Simply Netcat

lilrofl
Siliconoclast
Posts: 1363
Joined: 28 Jan 2009, 17:00
Location: California, USA

Simply Netcat

Post by lilrofl »

I just read this seemingly awesome book on netcat, and noticed that it is rarely mentioned on Suck-O. While I'm not sure about posting a tutorial, I figured I would compile a list of some things I learned and present them in an, I feel, easy-to-read format for you.

Last read through... I feel like my eyes are bleeding!!!

What is Netcat?

Netcat is a small utility that reads and writes data over TCP and UDP connections. It is often referred to as 'the Swiss Army Knife of TCP/UDP.' Netcat's versatility allows it to function in many ways, and while it is not the 'best' tool for any one task, it is a must-have in any hacker's toolbox.

Software needed to perform the exercises I've presented:
Netcat (I used GNU netcat)
pv
dd
gzip
tar
ssh
vnc server


Netcat Syntax and Arguments: (straight from the manual using nc --help > file.txt)

connect to somewhere: nc [options] hostname port [port] ...
listen for inbound: nc -l -p port [options] [hostname] [port] ...
tunnel to somewhere: nc -L hostname:port -p port [options]

Mandatory arguments to long options are mandatory for short options too.
Options:
-c, --close close connection on EOF from stdin
-e, --exec=PROGRAM program to exec after connect
-g, --gateway=LIST source-routing hop point, up to 8
-G, --pointer=NUM source-routing pointer: 4, 8, 12, ...
-h, --help display this help and exit
-i, --interval=SECS delay interval for lines sent, ports scanned
-l, --listen listen mode, for inbound connects
-L, --tunnel=ADDRESS:PORT forward local port to remote address
-n, --dont-resolve numeric-only IP addresses, no DNS
-o, --output=FILE output hexdump traffic to FILE (implies -x)
-p, --local-port=NUM local port number
-r, --randomize randomize local and remote ports
-s, --source=ADDRESS local source address (ip or hostname)
-t, --tcp TCP mode (default)
-T, --telnet answer using TELNET negotiation
-u, --udp UDP mode
-v, --verbose verbose (use twice to be more verbose)
-V, --version output version information and exit
-x, --hexdump hexdump incoming and outgoing traffic
-w, --wait=SECS timeout for connects and final net reads
-z, --zero zero-I/O mode (used for scanning)

Remote port number can also be specified as range. Example: '1-1024'

Alibis:
I use the syntax XXX.XXX.XXX.XXX to refer to the machine you are connecting to.
I use [port] to refer to the port you are connecting to.

10 tasks using netcat:

Task 1
Create a client/server connection to chat from Box 1 to Box 2.
Box 1: nc -l -p [port]
Box 2: nc xxx.xxx.xxx.xxx [port]

In this case anything typed in either terminal is displayed on the other... not very exciting I know, but it is a step in the right direction to understanding the awesomeness that is netcat.

Try it out:
Open two terminals and open a server in one.
nc -l -p 1234

In the second open a client.
nc 127.0.0.1 1234

chat back and forth between the terminals by entering text and pressing enter.
ctrl+c to end the session in both boxes.


Task 2
Piping text into [filename.extension]
For this example we must be introduced to another feature of netcat: its ability to have data piped to and from it using | < << > and >>.

Box 1: nc -l -p [port] > [filename.extension]
Box 2:
Create a file.
cat > [filename.extension] << EOF
text line 1
text line 2
EOF

Send [filename.extension] to Box 1:
cat [filename.extension] | nc xxx.xxx.xxx.xxx [port]


Task 3
Sending a file from Box 2 to Box 1.
Box 1: nc -l -p [port] > [file.extension]
Box 2: cat [filename.extension] | nc xxx.xxx.xxx.xxx [port]

In this example Box 2 will connect and push the file to Box 1, the disadvantage being that there is no progress indicator built into netcat. This can be overcome by using a pipe monitor like pv and changing the syntax to:

Box 1: nc -l -p [port] | pv -b > [file.extension]
or the progress can be monitored on Box 2 with
Box 2: cat [file.extension] | pv -b | nc xxx.xxx.xxx.xxx [port]

Task 4
Port scanning (it's no NMAP, but it can get the job done)
Here we will use -v to output the data in txt and -z to transmit no data for TCP scans and very little for UDP scans making a quicker and quieter scan. You can opt to add a -w switch to leave a latency between ports.

to scan a port range without connection and see the output of the scan
nc -v -z xxx.xxx.xxx.xxx [port-port]


Task 5
Creating a partition backup and sending it remotely using gzip.

Box 1: dd if=/dev/[HD to image] | gzip -9 | nc -l -p [port]
Box 2: nc xxx.xxx.xxx.xxx [port] | pv -b > mypartition.img.gz

It's not pretty, but it works.


Task 6
Using tar to send critical files from Box 1 to Box 2:

Box 1: tar -czf - /[location of data] | nc -l -p [port]
Box 2: nc xxx.xxx.xxx.xxx [port] > [filename.tar.gz]

Notice we have replaced the name of the tar output with a -, this is because the data has to be piped through netcat. Don't forget you can pipe this through pv to monitor transfer progress like this:

Box 2: nc xxx.xxx.xxx.xxx [port] | pv -b > [filename.tar.gz]


Task 7
Using netcat with ssh

When transferring data across a local network it may be fine to leave it unencrypted, but maybe you want to transfer data over the internet. In this case ssh can be used to create a secure tunnel for your information to a vnc server running on your remote machine.

Box 1: ssh -f -N -L [local port]:127.0.0.1:[port] xxx.xxx.xxx.xxx
Box 1: nc 127.0.0.1 [local port] | pv -b > backup.iso
Box 2: cat [file] | nc -l -p [port]

Of note, you can add -c blowfish to your ssh to encrypt your data as well, or you can add "sleep 10;" after the vnc server to make the tunnel auto-close when not in use.

Task 8
Banner Grabbing

nc -v -n [webserver] [port]
or
nc -vv [webserver] [port]

Task 9
Telnet

While netcat can be used to make telnet connections, it can also be piped so that repetitive tasks can be automated, and ended abruptly with ctrl+c.

nc [address] 23 <<< "[telnet command]" > [filename]

if multiple commands are needed they can be written in a plain txt file and then called with netcat for execution.

nc [address] 23 < [commands.txt] > [filename]

Task 10
Running any process as a server.
Probably the most powerful function of netcat is to run processes as a server with the -e switch. An example of this would be to run bash remotely from Box 1 and connect to it using Box 2.

Box 1: nc -l -p [port] -e /bin/bash
Box 2: nc xxx.xxx.xxx.xxx [port]

Box 2 at this point can run bash from the cursor remotely.


Conclusion:

Netcat is a versatile and flexible program, worth experimenting with and using. These are not all its uses, just a selection of ones I thought would illustrate its power best, and that I've had a lot of fun with anyhow.

comments and criticisms welcome =)
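Added example (editor's code, not from lilrofl's post, the books he cites, or netcat itself): a pure-Python re-implementation of the primitives behind Tasks 3, 5 and 6 (a listen-mode sender that signals end of file only by closing, a client that reads until EOF) and Task 4 (the -z zero-I/O scan, which is just a TCP connect() with nothing sent). It also adds the step netcat never does for you: comparing the sender's SHA-256 with what arrived, since a raw nc transfer has no integrity check and no authentication. The sample payload is constructed, everything runs on 127.0.0.1, ports are assigned by the OS, and `unused_port` assumes nothing else grabs the released port in the meantime.

```python
import hashlib
import socket
import threading

# Constructed sample payload standing in for the partition image or tarball
# the post pipes through netcat; ~68 KiB so it spans several TCP segments.
SAMPLE_FILE = bytes(i % 256 for i in range(70000))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unused_port(host: str = "127.0.0.1") -> int:
    """Ask the OS for a free port and release it, so the scan below has a
    port known to be closed (assumption: nothing grabs it meanwhile)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def listen_and_send(payload: bytes, host: str = "127.0.0.1"):
    """Listen-mode sender, the equivalent of `cat FILE | nc -l -p PORT`.
    Serves exactly one client and then closes its write side: the receiver
    learns where the file ends only from that EOF, not from any framing.
    Returns (bound_port, thread); the port is chosen by the OS."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        try:
            conn.sendall(payload)
            conn.shutdown(socket.SHUT_WR)
        except OSError:
            pass  # peer (e.g. a -z scanner) hung up before reading
        finally:
            conn.close()
            srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t


def connect_and_receive(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Client-side receiver, the equivalent of `nc HOST PORT > FILE`:
    read until the peer closes the connection."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        while True:
            buf = s.recv(65536)
            if not buf:
                break
            chunks.append(buf)
    return b"".join(chunks)


def transfer_verified(payload: bytes, host: str = "127.0.0.1"):
    """Run the exchange and add the check netcat leaves to you: compare the
    sender's SHA-256 with what arrived. Returns (hashes_match, bytes_received)."""
    expected = sha256_hex(payload)
    port, t = listen_and_send(payload, host)
    received = connect_and_receive(host, port)
    t.join(5)
    return sha256_hex(received) == expected, len(received)


def zero_io_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """`nc -z` style scan: one TCP connect() per port and no data sent; a port
    counts as open when the handshake completes. Returns {port: is_open}."""
    result = {}
    for p in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, p))
                result[p] = True
            except OSError:  # refused, timed out, unreachable
                result[p] = False
    return result


if __name__ == "__main__":
    ok, n = transfer_verified(SAMPLE_FILE)
    print(f"transfer verified: {ok}, {n} bytes")
    open_port, _ = listen_and_send(b"banner\n")
    print(zero_io_scan("127.0.0.1", [open_port, unused_port()]))
```

In practice the same check is `sha256sum` on both boxes after a Task 5 or 6 transfer; a truncated stream (sender killed, tunnel dropped) produces a shorter file and a different hash, which netcat's silent EOF would otherwise hide.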

maboroshi
Dr. Mab
Posts: 1624
Joined: 28 Aug 2005, 16:00

Nice

Post by maboroshi »

Nice, I like it. Approved for Hacking tutorials.

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

*thumb*
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

moudy
Technology Enthusiast
Posts: 688
Joined: 10 Feb 2009, 17:00
Location: Beirut, Lebanon

Post by moudy »

Nice work lilrofl :wink:
Why don't you tell us the name of the book you mentioned in your post? It would be nice to get this book if I can find it.
mahmoud_shihab@hotmail.com

lilrofl
Siliconoclast
Posts: 1363
Joined: 28 Jan 2009, 17:00
Location: California, USA

Post by lilrofl »

moudy wrote:Why don't you tell us the name of the book you mentioned in your post, it would be nice to get this book if I can find it.
Good point. The majority of the information was found in "Netcat Power Tools"; the banner grabbing example was pulled from "Build Your Own Security Lab: A Field Guide to Network Testing", and the SSH tunnelling information was found in "SSH, the Secure Shell: The Definitive Guide". Using SSH with netcat wasn't covered, but setting up the tunnel with VNC was, including the sleep option to make it auto-close for added security... which I thought was cool.

I read a lot... if there's a call for it I would be happy to continue tutorializing my studies as they progress. Most of it is fairly basic, I just scratched the surface of netcat really, although again, as I learn more I'd be willing to share if there's an audience to justify the time =) writing it helps to solidify the data for me anyway, so it's really no trouble.

computathug
Administrator
Posts: 2693
Joined: 29 Mar 2007, 16:00
Location: UK

Post by computathug »

Nice tut buddy!

Thanks for sharing and caring lol :wink:
The devil can cite Scripture for his purpose.
-- William Shakespeare, "The Merchant of Venice"
https://tshirt-memes.com

maboroshi
Dr. Mab
Posts: 1624
Joined: 28 Aug 2005, 16:00

Post by maboroshi »

lilrofl wrote: if there's a call for it I would be happy to continue tutorializing my studies as they progress.

Yes for sure please do :-)

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

you have the right idea lilrofl - writing it out, sharing it, and explaining it to your peers is how you reinforce your study.


DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
