In the second post of the tools series, I am going to cover netcat utility. It comes prepackaged on most of the linux distributions. The netcat utility is often referred to as a Swiss army knife of networking tools. It has a long list of features. Few of them are mentioned below.
- Outbound or inbound connections, TCP or UDP, to or from any ports
- Full DNS forward/reverse checking, with appropriate warnings
- Ability to use any local source port
- Built-in port-scanning capabilities
We will be learning netcat on a Ubuntu trusty 14.04 Vagrant virtual machine. You can create a new Vagrant virtual machine by first creating a new file Vagrantfile in a convenient directory.
Vagrant.configure("2") do |config|
config.vm.box = "ubuntu/trusty64"
config.vm.network "private_network", ip: "192.168.33.10"
end
You can create the virtual machine by running following command.
$ vagrant up
Once machine is created, you can ssh into it using the following command.
$ vagrant ssh
You don’t have to type
$.$signifies command prompt.
Once inside the Ubuntu box, your command-line prompt should look like following
vagrant@vagrant-ubuntu-trusty-64:~$
To check if netcat is present, you should type netcat and press enter. You should be greeted with following help output.
vagrant@vagrant-ubuntu-trusty-64:~$ netcat
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
[-P proxy_username] [-p source_port] [-q seconds] [-s source]
[-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
[-x proxy_address[:port]] [destination] [port]
One thing to notice in the above output is that the installed version of netcat on Ubuntu is netcat-openbsd. There are other variants of netcat as well but this post will focus on netcat-openbsd.
On most systems, we can use either
netcatorncinterchangeably. They are aliases for the same command.
Using netcat
As mentioned in introductory text, netcat has multiple features. We will cover how to use each of the above mentioned features one by one.
How to use netcat to initiate TCP or UDP connection to a remote host
The most basic use of netcat is to initiate a TCP or UDP connection to a host on the specified port.
To open a TCP connection to Google.com we can type following command.
vagrant@vagrant-ubuntu-trusty-64:~$ netcat -v google.com 80
The response returned by the above command is:
Connection to google.com 80 port [tcp/http] succeeded!
The -v option tells netcat to print verbose output. If you don’t pass -v option then you will not see any text in the console.
The above will open a connection to the destination host and wait for user to make TCP request. We will cover how to make TCP request in next section.
You can exit the netcat program by pressing the Ctrl+c
To just test a connection you can pass -z option as shown below.
vagrant@vagrant-ubuntu-trusty-64:~$ netcat -zv google.com 80 Connection to google.com 80 port [tcp/http] succeeded! vagrant@vagrant-ubuntu-trusty-64:~$
To test a UDP connection, you have to pass -u option as shown below.
vagrant@vagrant-ubuntu-trusty-64:~$ netcat -uzv iperf.it-north.net 5200 Connection to iperf.it-north.net 5200 port [udp/*] succeeded!
How to use netcat for port scanning
You can use netcat to scan open ports on a host. This is done by specifying a range of ports to scan as shown in the command below.
vagrant@vagrant-ubuntu-trusty-64:~$ netcat -zv scanme.nmap.org 1-25
netcat: connect to scanme.nmap.org port 1 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 1 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 2 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 2 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 3 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 3 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 4 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 4 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 5 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 5 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 6 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 6 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 7 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 7 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 8 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 8 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 9 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 9 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 10 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 10 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 11 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 11 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 12 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 12 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 13 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 13 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 14 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 14 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 15 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 15 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 16 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 16 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 17 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 17 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 18 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 18 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 19 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 19 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 20 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 20 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 21 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 21 (tcp) failed: Network is unreachable Connection to scanme.nmap.org 22 port [tcp/ssh] succeeded! netcat: connect to scanme.nmap.org port 23 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 23 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 24 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 24 (tcp) failed: Network is unreachable netcat: connect to scanme.nmap.org port 25 (tcp) failed: Connection refused netcat: connect to scanme.nmap.org port 25 (tcp) failed: Network is unreachable
As you can see from above output only port 22 is open.
If you try the above command with Google.com then it will hang. To overcome this, you should use -w option. The -w 1 makes the connection timeout after 1 second of inactivity.
$ netcat -zv -w1 google.com 1-25
How to make HTTP request using netcat
You can also make HTTP requests using netcat as shown below. The netcat opens a TCP connection and you can then make HTTP request by passing in messages expected format.
vagrant@vagrant-ubuntu-trusty-64:~$ printf "GET / HTTP/1.0\r\nHost: www.google.com\r\n\r\n" | netcat www.google.com 80
HTTP/1.0 200 OK Date: Tue, 11 Jun 2019 18:08:54 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2019-06-11-18; expires=Thu, 11-Jul-2019 18:08:54 GMT; path=/; domain=.google.com Set-Cookie: NID=185=G8x2dHhEdgcPm6GhKaSAvVLDDqt9rrBhmYbq9l-2bt-QG733DCmMPBjJ1OHfvRgB8GzmZXbJCZHlwK5UvFXj0MAN9E3i2SlH1aMznzJI8AF9gyLTjnuXWaiEr1lu2jI-1XgO3UWdnXdMXMq7YX3F1V7t7AdMXjCAYC93Hp9-QoQ; expires=Wed, 11-Dec-2019 18:08:54 GMT; path=/; domain=.google.com; HttpOnly Accept-Ranges: none Vary: Accept-Encoding ...
How to create a birectional channel with netcat
You can listen on a port for connections and send messages. To start netcat in server mode, you use -l option as shown below.
vagrant@vagrant-ubuntu-trusty-64:~$ netcat -l 8000
Now, you can open another shell and do vagrant ssh
Once inside vagrant you should be able to connect to server.
vagrant@vagrant-ubuntu-trusty-64:~$ netcat -v 127.0.0.1 8000
Now you will be able to send messages from both the server and client and other side will receive it.
Type a message and press ENTER. It will appear on both the local and remote screen. This works in the opposite direction as well.
You can press CTRL-D to close the TCP connection.
How to use netcat to banner grab
We can use Netcat to grab the banner of the web server that’s served up to new connections to identify what web-serving software the target is running.
This is done by first open a TCP connection to the remote host.
vagrant@vagrant-ubuntu-trusty-64:~$ netcat scanme.nmap.org 80
Once connected type HEAD / HTTP/1.1
The output of the above is shown below
HTTP/1.1 400 Bad Request Date: Tue, 11 Jun 2019 18:32:54 GMT Server: Apache/2.4.7 (Ubuntu) Content-Length: 306 Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1> <p>Your browser sent a request that this server could not understand.<br /> </p> <hr> <address>Apache/2.4.7 (Ubuntu) Server at scanme.nmap.org Port 80</address> </body></html>
This tells that the remote server is running on Apache 2.4.7.
How to copy files between two machines
On your machine where you want to copy the file start netcat server using the following command.
nc -l 8000 | tar vzxf -
From the machine where you want to copy files you can run following command
tar vzcf - <files_or_directories> | nc first_machine_host 8000
Shekhar Gulati 