NETCAT Tutorial and Examples


Netcat is one of the older, more venerable applications that has been called the swiss army knife of network testing tools.

What is Netcat

Netcat is a tool that allows TCP or UDP communication over IPv4 or IPv6 in a client/server model. It can act as the server or the client, and can talk to other servers. It can be used to test open ports, serve web pages, copy files, and even open remote shells (there are many other uses for netcat too).

Encryption, Etc

Netcat is known as “nc” on cygwin64, and there are several variants with other options, such as ncat (which has SSL encryption). This tutorial covers the commands that the cygwin64 version is compiled with, using default options. Every example was tested on Windows 7 using the cygwin nc (“netcat”) version. By default netcat is not encrypted!

Some versions, or those that you compile yourself with special flags, allow you to directly invoke a shell. Cygwin netcat doesn’t come with that flag enabled, but later on I’ll show you how to do the same thing.

Netcat Help


$ nc -h
usage: nc [-46CDdhklnrtUuvz] [-I length] [-i interval] [-O length]
          [-P proxy_username] [-p source_port] [-s source] [-T ToS]
          [-V rtable] [-w timeout] [-X proxy_protocol]
          [-x proxy_address[:port]] [destination] [port]
        Command Summary:
                -4              Use IPv4
                -6              Use IPv6
                -D              Enable the debug socket option
                -d              Detach from stdin
                -h              This help text
                -I length       TCP receive buffer length
                -i secs         Delay interval for lines sent, ports scanned
                -k              Keep inbound sockets open for multiple connects
                -l              Listen mode, for inbound connects
                -n              Suppress name/port resolutions
                -O length       TCP send buffer length
                -P proxyuser    Username for proxy authentication
                -p port         Specify local port for remote connects
                -r              Randomize remote ports
                -s addr         Local source address
                -T toskeyword   Set IP Type of Service
                -C              Send CRLF as line-ending
                -t              Answer TELNET negotiation
                -U              Use UNIX domain socket
                -u              UDP mode
                -V rtable       Specify alternate routing table
                -v              Verbose
                -w secs         Timeout for connects and final net reads
                -X proto        Proxy protocol: "4", "5" (SOCKS) or "connect"
                -x addr[:port]  Specify proxy address and port
                -z              Zero-I/O mode [used for scanning]
        Port numbers can be individual or ranges: lo-hi [inclusive]

Now that we know what options are available for our netcat build, let’s see a few examples of how to use them.

Our Netcat Examples

Let’s assume we have 2 computers, 2.2.2.2 and 1.1.1.1. All of our examples will use these IPs. You won’t be able to open a port lower than 1024 unless you are root, so in our examples we’ll use 7777 as the port. 1.1.1.1 will always be the server in the following examples. You usually need to type the 1.1.1.1 line first in netcat before you can type the 2.2.2.2 line.

Netcat for Hacking/Penetration

If you were penetrating a computer behind a firewall that didn’t do application inspection, you could set up a netcat server on a port that mimics something else, like 80 or 22, which might be open, or even 53! Netcat won’t bind if another application is already bound to that port, though, so you would need to kill the current listener on that port and then start up netcat in its place.

Basic Server/Client Port Test With Netcat

This allows you to type on host 2.2.2.2 and have it appear on 1.1.1.1. By itself this isn’t terribly useful, but it shows the basic client/server usage and can be used to verify that a port is open and allowed through a firewall, as long as that firewall isn’t doing application inspection. However, if you typed out the correct protocol statements by hand, netcat is capable of “faking” many protocols.


1.1.1.1$ nc -l 7777
2.2.2.2$ nc 1.1.1.1 7777

Port Scanning with Netcat

You can use this to scan ports, though nmap is much better at it. You can also use netcat to see if a port is open (though lsof is probably better at that task too). In this netcat example we tell it to scan localhost starting at port 134 and continuing through 136.


$ nc -zv localhost 134-136
nc: connect to localhost port 134 (tcp) failed: Connection refused
Connection to localhost 135 port [tcp/epmap] succeeded!
nc: connect to localhost port 136 (tcp) failed: Connection refused

Netcat Chat

Whatever you type on either machine sends the text back and forth. It is essentially a chat program. Are you beginning to see why netcat is often called the swiss army knife of internet tools?


1.1.1.1$ nc -vl 7777
2.2.2.2$ nc 1.1.1.1 7777

Copying Files Through Netcat

While this is not a secure method to transfer files, it’s a method! Think of how the trigger could be scripted on one computer to dump something else to another computer. Session cookies for example….


1.1.1.1$ nc -l 7777 > outfile
2.2.2.2$ nc 1.1.1.1 7777 < infile

Manual Server Communication

Servers often only respond to the proper “knock”. Web servers, for example, want you to say “GET / HTTP/1.0\r\n\r\n” or they won’t respond. See what happens if you manually type in a request, or “hand craft” HTTP, using netcat:


$ printf "GET / HTTP/1.0\r\n\r\n" | nc somehost.com 80
HTTP/1.1 302 Found
Date: Tue, 23 Jun 2015 02:00:39 GMT
Server: Apache
X-Powered-By: PHP/5.5.12-2ubuntu4.4
Location: http://somehost.com/wp-signup.php?new=
Content-Length: 0
Connection: close
Content-Type: text/html

Verify Software Version

Most software says something when you knock on it. It can range from a simple prompt to more elaborate banners or protocols. Many programs will tell you what version of software they are running. If you ever wanted to see the banner, simply netcat to it! Our netcat example uses the -w (timeout) flag to make sure we wait long enough to get a banner.


$ nc -w 5 digitalcrunch.com 22
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-8
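Here is the same banner grab done from Python, as an added example that is not from the original post: a connect-and-read with a read timeout (the job -w 5 does above), a parser for the RFC 4253 SSH identification string, and a throwaway local listener that plays the part of the server so the whole thing runs offline. The listener, the sample banner constant and the function names are constructions for this example.

```python
import socket
import threading

# Constructed sample: the banner the post shows from digitalcrunch.com:22.
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-8\r\n"

def grab_banner(host, port, timeout=5.0, limit=1024):
    """Connect and read what the service volunteers, up to the first newline.
    `timeout` plays the role of `nc -w`: a silent service yields b""."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            while len(buf) < limit and not buf.endswith(b"\n"):
                chunk = s.recv(limit - len(buf))
                if not chunk:          # peer closed without saying anything more
                    break
                buf += chunk
        except socket.timeout:
            pass                       # final net read timed out, like nc -w
    return buf

def parse_ssh_ident(banner):
    """Split an RFC 4253 identification string 'SSH-proto-software SP comments'
    into (proto, software, comments); None if the banner is not SSH at all."""
    line = banner.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    if not line.startswith("SSH-"):
        return None
    ident, _, comments = line.partition(" ")
    parts = ident.split("-", 2)
    if len(parts) != 3:
        return None
    return parts[1], parts[2], comments or None

def serve_banner(payload, host="127.0.0.1"):
    """Stand-in for `nc -l` with a canned banner on stdin, serving one client
    on an ephemeral port (returned). payload=None imitates a service that
    never speaks first, which is exactly what the -w timeout is for."""
    srv = socket.socket(); srv.bind((host, 0)); srv.listen(1)
    def run():
        conn, _ = srv.accept()
        with conn:
            if payload is not None:
                conn.sendall(payload)
            conn.recv(1)               # hold the connection until the client leaves
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]
```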

Cloning a Drive/Partition with dd and nc

Perhaps you want to clone a hard drive across the network like Ghost does, but you want to do it with netcat and dd, two tools that come with almost any Linux distro. Here is how it’s done:


1.1.1.1$ nc -l 7777 | dd of=/dev/sda
2.2.2.2$ dd if=/dev/sda | nc 1.1.1.1 7777

I would warn you don’t mess with this unless you understand what /dev/sda is!

WebServer for “error.html”

One example I found was someone hooking up a laptop to the ethernet that served their web page. They didn’t have time to configure an error page when the server crashed, so to prevent a flood of tech support calls they created a simple error page and then told netcat to serve the html to anyone that asked. I bet they saved a ton of frantic people calling to say the webserver was down.


1.1.1.1$ while true; do nc -l 80 < error.html ; done
2.2.2.2$ lynx 1.1.1.1

Connect to IRC, Manual Commands

I will admit, I don’t know how to manually type the ident 113 codes that this irc server is looking for, but you could do an irc client via nc if you knew the commands:


$ nc -v irc.sorcery.net 6667
Connection to irc.sorcery.net 6667 port [tcp/*] succeeded!
:ember.sorcery.net NOTICE * :*** Looking up your hostname...
:ember.sorcery.net NOTICE * :*** Found your hostname
.... snip

Test IPv6 with Netcat

I’m a noob. I mean, I don’t use IPv6 yet. Are you a noob too? Take the IPv6 test and see if your network allows it! You can test IPv6 packets this way by using netcat. Note that -6 forces IPv6, so the client has to be given the server’s IPv6 address rather than 1.1.1.1; 2001:db8::1 below is a placeholder from the IPv6 documentation range, standing in for the IPv6 address of our 1.1.1.1 server.


1.1.1.1$ nc -6 -l 7777
2.2.2.2$ nc -6 2001:db8::1 7777

Don’t kill Server on Disconnect

All of the examples so far are one-shot commands: the listener exits when the first client disconnects. To make the listener persistent in netcat for cygwin, you have to use the -k flag. Other versions use a different flag to achieve the same result. Your netcat version might be different!


1.1.1.1$ nc -k -l 7777
2.2.2.2$ nc 1.1.1.1 7777

Test UDP with Netcat

In network tests we often want the client to “generate traffic” so we can see it in the logs. Knowing how to “fake” that traffic is actually useful. Here is how to fake udp traffic with netcat.


1.1.1.1$ nc -u -l 7777
2.2.2.2$ nc -u 1.1.1.1 7777

Tarring and Compressing through NC

SCP, FTP, or SFTP are all better suited to transferring files than netcat, but so you know netcat can transfer files, here is the way I’d do it:


1.1.1.1$ nc -l 7777 | tar xzvf -
2.2.2.2$ tar -czf - * | nc 1.1.1.1 7777

Remote Shell

I saved the best for last. This netcat example will open a shell with the same privileges as the account that typed the netcat commands. It uses mkfifo to create a named pipe and some black magic to communicate through that pipe to the shell:


1.1.1.1$ mkfifo /tmp/ncfifo
1.1.1.1$ cat /tmp/ncfifo | /bin/sh -i 2>&1 | nc -k -l 7777 > /tmp/ncfifo
2.2.2.2$ nc 1.1.1.1 7777

or


1.1.1.1$ cat /tmp/ncfifo | cmd.exe -i 2>&1 | nc -k -l 7777 > /tmp/ncfifo
2.2.2.2$ nc 1.1.1.1 7777

Using Expect to Script SMTP Session

The real power and danger of netcat is when it is used as a scripting tool. Here is a benign script (as is) that I found showing how to use the expect scripting language to trigger a netcat email.


#!/usr/bin/expect
# Give up (exit status 2) if the server takes more than 30 seconds to answer,
# or answers with anything other than the reply code we are waiting for.
set timeout 30
proc abort {} { exit 2 }

# -C makes nc send CRLF line endings, which SMTP requires.
spawn nc -C mail.example.org 25
expect default abort "220 "          ;# server greeting
send "HELO example.com\r"
expect default abort "\n250 "
send "MAIL FROM:bar@example.org\r"
expect default abort "\n250 "
send "RCPT TO:foo@example.org\r"
expect default abort "\n250 "
send "DATA\r"
expect default abort "\n354 "        ;# "start mail input"
send "From: bar@example.org\r"
send "To: foo@example.com\r"
send "Subject: Test\r"
send "Date: Thu, 20 Dec 2012 12:00:00 +0000\r"
send "\r"                            ;# blank line ends the headers
send "Testing\r"
send ".\r"                           ;# a lone dot ends the message body
expect default abort "\n250 "
send "QUIT\r"
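The same SMTP exchange driven from Python over a plain socket instead of expect and nc, as an added example that is not part of the script above. It keeps the script’s abort-on-unexpected-reply logic and talks to a constructed in-process stand-in for mail.example.org:25, so nothing is actually sent anywhere; DIALOGUE, run_dialogue and fake_smtp_server are names made up for this example.

```python
import socket
import threading
# (line to send, reply code to wait for): the expect script's send/expect pairs;
# None means "read the 220 greeting, send nothing yet".
DIALOGUE = [
    (None, "220"),
    ("HELO example.com", "250"),
    ("MAIL FROM:bar@example.org", "250"),
    ("RCPT TO:foo@example.org", "250"),
    ("DATA", "354"),
    ("From: bar@example.org\r\nTo: foo@example.com\r\nSubject: Test\r\n"
     "\r\nTesting\r\n.", "250"),          # headers, blank line, body, lone dot
    ("QUIT", "221"),
]

def run_dialogue(host, port, timeout=30.0):
    """Drive DIALOGUE over a raw socket with CRLF line endings (what nc -C sends).
    Returns (ok, replies); stops at the first unexpected reply code, which is the
    script's `expect default abort` branch."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for cmd, want in DIALOGUE:
            if cmd is not None:
                s.sendall(cmd.encode() + b"\r\n")
            line = f.readline().decode(errors="replace").rstrip("\r\n")
            replies.append(line)
            if not line.startswith(want + " "):
                return False, replies
    return True, replies

def fake_smtp_server(greeting="220 mail.example.org ESMTP"):
    """Constructed stand-in for mail.example.org:25 (one client, ephemeral port
    returned) so the exchange runs offline and no mail goes anywhere."""
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as f:
            conn.sendall(greeting.encode() + b"\r\n")
            in_data = False
            for raw in f:
                line = raw.decode(errors="replace").rstrip("\r\n")
                if in_data:                      # body lines until the lone dot
                    if line == ".": in_data = False; conn.sendall(b"250 OK queued\r\n")
                elif line.upper() == "DATA":
                    in_data = True; conn.sendall(b"354 End data with .\r\n")
                elif line.upper() == "QUIT":
                    conn.sendall(b"221 Bye\r\n"); break
                else:                            # HELO, MAIL FROM, RCPT TO
                    conn.sendall(b"250 OK\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```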

Security Stance vs Netcat

The examples on this page illustrate the need for competent application firewall engineers to prevent netcat and other back door tools from hijacking ports for nefarious uses. Nearly any WAF would prevent netcat from being used in the ways shown, or make it much more difficult to use netcat to bypass firewalls. With that said, netcat is also a great tool that can be literally anything you want it to be.
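On the defensive side, here is an added example (not from the post) of the check a host audit can run to catch the listeners the examples above create: parse `ss -ltnp` output and flag netcat-named listeners, known ports owned by the wrong process, and ports nobody expected. The ss lines, the EXPECTED table and the function names are constructed for this example; the binary names are the common netcat ones, including Debian’s nc.openbsd and nc.traditional.

```python
import re

# Process names the usual netcat variants run under (Debian's alternatives
# names included).
NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.openbsd", "nc.traditional"}
# What this (constructed) host is supposed to listen on, and who should own it.
EXPECTED = {22: "sshd", 80: "apache2"}

# Constructed `ss -ltnp` output: sshd as usual, plus the post's `nc -l 7777`
# and `nc -l 80 < error.html` listeners, and a stray local python server.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      1      0.0.0.0:7777        0.0.0.0:*         users:(("nc",pid=2241,fd=3))
LISTEN 0      1      0.0.0.0:80          0.0.0.0:*         users:(("nc",pid=2300,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      5      127.0.0.1:8080      0.0.0.0:*         users:(("python3",pid=977,fd=5))
"""
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def parse_ss(text):
    """Yield (port, process_name, pid) per LISTEN row. Rows with no process
    column (ss run without privileges) yield None for name and pid."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "LISTEN":
            continue
        port = int(f[3].rsplit(":", 1)[1])
        m = PROC_RE.search(line)
        yield port, (m.group(1) if m else None), (int(m.group(2)) if m else None)

def find_suspicious(text, expected=EXPECTED):
    """Return (port, name, reason) findings: any netcat-named listener, a known
    port owned by the wrong process (the port-hijack case the post describes),
    or a port nobody expected. A port-based firewall rule alone cannot tell
    these apart, since the port is the thing being mimicked."""
    findings = []
    for port, name, pid in parse_ss(text):
        if name in NETCAT_NAMES:
            findings.append((port, name, "netcat listener"))
        elif port not in expected:
            findings.append((port, name, "unexpected listening port"))
        elif name != expected[port]:
            findings.append((port, name, f"port {port} owned by {name}, expected {expected[port]}"))
    return findings
```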

Your Cool Netcat Examples

So what are some cool things you’ve done with netcat? I’d personally like to know! Fill out the comment and brag away! You might be interested in examples from Netcat Power Tools if you want more powerful examples and uses of netcat.

Author

James Fraze is an IT Security Consultant with 20+ years in IT who contracts through Romack Inc and also writes IT related articles. James can be reached at http://digitalcrunch.com/contact.

Posted in IT Security.
