Saturday, April 14, 2012

Netcat

Netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can create almost any kind of connection you would need and has a number of built-in capabilities.
Netcat is often referred to as a "Swiss-army knife for TCP/IP." Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.

File Transfer
=========


Examples
Opening a raw connection to port 25 (like telnet)
nc mail.server.net 25

Setting up a one-shot webserver on port 8080 to present a file
{ echo -ne "HTTP/1.0 200 OK\r\n\r\n"; cat some.file; } | nc -l -p 8080
The file can then be accessed with a web browser at http://servername:8080/. Netcat only serves the file once, to the first client that connects, and then exits.

Checking if UDP ports (-u) 80-90 are open on 192.168.0.1 using zero mode I/O (-z)
nc -vzu 192.168.0.1 80-90
PS: UDP tests will always show as "open", because a UDP port that does not answer cannot be told apart from an open one. The -uz argument is useless.

Pipe via UDP (-u) with a wait time (-w) of 1 second to 'loggerhost' on port 514
echo '<0>message' | nc -w 1 -u loggerhost 514

Port scanning
An uncommon use of netcat is port scanning. Netcat is not considered the best tool for this job, but it can be sufficient (a more advanced tool is Nmap).
nc -v -n -z -w 1 192.168.1.2 1-1000
The "-n" parameter here prevents DNS lookups, "-z" makes nc not send or receive any data on the connection, and "-w 1" makes the connection time out after 1 second of inactivity.

Proxying
Another useful behavior is using netcat as a proxy. Both ports and hosts can be redirected. Look at this example:
nc -l 12345 | nc www.google.com 80
Port 12345 is where the request arrives. This starts an nc server on port 12345, and all connections get redirected to google.com:80. If a web browser makes a request to nc, the request will be sent to Google, but the response will not be sent back to the web browser. That is because pipes are unidirectional. This can be worked around with a named pipe that carries the output back to the input:

mkfifo backpipe
nc -l 12345  0<backpipe | nc www.google.com 80 1>backpipe
The "-c" option may also be used:
nc -l 12345 -c 'nc www.google.com 80'

Making any process a server
On a computer A with IP 192.168.1.2:
nc -l -p 1234 -e /bin/bash
The "-e" option spawns the executable with its input and output redirected through the network socket. Then connect to computer A from any other computer on the same network:
nc 192.168.1.2 1234
ls -las
total 4288
4 drwxr-xr-x 15 pkrumins users 4096 2009-02-17 07:47 .
4 drwxr-xr-x 4 pkrumins users 4096 2009-01-18 21:22 ..
8 -rw------- 1 pkrumins users 8192 2009-02-16 19:30 .bash_history
4 -rw-r--r-- 1 pkrumins users 220 2009-01-18 21:04 .bash_logout
...
The consequence is that nc is a popular cracker tool, since it is so easy to create a backdoor on any computer: on a Linux computer you may spawn /bin/bash, and on a Windows computer cmd.exe, to gain total control over it.
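As an added example (not from the original post), here is the defender's side of the "-e" pattern just shown: a small audit that reads a `ps -eo pid,user,args` listing and classifies every nc/netcat/ncat process as "exec" (a program bound to the socket via -e, -c, --exec or --sh-exec), "listen" (a bare listener) or "client". The `classify_nc` function and the `SAMPLE_PS` listing are my own constructed material, not the page's.

```shell
#!/bin/sh
# Audit a process listing for netcat invocations and classify each one.
# "exec"   = a program is bound to the socket (-e/-c/--exec/--sh-exec), the
#            backdoor pattern shown above
# "listen" = a plain listener (-l/--listen) with no program attached
# "client" = an outbound connection or a scan
# Input is `ps -eo pid,user,args` style text; SAMPLE_PS is constructed for
# a stand-alone run (on a live host pipe `ps -eo pid,user,args` instead).

SAMPLE_PS='  PID USER     COMMAND
  412 root     /usr/sbin/sshd -D
  930 pkrumins nc -l -p 1234 -e /bin/bash
  951 pkrumins nc -l 12345 -c nc www.google.com 80
 1002 www-data nginx: worker process
 1107 pkrumins ncat --listen 4444 --sh-exec /bin/sh
 1150 pkrumins nc -v -n -z -w 1 192.168.1.2 1-1000
 1180 pkrumins nc -l -p 8080
 1201 nobody   /usr/bin/netcat -lp 5555 -e cmd.exe'

# classify_nc: read ps output on stdin, print "PID CLASS USER COMMAND..." for
# every process whose binary is nc, netcat or ncat.
classify_nc() {
    awk '
    NR == 1 { next }                      # skip the ps header line
    {
        bin = $3; sub(/.*\//, "", bin)    # /usr/bin/netcat -> netcat
        if (bin !~ /^(nc|netcat|ncat)$/) next
        class = "client"
        for (i = 4; i <= NF; i++) {
            a = $i
            # -e, --exec, --sh-exec, or a short-option cluster containing e (-le)
            if (a ~ /^(-e|--exec|--sh-exec)$/ || a ~ /^-[a-zA-Z]*e[a-zA-Z]*$/) { class = "exec"; break }
            # -c runs a shell command in GNU/traditional netcat; in OpenBSD nc
            # the same letter selects TLS, so confirm against the local build
            if (a == "-c") { class = "exec"; break }
            if (a == "-l" || a == "--listen" || a ~ /^-[a-zA-Z]*l[a-zA-Z]*$/) class = "listen"
        }
        printf "%s %s %s", $1, class, $2
        for (j = 3; j <= NF; j++) printf " %s", $j
        printf "\n"
    }'
}

printf '%s\n' "$SAMPLE_PS" | classify_nc
```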

Port Forwarding or Port Mapping
On Linux, NetCat can be used for port forwarding. Below are nine different ways to do port forwarding in NetCat:
nc -l -p port1 -c ' nc -l -p port2'
nc -l -p port1 -c ' nc host2 port2'
nc -l -p port1 -c ' nc -u -l -p port2'
nc -l -p port1 -c ' nc -u host2 port2'
nc host1 port1 -c ' nc host2 port2'
nc host1 port1 -c ' nc -u -l -p port2'
nc host1 port1 -c ' nc -u host2 port2'
nc -u -l -p port1 -c ' nc -u -l -p port2'
nc -u -l -p port1 -c ' nc -u host2 port2'
