Netcat is one of those few tools, like nmap, Metasploit, Wireshark and a few others, that every hacker should be familiar with. It is simple, elegant and has a multitude of uses.
For instance, netcat can be used to:
scan to see if a port is open on a remote system
pull the banner from a remote system
connect to a network service manually
perform remote administration
This lesson will be dedicated to learning to use netcat and its encrypted cousin, cryptcat. Later in your studies, we will find many uses for this simple tool.
Like so many applications in the Linux world, netcat runs in a client and server mode. This means that, when using netcat, we must designate one side the server (the listener) and the other side the client.
I. Netcat Basics
Let’s start off by looking at the help screen for netcat. When using netcat, the command is simply “nc”. To get the help screen, type:
kali > nc -h
Note a few key switches:
-e execute a program (hand the connection to it)
-l listen mode
-n numeric mode (no DNS lookups; it’s faster)
-p designates the port
-u UDP mode
-v verbose output
II. Create a Simple TCP Connection
Netcat can be used to create a simple TCP or UDP connection to a system to see whether a port is open and its service is available. So, for instance, if I wanted to connect to SSH on another Kali system, I can type:
kali > nc -vn 192.168.1.103 22
As you can see, netcat was able to connect to OpenSSH on the remote server, and the server advertised the service with its banner (SSH-2.0-OpenSSH_4.7p1 Debian-8Ubuntu1).
III. Banner Grabbing
We can also use netcat to “grab” the banner of a web server by connecting to port 80 and then sending an HTTP HEAD request (HEAD / HTTP/1.0).
kali > nc -vn 192.168.1.103 80
HEAD / HTTP/1.0
Make certain to hit “Enter” a couple of times after typing the HEAD request: the empty line ends the request, and only then does the server answer with its headers, including the banner.
As you can see, we grabbed the banner of an Apache 2.2.8 web server running on Ubuntu.
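What netcat does in sections II and III is nothing more than open a TCP connection, optionally send a few bytes, and print whatever comes back. The example below is added here and is not code from the lesson: it implements that banner grab in Python, and, because it has to run offline, it also spins up two throwaway localhost services (constructed test doubles, one that talks first like SSH and one that waits for the HEAD request like a web server) whose banner strings are copied from the lesson. The names grab_banner, server_header, fake_service and demo are assumptions for illustration.

```python
import socket
import threading

# Constructed sample responses (test doubles, not captured from real hosts); the
# banner text mirrors what the lesson shows so the output looks familiar.
SSH_BANNER = b"SSH-2.0-OpenSSH_4.7p1 Debian-8Ubuntu1\r\n"
HTTP_HEAD_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                      b"Server: Apache/2.2.8 (Ubuntu)\r\n"
                      b"Content-Length: 0\r\n"
                      b"\r\n")
# The two "Enter" presses in the lesson are this trailing empty line.
HEAD_REQUEST = b"HEAD / HTTP/1.0\r\n\r\n"


def grab_banner(host, port, request=None, timeout=3.0, max_bytes=4096):
    """What `nc -vn host port` shows you: connect, optionally type a request,
    and collect whatever the service says until it closes or goes quiet."""
    chunks, received = [], 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        if request:
            s.sendall(request)
        try:
            while received < max_bytes:
                data = s.recv(1024)
                if not data:          # peer closed the connection
                    break
                chunks.append(data)
                received += len(data)
        except socket.timeout:
            pass  # service went quiet (SSH waits for OUR banner); keep what we have
    return b"".join(chunks).decode("utf-8", errors="replace")


def server_header(http_response):
    """Pull the Server: header out of an HTTP response, or None if absent."""
    for line in http_response.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


def fake_service(response, waits_for_request):
    """Throwaway localhost listener standing in for the remote host. It either
    speaks first (SSH style) or waits for a request ending in a blank line
    (HTTP style), answers once, and closes. Returns (port, seen) where
    seen['request'] records what the client sent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))         # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = {}

    def handle():
        conn, _ = srv.accept()
        with conn:
            if waits_for_request:
                conn.settimeout(3.0)
                req = b""
                while b"\r\n\r\n" not in req and b"\n\n" not in req:
                    chunk = conn.recv(1024)
                    if not chunk:
                        break
                    req += chunk
                seen["request"] = req
            conn.sendall(response)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port, seen


def demo():
    """Run both grabs from the lesson against the local test doubles."""
    ssh_port, _ = fake_service(SSH_BANNER, waits_for_request=False)
    ssh_banner = grab_banner("127.0.0.1", ssh_port)
    http_port, seen = fake_service(HTTP_HEAD_RESPONSE, waits_for_request=True)
    http_banner = grab_banner("127.0.0.1", http_port, request=HEAD_REQUEST)
    return ssh_banner, http_banner, seen.get("request")


if __name__ == "__main__":
    ssh, http, _ = demo()
    print(ssh.strip())
    print(server_header(http))
```

Against a real SSH server, grab_banner returns after the timeout rather than on close, because the server sends its banner and then waits for the client’s; that is exactly why the nc session in section II sits there after printing the banner. The blank-line loop in the HTTP double accepts both CRLF and bare LF, matching the fact that the Enter key in nc sends a bare newline on Linux (use nc -C if you need CRLF).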
IV. Opening a TCP connection between two machines for “chat”
Netcat is capable of creating a simple TCP or UDP connection between two computers and then opening a communication channel between them. Let’s open a listener on the remote system first.
kali > nc -l -p6996
Then connect to that listener from the other machine:
kali > nc 192.168.1.105 6996
When it connects, I can then begin typing my message, such as “What is the best place to learn hacking?”
That message will then appear on the remote system with the listener. The listener machine can then respond, “Without a doubt, Hackers-Arise!”
…and then the remote machine receives the response!
In this way, we can create a private “chat room” between any two machines!
V. Transferring Files with Netcat
One of the simple wonders of netcat is its ability to transfer files between computers. Once that simple connection is established, we can use it to move files from one machine to the other. This can be extremely useful to a network administrator and even more useful to a hacker: netcat can be used to upload files to and download files from the target system.
Let’s create a file called “hacker_training”.
kali > echo "This is first module in Hacker Fundamentals at Hackers-Arise" > hacker_training
Then, let’s view the contents of that file using the Linux command “cat”.
kali > cat hacker_training
Now, let’s open a listener on the remote system.
kali > nc -l -p6996
Next, let’s send the file to the remote system.
kali > nc 192.168.1.103 6996 < hacker_training
Note that we use the < to redirect the file into netcat’s standard input.
Finally, go back to our listening system, and we should find that the file has been transferred and its contents appear on the screen!
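The chat in section IV and the file transfer in section V are the same mechanism: one side listens, the other connects, and bytes flow over the TCP connection until one side closes. The example below is added here and is not the lesson’s code. It reproduces the transfer in Python over loopback, with the listener writing what it receives to a file (the equivalent of redirecting nc’s output with > instead of letting it print to the screen) and the sender half-closing the connection so the listener sees end-of-file; it then compares SHA-256 digests on both ends, the check a practitioner wants because netcat itself gives no delivery receipt. The names receive_file, send_file, transfer_demo and sha256_of are assumptions for illustration.

```python
import hashlib
import os
import socket
import tempfile
import threading


def sha256_of(path):
    """Hash a file in chunks; netcat gives no delivery receipt, so compare
    digests on both ends after a transfer."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def receive_file(dest_path, ready, port_box):
    """Listener side, the job `nc -l -p6996 > received` does: accept one
    connection and write every byte to dest_path until the sender hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))            # OS-chosen port; the lesson uses 6996
    srv.listen(1)
    port_box["port"] = srv.getsockname()[1]
    ready.set()                           # tell the sender the listener is up
    conn, _ = srv.accept()
    with conn, open(dest_path, "wb") as out:
        while True:
            chunk = conn.recv(65536)
            if not chunk:                 # EOF: sender shut down its write side
                break
            out.write(chunk)
    srv.close()


def send_file(host, port, src_path):
    """Client side, the job `nc host 6996 < file` does: stream the file, then
    half-close so the listener sees EOF and knows the file is complete."""
    with socket.create_connection((host, port)) as s, open(src_path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            s.sendall(block)
        # This shutdown is what -N (OpenBSD nc) or -q (netcat-traditional) adds;
        # without it some nc builds keep the connection open after stdin hits EOF.
        s.shutdown(socket.SHUT_WR)
        while s.recv(4096):               # wait for the listener to close too
            pass


def transfer_demo(content):
    """Write `content` to a temp file, ship it over loopback, and return
    (received_bytes, digests_match)."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "hacker_training")
        dst = os.path.join(workdir, "received")
        with open(src, "wb") as f:
            f.write(content)
        ready, port_box = threading.Event(), {}
        listener = threading.Thread(target=receive_file, args=(dst, ready, port_box))
        listener.start()
        ready.wait()
        send_file("127.0.0.1", port_box["port"], src)
        listener.join()
        with open(dst, "rb") as f:
            received = f.read()
        return received, sha256_of(src) == sha256_of(dst)


if __name__ == "__main__":
    data, ok = transfer_demo(b"This is first module in Hacker Fundamentals at Hackers-Arise\n")
    print(data.decode(), "digests match:", ok)
```

The half-close is the detail that bites people with real netcat: if the sender’s nc does not shut down the socket after reading the whole file, the listener never sees EOF and both sides sit waiting. Running sha256sum (or the sha256_of above) on both copies is the quickest way to confirm the transfer completed rather than trusting that nothing printed an error.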
VI. Remote Administration with netcat
Probably the most malicious use of netcat, and the most effective for the hacker, is the ability to use netcat for remote administration. We can use netcat’s ability to execute commands to give the remote connection a shell on the listening system. On a Linux/Unix machine we do this by making /bin/sh available to the remote connection with the -e (execute) switch, like below. If we were connecting to a Windows machine, we would use cmd.exe (-e cmd.exe) instead of /bin/sh.
kali > nc -l -p6996 -e /bin/sh
Now when I connect to the remote machine, I should get a shell on the remote system. Notice that when I connect, I get just a blank line: no command prompt, nothing (if we connect to a Windows system, though, we get the traditional Windows C:\> prompt). This can be confusing to the novice.
If we then type “ls -l”, we get a listing of the directory where we started the netcat listener on the remote system, and when we enter “ifconfig”, it returns the IP address of the remote system.
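Seen from the defender’s side, the listener in this section leaves an obvious fingerprint in a process listing: a netcat binary started with -l together with an execute option. The example below is added here and is not the lesson’s code. It classifies command lines in the shape of ps -eo args output (the sample lines are constructed for this example) and flags every one where netcat hands its socket to a program; it goes slightly beyond the lesson by also recognizing ncat’s --exec, --sh-exec and --lua-exec spellings and the Windows nc.exe path form. The names classify_netcat, flag_suspicious and SAMPLE_PROCESSES are assumptions for illustration.

```python
import re

# Binaries that behave like netcat: ncat is Nmap's implementation, cryptcat the
# encrypted variant from section VII.
NETCAT_NAMES = {"nc", "netcat", "ncat", "nc.traditional", "nc.openbsd",
                "cryptcat", "nc.exe", "ncat.exe"}
# ncat long options that hand the connection to a program.
LONG_EXEC_OPTS = ("--exec", "--sh-exec", "--lua-exec")


def classify_netcat(cmdline):
    """Classify one process command line. Returns None for anything that is
    not a netcat-family binary, otherwise a dict describing the invocation."""
    argv = cmdline.split()   # whitespace tokenization is enough for ps/EDR command lines
    if not argv:
        return None
    prog = re.split(r"[\\/]", argv[0])[-1].lower()   # strip /usr/bin/ or C:\Tools\
    if prog not in NETCAT_NAMES:
        return None
    listen, exec_cmd = False, None
    i = 1
    while i < len(argv):
        a = argv[i]
        if a.startswith("--"):
            name, has_eq, value = a.partition("=")
            if name in LONG_EXEC_OPTS:
                exec_cmd = value if has_eq else (argv[i + 1] if i + 1 < len(argv) else "")
                i += 1 if has_eq else 2
                continue
            if name == "--listen":
                listen = True
            i += 1
            continue
        if a.startswith("-") and len(a) > 1:
            letters = a[1:]                 # handles bundled forms such as -lvp
            if "l" in letters:
                listen = True
            # -e (execute) and -c (shell exec in netcat-traditional / ncat). Note
            # that OpenBSD-derived nc reuses -c for TLS, so -c is a weaker signal.
            for flag in "ec":
                pos = letters.find(flag)
                if pos != -1:
                    rest = letters[pos + 1:]
                    if rest:                # attached value, e.g. -e/bin/sh
                        exec_cmd = rest
                    elif i + 1 < len(argv): # value is the next argument
                        exec_cmd = argv[i + 1]
                        i += 1
                    break
        i += 1
    if listen and exec_cmd:
        verdict = "bind shell: listener hands connections to " + exec_cmd
    elif exec_cmd:
        verdict = "outbound connection that hands the socket to " + exec_cmd
    elif listen:
        verdict = "plain listener (chat / file receive)"
    else:
        verdict = "plain client connection"
    return {"program": prog, "listen": listen, "exec": exec_cmd, "verdict": verdict}


def flag_suspicious(process_lines):
    """Return (cmdline, verdict) for every line where netcat executes a program."""
    hits = []
    for line in process_lines:
        info = classify_netcat(line)
        if info and info["exec"]:
            hits.append((line, info["verdict"]))
    return hits


SAMPLE_PROCESSES = [   # constructed, in the shape of `ps -eo args` output
    "/usr/sbin/sshd -D",
    "nc -l -p6996",
    "nc -vn 192.168.1.103 22",
    "nc -l -p6996 -e /bin/sh",
    "C:\\Tools\\nc.exe -l -p 6996 -e cmd.exe",
    "ncat -l 4444 --sh-exec /bin/bash",
]

if __name__ == "__main__":
    for line, why in flag_suspicious(SAMPLE_PROCESSES):
        print(f"{line!r}: {why}")
```

Two things worth knowing when you turn this into a real detection: the OpenBSD-derived nc that many distributions ship has no -e at all, so an -e in a command line points at netcat-traditional or ncat; and a command line is only one signal, so pair it with the listening socket itself (ss -ltnp on Linux, netstat -ano on Windows), which shows the port and owning process regardless of how the binary was named.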
VII. Cryptcat
Cryptcat is netcat’s encrypted cousin. This means that we can make a connection to a remote machine where all our traffic is encrypted with one of the strongest encryption algorithms available anywhere, Twofish (Twofish encryption is nearly as strong as AES). You can download it at www.cryptcat.sourceforge.net, but if you are using Kali, it is already installed. Although the switches are largely the same as netcat’s, the command is “cryptcat” rather than “nc”.