I just read this seemingly awesome book on netcat, and noticed that it is rarely mentioned on Suck-O. While I'm not sure about posting a tutorial, I figured I would compile a list of some things I learned and present it in what I feel is an easy-to-read format for you.
Last read through... I feel like my eyes are bleeding!!!
What is Netcat?
Netcat is a small utility that reads and writes data over TCP and UDP connections. It is often referred to as 'the Swiss Army Knife of TCP/UDP'. Netcat's versatility allows it to function in many ways, and while it is not the 'best' tool for any one task, it is a must-have in any hacker's toolbox.
Software needed to perform the exercises I've presented:
Netcat (I used GNU netcat)
pv
dd
gzip
tar
ssh
vnc server
Netcat Syntax and Arguments: (straight from the manual using nc --help > file.txt)
connect to somewhere: nc [options] hostname port [port] ...
listen for inbound: nc -l -p port [options] [hostname] [port] ...
tunnel to somewhere: nc -L hostname:port -p port [options]
Mandatory arguments to long options are mandatory for short options too.
Options:
-c, --close close connection on EOF from stdin
-e, --exec=PROGRAM program to exec after connect
-g, --gateway=LIST source-routing hop point, up to 8
-G, --pointer=NUM source-routing pointer: 4, 8, 12, ...
-h, --help display this help and exit
-i, --interval=SECS delay interval for lines sent, ports scanned
-l, --listen listen mode, for inbound connects
-L, --tunnel=ADDRESS:PORT forward local port to remote address
-n, --dont-resolve numeric-only IP addresses, no DNS
-o, --output=FILE output hexdump traffic to FILE (implies -x)
-p, --local-port=NUM local port number
-r, --randomize randomize local and remote ports
-s, --source=ADDRESS local source address (ip or hostname)
-t, --tcp TCP mode (default)
-T, --telnet answer using TELNET negotiation
-u, --udp UDP mode
-v, --verbose verbose (use twice to be more verbose)
-V, --version output version information and exit
-x, --hexdump hexdump incoming and outgoing traffic
-w, --wait=SECS timeout for connects and final net reads
-z, --zero zero-I/O mode (used for scanning)
Remote port number can also be specified as range. Example: '1-1024'
Conventions:
I use xxx.xxx.xxx.xxx to refer to the address of the machine you are connecting to.
I use [port] to refer to the port you are connecting to.
10 tasks using netcat:
Task 1
Create a client/server connection to chat from Box 1 to Box 2.
Box 1: nc -l -p [port]
Box 2: nc xxx.xxx.xxx.xxx [port]
Note that -p names the local port and belongs on the listening side; the client simply gives the remote address and port. In this case anything typed in either terminal is displayed on the other. Not very exciting, I know, but it is a step in the right direction to understanding the awesomeness that is netcat.
Try it out:
Open two terminals and open a server in one.
nc -l -p 1234
In the second open a client.
nc 127.0.0.1 1234
chat back and forth between the terminals by entering text and pressing enter.
Press ctrl+c in either terminal to end the session.
Task 2
Piping text into [filename.extension]
For this example we must be introduced to another feature of netcat: its ability to have data piped to and from it using |, <, <<, > and >>.
Box 1: nc -l -p [port] > [filename.extension]
Box 2:
Create a file (echo does not read its standard input, so feeding it a here-document does nothing; use cat):
cat > [filename.extension] << EOF
text line 1
text line 2
EOF
Send [filename.extension] to Box 1:
cat [filename.extension] | nc -c xxx.xxx.xxx.xxx [port]
The -c makes GNU netcat close the connection when it hits EOF on stdin, so both ends exit by themselves once the file has gone across; without it you have to ctrl+c the client (netcat-openbsd and the traditional netcat spell this -N or -q SECS instead).
Task 3
Sending a file from Box 2 to Box 1.
Box 1: nc -l -p [port] > [file.extension]
Box 2: cat [filename.extension] | nc -c xxx.xxx.xxx.xxx [port]
In this example Box 2 connects and pushes the file to Box 1. The disadvantage is that netcat has no built-in progress indicator, but a pipe monitor like pv can fill that gap on either end:
Box 1: nc -l -p [port] | pv -b > [file.extension]
or, monitoring on the sending side,
Box 2: cat [file.extension] | pv -b | nc -c xxx.xxx.xxx.xxx [port]
Netcat also has no integrity check of its own. A dropped connection just looks like a short file, so for anything that matters compare a checksum of the file on both boxes afterwards (sha256sum on each side, and make sure the two sums match).
Task 4
Port scanning (it's no NMAP, but it can get the job done)
Here -v gives verbose output so you see the result for each port, and -z puts netcat in zero-I/O mode: it connects and immediately closes without sending any data (and sends only a minimal packet for UDP), which makes the scan quicker. It is not stealthy, though: every open TCP port still sees a complete handshake, so the services behind them (and their logs) will notice you. -i adds a delay between ports if you want to spread the scan out, and -w sets how long netcat waits on each connection before giving up.
To scan a port range and see the result for each port:
nc -v -z xxx.xxx.xxx.xxx [port-port]
For example, nc -v -z xxx.xxx.xxx.xxx 1-1024 walks the privileged ports, and adding -w 1 stops the scan hanging on ports that a firewall silently drops.
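The nc -v -z scan above completes a TCP connect on each port and tells you what happened. The script below is an added example written for this page (not from the book and not part of netcat) that does the same thing at the socket level, so you can see what -z really does and run it without any nc binary installed: probe classifies a port as open, closed or filtered, scan accepts the 1-1024 range syntax and an -i style delay, and can also probe ports concurrently, which nc cannot. The demo_targets helper builds constructed targets on loopback so the script runs offline; all function names are my own.

```python
"""Zero-I/O TCP connect scan: the socket-level counterpart of
nc -v -z host 1-1024 (added example; function names are the author's own)."""
import socket
import time
from concurrent.futures import ThreadPoolExecutor


def parse_range(spec):
    """Accept netcat's port syntax: '22' or '1-1024'."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return list(range(int(lo), int(hi) + 1))
    return [int(spec)]


def probe(host, port, timeout=1.0):
    """What -z does for one port: complete the handshake, send nothing, close.

    'open'     - connect() succeeded, a service is listening
    'closed'   - the host answered with RST (connection refused)
    'filtered' - no answer before the timeout, or no route to the host;
                 typically a firewall dropping the SYN
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"
    finally:
        s.close()


def scan(host, ports, timeout=1.0, interval=0.0, workers=1):
    """Scan a list of ports and return {port: state}.

    interval mirrors nc -i (sleep between ports, sequential scan);
    workers > 1 probes ports concurrently instead, something nc cannot do.
    """
    ports = list(ports)
    if workers > 1 and interval == 0:
        with ThreadPoolExecutor(max_workers=workers) as pool:
            states = pool.map(lambda p: probe(host, p, timeout), ports)
            return dict(zip(ports, states))
    results = {}
    for port in ports:
        results[port] = probe(host, port, timeout)
        if interval:
            time.sleep(interval)
    return results


def demo_targets():
    """Constructed targets for an offline run: a loopback listener (open) and
    a port that was bound and released, so is almost certainly closed.
    Returns (listener, open_port, closed_port); keep listener alive while scanning."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    return listener, listener.getsockname()[1], closed_port


if __name__ == "__main__":
    listener, open_port, closed_port = demo_targets()
    # Report each port the way nc -v does, one line per port.
    for port, state in scan("127.0.0.1", [open_port, closed_port], workers=2).items():
        print(f"127.0.0.1 {port} {state}")
    listener.close()
```

The three-way split matters in practice: a refused connection tells you the host is up and nothing listens there, while a timeout tells you only that something in between dropped the packet, which is the case nc -w is there to stop you waiting on.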
Task 5
Creating a partition backup and sending it remotely using gzip.
Box 1: dd if=/dev/[partition to image] | gzip -9 | nc -c -l -p [port]
Box 2: nc xxx.xxx.xxx.xxx [port] | pv -b > mypartition.img.gz
Here the sending side is the listener: Box 1 waits for Box 2 to connect, then dd streams the raw partition through gzip and down the wire, and -c closes the connection once gzip finishes so Box 2's netcat exits on its own. Image the partition while it is unmounted (or mounted read-only), otherwise the copy can be inconsistent. It's not pretty, but it works.
Task 6
Using tar to send critical files from Box 1 to Box 2:
Box 1: tar -czf - /[location of data] | nc -c -l -p [port]
Box 2: nc xxx.xxx.xxx.xxx [port] > [filename.tar.gz]
Notice we have replaced the name of the tar output with a -, which makes tar write the archive to stdout so it can be piped through netcat; the z flag gzips it on the way, which is why the received file is named .tar.gz (leave z out and call it .tar if you don't want compression). Don't forget you can pipe this through pv to monitor transfer progress like this:
Box 2: nc xxx.xxx.xxx.xxx [port] | pv -b > [filename.tar.gz]
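Tasks 3, 5 and 6 all stream bytes through netcat with nothing to mark the end of the stream and nothing to prove the bytes arrived intact. The script below is an added example written for this page (not the book's code and not part of netcat) that shows both pieces at the socket level: the sender gzips on the fly and shuts down its write side, which is the job -c does for GNU netcat, the receiver gunzips on the fly, and both ends compute a sha256 of the uncompressed data so a short or corrupted copy is caught. transfer_local runs both ends over loopback on constructed sample data; the function names are my own.

```python
"""Stream data through gzip over TCP with a sha256 check on both ends:
the socket-level counterpart of  dd/tar | gzip | nc  and  nc | pv > file
(added example; function names are the author's own)."""
import hashlib
import io
import socket
import threading
import zlib

CHUNK = 64 * 1024
GZIP_WBITS = 31  # zlib's code for "gzip container", so the stream is .gz compatible


def send_stream(src, host, port):
    """Sender: read src, gzip on the fly, push it down the socket.
    Returns the sha256 of the uncompressed data.  shutdown(SHUT_WR) tells the
    peer the stream has ended, which is what GNU netcat's -c does on EOF."""
    digest = hashlib.sha256()
    comp = zlib.compressobj(9, zlib.DEFLATED, GZIP_WBITS)
    with socket.create_connection((host, port)) as s:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            digest.update(chunk)
            s.sendall(comp.compress(chunk))
        s.sendall(comp.flush())
        s.shutdown(socket.SHUT_WR)
    return digest.hexdigest()


def receive_stream(listener, dst):
    """Receiver: accept one connection, gunzip on the fly, write to dst.
    Returns (sha256 of the decompressed data, bytes seen on the wire);
    the wire count is the number pv -b would display."""
    digest = hashlib.sha256()
    decomp = zlib.decompressobj(GZIP_WBITS)
    wire = 0
    conn, _ = listener.accept()
    with conn:
        while True:
            data = conn.recv(CHUNK)
            if not data:  # peer shut down its write side: end of stream
                break
            wire += len(data)
            out = decomp.decompress(data)
            digest.update(out)
            dst.write(out)
        out = decomp.flush()
        digest.update(out)
        dst.write(out)
    return digest.hexdigest(), wire


def transfer_local(payload):
    """Run both ends over loopback on constructed data (demo only).
    Returns (digest_sent, digest_received, data_received, wire_bytes)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    sink = io.BytesIO()
    rx_result = {}

    def rx():
        rx_result["digest"], rx_result["wire"] = receive_stream(listener, sink)

    t = threading.Thread(target=rx)
    t.start()
    sent = send_stream(io.BytesIO(payload), "127.0.0.1", port)
    t.join()
    listener.close()
    return sent, rx_result["digest"], sink.getvalue(), rx_result["wire"]


if __name__ == "__main__":
    sample = b"constructed sample data for the transfer demo\n" * 20000
    sent, got, body, wire = transfer_local(sample)
    print(f"sent sha256     {sent}")
    print(f"received sha256 {got}")
    print(f"{len(sample)} bytes in, {wire} bytes on the wire, "
          f"match={sent == got and body == sample}")
```

With real netcat the equivalent of the final comparison is running sha256sum over the source on one box and over the received file on the other; the point of hashing the uncompressed bytes rather than the .gz is that a truncated gzip stream can still decompress cleanly up to the cut.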
Task 7
Using netcat with ssh
When transferring data across a local network it may be fine to leave it unencrypted, but netcat has no encryption of its own, so anything crossing the internet should be wrapped in ssh. ssh -L forwards a port on Box 1 through an encrypted tunnel to a port on the remote machine, and netcat then connects to the local end of the tunnel instead of to the remote host directly (the book's example forwarded a VNC server this way; here the far end is a netcat listener on Box 2, which must also be running sshd).
Box 2: cat [file] | nc -c -l -p [remote port]
Box 1: ssh -f -L [local port]:127.0.0.1:[remote port] [user]@xxx.xxx.xxx.xxx sleep 10
Box 1: nc 127.0.0.1 [local port] | pv -b > backup.iso
The 127.0.0.1 in -L is interpreted on Box 2, so the tunnel lands on Box 2's own listener. ssh -f goes to the background once the tunnel is up and runs sleep 10 on the remote side; ssh stays alive while a forwarded connection is in use and exits once the sleep is over and the transfer has closed, so the tunnel shuts itself down when not in use (start netcat within those 10 seconds). Of note, ssh already encrypts everything in the tunnel; -c only chooses the cipher, and the blowfish the book suggests is a legacy cipher that current OpenSSH no longer offers, so leave the default.
Task 8
Banner Grabbing
nc -v -n [webserver] [port]
or
nc -vv [webserver] [port]
-n skips DNS lookups and -vv reports the connection details; whatever the service says on connect (SSH, SMTP and FTP all announce themselves with a version string) is printed to your terminal. A web server says nothing until you ask, so type a request such as HEAD / HTTP/1.0 followed by an empty line (press enter twice) and the Server header comes back in the response. What you see is only what the service chooses to say, and banners are easily changed, so treat them as hints rather than proof of a version.
Task 9
Telnet
While netcat can be used to make telnet connections, it can also be fed input from a file or a here-string, so a repetitive task can be automated and its output captured, and the session can be ended abruptly with ctrl+c.
nc [address] 23 <<< "[telnet command]" > [filename]
If multiple commands are needed they can be written in a plain text file, one per line, and then fed to netcat for execution:
nc [address] 23 < [commands.txt] > [filename]
Two caveats: plain netcat does not answer the server's telnet option negotiation, so if the far end insists on it add -T (see the options above); and netcat fires the whole file at once, so if the device needs time between commands use -i SECS to pace the lines.
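Task 8 and Task 9 are the same trick from netcat's point of view: open a TCP connection, optionally send some bytes, and capture what comes back. The script below is an added example written for this page (not from either book and not part of netcat) that does this with a raw socket and handles the two cases a practitioner trips over: grab_banner reads first and only sends an HTTP HEAD request if the service did not speak on its own, and scripted_session sends a command list one line at a time with an -i style pause. The ssh_like, http_like and telnet_like servers are constructed test doubles so the whole thing runs offline on loopback; all names are my own.

```python
"""Banner grabbing and scripted sessions on a raw TCP socket: the counterpart
of  nc -v host port  and  nc host 23 < commands.txt > out
(added example; the fake servers are constructed test doubles)."""
import socket
import threading
import time


def read_until_quiet(sock, quiet=0.5, limit=1 << 16):
    """Collect bytes until the peer closes or has been silent for `quiet` s."""
    sock.settimeout(quiet)
    buf = b""
    while len(buf) < limit:
        try:
            data = sock.recv(4096)
        except socket.timeout:
            break
        if not data:  # peer closed the connection
            break
        buf += data
    return buf


def grab_banner(host, port, probe=b"HEAD / HTTP/1.0\r\n\r\n", quiet=0.5):
    """SSH, SMTP and FTP speak first; HTTP says nothing until asked.  Read
    first, and only if nothing arrived send the probe and read again."""
    with socket.create_connection((host, port), timeout=5) as s:
        banner = read_until_quiet(s, quiet)
        if not banner and probe:
            s.sendall(probe)
            banner = read_until_quiet(s, quiet)
    return banner.decode("latin-1", "replace")


def scripted_session(host, port, commands, interval=0.2, quiet=0.5):
    """Send commands one line at a time, pausing like nc -i SECS, and return
    everything the far end said (prompt or MOTD included)."""
    with socket.create_connection((host, port), timeout=5) as s:
        out = read_until_quiet(s, quiet)
        for line in commands:
            s.sendall(line.encode() + b"\r\n")
            time.sleep(interval)
            out += read_until_quiet(s, quiet)
        s.shutdown(socket.SHUT_WR)
    return out.decode("latin-1", "replace")


# --- constructed servers so the demo runs offline (not real services) ---

def fake_server(handler):
    """Serve one loopback connection with `handler` in a background thread;
    returns the port to connect to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def ssh_like(conn):
    """Speaks first, as sshd or an SMTP greeting does."""
    conn.sendall(b"SSH-2.0-demo_banner\r\n")


def http_like(conn):
    """Silent until it sees a request line; then answers with a Server header."""
    request = conn.recv(4096)
    if request.startswith(b"HEAD ") or request.startswith(b"GET "):
        conn.sendall(b"HTTP/1.0 200 OK\r\nServer: demo-httpd/1.0\r\n\r\n")


def telnet_like(conn):
    """Prints a prompt, then acknowledges each command line until EOF."""
    conn.sendall(b"login: ")
    with conn.makefile("rb") as lines:
        for line in lines:
            conn.sendall(b"ok: " + line.strip() + b"\r\n")


if __name__ == "__main__":
    print(grab_banner("127.0.0.1", fake_server(ssh_like)).strip())
    print(grab_banner("127.0.0.1", fake_server(http_like)).strip())
    print(scripted_session("127.0.0.1", fake_server(telnet_like), ["show version", "exit"]))
```

The quiet timeout is doing the job your eyes do at a netcat prompt: deciding that the server has finished talking. Tune it up for slow links and down for scripted runs against many hosts.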
Task 10
Running any process as a server.
Probably the most powerful function of netcat is to run a process as a server with the -e switch: whoever connects to the port gets their connection wired straight to that program's stdin and stdout. An example of this would be to run bash remotely on Box 1 and connect to it from Box 2.
Box 1: nc -l -p [port] -e /bin/bash
Box 2: nc xxx.xxx.xxx.xxx [port]
Box 2 now has a bash session on Box 1. There is no prompt, because bash is not attached to a terminal, but every line typed is executed on Box 1 as the user who started netcat. That is also why -e is known as a gaping security hole: anyone who can reach the port gets that shell with no authentication and no encryption, so use it only on a network you control, bind it to one interface with -s rather than all of them, and kill it as soon as you are done (some distributions compile -e out of netcat for exactly this reason).
Conclusion:
Netcat is a versatile and flexible program, worth experimenting with and using. These are not all its uses, just a selection of ones I thought would illustrate its power best, and that I've had a lot of fun with anyhow.
comments and criticisms welcome =)
Simply Netcat
moudy wrote: Why don't you tell us the name of the book you mentioned in your post? It would be nice to get this book if I can find it.
Good point. The majority of the information was found in "Netcat Power Tools"; the banner grabbing example was pulled from "Build Your Own Security Lab: A Field Guide to Network Testing", and the SSH tunnelling information was found in "SSH, the Secure Shell: The Definitive Guide". Using SSH with netcat wasn't covered, but setting up the tunnel with VNC was, including the sleep option to make it auto-close for added security... which I thought was cool.
I read a lot... if there's a call for it I would be happy to continue tutorializing my studies as they progress. Most of it is fairly basic, I just scratched the surface of netcat really, although again, as I learn more I'd be willing to share if there's an audience to justify the time =) writing it helps to solidify the data for me anyway, so it's really no trouble.