Netcat: Difference between revisions

netcat
Developer(s)	Hobbit
Stable release	1.10 / March 20, 1996
Operating system	UNIX
Type	Network utility
License	Permissive free software
Website	http://netcat.sourceforge.net/

Browse history interactively

← Previous edit Next edit →

Content deleted Content added

VisualWikitext

Inline

Revision as of 19:21, 5 November 2009

Netcat is a computer networking service for reading from and writing network connections using TCP or UDP. Netcat is designed to be a dependable “back-end” device that can be used candidly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation you would need and has a number of built-in capabilities.

In 2000 according to www.insecure.org Netcat was voted the second most functional network security tool. Also, in 2003 and 2006 it gained fourth place in the same category. Netcat is often referred to as a "Swiss-army knife for TCP/IP." Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.

According to http://nc110.sourceforge.net/, some of netcat's major features are:

Outbound or inbound connections, TCP or UDP, to or from any ports
Full DNS forward/reverse checking, with appropriate warnings
Ability to use any local source port
Ability to use any locally-configured network source address
Built-in port-scanning capabilities, with randomization
Built-in loose source-routing capability
Can read command line arguments from standard input
Slow-send mode, one line every N seconds
Hex dump of transmitted and received data
Optional ability to let another program service established connections
Optional telnet-options responder
Featured tunneling mode which allows also special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel.

Examples

Opening a raw connection to port 25 is (like telnet):

nc mail.server.net 25

Setting up a one-shot webserver on port 8080 to present a file

( echo "HTTP/1.0 200 Ok"; echo; cat some.file; ) | nc -q 1 -l -p 8080

The file can then be accessed via a webbrowser under http://servername:8080/. Netcat only serves the file once to the first client that connects and then exits.

Checking if UDP ports (-u) 80-90 are open on 192.168.0.1 using zero mode I/O (-z):

nc -vzu 192.168.0.1 80-90

Pipe via UDP (-u) with a wait time (-w) of 1 second to 'loggerhost' on port 514

echo '<0>message' | nc -w 1 -u loggerhost 514

Portscanning:

An uncommon use of netcat is port scanning. Netcat is not considered the best tool for this job, but it can be sufficient (a more advanced tool is Nmap)

nc -v -n -z -w 1 192.168.1.2 1-1000

The “-n” parameter here prevents DNS lookup, “-z” makes nc not to receive any data from the server, and “-w 1″ makes the connection timeout after 1 second of inactivity.

Proxying

Another useful behavior is using netcat as a proxy. Both ports and hosts can be redirected. Look at this example:

nc -l -p 12345 | nc www.google.com 80

Port 12345 represents the request

This starts a nc server on port 12345 and all the connections get redirected to google.com:80. If a web browser makes a request to nc, the request will be sent to google but the response will not be sent to the web browser. That is because pipes are unidirectional. This can be worked around with a named pipe to redirect the input and output.

mkfifo backpipe
nc -l -p 12345  0<backpipe | nc www.google.com 80 1>backpipe

Making any process a server:

On a computer A with IP 192.168.1.2:

nc -l -p 1234 -e /bin/bash

The “-e” option spawns the executable with its input and output redirected via network socket. It connects to computer A from any other computer on the same network:

nc 192.168.1.2 1234

ls -las

total 4288
4 drwxr-xr-x 15 pkrumins users 4096 2009-02-17 07:47 .
4 drwxr-xr-x 4 pkrumins users 4096 2009-01-18 21:22 ..
8 -rw------- 1 pkrumins users 8192 2009-02-16 19:30 .bash_history
4 -rw-r--r-- 1 pkrumins users 220 2009-01-18 21:04 .bash_logout
...

The consequences are that nc is a popular hacker tool as it is so easy to create a backdoor on any computer. On a Linux computer you may spawn /bin/bash and on a Windows computer cmd.exe to have total control over it.

Variants

The original version of netcat was a UNIX program. The last version (1.1) was released in March 1996 and is currently mirrored at http://nc110.sourceforge.net/.

There are several implementations on POSIX systems, including rewrites from scratch like GNU netcat or OpenBSD netcat (this last has also new features like IPv6 support). Mac OS X users can use the Netcat Darwin Port. There is also a Microsoft Windows version of netcat created by Chris Wysopal, and a Cygwin version is available.

Known ports for embedded systems includes versions for the Windows CE (named Netcat 4 wince) or for the iPhone. BusyBox includes by default a lightweight version of netcat.

Socat is a more complex cousin of netcat. It is larger and more flexible and has more options that must be configured for a given task.

Cryptcat is a version of netcat with integrated transport encryption capabilities.

On some systems, modified versions or similar netcat utilities go by the command name(s) nc, ncat, pnetcat, socat, sock, socket, sbd.

Middle 2009 the Nmap project announced another netcat incarnation called Ncat. It features new possibilities such as "Connection Brokering", TCP/UDP Redirection, SOCKS4 client and server support, ability to "Chain" Ncat processes, HTTP CONNECT proxying (and proxy chaining), SSL connect/listen support and IP address/connection filtering. Like Nmap, Ncat is cross-platform.

External links

OpenBSD nc(1) man page via OpenBSD
GNU netcat
Download Netcat for Windows | Jon Craton's blog about Netcat for Windows
Socat
Netcat for Windows CE (PocketPC, Windows Mobile)
Advanced Netcat Tutorial
Netcat - a couple of useful examples
Netcat useful examples
major features

References

[1] "Copyright file". Debian. Retrieved 2008-09-06.

[1]

@@ Line 61: / Line 61: @@
 ====Proxying====
-Another uncommon behavior is using netcat as a proxy. Both ports and hosts can be redirected. Look at this example:
+Another useful behavior is using netcat as a proxy. Both ports and hosts can be redirected. Look at this example:
  nc -l -p 12345 | nc www.google.com 80
@@ Line 67: / Line 67: @@
 Port 12345 represents the request
-This starts a nc server on port 12345 and all the connections get redirected to google.com:80. If it’s connected to that computer on port 12345 and a request is given, it will result that no data gets sent back. That’s correct, because it needs to be redirected by setting up a bidirectional pipe. In order to have bidirectional pipe an additional pipe needs to be added for data back and another port.
+This starts a nc server on port 12345 and all the connections get redirected to google.com:80. If a web browser makes a request to nc, the request will be sent to google but the response will not be sent to the web browser. That is  because [[Pipeline_(Unix)|pipes]] are unidirectional. This can be worked around with a [[named pipe]] to [[Redirection_(computing)|redirect]] the [[Standard_streams|input and output]].
+ mkfifo backpipe
- nc -l -p 12345 | nc www.google.com 80 | nc -l -p 12346
+ nc -l -p 12345  0<backpipe | nc www.google.com 80 1>backpipe
-Port 12346 represents the response
 ====Making any process a server:====

v t e Unix command-line interface programs and shell builtins
File system	cat chattr chmod chown chgrp cksum cmp cp dd du df file fuser ln ls mkdir mv pax pwd rm rmdir split tee touch type umask
Processes	at bg crontab fg kill nice ps time
User environment	env exit logname mesg talk tput uname who write
Text processing	awk basename comm csplit cut diff dirname ed ex fold head iconv join m4 more nl paste patch printf read sed sort strings tail tr troff uniq vi wc xargs
Shell builtins	alias cd echo test unset wait
Searching	find grep
Documentation	man
Software development	ar ctags lex make nm strip yacc
Miscellaneous	bc cal expr lp od sleep true and false
Categories Standard Unix programs Unix SUS2008 utilities List