User:Samermaz

In 2000, according to www.insecure.org, Netcat was voted the second most functional network security tool. In 2003 and 2006 it took fourth place in the same category. Netcat is often referred to as a "Swiss-army knife for TCP/IP", and for good reason: just like the multi-function usefulness of the venerable Swiss Army pocket knife, netcat's functionality is as helpful. Some of its features include port scanning, transferring files and port listening, and it can be used as a backdoor. Netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can create almost any kind of connection you would need and has a number of exciting built-in capabilities.

According to http://nc110.sourceforge.net/, some of netcat's major features are:

•	Outbound or inbound connections, TCP or UDP, to or from any ports
•	Full DNS forward/reverse checking, with appropriate warnings
•	Ability to use any local source port
•	Ability to use any locally-configured network source address
•	Built-in port-scanning capabilities, with randomizer
•	Built-in loose source-routing capability
•	Can read command line arguments from standard input
•	Slow-send mode, one line every N seconds
•	Hex dump of transmitted and received data
•	Optional ability to let another program service established connections
•	Optional telnet-options responder

Examples
Copying a file from machine foo to machine bar on port 1234 (-l, listen):

user@bar$ nc -l -p 1234 > backup.iso
user@foo$ nc bar 1234 < backup.iso

Opening a raw connection to port 25 (like telnet):

nc mail.server.net 25

Checking if UDP ports (-u) 80-90 are open on 192.168.0.1 using zero mode I/O (-z):

nc -vzu 192.168.0.1 80-90

Piping via UDP (-u) with a wait time (-w) of 1 second to 'loggerhost' on port 514:

echo '<0>message' | nc -w 1 -u loggerhost 514

Starting a chat server:

•	On a computer A with IP 192.168.1.2

nc -l -p 1234

Connecting to computer A from any other computer on the same network:

nc 192.168.1.2 1234

Now both parties can chat!

Note: It turns out that “-l” can’t be used together with “-p” on a Mac! The solution is to replace “-l -p 6666” with just “-l 6666”. Like this:

nc -l 6666

•	nc now listens on port 6666 on a Mac computer

An uncommon use of netcat is port scanning. Netcat is not the best tool for this job, but it does it ok (the best tool is nmap):

nc -v -n -z -w 1 192.168.1.2 1-1000

(UNKNOWN) [192.168.1.2] 445 (microsoft-ds) open
(UNKNOWN) [192.168.1.2] 139 (netbios-ssn) open
(UNKNOWN) [192.168.1.2] 111 (sunrpc) open
(UNKNOWN) [192.168.1.2] 80 (www) open
(UNKNOWN) [192.168.1.2] 25 (smtp) : Connection timed out
(UNKNOWN) [192.168.1.2] 22 (ssh) open
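The scan output above is easy to post-process. As an added example that is not part of the original page, the following Python parses lines in that `nc -v` format (the sample lines are constructed to match the output shown) and summarises the open ports per host, treating a trailing `: Connection timed out` as a port that did not answer:

```python
import re
from collections import defaultdict

# Constructed sample of `nc -v -n -z` output, modelled on the scan shown above
# (constructed for this example, not captured from a real host).
SAMPLE_SCAN = """\
(UNKNOWN) [192.168.1.2] 445 (microsoft-ds) open
(UNKNOWN) [192.168.1.2] 139 (netbios-ssn) open
(UNKNOWN) [192.168.1.2] 111 (sunrpc) open
(UNKNOWN) [192.168.1.2] 80 (www) open
(UNKNOWN) [192.168.1.2] 25 (smtp) : Connection timed out
(UNKNOWN) [192.168.1.2] 22 (ssh) open
"""

# One line per probed port: hostname (UNKNOWN when -n suppresses DNS), [ip],
# port, (service name), then either "open" or ": <error>" for a silent port.
LINE_RE = re.compile(
    r"^\((?P<host>[^)]*)\)\s+\[(?P<ip>[^\]]+)\]\s+(?P<port>\d+)\s+"
    r"\((?P<service>[^)]*)\)\s+(?:(?P<open>open)|:\s*(?P<error>.+))$"
)


def parse_scan(text):
    """Return one dict per output line that matches the nc -v scan format."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banners or unrelated output are skipped, not parsed
        results.append({
            "ip": m.group("ip"),
            "port": int(m.group("port")),
            "service": m.group("service"),
            "open": m.group("open") is not None,
            "error": m.group("error"),  # None for open ports
        })
    return results


def open_ports_by_host(text):
    """Map each scanned IP to its sorted list of open ports."""
    hosts = defaultdict(list)
    for r in parse_scan(text):
        if r["open"]:
            hosts[r["ip"]].append(r["port"])
    return {ip: sorted(ports) for ip, ports in hosts.items()}


if __name__ == "__main__":
    for ip, ports in open_ports_by_host(SAMPLE_SCAN).items():
        print(ip, ports)
```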

The “-n” parameter here prevents DNS lookups, “-z” tells nc not to receive any data from the server, and “-w 1” makes the connection time out after 1 second of inactivity. Another uncommon use is running netcat as a proxy. Both ports and hosts can be redirected. Look at this example:

nc -l -p 12345 | nc www.google.com 80

Port 12345 represents the request

This starts an nc server on port 12345 and forwards every connection to www.google.com port 80. If you connect to that computer on port 12345 and send a request, no data comes back. That is expected: a single pipe only carries data in one direction, so a bidirectional pipe is needed. To get one, an additional pipe and another port are added for the data flowing back.

nc -l -p 12345 | nc www.google.com 80 | nc -l -p 12346

Port 12346 represents the response

Making any process a server:

•	On a computer A with IP 192.168.1.2

nc -l -p 1234 -e /bin/bash

The “-e” option spawns the executable with its input and output redirected via the network socket. Connect to computer A from any other computer on the same network:

nc 192.168.1.2 1234

ls -las

total 4288
4 drwxr-xr-x 15 pkrumins users 4096 2009-02-17 07:47 .
4 drwxr-xr-x  4 pkrumins users 4096 2009-01-18 21:22 ..
8 -rw------- 1 pkrumins users 8192 2009-02-16 19:30 .bash_history
4 -rw-r--r-- 1 pkrumins users 220 2009-01-18 21:04 .bash_logout
...

The consequence is that nc is a popular hacker tool, since it is so easy to create a backdoor on any computer. On a Linux computer you may spawn /bin/bash, and on a Windows computer cmd.exe, to gain total control over it.
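Because the listener-plus-shell pattern above is exactly what defenders look for, here is an added example (not from the original page) of detection logic in Python: it inspects process command lines for nc/ncat invocations that hand a connection to a program via -e (the option the page uses) or ncat's --exec and --sh-exec spellings, and rates a spawned shell highest. The process records, host names and user names are constructed.

```python
import os
import shlex

# Options with which nc/ncat hand an established connection to a program: the
# page's example uses -e, ncat also spells it --exec, and ncat's --sh-exec runs
# its argument through /bin/sh -c (option names as documented for nc and ncat).
EXEC_OPTS = {"-e", "--exec", "--sh-exec"}
NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.traditional"}
SHELLS = {"bash", "sh", "dash", "zsh", "cmd.exe", "powershell.exe"}

# Constructed process-start records (not real logs), one command line each.
SAMPLE_EVENTS = [
    {"host": "srv1", "user": "alice", "cmd": "nc -vzu 192.168.0.1 80-90"},
    {"host": "srv1", "user": "alice", "cmd": "nc -l -p 1234 > backup.iso"},
    {"host": "srv2", "user": "www-data", "cmd": "nc -l -p 1234 -e /bin/bash"},
    {"host": "srv2", "user": "www-data", "cmd": "/usr/bin/ncat --exec=/bin/sh -l 4444"},
    {"host": "srv3", "user": "bob", "cmd": "ncat -e /usr/bin/true 10.0.0.5 80"},
]


def analyze_cmd(cmd):
    """Return None, or a dict describing a netcat invocation that spawns a program."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None  # unbalanced quotes: not a parseable command line
    if not argv or os.path.basename(argv[0]) not in NETCAT_NAMES:
        return None
    spawned, via_sh = None, False
    for i, arg in enumerate(argv):
        opt, _, inline = arg.partition("=")  # handles both "--exec X" and "--exec=X"
        if opt in EXEC_OPTS:
            spawned = inline or (argv[i + 1] if i + 1 < len(argv) else None)
            via_sh = opt == "--sh-exec"
    if not spawned:
        return None
    # A listener that hands its socket to a shell is the backdoor shown above.
    is_shell = via_sh or os.path.basename(spawned).lower() in SHELLS
    return {"spawned": spawned, "listener": "-l" in argv or "--listen" in argv,
            "severity": "high" if is_shell else "medium"}


def find_spawning_netcats(events):
    """Run analyze_cmd over process records and attach host/user to each hit."""
    findings = []
    for ev in events:
        hit = analyze_cmd(ev["cmd"])
        if hit:
            findings.append({"host": ev["host"], "user": ev["user"], **hit})
    return findings
```

Ordinary file transfers and scans (the first two records) produce no finding; only invocations that actually spawn a program are reported.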

Variants
The original version of netcat is a UNIX program. Its author is known as *Hobbit*. He released version 1.1 in March 1996.

Netcat is fully POSIX compatible and there exist several implementations, including a rewrite from scratch known as GNU netcat, which is maintained by Giovanni Giacobbi, and an MS-Windows version of netcat created by Chris Wysopal. Andreas Bischoff has ported the Windows version to Windows CE (now known as Windows Mobile).

On some systems, modified versions or similar utilities go by the command name(s) nc, ncat, pnetcat, socat, sock, socket, sbd.

socat is a more complex cousin of netcat. It is larger and more flexible than netcat, and has more options that must be configured for a given task.

Cryptcat is a version of netcat with integrated transport encryption capabilities.