Netcat – hacker’s Swiss army knife
Despite being released 25 years ago, Netcat remains a fundamental network penetration testing tool. In simple words, Netcat is a utility which reads and writes data across network connections using
Connecting to a TCP/UDP Port
Netcat can run in either client or server mode. Let’s look at some examples in client mode. We can use it to connect to any TCP/UDP port, which allows us to:
- check if port is open/closed
- connect to some network service manually
- read a banner
Let’s begin by using nc to check if TCP port 80 is open on the server. -n skips DNS name resolution and -v adds some verbosity.
$ nc -nv 10.10.10.10 80
(UNKNOWN) [127.0.0.1] 80 (http) open
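To show what the -nv probe above actually does at the socket level (connect, classify the answer, read the banner), here is an added example in Python; it is not code from the original post, and it uses a constructed loopback banner server and a constructed refused port as stand-ins for the 10.10.10.10 host, so it runs without netcat installed:

```python
import socket
import threading

# Added example (not from the original post): a TCP probe that does what
# `nc -nv HOST PORT` does in client mode -- report whether the port is open,
# closed, or not answering, and read whatever banner the service sends.


def tcp_probe(host, port, timeout=2.0, banner_bytes=128):
    """Return (state, banner). state is "open", "closed" or "filtered";
    banner is the first line the service sent, or "" if it stayed silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(banner_bytes)
            except socket.timeout:
                data = b""          # open port, but the service waits for us to speak first
            return "open", data.decode("utf-8", "replace").strip()
    except ConnectionRefusedError:
        return "closed", None       # RST came back: nothing is listening there
    except OSError:
        return "filtered", None     # timeout / unreachable: no answer at all


def start_banner_server(banner=b"220 constructed-ftp ready\r\n"):
    """Constructed stand-in for a real service: listens on a loopback port,
    sends one banner to the first client, then goes away. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Reserve and release a loopback port so that connecting to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Same three pieces of information nc -nv prints: address, port, state.
    for p in (start_banner_server(), closed_port()):
        state, banner = tcp_probe("127.0.0.1", p)
        print(f"[127.0.0.1] {p} {state}", banner or "")
```

The three states are worth telling apart when reading nc output too: a refused connection means the host answered and nothing listens, while a silent timeout usually means a firewall dropped the packet, so "closed" and "filtered" call for different follow-up.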
Listening on a TCP/UDP Port
Listening on a TCP/UDP port using nc is useful for network debugging. In this example I will create a simple chat between two hosts. It requires running nc on both the client (184.108.40.206) and the server (10.10.10.10).
First, run a listener on the server host. -l stands for ‘listen’ and -p for the port number.
$ nc -lvnp 666
listening on [any] 666 ...
Next, on the other machine we have to connect to this port. If the connection succeeds, we can write a line of text in the terminal.
$ nc -nv 10.10.10.10 666
(UNKNOWN) [10.10.10.10] 666 (?) open
This is message from the client
The text sent above will appear on the terminal of the server host:
$ nc -lvnp 666
listening on [any] 666 ...
connect to [10.10.10.10] from <UNKNOWN> [220.127.116.11] 666
This is message from the client
We can send a message in the other direction, too.
$ nc -lvnp 666
listening on [any] 666 ...
connect to [10.10.10.10] from <UNKNOWN> [18.104.22.168] 666
This is message from the client
This is another message from the server
$ nc -nv 10.10.10.10 666
(UNKNOWN) [10.10.10.10] 666 (?) open
This is message from the client
This is another message from the server
Netcat can also be used to transfer files between two hosts. It is extremely useful during penetration tests and when administering servers. Note – the connection will not be encrypted. For secure file sharing, take a look at this post about
We will use the same two hosts as above, and the connection setup will also be very similar. Establish a listener on the machine 10.10.10.10:666, but this time, instead of displaying the content in the console, write the whole incoming stream straight to a file. The file we want to transfer will be a bash script.
$ nc -lvnp 666 > output.sh
listening on [any] 666 ...
On the other host send a file to the running server:
$ nc -nv 10.10.10.10 666 < /usr/share/script.sh
(UNKNOWN) [10.10.10.10] 666 (?) open
As we can see below, the connection was established and our file should be saved in output.sh. Note that there is no such thing as a progress bar, as known from wget. This time the file was small and the transfer was quick, but when sending larger files you have to be careful not to close the connection before the transfer is complete.
$ nc -lvnp 666 > output.sh
listening on [any] 666 ...
connect to [10.10.10.10] from <UNKNOWN> [22.214.171.124] 666
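Because nc gives no progress bar and no completion check, the only way to know the file arrived intact is to compare checksums on both ends. The following added example (Python, not code from the original post) reproduces the listener-to-file / sender-from-file pattern above over a loopback socket so it runs without netcat, and adds the sha256 comparison; the `max_bytes` knob and the sample file are constructed to show what a connection closed too early looks like on the receiving side:

```python
import hashlib
import os
import socket
import tempfile
import threading

# Added example (not from the original post): the `nc -l -p PORT > output.sh`
# / `nc HOST PORT < script.sh` pattern over a loopback socket, plus the
# checksum comparison nc itself never does. `max_bytes` is a constructed
# knob that closes the sending side early, the failure mode the text warns about.

CHUNK = 65536


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def start_receiver(out_path):
    """Receiver side (`nc -l ... > out_path`): accept one connection and write
    every byte to out_path until the sender closes. Returns (port, done_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    done = threading.Event()

    def run():
        conn, _ = srv.accept()
        with conn, open(out_path, "wb") as out:
            while True:
                data = conn.recv(CHUNK)
                if not data:        # EOF: the only "transfer complete" signal nc gives
                    break
                out.write(data)
        srv.close()
        done.set()

    threading.Thread(target=run, daemon=True).start()
    return port, done


def send_file(host, port, src_path, max_bytes=None):
    """Sender side (`nc HOST PORT < src_path`): stream the file, then close.
    If max_bytes is given, stop early to simulate an interrupted transfer."""
    sent = 0
    with socket.create_connection((host, port)) as s, open(src_path, "rb") as f:
        while True:
            data = f.read(CHUNK)
            if not data:
                break
            if max_bytes is not None:
                data = data[:max_bytes - sent]
            s.sendall(data)
            sent += len(data)
            if max_bytes is not None and sent >= max_bytes:
                break
    return sent


def transfer(src_path, out_path, max_bytes=None):
    """Run one transfer and verify it. Returns (checksums_match, bytes_written)."""
    port, done = start_receiver(out_path)
    send_file("127.0.0.1", port, src_path, max_bytes)
    done.wait(timeout=10)
    return sha256_file(src_path) == sha256_file(out_path), os.path.getsize(out_path)


def demo(size=300_000, cut_at=100_000):
    """Constructed sample file; one complete transfer and one cut short."""
    fd, src = tempfile.mkstemp(suffix=".sh")
    with os.fdopen(fd, "wb") as f:
        f.write((bytes(range(256)) * (size // 256 + 1))[:size])
    results = {}
    for name, limit in (("complete", None), ("truncated", cut_at)):
        out = src + "." + name
        results[name] = transfer(src, out, max_bytes=limit)
        os.remove(out)
    os.remove(src)
    return results


if __name__ == "__main__":
    for name, (ok, n) in demo().items():
        print(f"{name}: {n} bytes, checksum {'matches' if ok else 'MISMATCH'}")
```

With real nc the same check is `sha256sum script.sh` on the sender and `sha256sum output.sh` on the receiver after the listener exits; a truncated transfer produces a perfectly valid-looking file of the wrong size, which is exactly why the comparison matters.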
That’s all for this post. In the next one, I will write about the -e option in nc which enables remote administration features, known as bind shell and reverse shell.