Netcat, first released in 1995 by Hobbit, is one of the "original" network penetration testing tools and is versatile enough to live up to its author's description of it as a hacker's "Swiss army knife". The clearest definition of Netcat is Hobbit's own: a simple "utility which reads and writes data across network connections, using TCP or UDP protocols."
Connecting to a TCP/UDP Port
We can use client mode to connect to any TCP/UDP port, allowing us to:

• Check if a port is open or closed.
• Read a banner from the service listening on a port.
• Connect to a network service manually.
Example:

```
nc -nv 10.11.10.2 110
```

`-n` skips DNS name resolution, including the reverse lookup that `-v` would otherwise do on the target IP (which is why the output below shows `(UNKNOWN)` in place of a hostname); `-v` adds verbosity, so nc reports whether the connection succeeded instead of silently connecting.
Output:

```
(UNKNOWN) [10.11.10.2] 110 (pop3) open
+OK Dovecot ready.
USER offsec
+OK
PASS offsec
-ERR [AUTH] Authentication failed.
quit
+OK Logging out
```
Listening on a TCP/UDP Port
Example:

First, the server starts listening:

```
//From server :
msfadmin@metasploitable:~$ nc -nlvp 4444
listening on [any] 4444 ...
```
Then the client connects to the server and sends "hello world":

```
//From client :
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -nv 192.168.244.136 4444
(UNKNOWN) [192.168.244.136] 4444 (?) open
hello world
```
The server receives the message "hello world", and because of `-v` it also reports which client connected and from which source port:

```
//From server :
msfadmin@metasploitable:~$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.244.136] from (UNKNOWN) [192.168.244.140] 47386
hello world
```
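Both halves above (the banner grab against port 110 and the listen/connect pair) re-done in Python as an added example; this is not code from the page and not netcat's own code. `serve_once` plays the `nc -nlvp` side and `probe` the `nc -nv` side, with one addition a practitioner wants: `probe` has a connect timeout and classifies the port as open, closed or filtered, which plain `nc -nv` does not do. The Dovecot-style banner, the loopback address and the kernel-chosen port are constructed for the demo; nothing here talks to 10.11.10.2 or 192.168.244.136.

```python
import socket
import threading


def make_listener(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """The bind+listen half of `nc -nlvp PORT`. Port 0 asks the kernel for a free
    port; read the real one back with getsockname()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def serve_once(srv: socket.socket, banner: bytes, log: list) -> bytes:
    """Accept a single client the way `nc -nlvp` does: record who connected, send
    a greeting (what a real service such as Dovecot does unprompted), then return
    the first line the client sends, or b"" if the client hangs up first."""
    conn, (peer_ip, peer_port) = srv.accept()
    log.append(f"connect to [{srv.getsockname()[0]}] from (UNKNOWN) [{peer_ip}] {peer_port}")
    with conn:
        conn.sendall(banner)
        data = b""
        while not data.endswith(b"\n"):
            chunk = conn.recv(4096)
            if not chunk:          # client closed: EOF, not a protocol error
                break
            data += chunk
    return data


def probe(host: str, port: int, payload: bytes = b"", timeout: float = 3.0) -> tuple:
    """`nc -nv HOST PORT` plus the timeout nc lacks. Returns (state, banner):
    "open" (TCP handshake completed), "closed" (refused / RST) or "filtered"
    (no answer before the timeout, typically a firewall dropping the SYN)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return "closed", b""
    except OSError:                # timeout, network unreachable, ...
        return "filtered", b""
    with s:
        try:
            banner = s.recv(1024)  # POP3/SSH/FTP talk first
        except socket.timeout:
            banner = b""           # open but silent: HTTP etc. wait for the client
        if payload:
            s.sendall(payload)
    return "open", banner


def demo() -> dict:
    """Constructed loopback run of both halves; returns what each side saw."""
    srv = make_listener()
    port = srv.getsockname()[1]
    log, received = [], []
    t = threading.Thread(
        target=lambda: received.append(serve_once(srv, b"+OK Dovecot ready.\r\n", log)))
    t.start()
    state, banner = probe("127.0.0.1", port, payload=b"hello world\n")
    t.join()
    srv.close()
    after_close, _ = probe("127.0.0.1", port)   # nothing listens there any more
    return {"state": state, "banner": banner, "received": received[0],
            "log": log[0], "after_close": after_close}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The `after_close` probe is the "closed" case: once the listener is gone the kernel answers the SYN with a RST and `connect()` raises `ConnectionRefusedError`. A host that silently drops the packet instead produces the "filtered" result, which with stock nc looks like nc simply hanging.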
Transferring Files with Netcat
On the receiving side (the Windows server), redirect nc's output into the file we want to receive:

```
//From server :
C:\Users\Administrator\Desktop\nc> nc -nlvp 4444 > mync.exe
listening on [any] 4444 ...
```
Netcat gives no feedback about transfer progress, and the receiving nc only finishes when the sender closes the connection: the sending side (not shown above) connects to port 4444 with the file redirected into nc's standard input, and with some builds has to be told to close once stdin hits EOF (`-q` in netcat-traditional, `-N` in netcat-openbsd), otherwise the receiver waits forever and the file is never closed. Since the file we are uploading is small, we can just wait a few seconds and then check whether it has been fully uploaded to the Windows machine by attempting to run it (running it only proves the file is executable; comparing the size or a hash on both ends is the reliable check):
```
C:\Users\Administrator\Desktop\nc>mync -h
[v1.10-47]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [-options] [hostname] [port]
options:
        -c shell commands       as `-e'; use /bin/sh to exec [dangerous!!]
        -e filename             program to exec after connect [dangerous!!]
        -b                      allow broadcasts
...
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
```
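The transfer above, re-done in Python as an added example (not the page's code and not netcat's): the receiver writes the stream to disk until EOF, the sender shuts down its write half after the last byte (the step `-q`/`-N` perform in nc), and both ends hash what they saw so completeness is checked rather than guessed. The random 300,000-byte "nc.exe", the temp directory and the loopback port are constructed for the demo.

```python
import hashlib
import os
import socket
import tempfile
import threading
from pathlib import Path


def recv_file(srv: socket.socket, dest: Path) -> str:
    """Receiving side of `nc -nlvp PORT > FILE`: accept one client and write the raw
    byte stream to dest until the sender closes the connection. EOF is the only
    end-of-file signal netcat has; there is no length header and no progress.
    Returns the SHA-256 of what was written."""
    conn, _peer = srv.accept()
    digest = hashlib.sha256()
    with conn, dest.open("wb") as out:
        while True:
            chunk = conn.recv(65536)
            if not chunk:          # sender closed its write half: transfer done
                break
            out.write(chunk)
            digest.update(chunk)
    return digest.hexdigest()


def send_file(host: str, port: int, src: Path) -> str:
    """Sending side of `nc -nv HOST PORT < FILE`: stream the file, then shut down
    the write half so the receiver sees EOF. Without this the receiver would sit
    waiting forever, which is exactly the symptom of a sender nc that lacks -q/-N.
    Returns the SHA-256 of what was sent."""
    digest = hashlib.sha256()
    with socket.create_connection((host, port)) as s, src.open("rb") as f:
        while chunk := f.read(65536):
            s.sendall(chunk)
            digest.update(chunk)
        s.shutdown(socket.SHUT_WR)
    return digest.hexdigest()


def transfer(src: Path, dest: Path, host: str = "127.0.0.1") -> bool:
    """Run both halves over loopback and compare hashes: the check that tells you
    the file is complete instead of guessing and trying to run it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}
    t = threading.Thread(target=lambda: result.update(recv=recv_file(srv, dest)))
    t.start()
    sent = send_file(host, port, src)
    t.join()
    srv.close()
    return sent == result["recv"]


def demo(nbytes: int = 300_000) -> dict:
    """Constructed input: a random 'binary' of nbytes, transferred into a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "nc.exe"
        dest = Path(tmp) / "mync.exe"
        src.write_bytes(os.urandom(nbytes))
        ok = transfer(src, dest)
        return {"match": ok,
                "sent": src.stat().st_size,
                "received": dest.stat().st_size,
                "identical": src.read_bytes() == dest.read_bytes()}


if __name__ == "__main__":
    print(demo())
```

Because TCP is a byte stream with no framing, a truncated transfer looks identical to a complete one from the receiver's side until you compare lengths or digests; that is why the hash check, not "does it run", is the test to use.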
Netcat Bind Shell Scenario
On the Windows host, run Netcat in listen mode on port 4444 with the -e option so that cmd.exe is executed as soon as a client connects to the listening port. From Kali, connecting to that port hands us the command prompt:

```
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -nv 192.168.244.143 4444
(UNKNOWN) [192.168.244.143] 4444 (?) open
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
```

Nothing in this path authenticates the client: whoever can reach port 4444 gets the shell, and the session is plaintext. That is why nc's own help text marks -e as [dangerous!!] and why some builds, such as netcat-openbsd, omit the option entirely.