Netcat 101


I hear a lot about Netcat being a Swiss army knife for TCP/IP and I wanted to find out what you can actually do with it. I will continue to add to this page, so check back often.

Netcat's Wikipedia page says “Netcat (often abbreviated to nc) is a computer networking service for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation its user could need and has a number of built-in capabilities.

Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor”.

How to install Netcat in Windows

You can download Netcat for Windows from joncraton.org. Your antivirus may flag it as a virus because of what you can do with it; as long as you download it from the link above, just stop your antivirus prior to downloading it.

Once downloaded, just extract nc.exe from the zip folder and place it in your C:\WINDOWS directory.

Now open up a command prompt; you should be able to test that Netcat is working by running nc -h, which should show you the Netcat help text.

SANS Netcat cheat sheet

Setup a quick unencrypted chat

First, set up one terminal as a listener.

nc -l -p 31337
nc Netcat
-l Listen mode
-p Port

On another terminal, type the command below, which connects to the listener above on the port specified. You can use either an IP address or a host name.

nc 192.168.0.6 31337

You should now be able to chat between both terminals.

Transfer files

You can quickly transfer a file between two terminals using the commands below. First set up your listener.

nc -v -w 30 -p 31337 -l < file.txt
-v Verbose
-w 30 Wait 30 seconds before timing out
-p Port
-l Listen mode
< Feed file.txt to Netcat's standard input, so it is sent to whoever connects
file.txt File you wish to send

On the other terminal type this command to connect to the listener and receive the file.

nc -v -w 2 192.168.0.6 31337 > file.txt

I have found that the session stays open even after the file has transferred and I have to manually press Ctrl+C to kill the open session.

Banner Grabbing

You can also use Netcat to grab banners.

Banners are the welcome screens that divulge software version numbers and other system information on network hosts.

First we connect to a website on port 80 and then issue a HEAD request. Type the request line and a Host header after the nc command, then press Enter twice; the blank line tells the server the request is complete.

nc www.hempstutorials.co.uk 80
HEAD / HTTP/1.1
Host: www.hempstutorials.co.uk

The reply starts with the status line, followed by the headers:

HTTP/1.1 200

You can also connect directly to a service port to get some juicy information.

nc 192.168.0.6 22 (SSH Port)

Have a go at grabbing Google's headers (again, press Enter twice after the Host line).

nc www.google.com 80
GET / HTTP/1.1
Host: www.google.com
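Here is an added example (mine, not from the post) that does in Python what the two nc sessions above do by hand: it sends a HEAD request and splits the reply into status line and headers, and it reads the greeting a service such as SSH volunteers as soon as you connect. So that it runs offline, it talks to two constructed loopback servers; the DemoWeb and DemoSSH banners and the VERSION_LEAK_HEADERS list are assumptions made for the demo. The point for a defender is disclosure_findings: run the same grab against your own hosts to see which version headers they hand out.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names whose values commonly leak software versions (assumption: a
# starting list for a disclosure review, not an exhaustive one).
VERSION_LEAK_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a web server that advertises its version."""

    def version_string(self):
        return "DemoWeb/1.2.3 (constructed)"  # ends up in the Server: header

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("X-Powered-By", "DemoLang/4.5 (constructed)")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_http_server():
    """Serve the constructed handler on a loopback ephemeral port; return the port."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def start_greeting_server(banner):
    """Loopback listener that sends `banner` on connect, the way an SSH daemon does."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve():
        conn, _ = listener.accept()
        with conn:
            conn.sendall(banner)
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def grab_http_banner(host, port, timeout=3.0):
    """Send the HEAD request you would type into nc and parse the response headers."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in data:  # read until the end of the header block
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def read_greeting(host, port, timeout=3.0):
    """Connect and read whatever the service says first (the `nc host 22` case)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(1024).decode("latin-1").strip()


def disclosure_findings(headers):
    """Names of headers that reveal software versions; review these on your own hosts."""
    return [name for name in VERSION_LEAK_HEADERS if name in headers]


if __name__ == "__main__":
    web_port = start_demo_http_server()
    status, hdrs = grab_http_banner("127.0.0.1", web_port)
    print(status, hdrs.get("server"), disclosure_findings(hdrs))
    ssh_port = start_greeting_server(b"SSH-2.0-DemoSSH_9.9 (constructed)\r\n")
    print(read_greeting("127.0.0.1", ssh_port))
```

The Connection: close header asks the server to hang up after the response, which is why the read loop ends; without it many servers keep the connection open and nc appears to hang, exactly as the post notes for file transfers.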

Port Scanning

Netcat can be used as a port scanner, but it is nowhere near the same league as Nmap.

nc -v -w 1 192.168.0.6 -z 1-1000
-v Verbose
-w 1 Wait 1 second before giving up on each port
-z Zero-I/O mode (only check whether the port accepts a connection; used for scanning)
1-1000 Scans ports 1 to 1000
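What -z actually does is a plain TCP connect per port with nothing sent; the added Python example below (mine, not from the post) reproduces that against a constructed loopback listener so you can see the open/closed distinction without scanning anything real. The unexpected_listeners function is the defender's use of the same data: compare what is reachable against the ports you expect a host to expose. The timeout parameter plays the role of -w.

```python
import socket
import threading


def _accept_forever(listener):
    """Accept and immediately close: a -z probe only needs the handshake."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        conn.close()


def start_listener():
    """Constructed open service on a loopback ephemeral port; returns the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    threading.Thread(target=_accept_forever, args=(listener,), daemon=True).start()
    return listener.getsockname()[1]


def free_port():
    """A port that is (almost certainly) closed: bind, note the number, release it."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


def scan_ports(host, ports, timeout=1.0):
    """Zero-I/O connect scan: a port is open if the TCP handshake completes within
    `timeout` seconds (the -w value). Nothing is sent, like nc -z."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:  # refused, timed out or unreachable
            pass
    return open_ports


def unexpected_listeners(open_ports, expected):
    """Defender's view: open ports that are not in the documented baseline."""
    return sorted(set(open_ports) - set(expected))


if __name__ == "__main__":
    p = start_listener()
    q = free_port()
    found = scan_ports("127.0.0.1", [p, q])
    print("open:", found, "unexpected:", unexpected_listeners(found, expected=[]))
```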

Remote Shells in Windows

Set up a Netcat listener on your Windows box.

nc -Lp 31337 -vv -e cmd.exe
-Lp Listen harder on the given port (keep listening after a client disconnects)
-vv More verbose output
-e Program to execute for the inbound connection
cmd.exe is the program to execute.

Then connect to the listener from another terminal.

nc 192.168.0.6 31337

You should now be connected remotely to whatever program you specified in the listener.

Remote Shells From Linux

This is pretty much the same command as above, but you are setting up bash in the listener.

nc -lp 31337 -e /bin/bash
-lp Listen on Port
-e Program to exec
/bin/bash is the program to execute

Then connect to the listener on the port specified.

nc 192.168.100.160 31337

Be aware that when you remote into a Linux box you don't get a prompt like you do from Windows.
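From the defender's side, a Netcat listener wired to a shell with -e is exactly the thing you want to notice on your own hosts. The added example below (mine, not from the post) runs that detection logic over constructed ss -ltnp and ps -eo pid,args output: it reports listening sockets owned by a Netcat binary and the PIDs whose command line uses -e. The process names in NETCAT_NAMES, and every PID and port in the samples, are assumptions made up for the demo.

```python
import re

# Binary names that indicate a Netcat-style listener (assumption: common names;
# extend for your environment).
NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd", "cryptcat"}

# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       1       0.0.0.0:31337        0.0.0.0:*          users:(("nc",pid=4242,fd=3))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=6))
LISTEN  0       1       [::]:1337            [::]:*             users:(("cryptcat",pid=4300,fd=3))
"""

# Constructed sample of `ps -eo pid,args` output.
SAMPLE_PS = """\
  PID COMMAND
  812 /usr/sbin/sshd -D
 4242 nc -lp 31337 -e /bin/bash
 4300 cryptcat -k secret -l -p 1337
 5001 nc -l -p 9000
"""

# Pulls the process name and PID out of ss's users:(("name",pid=N,fd=M)) column.
_PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def netcat_listeners(ss_output):
    """Return (port, process, pid) for every LISTEN socket owned by a Netcat binary."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue  # header line or not a listener
        port = int(fields[3].rsplit(":", 1)[1])  # works for 0.0.0.0:22 and [::]:1337
        match = _PROC_RE.search(line)
        if match and match.group(1) in NETCAT_NAMES:
            hits.append((port, match.group(1), int(match.group(2))))
    return hits


def exec_shell_listeners(ps_output):
    """PIDs of Netcat processes whose command line attaches a program with -e."""
    pids = []
    for line in ps_output.splitlines()[1:]:  # skip the PID COMMAND header
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        pid, args = parts
        argv = args.split()
        if argv and argv[0].rsplit("/", 1)[-1] in NETCAT_NAMES and "-e" in argv:
            pids.append(int(pid))
    return pids


if __name__ == "__main__":
    print("netcat listeners:", netcat_listeners(SAMPLE_SS))
    print("listeners with -e:", exec_shell_listeners(SAMPLE_PS))
```

Both checks key on the process name, so they are a baseline rather than a complete answer: a renamed binary would not match, which is why pairing this with the port baseline from a scan of your own hosts is worthwhile.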

Cryptcat

Cryptcat is basically Netcat with Twofish encryption. It can be installed on most Linux distros with apt-get install cryptcat, and I found that it is already installed in Kali 2.0.

We set up a listener first; the only difference is that we use the -k option and add a password.

cryptcat -k mypassword -l -p 1337
-k Password used to encrypt the communication

Then we connect to the listener with the same -k option and the same password we used in the listener.

cryptcat -k mypassword 10.73.31.124 1337

Making Processes Talk To Each Other

You can send a whole directory between terminals using the commands below.

First we set up a listener by using tar to package the folder and piping that into a Netcat listener.

tar -cf - /foldername | nc -l -p 1337
tar Creates an archive
-cf - Create an archive and write it to standard output (the -), which is piped into Netcat

On the second terminal we connect to the listener and pipe the output into tar, which extracts the folder.

nc 192.168.0.6 1337 | tar -xf -
-xf - Extract an archive read from standard input (the -)

You can also copy just one file, like we did in the Transfer files section, using cat and piping the file into a Netcat listener.

cat file.txt | nc -l -p 1337

and connect to the listener just like we did before, using > and the name of the file.

nc 192.168.0.6 1337 > file.txt

To copy a whole hard drive, use this command.

cat /dev/hdb | nc -l -p 1337

and on the second console type:

nc 192.168.0.6 1337 > /dev/hdb

Be aware that it is not recommended to use Netcat to transfer your entire disc. If there are any errors during the transfer, it is not going to tell you.
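The warning above applies to every transfer on this page, from the single file in the Transfer files section to the whole-disc copy: Netcat moves bytes and reports nothing about whether they all arrived. The added example below (mine, not from the post) reproduces the `nc -l -p PORT < file` / `nc host PORT > file` pair in Python over the loopback and then does the check nc never does, comparing SHA-256 digests on both ends. It also half-closes the sending side once the file is done, so the receiver sees EOF instead of the hung session noted earlier. The file name, the payload and the port are constructed for the demo.

```python
import hashlib
import os
import socket
import tempfile
import threading


def sha256_of(path):
    """Digest a file in chunks so large disc images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def serve_file(path):
    """Equivalent of `nc -l -p PORT < path`: accept one connection, stream the
    file, then shut down the sending side so the receiver gets EOF. Returns the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def send():
        conn, _ = listener.accept()
        with conn, open(path, "rb") as f:
            for block in iter(lambda: f.read(65536), b""):
                conn.sendall(block)
            conn.shutdown(socket.SHUT_WR)  # the step that makes the other end finish
        listener.close()

    threading.Thread(target=send, daemon=True).start()
    return listener.getsockname()[1]


def receive_file(host, port, dest, timeout=10.0):
    """Equivalent of `nc host PORT > dest`: read until EOF, write to disk, return bytes read."""
    total = 0
    with socket.create_connection((host, port), timeout=timeout) as sock, open(dest, "wb") as out:
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            out.write(chunk)
            total += len(chunk)
    return total


def transfer_and_verify(src, dest):
    """Run the transfer, then compare digests on both ends.
    Returns (ok, sender_digest, receiver_digest)."""
    port = serve_file(src)
    receive_file("127.0.0.1", port, dest)
    sent, received = sha256_of(src), sha256_of(dest)
    return sent == received, sent, received


def demo():
    """Round-trip a constructed file through the loopback and verify it."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "file.txt")
    dest = os.path.join(tmp, "received.txt")
    with open(src, "wb") as f:
        f.write(b"constructed payload line\n" * 5000)  # ~120 KiB, several recv() calls
    return transfer_and_verify(src, dest)


if __name__ == "__main__":
    ok, sent, received = demo()
    print("verified:", ok, sent[:16], received[:16])
```

With real nc you get the same assurance by running sha256sum on the source before sending and on the destination afterwards; for a disc image, compare the digest of the device on one side with the digest of the file on the other.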

Using Netcat to Direct Network Traffic

You can use Netcat as a proxy.

nc -l -p 1337 | nc www.google.com 80

This makes Netcat listen on port 1337 and pipe everything it receives to www.google.com on port 80. If we open our browser and go to 127.0.0.1:1337, we don't get anything, but in the terminal we get a bunch of gibberish (or try example.com, which gives you some HTML for a 404 page). We only see this information in the terminal because we haven't told Netcat to pipe it back out to the browser. The next command makes the pipe bidirectional: Netcat pipes data from port 1337 to google.com on port 80, which in turn pipes its reply back out of Netcat on port 1338.

Now we type:

nc -l -p 1337 | nc www.google.com 80 | nc -l -p 1338

Now in the browser type in 127.0.0.1:1337. Again, nothing. But, let’s now change that to 1338. It takes us directly to the site!
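The reason the browser needs two ports is that a shell pipe only carries data one way, so the reply has to come back out of a second listener. A real proxy relays both directions on the one connection; the added example below (mine, not from the post) is a minimal Python relay that does that, tested offline against a constructed echo server standing in for the remote site. The `log` list records each chunk and its direction, which is the inspection point a defender would use to see what passes through such a relay. All hosts and ports are loopback ephemerals chosen for the demo.

```python
import socket
import threading


def _pump(src, dst, label, log):
    """Copy bytes src->dst until EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            log.append((label, len(chunk)))  # what -o would let you dump to a file
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_relay(target_host, target_port, log):
    """Listen on a loopback ephemeral port and relay every connection to the
    target in both directions. Returns the listening port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return
            upstream = socket.create_connection((target_host, target_port))
            threading.Thread(target=_pump, args=(client, upstream, "client->target", log),
                             daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client, "target->client", log),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def start_echo_server():
    """Constructed upstream service that echoes whatever it receives."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def serve():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return
            # pumping a socket into itself is an echo server
            threading.Thread(target=_pump, args=(conn, conn, "echo", []), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def request_through_relay(relay_port, payload, timeout=5.0):
    """Act as the browser: connect to the relay, send, half-close, read the reply."""
    reply = b""
    with socket.create_connection(("127.0.0.1", relay_port), timeout=timeout) as sock:
        sock.sendall(payload)
        sock.shutdown(socket.SHUT_WR)
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


if __name__ == "__main__":
    traffic = []
    echo_port = start_echo_server()
    relay_port = start_relay("127.0.0.1", echo_port, traffic)
    print(request_through_relay(relay_port, b"GET / HTTP/1.0\r\n\r\n"))
    print(traffic)
```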

Other Commands

-g lets you force a data stream through your network to a certain path.

-G tracks that connection and can be used for troubleshooting network problems

-o this will dump data into a file of your choice and can be used as a sniffer for a man-in-the-middle attack.

-s can be used to route

-t TCP mode

-u UDP mode

-r randomizes the local and remote ports.
