NETCAT

Netcat (nc) is a utility that reads and writes data across network connections using TCP or UDP.

Netcat Fundamentals

nc [options] [host] [port]

By default, this will execute a port scan

nc -4 [options] [host] [port]

Use IPv4 addressing only

nc -6 [options] [host] [port]

Use IPv6 addressing only

nc -u [options] [host] [port]

UDP instead of TCP

nc -l [host] [port]

Listen for an incoming connection

nc -k -l [host] [port]

Continue listening after client has disconnected

nc -n [host] [port]

No DNS lookups

nc -p [source port] [host] [port]

Use specific source port

nc -s [source IP] [host] [port]

Use source IP

nc -w [timeout] [host] [port]

Apply a timeout of [timeout] seconds

nc -v [host] [port]

Verbose output

Port Scanning

nc -zv hostname.com 80

Scan a single TCP port

nc -zv hostname.com 80-84

Scan a range of ports

nc -zv hostname.com 80 84

Scan multiple ports

Client Examples

nc 192.168.0.1 5051 < filename.in

Transmit contents of file "filename.in"

nc 192.168.0.1 5051 > filename.out

Send incoming data to "filename.out"

Server Examples

netcat -l 5050

Listen for TCP connections on port 5050. Data received is written to STDOUT; data read from STDIN is transmitted to the client.

netcat -l 5051 > filename.out

Data received is directed to "filename.out"

( echo -ne "HTTP/1.1 200 OK\r\nContent-Length: $(wc -c <index.html)\r\n\r\n" ; cat index.html ) | nc -l 8080

Single use web server listening on port 8080

while : ; do ( echo -ne "HTTP/1.1 200 OK\r\nContent-Length: $(wc -c <index.html)\r\n\r\n" ; cat index.html; ) | nc -l -p 8080 ; done

Bash while loop restarts web server after each request
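The echo/cat pair above hard-codes one status line and one header. As an added example (not from the original page), the POSIX sh function below builds the complete response for any file, with CRLF line endings, a Content-Type chosen from the extension and a correctly sized 404 when the file is missing, and uses printf because "echo -ne" is not portable across shells. Pipe it into nc exactly as the one-shot server does: http_response index.html | nc -l 8080. The function and helper names are this example's own.

```shell
# Added example (not from the original page): build a complete HTTP/1.1
# response for a file, for use as:  http_response index.html | nc -l 8080
# printf replaces "echo -ne" because -e/-n handling differs between shells
# (dash's echo prints "-ne" literally and never interprets \r\n).

# content_type FILE: choose a Content-Type from the file extension.
content_type() {
    case "$1" in
        *.html|*.htm) printf 'text/html; charset=utf-8' ;;
        *.txt)        printf 'text/plain; charset=utf-8' ;;
        *.json)       printf 'application/json' ;;
        *)            printf 'application/octet-stream' ;;
    esac
}

# http_response FILE: write status line, headers and body to stdout.
# A missing or unreadable file yields a 404 whose Content-Length matches
# its body, so the client is never left waiting for bytes that never come.
http_response() {
    file=$1
    if [ -f "$file" ] && [ -r "$file" ]; then
        status='200 OK'
        ctype=$(content_type "$file")
        length=$(wc -c < "$file" | tr -d ' ')   # tr: BSD wc pads with spaces
    else
        status='404 Not Found'
        ctype='text/plain; charset=utf-8'
        length=13                                # bytes in "404 Not Found"
        file=''
    fi
    # Every header line ends in CRLF; a bare CRLF terminates the header block.
    printf 'HTTP/1.1 %s\r\n' "$status"
    printf 'Content-Type: %s\r\n' "$ctype"
    printf 'Content-Length: %s\r\n' "$length"
    printf 'Connection: close\r\n\r\n'
    if [ -n "$file" ]; then cat "$file"; else printf '404 Not Found'; fi
}
```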

Simple Proxy

mknod backpipe p ; nc -l [proxy port] < backpipe | nc [destination host] [destination port] > backpipe

Create a named pipe. Set up a listener on the proxy port. Forward requests from the listener to a client nc, which in turn sends them on to the destination host. The client redirects the response from the destination host into the named pipe. The listener reads the response from the named pipe and returns it to the caller. The named pipe thus lets the proxy carry data in both directions.

More Examples

Netcat Telnet

$ nc -v google.com 80

Connection to google.com 80 port [tcp/http] succeeded!

GET index.html HTTP/1.1

HTTP/1.1 302 Found

Location: http://www.google.com/

Cache-Control: private

Content-Type: text/html; charset=UTF-8

X-Content-Type-Options: nosniff

Date: Sat, 18 Aug 2012 06:03:04 GMT

Server: sffe

Content-Length: 219

X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">

<TITLE>302 Moved</TITLE></HEAD><BODY>

<H1>302 Moved</H1>

The document has moved

<A HREF="http://www.google.com/">here</A>.

</BODY></HTML>

Netcat Simple Socket Servers

$ nc -l -v 1234

$ telnet localhost 1234

Trying 127.0.0.1…

Connected to localhost.

Escape character is '^]'.

abc

ting tong

After connecting we send some test messages, such as abc and ting tong, to the netcat socket server. The netcat socket server will echo the data received from the telnet client.

$ nc -l -v 5555

Connection from 127.0.0.1 port 5555 [tcp/rplay] accepted

abc

ting tong

Complete ECHO Server

$ ncat -v -l -p 5555 -c 'while true; do read i && echo [echo] $i; done'

$ nc -l -v 1234 > data.txt

UDP Server

$ nc -v -ul 7000

Connect to this server using netcat from another terminal

$ nc localhost -u 7000

$ netstat | grep 7000

udp     0    0 localhost:42634      localhost:7000        ESTABLISHED

Netcat File transfer

On machine A – Send File

$ cat happy.txt | ncat -v -l -p 5555

Ncat: Version 5.21 ( http://nmap.org/ncat )

Ncat: Listening on 0.0.0.0:5555

On machine B – Receive File

$ ncat localhost 5555 > happy_copy.txt

Netcat Port Scanning

$ nc -v -n -z -w 1 192.168.1.2 75-85

nc: connect to 192.168.1.2 port 75 (tcp) failed: Connection refused

nc: connect to 192.168.1.2 port 76 (tcp) failed: Connection refused

nc: connect to 192.168.1.2 port 77 (tcp) failed: Connection refused

nc: connect to 192.168.1.2 port 78 (tcp) failed: Connection refused

nc: connect to 192.168.1.2 port 79 (tcp) failed: Connection refused

Connection to 192.168.1.2 80 port [tcp/*] succeeded!

nc: connect to 192.168.1.2 port 81 (tcp) failed: Connection refused

nc: connect to 192.168.1.2 port 82 (tcp) failed: Connection refused

nc: connect to 192.168.1.2 port 83 (tcp) failed: Connection refused

nc: connect to 192.168.1.2 port 84 (tcp) failed: Connection refused

nc: connect to 192.168.1.2 port 85 (tcp) failed: Connection refused

Netcat Linux Remote Shell/Backdoor

$ ncat -v -l -p 7777 -e /bin/bash

Connect to this bash shell using nc from another terminal

$ nc localhost 7777

Netcat Windows Remote Shell/Backdoor

C:\tools\nc>nc -v -l -n -p 8888 -e cmd.exe

listening on [any] 8888 …

connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 1182
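A defender's counterpart to the two listener commands above (an added example, not from the original page): a POSIX sh/awk filter that reads ps-style output and prints the PID of every nc, ncat or netcat process that is both listening (-l) and executing a program on connect (-e/--exec or -c/--sh-exec), the combination that turns the commands above into a bind shell. The ps lines are constructed sample input; in practice feed it the output of ps -eo pid,tty,stat,time,args. The function name is this example's own.

```shell
# Added example (not from the original page): flag netcat bind shells in a
# process listing. Input is ps-style text on stdin; output is the PID of
# every nc/ncat/netcat process that is listening (-l/--listen) AND runs a
# program on connect (-e/--exec, -c/--sh-exec). Matching is on the visible
# command line only: a renamed binary or a shell started by other means is
# not caught, so treat this as one signal among several.
flag_nc_shells() {
    awk '
    {
        # find the command word: nc, ncat or netcat, with or without a path
        cmd = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /(^|\/)(nc|ncat|netcat)$/) { cmd = i; break }
        if (!cmd) next
        listen = 0; runs = 0
        for (i = cmd + 1; i <= NF; i++) {
            # short options may be bundled, e.g. -lvp or -nlvp
            if ($i ~ /^-[a-zA-Z]*l/ || $i == "--listen") listen = 1
            if ($i ~ /^-[a-zA-Z]*[ec]/ || $i == "--exec" || $i == "--sh-exec") runs = 1
        }
        if (listen && runs) print $1
    }'
}

# Constructed sample of "ps -eo pid,tty,stat,time,args" output (not a real
# host): two bind-shell listeners mixed with ordinary nc usage.
ps_sample='  PID TT       STAT     TIME COMMAND
  842 ?        Ss   00:00:00 /usr/sbin/sshd -D
 1337 pts/1    S+   00:00:00 ncat -v -l -p 7777 -e /bin/bash
 1402 pts/2    S+   00:00:00 nc -l 2389
 1510 pts/2    S+   00:00:00 /usr/bin/nc -lvp 5555 -c /bin/sh
 1611 pts/3    S+   00:00:00 nc -v google.com 80'

# Example run: prints 1337 and 1510, one per line
printf '%s\n' "$ps_sample" | flag_nc_shells
```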

Netcat Cloning Hard Drives & Partition

$ nc -l -p 1234 | dd of=/dev/sda

Netcat as a Webserver

$ while true; do nc -l -p 80 -q 1 < somepage.html; done

NETCAT Spoofing HTTP Headers

You can use netcat to request web pages:

nc ispconfig.org 80

You can then type in headers as follows:

GET / HTTP/1.1

Host: ispconfig.org

Referer: mypage.com

User-Agent: my-browser

server2:~# nc example.com 80

GET / HTTP/1.1

Host: example.com

Referer: mypage.com

User-Agent: my-browser

HTTP/1.1 200 OK

Date: Fri, 28 Nov 2008 14:11:49 GMT

Server: Apache/2.2.3 (Debian) mod_ssl/2.2.3 OpenSSL/0.9.8c

Last-Modified: Wed, 26 Nov 2008 19:34:17 GMT

ETag: "228c707-21b1-b6b7e040"

Accept-Ranges: bytes

Content-Length: 8625

Content-Type: text/html

[…]

Netcat Timeouts

Server :

nc -l 2389

Client :

$ nc -w 10 localhost 2389

Netcat IPV6 Connectivity

Server :

$ nc -4 -l 2389

Client :

$ nc -4 localhost 2389

Now, if we run the netstat command, we see :

$ netstat | grep 2389

tcp      0   0 localhost:2389       localhost:50851       ESTABLISHED

tcp      0   0 localhost:50851      localhost:2389        ESTABLISHED

Now, if we force nc to use IPv6 addresses:

Server :

$ nc -6 -l 2389

Client :

$ nc -6 localhost 2389

Now, if we run the netstat command, we see :

$ netstat | grep 2389

tcp6     0   0 localhost:2389        localhost:33234      ESTABLISHED

tcp6     0   0 localhost:33234       localhost:2389       ESTABLISHED

Force Netcat Server to Stay Up

By default the server exits once the connected client disconnects. This behaviour can be changed with the -k flag on the server side, which forces the server to stay up and accept further connections after a client has disconnected.

$ nc -k -l 2389

Configure Netcat Client to Stay Up after EOF

$ nc -q 5 localhost 2389