Tools Software Engineers Should Know: 6 Things You Can Do with NetCat


In the second post of the tools series, I am going to cover netcat utility. It comes prepackaged on most of the linux distributions. The netcat utility is often referred to as a Swiss army knife of networking tools. It has a long list of features. Few of them are mentioned below.

  1. Outbound or inbound connections, TCP or UDP, to or from any ports
  2. Full DNS forward/reverse checking, with appropriate warnings
  3. Ability to use any local source port
  4. Built-in port-scanning capabilities

We will be learning netcat on a Ubuntu trusty 14.04 Vagrant virtual machine. You can create a new Vagrant virtual machine by first creating a new file Vagrantfile in a convenient directory.

Vagrant.configure("2") do |config|
  config.vm.box = "ubuntu/trusty64"
  config.vm.network "private_network", ip: "192.168.33.10"
end

You can create the virtual machine by running following command.

$ vagrant up

Once machine is created, you can ssh into it using the following command.

$ vagrant ssh

You don’t have to type $. $ signifies command prompt.

Once inside the Ubuntu box, your command-line prompt should look like following

vagrant@vagrant-ubuntu-trusty-64:~$

To check if netcat is present, you should type netcat and press enter. You should be greeted with following help output.

vagrant@vagrant-ubuntu-trusty-64:~$ netcat
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
      [-P proxy_username] [-p source_port] [-q seconds] [-s source]
      [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
      [-x proxy_address[:port]] [destination] [port]

One thing to notice in the above output is that the installed version of netcat on Ubuntu is netcat-openbsd. There are other variants of netcat as well but this post will focus on netcat-openbsd.

On most systems, we can use either netcat or nc interchangeably. They are aliases for the same command.

Using netcat

As mentioned in introductory text, netcat has multiple features. We will cover how to use each of the above mentioned features one by one.

How to use netcat to initiate TCP or UDP connection to a remote host

The most basic use of netcat is to initiate a TCP or UDP connection to a host on the specified port.

To open a TCP connection to Google.com we can type following command.

vagrant@vagrant-ubuntu-trusty-64:~$ netcat -v google.com 80

The response returned by the above command is:

Connection to google.com 80 port [tcp/http] succeeded!

The -v option tells netcat to print verbose output. If you don’t pass -v option then you will not see any text in the console.

The above will open a connection to the destination host and wait for user to make TCP request. We will cover how to make TCP request in next section.

You can exit the netcat program by pressing the Ctrl+c

To just test a connection you can pass -z option as shown below.

vagrant@vagrant-ubuntu-trusty-64:~$ netcat -zv google.com 80
Connection to google.com 80 port [tcp/http] succeeded!
vagrant@vagrant-ubuntu-trusty-64:~$

To test a UDP connection, you have to pass -u option as shown below.

vagrant@vagrant-ubuntu-trusty-64:~$ netcat -uzv iperf.it-north.net 5200
Connection to iperf.it-north.net 5200 port [udp/*] succeeded!

How to use netcat for port scanning

You can use netcat to scan open ports on a host. This is done by specifying a range of ports to scan as shown in the command below.

vagrant@vagrant-ubuntu-trusty-64:~$ netcat -zv scanme.nmap.org 1-25
netcat: connect to scanme.nmap.org port 1 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 1 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 2 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 2 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 3 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 3 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 4 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 4 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 5 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 5 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 6 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 6 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 7 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 7 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 8 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 8 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 9 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 9 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 10 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 10 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 11 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 11 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 12 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 12 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 13 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 13 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 14 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 14 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 15 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 15 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 16 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 16 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 17 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 17 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 18 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 18 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 19 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 19 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 20 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 20 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 21 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 21 (tcp) failed: Network is unreachable
Connection to scanme.nmap.org 22 port [tcp/ssh] succeeded!
netcat: connect to scanme.nmap.org port 23 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 23 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 24 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 24 (tcp) failed: Network is unreachable
netcat: connect to scanme.nmap.org port 25 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 25 (tcp) failed: Network is unreachable

As you can see from above output only port 22 is open.

If you try the above command with Google.com then it will hang. To overcome this, you should use -w option. The -w 1 makes the connection timeout after 1 second of inactivity.

$ netcat -zv -w1 google.com 1-25

How to make HTTP request using netcat

You can also make HTTP requests using netcat as shown below. The netcat opens a TCP connection and you can then make HTTP request by passing in messages expected format.

vagrant@vagrant-ubuntu-trusty-64:~$ printf "GET / HTTP/1.0\r\nHost: www.google.com\r\n\r\n" | netcat www.google.com 80
HTTP/1.0 200 OK
Date: Tue, 11 Jun 2019 18:08:54 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2019-06-11-18; expires=Thu, 11-Jul-2019 18:08:54 GMT; path=/; domain=.google.com
Set-Cookie: NID=185=G8x2dHhEdgcPm6GhKaSAvVLDDqt9rrBhmYbq9l-2bt-QG733DCmMPBjJ1OHfvRgB8GzmZXbJCZHlwK5UvFXj0MAN9E3i2SlH1aMznzJI8AF9gyLTjnuXWaiEr1lu2jI-1XgO3UWdnXdMXMq7YX3F1V7t7AdMXjCAYC93Hp9-QoQ; expires=Wed, 11-Dec-2019 18:08:54 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding

...

How to create a birectional channel with netcat

You can listen on a port for connections and send messages. To start netcat in server mode, you use -l option as shown below.

vagrant@vagrant-ubuntu-trusty-64:~$ netcat -l 8000

Now, you can open another shell and do vagrant ssh

Once inside vagrant you should be able to connect to server.

vagrant@vagrant-ubuntu-trusty-64:~$ netcat -v 127.0.0.1 8000

Now you will be able to send messages from both the server and client and other side will receive it.

Type a message and press ENTER. It will appear on both the local and remote screen. This works in the opposite direction as well.

You can press CTRL-D to close the TCP connection.

How to use netcat to banner grab

We can use Netcat to grab the banner of the web server that’s served up to new connections to identify what web-serving software the target is running.

This is done by first open a TCP connection to the remote host.

vagrant@vagrant-ubuntu-trusty-64:~$ netcat scanme.nmap.org 80

Once connected type HEAD / HTTP/1.1

The output of the above is shown below

HTTP/1.1 400 Bad Request
Date: Tue, 11 Jun 2019 18:32:54 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 306
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at scanme.nmap.org Port 80</address>
</body></html>

This tells that the remote server is running on Apache 2.4.7.

How to copy files between two machines

On your machine where you want to copy the file start netcat server using the following command.

nc -l 8000 | tar vzxf -

From the machine where you want to copy files you can run following command

tar vzcf - <files_or_directories> | nc first_machine_host 8000 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s