user, and they prevent the malicious software from leaving traces in the system logs. They also prevent the malicious software from showing up in a “ps” or “top” process list.

Firmware rootkits
One of the most difficult rootkits to discover is the firmware rootkit that is placed in the code that exists in the ACPI or PCI cards or your system clock. Firmware rootkits can be installed in any flashable code on your motherboard or any cards that you install. The difficulties here will be that you cannot fix this by reinstalling your operating system or wiping your hard drives.

Virtualized rootkits change a computer’s boot-up sequence so that the rootkits get loaded instead of the operating system. Once the rootkits are running in memory, the original operating system loads and then runs in a virtual machine as a guest operating system. The rootkit can then intercept hardware calls from the original operating system in order to conceal the presence of any malicious software or activity.

Kernel rootkits
When Linux boots up, it loads kernel extensions, or modules. Loadable Kernel Module, or LKM rootkits, can modify these modules to make them do the intruder’s bidding. These are also very difficult to detect. They can subvert any attempt to detect them and can prevent removal. On the other hand, they can be prevented. On a known clean system, just recompile the Linux kernel without support for loadable kernel modules.

Boot Loader rootkits
In this rootkit the boot loader is replaced with a modified boot loader which is used to achieve the goals of the intruder.

Library rootkits
These rootkits work by modifying the operating system’s libraries that provide system calls. They will either patch the library files, hook onto them, or outright replace them.

Application level rootkits
These are sometimes referred to as “traditional” rootkits. That’s because they’re the oldest variety. Application level rootkits replace system utility programs with their own trojaned versions. On Linux, the affected system utilities include login, ls, du, netstat, ifconfig, ps and top. When the unsuspecting user invokes one of these counterfeit utilities, it’ll will do what the user wants done, but in the background, it will also do something for the intruder.

One way to check these utilities is to invoke them with the -/ option switch. If the command works with that switch, it’s an sign that its executable file is infected.

Rootkit Hunter
Rootkit Hunter performs a more comprehensive check than chkrootkit, and takes somewhat longer to run. If your distro’s package repository doesn’t have it, you can download it from the author’s website. The site is: http://rootkit.nl/projects or you can download it from sourceforge.net.

To perform a check of your system, enter:

rkhunter -c

Here is a typical summary which is listed at the end of the check.
System checks summary

This is important to learn. Couple of days back I experienced the threat more or less like it. That day I decided to fight with it and let my readers aware of this type of security. Its short and simple and easy to implement. Friends, prevention si better than the cure. Go through and please let me know your feedback.

Network security is a hot cake in contemporary IT industry scenario, and this trend will only increase in importance in the years ahead. Generally, all of the attention is focused to exterior threats and attacks, there are some steps we can take to prevent unwanted Cisco router access from within an organization (internal network).

Whether you want to limit what certain users can do and run on your routers, or prevent unauthorized users in your company from getting to config mode in the first place, here are four important yet simple steps you can take to do so.

Encrypt the passwords in your running configuration
This is a basic Cisco router security command that is often overlooked. It doesn’t do you any good to set passwords for your ISDN connection or Telnet connections if anyone who can see your router’s running configuration can see the passwords. By default, these passwords are displayed in your running config in clear text.

One simple command takes care of that. In global configuration mode, run service password-encryption. This command will encrypt all clear text passwords in your running configuration.

Set a console password
If I walked into your network room right now, could I sit down and start configuring your Cisco routers? If so, you need to set a console password. This password is a basic yet important step in limiting router access in your network. Go into line configuration mode with the command “line con 0”, and set a password with the password command.

Limit user capabilities with privilege level commands
Not everyone who has access to your routers should be able to do anything they want. With careful use of privilege levels, you can limit the commands given users can run on your routers.

Privilege levels can be a little clumsy at first, but with practice you’ll be tying your routers down as tight as you like. Visit http://www.cisco.com/univercd for documentation on configuring privilege levels.

Configure an “enable secret” password
It’s not uncommon for me to see a router that has an enable mode password set, but it’s in clear text.

By using “enable secret”, the enable mode password will automatically be encrypted. Remember, if you have an enable password and enable secret password set on the same router, the enable secret password takes precedence.

These four basic steps will help prevent unwanted router access from inside your network. If only preventing problems from outside your network was as simple!

THC Hydra is a fast network authentication cracker that supports many different services. Hydra was a software project developed by a German organization called The Hacker s Choice (THC). THC Hydra uses a dictionary attack to test for weak or simple passwords on one or many remote hosts running a variety of different services. It was designed as a proof-of-concept utility to demonstrate the ease of cracking poorly chosen passwords. The project supports a wide range of services and protocols: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP, PostgreSQL, Teamspeak, Cisco auth, Cisco enable, and Cisco AAA.

Hydra can be download from here.

A virtual terminal terminal is an application service that:

1. Allows host terminals on a multi-user network to interact with other hosts regardless of terminal type and characteristics.
2. Allows remote log-on by local area network managers for the purpose of management,
3. Allows users to access information from another host processor for transaction processing,
4. Serves as a backup facility.

PuTTY is an example of a Virtual terminal.

ITU-T defines a virtual terminal protocol based on the OSI application layer protocols. However, the virtual terminal protocol is not widely used on the Internet.

Recently, when I was working on the penetration testing of CISCO Routers a fellow Cisco administrator told me about a tool he had used to reset a password on a router. He had forgotten the line vty password and the enable password. He could not log in to the router. He did, however, know the SNMP Read/Write password.

He decided to use a freeware tool called “Cisco SNMP Tool”. It can be downloaded from here. He was able to reset the passwords on the router so he could log in. He found that, without knowing the admin passwords, he could even upload and download the start and running configuration files. Amazingly, he could even reboot the router.

While googling I found one more fellow blogger who wrote a good post in this domain. I tried his steps and accomplish the job successfully. Find his post here.

This video may also help. See the related video too.

Security5 is an entry level professional certification for individuals interested in learning computer networking and security basics. This certification program insures an individual’s competency in basic security matters, such as the definitions and the safe implementation of Firewalls, ports, and Anti-virus software. The 5 in the Program name indicates the five components of IT Security, as defined by EC-Council:

• Intrusion Detection System (IDS)
• Firewalls
• Anti-Virus
• Networking
• Web Security

It takes lots of patience and strength to use this swiss army knife. I have to test everything, put everything on acid test. Then I thought why others suffer the same. This post will help people who want to see the true picture of netcat.

Netcat is a computer networking service for reading from and writing network connections using TCP or UDP. Netcat is designed to be a dependable “back-end” device that can be used candidly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool since it can produce almost any kind of correlation one would need and has a number of built-in capabilities.

The common Netcat switches are as follows:

Features of Netcat: NetCat has the following features:

• Outbound or inbound connections, TCP or UDP, to or from any ports
• Full DNS forward/reverse checking, with appropriate warnings
• Ability to use any local source port
• Ability to use any locally-configured network source address
• Built-in port-scanning capabilities, with randomization
• Built-in loose source-routing capability
• Can read command line arguments from standard input
• Slow-send mode, one line every N seconds
• Hex dump of transmitted and received data
• Optional ability to let another program service established connections
• Optional telnet-options responder
• Featured tunneling mode which also allows special tunneling, such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel).

Netcat Examples:

• Opening a raw connection to port 25 is (like telnet) :

  nc mail.server.net 25

• Setting up a one-shot webserver on port 8080 to present a file:

  ( echo -e “HTTP/1.0 200 Ok\n\r”; cat some.file; ) | nc -q 1 -l -p 8080

  The file can then be accessed via a webbrowser under http://servername:8080/. Netcat only serves the file once to the first client that connects and then exits.

• Checking if UDP ports (-u) 80-90 are open on 192.168.0.1 using zero mode I/O (-z) :

  nc -vzu 192.168.0.1 80-90

• Pipe via UDP (-u) with a wait time (-w) of 1 second to ‘loggerhost’ on port 514:

  echo ‘<0>message’ | nc -w 1 -u loggerhost 514

• Portscanning:

  An uncommon use of netcat is port scanning. Netcat is not considered the best tool for this job, but it can be sufficient (a more advanced tool is Nmap)

  nc -v -n -z -w 1 192.168.1.2 1-1000

  The “-n” parameter here prevents DNS lookup, “-z” makes nc not to receive any data from the server, and “-w 1? makes the connection timeout after 1 second of inactivity.

• Proxying

  Another useful behavior is using netcat as a proxy. Both ports and hosts can be redirected. Look at this example:

  nc -l -p 12345 | nc www.google.com 80

  Port 12345 represents the request. This starts a nc server on port 12345 and all the connections get redirected to google.com:80. If a web browser makes a request to nc, the request will be sent to google but the response will not be sent to the web browser. That is because pipes are unidirectional. This can be worked around with a named pipe to redirect the input and output.

  mkfifo backpipe
  nc -l -p 12345 0backpipe

  On the Linux computer, also can use “-c” option.

  nc -l -p 12345 -c ‘nc www.google.com 80′

• Making any process a server:

  On a computer A with IP 192.168.1.2:

  nc -l -p 1234 -e /bin/bash

  Look these videos to get more idea..

  The “-e” option spawns the executable with its input and output redirected via network socket.