What is Netcat? All NetCat Commands
By Chandan Singh
Netcat utility is often called “Swiss Army Knife”, in the good sense of the word. The
How to install NetCat?
If you have Debian or a system based on Debian, such as Ubuntu, do the following:
$ sudo aptitude install netcat
If you have Fedora or a Fedora based system such as CentOS, do:
$ sudo yum install netcat
If you have Slackware, FreeBSD, NetBSD, Solaris, or Mac, download the nc sources and do:
$ tar -zxf nc-version.tar.gz
$ cd nc-version
$ ./configure && sudo make install
Another way to do this on a Mac is if you have MacPorts:
$ sudo port install netcat
On Slackware, you can install it as a package from the package directory:
$ sudo installpkg nc-1.10-i386-1.tgz
If you have Windows, download from here.
How to use NetCat?
Let’s start with a few simple examples and then we will use them as basic ones.
If you remember, I said that netcat is a Swiss army knife. What would this knife be if it could not be used as an ordinary knife? This is why netcat can be used instead of the usual telnet:
$ nc www.google.com 80
In fact, it is more convenient than regular telnet, because you can terminate the connection at any time by pressing Ctrl + C and it processes binary data as normal (no escape sequences, nothing).
You can add the “-v” parameter to display the action results in more detail, and the (-vv) parameter to get statistics on how many bytes were transferred during the current connection session.
Netcat can be used as a server. If you run it as shown below, it will listen on port 12345 (on all interfaces):
$ nc -l -p 12345
Now if you connect to port 12345 of this host, everything you dial will be transferred to the remote side, which tells us that netcat can be used as a chat server. Run on one of the computers:
# On the computer A to IP 10.10.10.10
$ nc -l -p 12345
And connect to it from another:
# On The Computer B
$ nc 10.10.10.10 12345
Now both sides can talk!
This way of talking, when both parties can talk to each other makes it possible to use nc for I / O operations over the network! For example, you can send a whole directory from one computer to another by arranging the tar pipeline through nc on the first computer, and redirecting the output to another tar process on the second.
Suppose you want to send files from the directory / data of computer A with IP 192.168.1.10 to computer B (with any IP). It’s simple:
# On the computer A с IP 192.168.1.10
$ tar -cf - /data | nc -l -p 6666
# On the computer B
$ nc 192.168.1.10 6666 | tar -xf -
Do not forget to combine the pipeline with the Pipe Viewer , which was described in the previous article, to see the statistics of how fast the transfer takes place!
A single file can be sent easier:
# On the computer A с IP 192.168.1.10
$ cat file | nc -l -p 6666
# On the computer B
$ nc 192.168.1.10 6666 > file
You can even copy and restore the whole disk using nc:
# On the computer A with IP 192.168.1.10
$ cat /dev/hdb | nc -l -p 6666
# On the computer B
$ nc 192.168.1.10 6666 > /dev/hdb
Note: The “-l” option cannot be used with “-p” on Mac computers! The solution is simply to replace “-l -p 6666? on “-l 6666 ?. Like here:
# Now nc is listening on port 6666 for Mac computers
$ nc -l 6666
Exceptional use of netcat – port scan. Netcat is not the best tool for such work, but it copes with it (the best, of course, nmap):
$ nc -v -n -z -w 1 192.168.1.2 1-1000
(UNKNOWN) [192.168.1.2] 445 (microsoft-ds) open
(UNKNOWN) [192.168.1.2] 139 (netbios-ssn) open
(UNKNOWN) [192.168.1.2] 111 (sunrpc) open
(UNKNOWN) [192.168.1.2] 80 (www) open
(UNKNOWN) [192.168.1.2] 25 (smtp) : Connection timed out
(UNKNOWN) [192.168.1.2] 22 (ssh) open
The “-n” option prevents DNS lookups, “-z” does not wait for a server response, and “-w 1? sets the timeout for the connection to 1 second.
Another non-trivial use of netcat as a proxy. Both port and host can be redirected. Take a look at this example:
$ nc -l -p 12345 | nc www.google.com 80
This command starts nc on port 1234 and redirects all connections to google.com:80. If you now connect to this computer on port 12345 and make a request, you will find that you do not receive any data in response. This is correct because we have not established a bidirectional channel. If you add a second channel, you will receive your data on another port:
$ nc -l -p 12345 | nc www.google.com 80 | nc -l -p 12346
After sending a request to port 12345, receive your response data on port 12346.
Probably the most powerful feature of netcat is to run any process as a server:
$ nc -l -p 12345 -e /bin/bash
The “-e” option affects the execution of input and output redirected through a network socket. Now, if you connect to a host on port 12345, you can use bash:
$ nc localhost 12345
ls -las
total 4288
4 drwxr-xr-x 15 pkrumins users 4096 2009-02-17 07:47 .
4 drwxr-xr-x 4 pkrumins users 4096 2009-01-18 21:22 ..
8 -rw------- 1 pkrumins users 8192 2009-02-16 19:30 .bash_history
4 -rw-r--r-- 1 pkrumins users 220 2009-01-18 21:04 .bash_logout
...
The implications are that NetCat is a popular hacker tool and it can be used to make a backdoor very easily. On a Linux server, you can run /