Netcat basics and a few smart examples
"The nc (or netcat) utility is used for just about anything under the sun involving TCP or UDP." - nc manpage
Netcat is like a more capable telnet and is well suited to all kinds of socket work and simple network testing. With netcat you can, for example, do port scanning, stand in for a web server, handle raw sockets in general, and transfer files in the leanest way possible (people have used it to stream disk clones piped from dd straight into nc). Several implementations exist (OpenBSD nc, ncat from Nmap, netcat-traditional) and their flags differ slightly, so check `nc -h` on the box you are on.
Very basic ones
Telnet-like usage
Connecting to port 80 on localhost (nc takes a host name or IP address and a port, not a URL; once connected, type `GET / HTTP/1.0` and press Enter twice to see the server's reply):
$ nc localhost 80
Simplest socket server
Starting a socket server listening on TCP port 5000 (OpenBSD nc and ncat syntax; netcat-traditional wants `nc -l -p 5000`):
$ nc -l 5000
Chat functionality
If you start the listener on one machine and connect to it from another, anything typed on either side appears on the other: a two-way chat. The listener accepts whoever connects first, and everything travels in plaintext.
Webserver
Useful for serving a single static HTML page: a quick test that port 80 is reachable, or a temporary maintenance page.
Create some HTML in a file (call it index.html) and run the following to listen on port 80 and send that file to each client (sudo because port 80 is a privileged port):
$ while true; do sudo nc -l 80 < index.html; done
The while loop restarts nc after each connection, since nc -l exits once its single client disconnects. Keep in mind that this sends the raw file bytes with no HTTP status line or headers (browsers generally render it anyway, stricter clients may not), it serves one client at a time, and whatever the client sends is printed to your terminal.
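The following is an added example, not code from the original post: a small shell function that wraps the file in a minimal HTTP/1.0 response (status line, Content-Type, Content-Length) so that nc serves something every client parses. It assumes a POSIX sh with wc, tr and cat; the port 8080 in the usage line is chosen so no sudo is needed.

```sh
# Added example, not from the original post: build a minimal HTTP/1.0 response around a
# file so nc serves something every client parses, rather than the bare file bytes that
# `nc -l 80 < index.html` sends. Assumes a POSIX sh with wc, tr and cat.
http_response() {
    # $1 = file to serve, $2 = Content-Type (defaults to text/html)
    f=$1
    ctype=${2:-text/html}
    if [ ! -r "$f" ]; then
        printf 'HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n'
        return 1
    fi
    # Content-Length tells the client when the body is complete, so it does not have to
    # wait for nc to close the socket before rendering.
    len=$(wc -c < "$f" | tr -d ' ')
    printf 'HTTP/1.0 200 OK\r\nContent-Type: %s\r\nContent-Length: %s\r\nConnection: close\r\n\r\n' "$ctype" "$len"
    cat "$f"
}

# Serve index.html on port 8080 (unprivileged, so no sudo), one client at a time;
# each client's request text is printed to the terminal. Uncomment to run:
# while true; do http_response index.html | nc -l 8080; done
```

Every request, whatever its path, gets the same file; the loop is still single-threaded. With OpenBSD-derived nc you can add `-N` so the socket is closed as soon as the response has been sent.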
Shell backdoor
Start socket
Listening socket on aarvik.dk. Note that `-e` is an ncat (and netcat-traditional) option; OpenBSD nc has no -e. Anyone who can reach port 2222 gets an unauthenticated shell as the user running ncat, with every command and its output sent in plaintext, so keep this to a lab network or at least restrict it with ncat's `--allow <client-ip>` and `--ssl`:
$ ncat -v -l 2222 -e /bin/bash
Output at startup and when the client connects:
$ ncat -v -l 2222 -e /bin/bash
Ncat version 5.00 ( http://nmap.org/ncat )
Listening on 0.0.0.0:2222
Connection from 212.242.167.108.
Connect
Connecting to it from the other machine (212.242.167.108):
$ nc aarvik.dk 2222
Output of a command typed into the connection:
$ nc aarvik.dk 2222
uname -a
Linux aarvik.dk 2.6.32-16-pve #1 SMP Mon Oct 22 08:38:13 CEST 2012 i686 GNU/Linux
Port scanning
Scanning TCP ports 1-100 in this example (a full connect scan: -z connects without sending data and -v prints a line per port; every attempt completes a handshake and shows up in the target's logs, and for anything beyond a quick check nmap is the better tool):
$ nc -v -z aarvik.dk 1-100
Output (macOS nc; the "found 0 associations" / "found 1 connections" block is local connectx diagnostics, not data from the remote host):
nc: connectx to aarvik.dk port 1 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 2 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 3 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 4 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 5 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 6 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 7 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 8 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 9 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 10 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 11 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 12 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 13 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 14 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 15 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 16 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 17 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 18 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 19 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 20 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 21 (tcp) failed: Connection refused
found 0 associations
found 1 connections:
1: flags=82<CONNECTED,PREFERRED>
outif en0
src 10.0.0.4 port 49485
dst 109.202.159.44 port 22
rank info not available
TCP aux info available
Connection to aarvik.dk port 22 [tcp/ssh] succeeded!
nc: connectx to aarvik.dk port 23 (tcp) failed: Connection refused
nc: connectx to aarvik.dk port 24 (tcp) failed: Connection refused
...
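The scan output above is noisy: one line per refused port, plus the connectx diagnostics. The function below is an added example, not code from the original post, that boils `nc -v -z` output down to the open port numbers. It understands both the macOS wording ("port 22 [tcp/ssh] succeeded!") and the OpenBSD/Debian wording ("22 port [tcp/ssh] succeeded!"); the sample lines are constructed from the output shown above, with one OpenBSD-style line added. It assumes POSIX sh and awk.

```sh
# Added example, not from the original post: reduce verbose `nc -v -z` output to the list
# of open ports. Handles the macOS form ("... port 22 [tcp/ssh] succeeded!") and the
# OpenBSD/Debian form ("... 22 port [tcp/ssh] succeeded!") and ignores everything else,
# including the macOS connectx diagnostics.
open_ports() {
    # reads `nc -v -z host ports 2>&1` on stdin; prints one open port number per line
    awk '/succeeded!/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "port") {
                # the number sits after "port" (macOS) or before it (OpenBSD)
                p = ($(i + 1) ~ /^[0-9]+$/) ? $(i + 1) : $(i - 1)
                print p
                break
            }
        }
    }'
}

sample_scan() {
    # Constructed sample: lines taken from the scan output on this page plus one
    # OpenBSD-style line for port 80.
    cat <<'EOF'
nc: connectx to aarvik.dk port 21 (tcp) failed: Connection refused
found 0 associations
found 1 connections:
     1: flags=82<CONNECTED,PREFERRED>
Connection to aarvik.dk port 22 [tcp/ssh] succeeded!
nc: connectx to aarvik.dk port 23 (tcp) failed: Connection refused
Connection to aarvik.dk 80 port [tcp/http] succeeded!
EOF
}

# Live use (nc writes its results to stderr, hence 2>&1):
#   nc -v -z aarvik.dk 1-1024 2>&1 | open_ports
```

Add `-w 2` to the nc command so a filtered port that drops packets times out after two seconds instead of stalling the whole range.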
Transfer file
Start the listener with the index.html file we made earlier as its input (start this side first; it exits after the first client disconnects):
$ nc -l 5000 < index.html
From the client machine, connect and write whatever arrives to a file (nc does no authentication or integrity checking: whoever connects first gets the file, and a truncated transfer looks just like a complete one):
$ nc aarvik.dk 5000 > index.html
The disk clone and transfer mentioned at the start looks like this on the server (listening) side, reading the whole block device (add `bs=1M` to dd for a sane block size):
$ dd if=/dev/vda | nc -l 5000
On the client, writing the stream to a disk that is not mounted or otherwise in use (nc's -n flag skips DNS lookups and therefore needs an IP address rather than a host name, so it is left out here):
$ nc aarvik.dk 5000 | dd of=/dev/vda
A few readers pointed out how handy nc is for moving whole directory trees when there is no room on the partition to hold an intermediate archive: tar streams straight into nc (and out of it on the other end), so no archive file is ever written to disk. On the server (listening) side, which receives and unpacks:
$ nc -l 5000 | tar -xzvf -
And on the client, which packs and sends (-f - makes tar read and write its archive on stdin/stdout explicitly, since the default archive device differs between tar implementations; -z adds gzip compression):
$ tar -czvf - /path/ | nc aarvik.dk 5000
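nc moves bytes but never tells you whether all of them arrived intact; a dropped connection halfway through a dd clone or a tar stream leaves no error on the receiving side. The following is an added example, not code from the original post, for both the dd and the tar transfers above: each side records a SHA-256 of the exact byte stream it sent or received, through a FIFO so that no temporary copy of the data is needed, and the two hashes are compared afterwards. It assumes POSIX sh, tar, mkfifo and sha256sum (or shasum on BSD/macOS); the host and port follow the page (aarvik.dk, 5000) and the paths /restore, /tmp/sent.sha and /tmp/recv.sha are placeholders.

```sh
# Added example, not from the original post: stream a directory tree through a pipe while
# recording a SHA-256 of the exact bytes on each end, so a truncated or corrupted nc
# transfer is caught by comparing the two hashes afterwards.

sha256_hex() {
    # print the hex SHA-256 of stdin with whichever tool is installed
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

hash_stream() {
    # Copy stdin to stdout unchanged and write the SHA-256 of the bytes to file $1.
    # A FIFO feeds the hasher, so the data is never spooled to disk (the "no space for
    # the archive" case from the post).
    _dir=$(mktemp -d) || return 1
    mkfifo "$_dir/fifo" || return 1
    sha256_hex < "$_dir/fifo" > "$1" &
    tee "$_dir/fifo"
    wait
    rm -rf "$_dir"
}

send_tree() {
    # $1 = directory to send, $2 = file that receives the sender-side hash
    tar -C "$1" -cf - . | hash_stream "$2"
}

recv_tree() {
    # $1 = destination directory, $2 = file that receives the receiver-side hash
    mkdir -p "$1" && hash_stream "$2" | tar -C "$1" -xf -
}

# Receiving machine first (it listens), then the sender; compare the hash files last.
# Placeholder paths; the same hash_stream wrapper works around dd for the disk clone.
#   nc -l 5000 | recv_tree /restore /tmp/recv.sha          # on aarvik.dk
#   send_tree /path /tmp/sent.sha | nc aarvik.dk 5000     # on the sending host
#   diff /tmp/sent.sha /tmp/recv.sha && echo "transfer verified"
```

Matching hashes prove the bytes arrived as sent; they say nothing about who sent them, since anyone who reaches the listening port first can feed it a stream. For anything that leaves a trusted network, wrap the transfer in ssh (`tar -czf - /path | ssh aarvik.dk 'tar -xzf -'`) or at least use ncat with `--ssl` and `--allow`.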