Netcat
Netcat is a computer networking service for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation its user could need and has a number of built-in capabilities.
Netcat is often referred to as a "Swiss-army knife for TCP/IP". Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.
Examples
- Opening a raw connection to port 25 (like SMTP)
nc mail.server.net 25
- Setting up a one-shot webserver on port 8080 to present the content of a file
{ echo -ne "HTTP/1.0 200 OK\r\nContent-Length: $(wc -c <some.file)\r\n\r\n"; cat some.file; } | nc -l 8080
The file can then be accessed via a webbrowser under http://servername:8080/. Netcat only serves the file once to the first client that connects and then exits, it also provides the content length for browsers that expect it. (This should work fine in a LAN, but probably may fail with any kind of firewall between.). Checking if UDP ports (-u) 80-90 are open on 192.168.0.1 using zero mode I/O (-z)
nc -vzu 192.168.0.1 80-90
Note that UDP tests will always show as "open". The -uz argument is useless. Test if UDP port is open: simple UDP server and client
This test is useful, if you have shell access to the server that should be tested, but you do not know whether there is a firewall blocking a specific UDP port on the server.
On the listening host, i.e. on the server whose port needs to be checked, do the following:
nc -ul 7000
On the sending host, do the following – note that servname is the hostname of the listening host:
nc -u servname 7000
If text typed on the sending host (type something and hit enter) is displayed also on the listening host, then the UDP port 7000 is open. If it is not open, you will get an error such as "Connection refused".
There is a caveat. On some machines, IPv6 may be the default IP version to use by netcat. Thus, the host specified by the hostname is contacted using IPv6, and the user might not know about this. Ports may appear closed in the test, even though they would be open when using IPv4. This can be difficult to notice and may cause the false impression that the port is blocked, while it is actually open. You can force the use of IPv4 by using adding -4 to the options of the nc commands. Pipe via UDP (-u) with a wait time (-w) of 1 second to 'loggerhost' on port 514
echo '<0>message' | nc -w 1 -u loggerhost 514
Port scanning
An uncommon use of netcat is port scanning. Netcat is not considered the best tool for this job, but it can be sufficient (a more advanced tool is nmap)
nc -v -n -z -w 1 192.168.1.2 1-1000
The "-n" parameter here prevents DNS lookup, "-z" makes nc not receive any data from the server, and "-w 1" makes the connection timeout after 1 second of inactivity. Proxying
Another useful behaviour is using netcat as a proxy. Both ports and hosts can be redirected. Look at this example:
nc -l 12345 | nc www.google.com 80
Port 12345 represents the request
This starts a nc server on port 12345 and all the connections get redirected to google.com:80. If a web browser makes a request to nc, the request will be sent to google but the response will not be sent to the web browser. That is because pipes are unidirectional. This can be worked around with a named pipe to redirect the input and output.
mkfifo backpipe nc -l 12345 0<backpipe | nc www.google.com 80 1>backpipe
The "-c" option may also be used with the 'ncat' implementation:[3]
ncat -l 12345 -c 'nc www.google.com 80'
Using a named pipe is a more reliable method because using "-c" option provides only a one-shot proxy.
Another useful feature is to proxy SSL connections. This way, the traffic can not be viewed in wire sniffing applications such as wireshark. This can be accomplished on UNIXes by utilizing mkfifo, netcat, and openssl.
mkfifo tmp mkfifo tmp2 nc -l 8080 -k > tmp < tmp2 & while [ 1 ] do openssl s_client -connect www.google.com:443 -quiet < tmp > tmp2 done
- Making any process a server
netcat can be used to make any process a network server. It can listen on a port and pipe the input it receives to that process. The -e option spawns the executable with its input and output redirected via network socket.
For example, it is possible to expose a bourne shell process to remote computers. To do so, on a computer A with IP 192.168.1.2, run this command:
nc -l -p 1234 -e /bin/sh
Then, from any other computer on the same network, one could run this nc command:
nc 192.168.1.2 1234 ls -las
And the output one would see might be like this:
total 4288 4 drwxr-xr-x 15 imsovain users 4096 2009-02-17 07:47 . 4 drwxr-xr-x 4 imsovain users 4096 2009-01-18 21:22 .. 8 -rw------- 1 imsovain users 8192 2009-02-16 19:30 .bash_history 4 -rw-r--r-- 1 imsovain users 220 2009-01-18 21:04 .bash_logout ...
In this way, the -e option can be used to create a rudimentary backdoor. Some administrators perceive this as a risk, and thus do not allow netcat on a computer. Port Forwarding or Port Mapping
On Linux, NetCat can be used for port forwarding. Below are nine different ways to do port forwarding in NetCat (-c switch not supported though - these work with the 'ncat' incarnation of netcat):
nc -l -p port1 -c ' nc -l -p port2' nc -l -p port1 -c ' nc host2 port2' nc -l -p port1 -c ' nc -u -l -p port2' nc -l -p port1 -c ' nc -u host2 port2' nc host1 port1 -c ' nc host2 port2' nc host1 port1 -c ' nc -u -l -p port2' nc host1 port1 -c ' nc -u host2 port2' nc -u -l -p port1 -c ' nc -u -l -p port2' nc -u -l -p port1 -c ' nc -u host2 port2'
