Netcat is a powerful tool that everyone should learn to use. I’ve only been aware of this tool for about a month now, and already I’m finding way to use it (or situations where it could be useful) at work.
Netcat is able to connect (read/write)to any port using TCP or UDP protocols. One can send and receive files, scan ports and you can even redirect standard input/output/errors with netcat. It’s also possible to use netcat for port redirection.
Here are few simple examples of the netcat syntax. Let’s look at transferring a text file from a Windows machine to a Linux machine. Of course, we’ll assume the Windows system has a copy of netcat.
First the Linux machine, receiving the file, needs to setup a listener.
linux~#nc -lvp 4444 > output.txt
Any traffic directed to port 4444 will be directed into the output.txt file.
Second, the Windows system will open a connection and send the text file.
C:\>nc -nv -Linux IP here- 4444 <>
The contents of test.txt will be piped into port 4444, and sent to our listening Linux machine.
Now netcat doesn’t have any “progress bar” to show when the transfer is completed, so you need to guess and kill the connection manually using the CTRL-C key combination.
Banner grabbing with netcat is pretty simple. All one needs to do is connect to the specified IP address and port. Once connected, depending on the port one used, commands can be issued to gather more information. Of course, all services will give out banners, and systems administrators can always remove the banner. Let’s look at how one can retrieve an SMTP banner.
linux~#nc -nv -IP address- 25
Sometimes, but not always, the SMTP server will give out information such as:
One can also type in commands once connected to verify the existence of users.
Another fun thing one can do with netcat, is command redirection. Using the “-e” switch, you can redirect standard input, output and error to a specific port. So we can essentially send a command shell via netcat so let’s do this.
Imagine 2 users on a the same network, John and Cindy. John needs Cindy’s assistance on his computer and wishes to send her a command shell over the network to her computer.
So let’s start by starting netcat on a particular port, and bind redirect our command shell to it.
From John’s computer:
C:\>nc -lvn 4444 -e cmd.exe
This will basically redirect all input/output & errors from cmd.exe to port 4444.
From Cindy’s computer:
Now that John’s netcat is waiting for a connection, all that Cindy needs to do is connect to John’s computer on port 4444 and she should receive the command prompt.
linux~#nc -nv -John’s ip here- 4444
This is called a bind shell. Try it and see…