Netcat has been called the TCP/IP Swiss Army knife, and rightfully so. It can act as a server by listening for a connection, as a client connecting to open ports, as a port scanner, as a tool for fingerprinting a listening service, and much more. In this article I will touch on a handful of these abilities.
So let's first assume that you have a Windows machine with nc.exe already on it (which can be achieved by exploiting your target) and an updated BackTrack instance. We can set the Windows machine to listen for a connection on port 1337.
In this example we used the -l, -v, and -p switches to run Netcat in listen mode on port 1337: -l (lowercase L) tells Netcat to listen for a connection, -v tells Netcat to be verbose with its output, and -p gives Netcat the port on which to listen for a connection request.
To connect to the Windows Netcat listener from BackTrack we use the -v and -n switches along with the IP address and port we want to connect to.
Just like above, -v tells Netcat to be verbose and -n tells Netcat not to do a DNS lookup on the IP address. Now, whatever we type in the client on BackTrack…
…will be echoed to the Netcat session on the Windows machine.
There are many nefarious things you can do with this connection if it is set up correctly on both ends. This site has a few walk-throughs that outline how to eavesdrop on a compromised box. Be forewarned that anyone can connect to the boxes you compromise with Netcat, as there isn't an authentication mechanism.
Netcat can also act as a port scanner. It is no replacement for Nmap, but it does the job if you are not worried about being discreet. Netcat completes the full TCP three-way handshake (it sends the final ACK) on every port it scans, so each hit shows up on the target as an established connection. Nmap's default SYN scan instead sends a RST after receiving the SYN-ACK, so the connection is never fully established, which on most systems does not get logged.
Here we use the -z, -n, and -v flags to tell Netcat to scan our IP (this can be a CIDR range as well) for TCP ports in the range 21 through 1000. -z puts Netcat into zero-I/O mode, which is used for scanning; -n and -v are the same as above. To do a UDP scan we add the -u flag.
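Because a Netcat scan completes the handshake, every probed port leaves an accepted connection that the target can log, which is exactly what makes it easy to spot. The script below is an added example and is not part of the original post: it reads a constructed connection log (one line per completed TCP handshake, in a made-up `time src dst dport` format) and reports any source that connected to many distinct ports, the pattern a `nc -z` sweep over a port range produces. The log lines, the format, the `scan_sources` name and the threshold are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed sample connection log (not from the original post).
# Format: <time> <src-ip> <dst-ip> <dst-port>, one line per completed
# TCP handshake, i.e. what a full-connect scan leaves behind.
CONN_LOG='2024-05-01T10:00:01 10.0.0.5 192.168.1.10 21
2024-05-01T10:00:01 10.0.0.5 192.168.1.10 22
2024-05-01T10:00:01 10.0.0.5 192.168.1.10 23
2024-05-01T10:00:02 10.0.0.5 192.168.1.10 25
2024-05-01T10:00:02 10.0.0.5 192.168.1.10 80
2024-05-01T10:00:02 10.0.0.5 192.168.1.10 110
2024-05-01T10:00:03 10.0.0.5 192.168.1.10 443
2024-05-01T10:00:05 10.0.0.9 192.168.1.10 80
2024-05-01T10:00:06 10.0.0.9 192.168.1.10 80
2024-05-01T10:00:07 10.0.0.9 192.168.1.10 443
2024-05-01T10:00:08 10.0.0.7 192.168.1.10 22'

# scan_sources [THRESHOLD]: read the log on stdin and print
# "<src> <distinct-port-count>" for every source that completed
# connections to at least THRESHOLD distinct destination ports
# (default 5). Repeated hits on the same port count once, so a
# busy client talking to one service is not flagged.
scan_sources() {
    threshold="${1:-5}"
    awk -v t="$threshold" '
        NF == 4 {
            key = $2 SUBSEP $4            # (source, port) pair
            if (!(key in seen)) { seen[key] = 1; ports[$2]++ }
        }
        END { for (s in ports) if (ports[s] >= t) print s, ports[s] }
    ' | sort
}

# Demonstration run: only 10.0.0.5 swept enough ports to be reported.
printf '%s\n' "$CONN_LOG" | scan_sources 5
```

Run as-is the script prints `10.0.0.5 7`; lowering the threshold to 2 also surfaces 10.0.0.9, which touched two ports, while 10.0.0.7 (one port) never appears. In practice the same logic would be fed from a firewall or connection-tracking log rather than an inline sample.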
Banner grabbing lets you fingerprint the application and OS running behind an open port. Let's do a banner grab on the lokisec.com web server.
In the example above we used the following command:
nc lokisec.com 80
HEAD / HTTP/1.0
followed by two returns (press Enter twice).
This netted us the information that lokisec.com is running an Apache 2.2.14 web server with PHP 5.3.2 on Ubuntu. This information can be used to narrow down your search for known vulnerabilities to exploit.
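The request typed above and the headers that answer it, as an added example that is not from the original post. The two HTTP responses are constructed to match what the article describes (one advertising the full Apache/PHP/Ubuntu stack, one from a server whose banner has been trimmed) and were not captured from lokisec.com; `head_request` and `fingerprint` are names chosen here. The script builds the exact bytes Netcat sends when you type the HEAD line and press Enter twice, then pulls the Server and X-Powered-By headers out of each response, which shows how little a trimmed banner gives away.

```shell
#!/bin/sh
# Constructed responses (not captured from lokisec.com), shaped like the
# banner the article describes and like the same server with its banner
# trimmed. Real responses arrive with CRLF line endings; fingerprint()
# tolerates both.
VERBOSE_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2
Content-Type: text/html
'
HARDENED_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html
'

# head_request HOST: the bytes Netcat puts on the wire when you type
# "HEAD / HTTP/1.0" and press Enter twice. HTTP requires CRLF line
# endings and an empty line to terminate the header block; a Host
# header is added so the same request also works against HTTP/1.1
# virtual hosts.
head_request() {
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1"
}

# fingerprint: read a response on stdin and print
# "server=<value> powered_by=<value>", using "-" for a header that is
# absent. Header names are case-insensitive per HTTP, so they are
# matched in lowercase; a trailing CR is stripped from each value.
fingerprint() {
    awk '
        BEGIN { s = "-"; p = "-" }
        /^\r?$/ { exit }                      # blank line ends the headers
        tolower($1) == "server:" {
            s = $0; sub(/^[^:]*:[ \t]*/, "", s); sub(/\r$/, "", s)
        }
        tolower($1) == "x-powered-by:" {
            p = $0; sub(/^[^:]*:[ \t]*/, "", p); sub(/\r$/, "", p)
        }
        END { print "server=" s " powered_by=" p }
    '
}

# Settings that produce the trimmed response (real Apache and PHP
# directive names, listed for reference only; this script does not
# apply them):
#   ServerTokens Prod      # httpd.conf: Server header reports only "Apache"
#   ServerSignature Off    # httpd.conf: no version line in error pages
#   expose_php = Off       # php.ini: drop the X-Powered-By header

# Demonstration: the request bytes, then what each response reveals.
head_request lokisec.com | od -c | head -n 3
printf '%s' "$VERBOSE_RESPONSE"  | fingerprint
printf '%s' "$HARDENED_RESPONSE" | fingerprint
```

Against the verbose response `fingerprint` reports `server=Apache/2.2.14 (Ubuntu) powered_by=PHP/5.3.2`, the same facts the article recovered; against the trimmed one it reports `server=Apache powered_by=-`, which still confirms the product but no longer hands over the version or the PHP build. The three directives in the comment are the usual way an administrator gets from the first response to the second.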
As you can see, Netcat is a very robust tool with many features. If you would like to know more about Netcat, take a look at its SourceForge project site.