linux, networking, shell

Netcat – hacker’s Swiss army knife

Despite being released 25 years ago, Netcat remains a fundamental network penetration testing tool. In simple words, Netcat is a utility that reads and writes data across network connections using the TCP or UDP protocol.

Connecting to a TCP/UDP Port

Netcat can run in either client or server mode. Let’s look at some examples in client mode first. We can use it to connect to any TCP/UDP port, which allows us to:

  • check whether a port is open or closed
  • connect to a network service manually
  • read its banner

Let’s begin by using nc to check whether TCP port 80 is open on the server.

-n skips DNS name resolution; -v adds some verbosity.

$ nc -nv 10.10.10.10 80
(UNKNOWN) [127.0.0.1] 80 (http) open
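To make the three client-mode uses above concrete, here is an added Python example (not code from the original post) that reproduces what `nc -nv host port` does with plain sockets: a TCP connect to tell open from closed from filtered, followed by a read for whatever banner the service volunteers. The local banner service, its port and the banner text are constructed for the example; a real target would answer with its own banner or, like most HTTP servers, wait for the client to speak first.

```python
import socket
import threading

# Constructed banner for the throwaway local service used in the example;
# a real SMTP, FTP or SSH server sends its own greeting line.
BANNER = b"220 example.test ESMTP ready\r\n"


def serve_banner(port, banner=BANNER):
    """Start a single-shot TCP service on 127.0.0.1 that sends a banner and closes.

    It stands in for the remote host of the `nc -nv <host> <port>` example.
    Passing port 0 lets the kernel pick a free port; the bound port is returned.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def accept_one():
        conn, _peer = srv.accept()
        with conn:
            conn.sendall(banner)   # services that "speak first" behave like this
        srv.close()

    threading.Thread(target=accept_one, daemon=True).start()
    return srv.getsockname()[1]


def probe_port(host, port, timeout=3.0, read_banner=True):
    """Mimic `nc -nv host port`: report the port state and capture any banner.

    Returns (state, banner). state is "open" (handshake completed), "closed"
    (connection refused, i.e. a RST came back) or "filtered" (no answer before
    the timeout, which is what a silently dropping firewall looks like).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", b""
    except socket.timeout:
        s.close()
        return "filtered", b""

    banner = b""
    if read_banner:
        try:
            banner = s.recv(1024)   # first bytes the service sends, if any
        except socket.timeout:
            banner = b""            # open, but the service waits for the client
    s.close()
    return "open", banner


if __name__ == "__main__":
    port = serve_banner(0)
    state, banner = probe_port("127.0.0.1", port)
    print(f"127.0.0.1 {port}: {state} {banner!r}")
```

The timeout is what separates "closed" from "filtered": nc itself only prints "open" or a connection error, so when a scan hangs rather than failing, that silence is the firewall, not the service.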

Listening on a TCP/UDP Port

Listening on a TCP/UDP port with nc is useful for network debugging. In this example I will create a simple chat between two hosts: nc runs in server mode on 10.10.10.10 and in client mode on 11.11.11.11.

First, run a listener on a server host.

-l stands for ‘listen’ and -p gives the port number.

$ nc -lvnp 666
listening on [any] 666 ...

Next, on the other machine, connect to this port. If the connection succeeds, we can type a line of text in the terminal and it is sent to the server.

$ nc -nv 10.10.10.10 666
(UNKNOWN) [10.10.10.10] 666 (?) open
This is message from the client

The text sent above appears in the terminal of the server host:

$ nc -lvnp 666
listening on [any] 666 ...
connect to [10.10.10.10] from <UNKNOWN> [11.11.11.11] 666
This is message from the client

We can send a message in the other direction, too. On the server (10.10.10.10):

$ nc -lvnp 666
listening on [any] 666 ...
connect to [10.10.10.10] from <UNKNOWN> [11.11.11.11] 666
This is message from the client

This is another message from the server

And on the client (11.11.11.11):

$ nc -nv 10.10.10.10 666
(UNKNOWN) [10.10.10.10] 666 (?) open
This is message from the client

This is another message from the server

Transferring files

Netcat can also be used to transfer files between two hosts, which is extremely useful during penetration tests and when administering servers. Note: the connection is not encrypted. For secure file sharing, take a look at this post about scp.

We will use the same two hosts as above, and the connection setup is very similar. Establish a listener on 10.10.10.10:666, but this time, instead of displaying the content in the console, redirect the whole incoming stream straight into a file. The file we want to transfer is a bash script.

$ nc -lvnp 666 > output.sh
listening on [any] 666 ...

On the other host, send the file to the running listener:

$ nc -nv 10.10.10.10 666 < /usr/share/script.sh
(UNKNOWN) [10.10.10.10] 666 (?) open

As we can see below, the connection was established and our file should now be saved in output.sh. Note that there is no progress bar like the one in curl or wget. This time the file was small and the transfer was quick, but when sending larger files you have to be careful not to close the connection before the transfer has completed.

$ nc -lvnp 666 > output.sh
listening on [any] 666 ...
connect to [10.10.10.10] from <UNKNOWN> [11.11.11.11] 666
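The warning about closing the connection too early comes down to one fact: a raw TCP stream carries no length, so the listener writing to output.sh only knows the file is complete when it sees end-of-file, which the sender signals by shutting down its write side (depending on the nc variant this is what -N or -q makes nc do once stdin is exhausted). The added Python example below, which is not code from the original post, reimplements both ends of `nc -lvnp 666 > output.sh` and `nc -nv 10.10.10.10 666 < script.sh` with sockets, signals EOF explicitly, and then compares SHA-256 digests on both sides, which is the same check you would do with sha256sum after a real nc transfer. The script contents, port and host are constructed for the example.

```python
import hashlib
import socket
import threading

# Constructed stand-in for /usr/share/script.sh, made large enough that it
# does not fit in a single recv() call.
SCRIPT = b"#!/bin/bash\n" + b"".join(b"echo line %d\n" % i for i in range(2000))


def sha256_hex(data):
    """Digest used to confirm that what arrived is what was sent."""
    return hashlib.sha256(data).hexdigest()


def receive_file(port, chunk_size=4096):
    """Listener side of `nc -lvnp <port> > output.sh`, run in a thread.

    Returns (bound_port, thread, result). result is filled in once the sender
    signals EOF: 'data' holds the received bytes, 'sha256' their digest.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    result = {}

    def run():
        conn, _peer = srv.accept()
        buf = bytearray()
        with conn:
            while True:
                chunk = conn.recv(chunk_size)
                if not chunk:          # EOF: the sender shut down its write side
                    break
                buf.extend(chunk)      # like `> output.sh`, but kept in memory
        srv.close()
        result["data"] = bytes(buf)
        result["sha256"] = sha256_hex(buf)

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread, result


def send_file(host, port, data):
    """Sender side of `nc -nv <host> <port> < script.sh`; returns the digest sent."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(data)
        # Half-close: tells the listener "no more bytes", so it can finish.
        # Without this the receiver has no way to know the transfer is done.
        s.shutdown(socket.SHUT_WR)
    return sha256_hex(data)


def transfer_and_verify(data, host="127.0.0.1"):
    """Run a full transfer over loopback and check integrity end to end."""
    port, thread, result = receive_file(0)
    sent_digest = send_file(host, port, data)
    thread.join(10)
    received = result.get("data", b"")
    return {
        "sent_sha256": sent_digest,
        "received_sha256": result.get("sha256"),
        "received_size": len(received),
        "ok": result.get("sha256") == sent_digest and len(received) == len(data),
    }


if __name__ == "__main__":
    report = transfer_and_verify(SCRIPT)
    print(f"{report['received_size']} bytes, digests match: {report['ok']}")
```

Two things carry over to real nc usage: nothing on the wire is authenticated or encrypted, so anyone on the path can read or alter output.sh, and the digest comparison is the only evidence you have that the file arrived whole; never run a script received this way before that check passes.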

The -e option

That’s all for this post. In the next one, I will write about the -e option in nc, which enables remote administration features known as bind shells and reverse shells.