Tips & Tricks with Netcat command on Linux

Netcat is a versatile networking utility which can be used for reading from and writing to TCP and UDP connections on arbitrary ports (as with other utilities used on Linux, ports below 1024 require root/sudo privileges). By default netcat uses TCP connections, but UDP can be specified with the -u flag. Netcat can be used as both a server and a client. When used as a server, the -l flag is used to listen for a connection. Similar to the cat command, netcat can receive input from stdin and write to stdout, making it well suited to workflows involving pipes and redirects. The nc command is typically used to invoke netcat for ease of use.

In this tutorial you will learn how to do the following with netcat:

  • make an HTTP request to grab a webpage
  • chat with friends across machines
  • copy files between machines
  • perform port scanning
  • view messages from netcat in a web-browser
  • create and connect to a reverse shell

Software requirements and conventions used

Software Requirements and Linux Command Line Conventions
Category     Requirements, Conventions or Software Version Used
System       Distribution-independent
Software     Netcat
Other        Root privileges to use ports below 1024
Conventions  # - Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command
             $ - Linux commands to be executed as a regular non-privileged user

Grabbing a Webpage

WARNING
Netcat connections are not encrypted. The following examples transmit data in the clear. Do not use netcat to transmit sensitive data on untrustworthy networks such as the internet and public wi-fi. If you need to transmit data securely, consider OpenSSH.

Netcat can be used to make arbitrary connections to network services. As a result, it can be used to make HTTP requests to a web-server much like a web-browser would. Let’s go ahead and grab the index page from google.com.
Enter the nc command followed by the host and the port you want to connect to.

$ nc google.com 80

Now let’s make the HTTP request. Type or copy/paste the following and press enter twice.

GET /index.html HTTP/1.1


You should see output similar to this screenshot.

Grab website using netcat
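As an added example (not part of the original tutorial), the request above written out in full for scripting: HTTP/1.1 requires a Host header, and Connection: close makes the server hang up so nc exits once the response has arrived. The function names, the usage line and the sample response are assumptions constructed for this example.

```sh
# Added example, not from the original tutorial: a complete HTTP/1.1 request
# for netcat. HTTP/1.1 requires a Host header, and "Connection: close" makes
# the server end the connection so nc returns instead of waiting.
# Assumed usage:  http_get google.com /index.html | nc google.com 80
http_get() {
    # Header lines are CRLF-terminated; the empty line ends the request.
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "${2:-/}" "$1"
}

# Pull the numeric status code out of a response read from stdin, e.g.
# "HTTP/1.1 301 Moved Permanently" -> 301. Handy when scripting checks.
http_status() {
    head -n 1 | tr -d '\r' | cut -d' ' -f2
}

# Constructed response (not captured from a real server) for offline use.
sample_response() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: http://www.google.com/index.html\r\nContent-Length: 0\r\n\r\n'
}
```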

Chat

This example assumes that you have 2 computers on the same network, with hostnames host1 and host2. This assumption will be made in following examples as well. To create a netcat listening connection on host1 enter the following.

$ nc -lv 8888

This listens for connections on port 8888. The -v flag specifies verbose output which will give you more information about incoming connections.

Now on host2 enter:

$ nc host1 8888

You will notice that any text entered into the terminal on host1 is sent to the terminal on host2 and vice versa. This can be used as an ad hoc chat between two users on the same network.

File Transfer

Netcat can be used to copy a file from one machine to another. Let's assume you have a file called ncnotes.txt that you want to transfer from host1 to host2.

On host1 enter the following to create the file and listen for an incoming connection to transfer it on port 2222:

$ echo "These are my netcat notes" > ncnotes.txt
$ nc -l 2222 < ncnotes.txt

On host2 enter the following to receive the file and then print it to stdout to verify that the transfer was successful.

$ nc host1 2222 > ncnotes.txt
$ cat ncnotes.txt

What if you want to transfer an entire folder rather than just a single file? Netcat is not capable of doing this on its own, so we will have to utilize the tar command.

Enter the following on host1 to create a folder filled with five files and then use tar to create an archive and pipe it over the network with netcat.

$ mkdir files; touch files/{1..5}
$ tar -cvz files | nc -l 8888

Enter the following on host2 to transfer the folder and verify that it includes all five files.

$ nc host1 8888 | tar -xvz
$ ls files

On host1 the -c flag creates the archive that is piped into netcat, -v gives verbose output so we can see what is happening, and -z compresses the archive so that the network transfer is faster. In our example the compression makes little difference since the files folder contains only empty files, but it matters when transferring large directories or files. On host2 the -x flag extracts the archive that is piped in from netcat, -v gives verbose extraction output, and -z decompresses the archive.
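Netcat does no integrity checking of its own: a stream that is cut short or altered in transit still looks like a successful transfer on host2. The following added example (not from the original tutorial) frames the file behind a SHA-256 checksum line so the receiver can verify what it wrote; the function names and usage lines are assumptions for this example, and the round trip runs through a local pipe so it works offline.

```sh
# Added example, not from the original tutorial: netcat gives no integrity
# check, so a truncated or altered stream still "succeeds". This frames the
# payload as  <sha256 hex><newline><file bytes>  and verifies it on receipt.
# Assumed usage:   host1: pack_file ncnotes.txt | nc -l 2222
#                  host2: nc host1 2222 | unpack_file ncnotes.txt
pack_file() {
    sum=$(sha256sum "$1" | cut -d' ' -f1)
    printf '%s\n' "$sum"      # one header line: the checksum
    cat "$1"                  # followed by the raw file contents
}

# Reads the framed stream from stdin, writes the payload to $1 and returns
# 0 only if the received bytes hash to the advertised checksum.
unpack_file() {
    IFS= read -r expected || return 1
    cat > "$1"
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Self-contained round trip through a pipe instead of the network: returns
# 0 when an intact copy verifies and a corrupted stream is rejected.
roundtrip() {
    dir=$(mktemp -d)
    printf 'These are my netcat notes\n' > "$dir/in.txt"
    pack_file "$dir/in.txt" | unpack_file "$dir/ok.txt" || { rm -rf "$dir"; return 1; }
    [ "$(cat "$dir/in.txt")" = "$(cat "$dir/ok.txt")" ] || { rm -rf "$dir"; return 1; }
    # Alter one word of the payload in flight: verification must now fail.
    if pack_file "$dir/in.txt" | sed '2s/netcat/tampered/' | unpack_file "$dir/bad.txt"; then
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"
    return 0
}
```

For a directory, create the archive with tar first and pass the resulting file to pack_file; unpack_file then hands a verified archive to tar on the receiving side.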

Port Scanning

Netcat can be used as a rudimentary port scanner by using the -z flag.

Suppose you are on host1 and you want to know if an SSH server is running on host2. Assuming it is running on the default port (22) and there is no firewall blocking access to it, you can use the following command to see if the service is running.

$ nc -zv host2 22

Netcat can also scan a range of ports to see which, if any, of them are open. This can be used to infer what services that machine is running. Suppose you are on host2 and you want to see if any ports between 1 and 1024 are open on host1; you can use the following command.

$ nc -zv host1 1-1024

Depending on which version of netcat is installed on your system, the previous command will either report only the open ports or print a line for every port, open and closed. In the former case the output is easy to read; in the latter it can be hard to parse, so use the following command instead so that only open ports are displayed.

$ nc -zv host1 1-1024 2>&1 | grep succeeded
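The grep above only matches the OpenBSD variant's wording. As an added example (not part of the original tutorial), the following normalises the verbose output of the common netcat variants into a plain list of open ports, which is useful when auditing which services a host you administer actually exposes. The three line formats are assumptions based on those variants, the ncat rule assumes IPv4 addresses, and the sample output is constructed.

```sh
# Added example, not from the original tutorial: normalise "nc -zv" output
# from the common netcat variants into a plain list of open ports, so the
# same check works whatever version the "Port Scanning" step meets.
# Assumed line formats (each variant prints to stderr, hence 2>&1):
#   OpenBSD nc:   Connection to host1 22 port [tcp/ssh] succeeded!
#   traditional:  host1 [10.0.0.5] 80 (http) open
#   ncat:         Ncat: Connected to 10.0.0.5:443.
# Usage:  nc -zv host1 1-1024 2>&1 | open_ports
open_ports() {
    awk '
        # OpenBSD: the port number is the field right before the word "port"
        /succeeded!$/ { for (i = 1; i < NF; i++) if ($(i+1) == "port") print $i; next }
        # traditional: first purely numeric field on a line ending in "open"
        / open$/ { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; break }; next }
        # ncat: "host:port." is the 4th field (IPv4 assumed); drop the trailing dot
        /^Ncat: Connected to / { sub(/\.$/, "", $4); n = split($4, a, ":"); print a[n]; next }
    ' | sort -n | uniq
}

# Constructed sample mixing all three formats plus closed-port noise.
sample_scan_output() {
    cat <<'EOF'
Connection to host1 22 port [tcp/ssh] succeeded!
nc: connect to host1 port 23 (tcp) failed: Connection refused
host1 [10.0.0.5] 80 (http) open
host1 [10.0.0.5] 81 (?) : Connection refused
Ncat: Connection refused.
Ncat: Connected to 10.0.0.5:443.
EOF
}

# Open ports found in the constructed sample, one per line (22, 80, 443).
sample_open_ports() {
    sample_scan_output | open_ports
}
```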


View Message in Browser

On host1 enter the following. The -k flag keeps the connection alive so that it can be reconnected to again by the same machine or by other machines. Without this flag host1 will stop listening for more connections once the first connection is made.

$ echo "hello there" | nc -lkv 5555

On host2 open a browser and navigate to host1:5555

You should see the words hello there displayed in the browser.

Reverse Shell

Netcat can also be used to establish a reverse shell in order to remotely administer a machine over the network. This is done with the -e flag. In this example, we want to connect to a bash shell on host2 in order to administer it from host1.

On host1 enter:

$ nc -lv 6666

On host2 enter:

$ nc -v host1 6666 -e /bin/bash

Now on host1, enter the following and it will be apparent that we have remote access to the bash shell on host2.

$ hostname
$ whoami
$ ls

You should see the hostname for host2, the username of the user who initiated nc on host2 and their files. Many versions of netcat do not include the -e option due to its potential for abuse. Establishing a remote shell on a machine that has a version of netcat which doesn't include the -e option would require performing the same netcat commands on host1, while using a different program to create the reverse shell on host2. Solutions for this exist for Bash, Python, Perl, PHP and more.
