Netcat – hacker’s Swiss army knife
Despite being released 25 years ago, Netcat remains a fundamental network penetration testing tool. In simple words, Netcat is a utility which reads and writes data across network connections using the TCP or UDP protocol.
Connecting to a TCP/UDP Port
Netcat can run in either client or server mode. Let’s look at some examples in client mode. We can use it to connect to any TCP/UDP port, which allows us to:
- check if a port is open or closed
- connect to a network service manually
- read a banner
Let’s begin by using nc to check if TCP port 80 is open on the server. -n skips DNS name resolution and -v adds some verbosity.
$ nc -nv 10.10.10.10 80
(UNKNOWN) [127.0.0.1] 80 (http) open
Listening on a TCP/UDP Port
Listening on a TCP/UDP port using nc is useful for network debugging. In this example I will create a simple chat between two hosts. nc has to run in both modes: as a client on 11.11.11.11 and as a server on 10.10.10.10.
First, run a listener on the server host. -l stands for ‘listen’ and -p for the port number.
$ nc -lvnp 666
listening on [any] 666 ...
Next, on the other machine we connect to this port. If the connection succeeds, we can type a line of text in the terminal.
$ nc -nv 10.10.10.10 666
(UNKNOWN) [10.10.10.10] 666 (?) open
This is message from the client
The text sent above will appear on the terminal of the server host:
$ nc -lvnp 666
listening on [any] 666 ...
connect to [10.10.10.10] from <UNKNOWN> [11.11.11.11] 666
This is message from the client
We can send a message in the other direction, too.
$ nc -lvnp 666
listening on [any] 666 ...
connect to [10.10.10.10] from <UNKNOWN> [11.11.11.11] 666
This is message from the client
This is another message from the server
$ nc -nv 10.10.10.10 666
(UNKNOWN) [10.10.10.10] 666 (?) open
This is message from the client
This is another message from the server
Transferring files
Netcat can also be used to transfer files between two hosts. It is extremely useful during penetration testing and when administering servers. Note: the connection will not be encrypted. For secure file sharing, take a look at this post about scp.
We will use the same two servers as above, and the connection setup will also be very similar. Establish a listener on the machine 10.10.10.10:666, but this time, instead of displaying the content in the console, write the whole incoming stream straight to a file. The file we want to transfer will be a bash script.
$ nc -lvnp 666 > output.sh
listening on [any] 666 ...
On the other host, send the file to the running server:
$ nc -nv 10.10.10.10 666 < /usr/share/script.sh
(UNKNOWN) [10.10.10.10] 666 (?) open
As we can see below, the connection was established and our file should be saved as output.sh. Note that there is no such thing as a progress bar, as known from curl or wget. This time the file was small and the transfer was quick, but when sending larger files you have to be careful not to close the connection before the transfer is complete.
$ nc -lvnp 666 > output.sh
listening on [any] 666 ...
connect to [10.10.10.10] from <UNKNOWN> [11.11.11.11] 666
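A re-creation of the transfer above in Python, added here as an example and not code from the post: the listener writes the raw stream to a file until the sender closes, exactly as nc -lvnp 666 > output.sh does, so comparing a sha256 digest on both sides afterwards is the only way to know the file arrived whole. The stop_after parameter and the 256 KiB sample file are assumptions constructed for the demo, not nc features.

```python
import hashlib, os, socket, tempfile, threading

def receive_to_file(srv, dest_path):
    """Listener side, like `nc -lvnp PORT > dest_path`. Returns bytes received."""
    conn = srv.accept()[0]
    total = 0
    with conn, open(dest_path, "wb") as out:
        while chunk := conn.recv(65536):  # empty read = peer closed, the only "done" signal
            out.write(chunk)
            total += len(chunk)
    return total

def send_file(host, port, src_path, stop_after=None):
    """Client side, like `nc -nv HOST PORT < src_path`. stop_after (added here,
    not an nc feature) closes the connection after that many bytes."""
    limit = os.path.getsize(src_path) if stop_after is None else stop_after
    sent = 0
    with socket.create_connection((host, port)) as s, open(src_path, "rb") as f:
        while chunk := f.read(min(65536, limit - sent)):
            s.sendall(chunk)
            sent += len(chunk)
        s.shutdown(socket.SHUT_WR)  # EOF: lets the listener's redirect finish
    return sent

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def transfer_and_verify(src_path, dest_path, stop_after=None):
    """Run listener and client over loopback; return (size, sent, received, match)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    srv.listen(1)
    got = []
    t = threading.Thread(target=lambda: got.append(receive_to_file(srv, dest_path)))
    t.start()
    sent = send_file("127.0.0.1", srv.getsockname()[1], src_path, stop_after)
    t.join()
    srv.close()
    match = sha256_of(src_path) == sha256_of(dest_path)
    return os.path.getsize(src_path), sent, got[0], match

def demo(stop_after=None):
    """Constructed 256 KiB sample file in a temp dir, not the post's script.sh."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "script.sh"), os.path.join(d, "output.sh")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 1024)
        return transfer_and_verify(src, dst, stop_after)
```

A connection dropped part-way (demo(stop_after=100000)) still ends cleanly on the listener, with a truncated output file and no error; only the digest mismatch reveals it.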
-e option
That’s all for this post. In the next one, I will write about the -e option in nc, which enables the remote administration features known as bind shell and reverse shell.