- January 22, 2016
- Posted by: romackinc
- Category: IT Security
Netcat is one of the older, more venerable applications that has been called the swiss army knife of network testing tools.
What is Netcat
Netcat is a tool that allows TCP or UDP IPV4 or IPV6 communication in a client/server model. It can be used as the server, or the client and can communicate with others servers. It can be used to test open ports, serve web pages, copy files, and even open remote shells (there are many other uses for netcat too).
Netcat is known as “nc” on cygwin64 and there are several variants that have other options such as ncat (which has ssl encryption). This tutorial will go over commands that the cygwin64 version is compiled with, using default options. Every example was tested on windows 7 using the cygwin nc or “netcat” version. By default netcat is not encrypted!
Some versions, or those that you self compile with special flags allow you to directly invoke a shell. Cygwin netcat doesn’t come with that flag enabled, but later on I’ll show you how to do the same thing.
Now that we know what options are available for our netcat build, lets see a few examples of how to use them.
Our Netcat Examples
Let’s assume we have 2 computers, 220.127.116.11 and 18.104.22.168 All of our examples will use these ips. You won’t be able to open a port lower than 1024 unless you are root, so in our examples we’ll use 7777 as the port. 22.214.171.124 will always be the server in the following examples. You usually need to type the 126.96.36.199 line first in netcat before you can type the 188.8.131.52 line.
Netcat for Hacking/Penetration
However, if you were penetrating a computer with a firewall that didn’t do application inspection you could setup a netcat server on a port that mimics something else like 80 or 22, which might be open, or even 53! Netcat won’t bind if there is already an application bound to that port though, so you would need to kill the current listener on that port then start up netcat in it’s place.
Basic Server/Client Port Test With Netcat
This allows you to type on host 184.108.40.206 and have it appear on 220.127.116.11 By itself this isn’t terribly useful, but it shows the basic client server usage and can be used to verify a port is open and allowed through a firewall, as long as that firewall isn’t doing application inspection. However, if you typed out the correct protocol statements by hand, netcat is capable of “faking” many protocols.
Port Scanning with Netcat
You can use this to scan ports, though nmap is much better at it. But you can also use netcat to see if a port is open (though lsof is probably better at that task too). In this netcat example we are specifying to start the scan on localhost at port 134 and continue to 136.
Whatever you type on either machine sends the text back and forth. It is essentially a chat program. Are you beginning to see why netcat is often called the swiss army knife of internet tools?
Copying Files Through Netcat
While this is not a secure method to transfer files, it’s a method! Think of how the trigger could be scripted on one computer to dump something else to another computer. Session cookies for example….
Manual Server Communication
Servers often only respond to the proper “knock”. Web servers for example want you to say “GET / HTTP/1.0\r\n\r\n” or they won’t respond. See what happens if you manually type in a response or “hand craft” http using netcat:
Verify Software Version
Most software says something when you knock on it. It can range from the simple prompt to the more elaborate banners or protocols. Many programs will tell you what version of software they are running. If you ever wanted to see the banner, simply netcat to it! Our netcat example uses the wait flag to make sure we get a banner.
Cloning a Drive/Partition with dd and nc
Perhaps you want to clone a hard drive across the network like ghost but you want to do with netcat and dd, which are two tools that come with most any Linux distro… here is how it’s done:
I would warn you don’t mess with this unless you understand what /dev/sda is!
WebServer for “error.html”
One example I found was someone hooking up a laptop to the ethernet that served their web page. They didn’t have time to configure an error page when the server crashed, so to prevent a flood of tech support calls they created a simple error page and then told netcat to serve the html to anyone that asked. I bet they saved a ton of frantic people calling to say the webserver was down.
Connect to IRC, Manual Commands
I will admit, I don’t know how to manually type the ident 113 codes that this irc server is looking for, but you could do an irc client via nc if you knew the commands:
Test IPv6 with Netcat
I’m a noob. I mean, I don’t use IPv6 yet. Are you a noob too? Take the IPv6 test and see if your network allows it! You can test IPv6 packets this way by using netcat.
Don’t kill Server on Disconnect
All of the examples so far are one shot commands. To make the connection persistent in netcat for cygwin, you have to use the -k flag. Other versions use a different flag to acheive the same results. Your netcat version might be different!
Test UDP with Netcat
In network tests we often want the client to “generate traffic” so we can see it in the logs. Knowing how to “fake” that traffic is actually useful. Here is how to fake udp traffic with netcat.
Tarring and Compressing through NC
SCP, FTP, or SFTP are all better suited to transferring files than netcat, but so you know netcat can transfer files, here is the way I’d do it:
I saved the best for last. This netcat example will open shell with the same privileges as the account that typed the netcat commands. It sues mkfifo to create a pipe and use some black magic to communicate through that pipe to the shell:
Using Expect to Script SMTP Session
The real power and danger of netcat is when it is used as a scripting tool. Here is a benign script (as is) that I found showing how to use the expect scripting language to trigger a netcat email.
Security Stance vs Netcat
The examples on this page illustrate the need for competent application firewall engineers to prevent netcat and other back door tools from hijacking ports for nefarious uses. Nearly any WAF would prevent netcat from being used in the ways shown, or make it much more difficult to use netcat to bypass firewalls. With that said, netcat is also a great tool that can be literally anything you want it to be.
Your Cool Netcat Examples
So what are some cool things you’ve done with netcat? I’d personally like to know! Fill out the comment and brag away! You might be interested in examples from Netcat Power Tools if you want more powerful examples and uses of netcat.
James Fraze is an IT Security Consultant with 20+ years in IT who contracts through Romack Inc and also writes IT related articles. James can be reached at http://digitalcrunch.com/contact.