0

Let's say I perform an nmap scan and discover a list of open ports.

If port 80 is open, I will do this:

$ nc IP_ADDRESS 80
GET / HTTP/1.0

This will be a simple HTTP protocol request.

But what about other ports? Let's say I found a random port like 51236 is open. How do I communicate with it after a successful netcat connection?

multithr3at3d
tommy

3 Answers

2

You would need to communicate with commands that this service can handle. Let's say that you manage to connect to an open SMTP port; you would then need to use SMTP commands (HELO, EHLO, MAIL FROM, RCPT TO, etc.) to interact with it. Same thing if you connect to a MySQL port, Redis port, etc.

Aura
  • Good point. I guess OP is trying to know if she can hack her way in just by knowing the protocol for communicating with a service and therefore compromise it. – Jason Krs Feb 02 '20 at 16:39
2

There is no generic solution.

I assume that your goal is service detection or possibly banner grabbing. Both of these are things that nmap does (among others), so the best way to understand how it works is to see how established tools do it.

How to do service detection

nmap can detect which service is behind a given port by using the -sV flag. The procedure is simple: nmap sends a payload, then checks the response. Sometimes that response tells nmap what service is running.

For example, some HTTP servers will respond to invalid requests like this:

HTTP/1.0 400 Bad Request
Content-Type: text/html; charset=UTF-8
[...]

From this response, nmap can tell it's an HTTP server. But what if the server is less talkative and just closes the connection after an improper request? In this case, nmap will try out every single kind of payload that is known to nmap. So if a server only understands SMTP, nmap will try all kinds of payloads until it finally replies to an SMTP request.

Doing this by hand is possible, although very very tedious. You can attempt some common services by hand (HTTP, FTP, SMTP, etc.), but trying out every somewhat popular proprietary protocol will take time.

How to do banner grabbing

Banner grabbing works in similar ways. Once you have figured out what kind of service is on the other side, you will have to try to figure out the version of that software. Sometimes this is baked into the protocol in some way, and it will be easy for you to figure out that the other side is a server running nginx in version 1.10.0 or Minecraft in version 1.7.10. Other times, the server will not be very talkative, and perhaps you need to do some educated guessing.

For example, you could check which features are enabled. This could give you an indication as to how old the version is (e.g. feature X was introduced in version Y), and provide a lower bound. You could also check how the server responds to certain malformed requests.

Again, tools like nmap have big databases that can do all of this for you, so in practice, there is no reason to do this "by hand", at least not until you know established tools didn't find anything. And then again, it may just be some proprietary in-house software.

  • I also like nmap's --version-all flag in tandem with -sV when trying to discover unknown services on non-standard ports. It tries all probes against every port, whereas I believe default behavior only tries things that are normally associated with the port. Obviously this is very loud. – multithr3at3d Feb 02 '20 at 21:55
  • @multithr3at3d Not only is it "loud", which sometimes is not something you care about, but it also could cause some unstable services to hang or crash. Not to mention that this drags out service detection considerably. –  Feb 02 '20 at 23:24
  • agreed, it's not at all something I'd include in every scan, but it can be useful to throw it at a couple of ports in certain scenarios. – multithr3at3d Feb 03 '20 at 02:44
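The probe-and-match procedure this answer describes, as an added example that is not from the original post and is not nmap's code: a minimal service detector that, like nmap -sV, first connects and waits for a banner (a null probe), then sends protocol-specific requests on fresh connections, and matches each response against a small signature table that also pulls out a version string where the banner exposes one. The probe list, the signature regexes and the sample banners in the comments are constructed for illustration; nmap's real databases are far larger.

```python
import re
import socket

# Probes in the order a detector like nmap -sV tries them: a null probe
# (connect and wait for a banner), then protocol-specific requests.
# Constructed for this example; nmap's own probe database is far larger.
PROBES = [
    ("null", b""),
    ("http", b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"),
    ("smtp", b"EHLO probe.example\r\n"),
]

# Response signatures: (service, regex). Group 1 captures a version or
# product string where the protocol exposes one (banner grabbing), e.g.
# "SSH-2.0-OpenSSH_8.2" or an HTTP "Server: nginx/1.10.0" header.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-(\S+)")),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}(?:.*?\r?\nServer: ([^\r\n]+))?", re.S)),
    ("smtp", re.compile(rb"^220[ -][^\r\n]*?(E?SMTP[^\r\n]*)")),
    ("ftp", re.compile(rb"^220[ -]([^\r\n]*FTP[^\r\n]*)")),
]


def identify(response):
    """Match a raw response against SIGNATURES; return (service, version).
    Unknown or empty responses give (None, None)."""
    for service, pattern in SIGNATURES:
        m = pattern.search(response)
        if m:
            raw = m.group(1)
            version = raw.decode(errors="replace").strip() if raw else None
            return service, version
    return None, None


def probe_port(host, port, timeout=3.0):
    """Send each probe on a fresh connection (many servers close after an
    improper request) until a response matches a signature."""
    for name, payload in PROBES:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                if payload:
                    s.sendall(payload)
                data = s.recv(4096)
        except OSError:
            continue  # refused, reset or silent: move on to the next probe
        service, version = identify(data)
        if service:
            return name, service, version
    return None, None, None
```

Run `probe_port(host, port)` against a host you are authorised to inventory; a result of `(None, None, None)` means none of the probes drew a recognisable reply, which is exactly the point where nmap's larger probe set (and `--version-all`) earns its keep.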
0

There is no one answer to your question "How do I communicate with it after a successful netcat connection?".

The only answer to such a generic question is "By sending the service the appropriate protocol commands/instructions".

The communication is SERVICE specific. If a TCP/UDP port is open and accepting a connection you need to know what service is running behind it before you can interact with it.

Once you know what service you're connecting to, you may be able to interact with it (at least to some extent). Someone posted a great example of SMTP (HELO, EHLO, MAIL FROM, RCPT TO, etc).

Also be aware that a service can run on a non-standard port (as long as it has appropriate permissions) - your netcat example, connecting to port 80 (http), could be ssh, telnet, FTP or literally anything - you cannot assume port 80 is http.

  • Isn't this handled by the answer provided earlier? Or did you mean to put a different perspective on it? – schroeder Feb 02 '20 at 21:27
  • Just wanted it to be clear that it's service specific as opposed to port number. But yes - this is mostly an echo of the answer by @Aura – Frank Jackson Feb 02 '20 at 21:43