7 Fundamental Use Cases of Netcat
A guide to Netcat — TCP/IP Swiss Army knife
Introduction:
Netcat is regarded as the TCP/IP Swiss Army knife: a command-line utility that is simple yet powerful, reading and writing raw data over Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections. Because it speaks only through its standard input and output, it also serves as a reliable back-end tool for other scripts.
It is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities. — man page
Installation:
Netcat (invoked as nc) can be installed with the command below. The example is for Debian-based operating systems. On recent releases `netcat` is a virtual package provided by both netcat-traditional and netcat-openbsd, so apt asks you to pick one explicitly; the two implementations (and nmap's ncat, which also installs as nc on some systems) accept different options. The examples in this guide use the netcat-traditional flag set (-l -p, -c, -e); check nc -h on your system before copying them.
apt-get install netcat
Use Cases:
There are many use-cases for this tool. In both listener and client mode, Netcat reads its input from STDIN and writes whatever arrives from the network to STDOUT, which is what makes it composable with pipes and redirects in every example below. Bear in mind that it does no encryption or authentication of its own: anything it carries crosses the wire in clear, and a listener serves the first client that shows up. I have typically used Netcat for testing a server, for creating a one-time server that prints a desired response, and as a temporary chat application. Apart from this, there are several other use-cases. Below is a list of typical scenarios for using this tool:
- Port Scanning
- Data Transfer
- One-shot server
- Temporary Chat server
- Troubleshooting a server
- Netcat Relays
- Executing a script after connection
1) Port Scanning:
Netcat can check from your local machine whether a TCP port on a server is open, that is, whether it accepts a connection. The -z option selects zero-I/O mode: Netcat completes the connection and closes it again without sending any data, so nothing is written to the service. The -n option skips DNS lookups, and -v is needed to see the result; without it netcat-traditional prints nothing and the outcome is only visible in the exit status (0 when the connection succeeded). Netcat also accepts a range of ports, for example 8080-8090. Note that this is a full TCP handshake, not a SYN scan, so the target's service sees and logs a real connection.
# nc -zvn <test_ip_address> <port/s or port-range>
$ nc -zvn 192.168.1.148 8080
(UNKNOWN) [192.168.1.148] 8080 (?) open
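As an added example (not from the original article), the script below scans a range of ports one at a time and decides open/closed from nc's exit status rather than from its printed text, which differs between netcat-traditional, netcat-openbsd and ncat. It assumes nc is on PATH and accepts -z, -n and -w; host and port values are placeholders.

```sh
# Added example: per-port scan in zero-I/O mode, reporting by exit status.
# nc's exit status is 0 on a completed connection in netcat-traditional,
# netcat-openbsd and ncat alike, so it is the portable thing to test.
# Every probe is a full TCP handshake; the target's service logs will show it.

# is_open HOST PORT -> prints "open" or "closed"
is_open() {
    # -z: connect, then close without sending data
    # -n: numeric address only, no DNS lookup
    # -w 1: give up after one second so a filtered (silently dropped) port cannot stall us
    if nc -z -n -w 1 "$1" "$2" >/dev/null 2>&1; then
        echo open
    else
        echo closed
    fi
}

# scan_range HOST FIRST LAST -> prints each open port in the range on its own line
scan_range() {
    host="$1"
    port="$2"
    while [ "$port" -le "$3" ]; do
        # nc accepts a range itself (e.g. 8080-8090), but then its exit status
        # no longer says anything about individual ports, hence this loop
        if [ "$(is_open "$host" "$port")" = open ]; then
            echo "$port"
        fi
        port=$((port + 1))
    done
}

# Usage (placeholder address): scan_range 192.168.1.148 8080 8090
```

Because each probe is its own nc process, a range of a few hundred ports takes a while; the -w timeout keeps a firewall that drops packets from turning that into minutes per port.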
2) Data Transfer:
Netcat can move a file between two hosts. On the receiving host, pick a port that is reachable from the sender and start a listener with its output redirected into the destination file:
nc -l -p 2002 > file.txt
On the sending host, connect to the receiver on that port and feed the file on standard input:
nc receiver_host.com 2002 < file.txt
The host listening (-l) is the receiving end (server); the Netcat client sends by reading from the file. Two things to keep in mind: nothing here is encrypted or authenticated, so whoever connects to port 2002 first writes the file, and Netcat has no notion of where the file ends. Some builds keep the connection open after standard input reaches EOF, leaving both sides hanging; add -q 1 (netcat-traditional and Debian's netcat-openbsd) or -N (OpenBSD netcat) to the sender so it closes once the file has been sent, and compare a checksum such as sha256sum file.txt on both sides afterwards.
3) One-shot server:
Netcat can stand in as a server that returns a canned response. This is useful in end-to-end testing when you need something listening that looks like the real server but do not intend to hit the actual one. The -l option listens on port 8080 for inbound connections; each client receives a status line, the headers, a blank line and the output of test.sh, after which the loop starts a fresh listener for the next client. Builds that keep the socket open after standard input ends need -q 1 (Debian) or -N (OpenBSD) added to the nc command, or the client waits until it times out.
while true; do { printf 'HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n'; sh test.sh; } | nc -l -p 8080; done
# test.sh
echo "Output of test Netcat server"
You can hit the test server created through Netcat either through a web browser or using a curl command.
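The loop above answers without a Content-Length header, so the client only knows the body is complete when the connection closes. The added example below (not part of the original article) builds a complete HTTP/1.1 response, with Content-Length computed from the body, and serves it with nc; the port and body are placeholders and nc is assumed to accept -l -p.

```sh
# Added example: a well-formed one-shot HTTP response served with nc.
# http_response prints status line, headers and body with CRLF line endings.

# http_response BODY -> complete HTTP/1.1 200 response on stdout
http_response() {
    body="$1"
    # Content-Length counts bytes, including the newline appended to the body
    len=$(printf '%s\n' "$body" | wc -c | tr -d ' ')
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Content-Type: text/plain\r\n'
    printf 'Content-Length: %s\r\n' "$len"
    printf 'Connection: close\r\n'   # tells the client not to wait for a second response
    printf '\r\n'
    printf '%s\n' "$body"
}

# serve_once PORT BODY -> answer exactly one connection, then return
serve_once() {
    http_response "$2" | nc -l -p "$1"
}

# serve_forever PORT BODY -> one client at a time, until interrupted
serve_forever() {
    while true; do
        serve_once "$1" "$2"
    done
}

# Usage: serve_forever 8080 "Output of test Netcat server"
# then, from another shell: curl -i http://localhost:8080/
```

With Content-Length and Connection: close present, curl and browsers close the connection as soon as the body has arrived, which in turn ends the nc process and lets the loop accept the next client.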
4) Temporary Chat Server:
This is one of the most interesting use-cases of Netcat! You could create a simple command-line messaging service with Netcat. Run the command below to set up a chat server on a port of choice. Make sure that the port selected is not blocked by any firewall rules.
# host_1
nc -l -v -p 2000
On the other system, run the command below to connect to the chat server.
# host_2
nc <ip_address_host_1> 2000
If you are interested in making cosmetic improvements to the chat server, here is an interesting read.
5) Troubleshooting a Server:
Netcat can be used as an alternative to the curl command for troubleshooting server-related issues, whether the server hosts an API endpoint or a web page. In this case Netcat is performing an HTTP GET request: the request bytes are written to its standard input and the raw response comes back on standard output, headers included.
When making requests with HTTP/1.1, the Host header must be present; a compliant server answers 400 Bad Request without it. Its value is what a virtual-hosted server uses to pick the site, so use the real hostname rather than a random string. HTTP/1.1 connections are also kept alive by default, so add Connection: close or Netcat may sit waiting after the response has arrived.
printf "GET /index.html HTTP/1.1\r\nUser-Agent: netcat/0.0.1\r\nHost: <Server_IP_Address>\r\nAccept: */*\r\nConnection: close\r\n\r\n" | nc <Server_IP_Address> 80
When using HTTP/1.0, the headers required are minimal and the server closes the connection after responding.
printf "GET / HTTP/1.0\r\n\r\n" | nc <Server_IP_Address> 80
To know more about how Curl handles this use-case, and to know more about Curl in general, you can refer to the article below.
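To turn the request above into a check that can be scripted, the added example below (not from the original article) builds the request bytes in one function and extracts the status code from the reply in another, so the parsing can be exercised on a constructed response without a server. The host, port and path are placeholders; nc is assumed to accept -w.

```sh
# Added example: HTTP GET over nc with the status code pulled out of the reply.

# http_request HOST PATH -> the raw HTTP/1.1 request bytes with CRLF line endings
http_request() {
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: netcat-probe\r\nAccept: */*\r\nConnection: close\r\n\r\n' "$2" "$1"
}

# http_status (response on stdin) -> the status code from the first line, or nothing
http_status() {
    # the status line looks like "HTTP/1.1 404 Not Found"; strip the CR first
    head -n 1 | tr -d '\r' | awk '$1 ~ /^HTTP\// { print $2 }'
}

# probe HOST PORT PATH -> the status code the server answered with, or "none"
probe() {
    # -w 5 bounds the connect and the final read so a dead host does not hang the check
    code=$(http_request "$1" "$3" | nc -w 5 "$1" "$2" 2>/dev/null | http_status)
    if [ -n "$code" ]; then
        echo "$code"
    else
        echo none
    fi
}

# Usage (placeholder host): probe 192.0.2.10 80 /index.html
```

Anything that is not an HTTP status line, for example a TLS alert from an HTTPS port or a banner from some other service, yields "none", which is itself a useful diagnostic when a port is not what you expected.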
6) Netcat Relays:
Netcat can relay traffic between a port on one machine and a port on another: a connection on one side is bridged to a connection on the other, in both directions. Three types of relay can be established.
- Listener-to-Listener Relay
- Listener-to-Client Relay
- Client-to-Client relay
A Netcat relay is two Netcat processes joined in both directions. A shell pipe carries data one way (the first Netcat's output into the second's input); a named pipe (FIFO) carries it back, with tee copying the second Netcat's output into the FIFO and the first Netcat reading the FIFO as its standard input. Create the named pipe once:
# Creating a named pipe (mknod mypipe p is equivalent on Linux)
mkfifo mypipe
Listener-to-Listener Relay: two listeners on the local host, here ports 2222 and 443, are joined so that whatever arrives on one connection is forwarded to the other. Both parties connect in to the relay host, which is useful when neither of them can reach the other directly.
# Listener-to-Listener Relay
nc -l -p 2222 0<mypipe | nc -l -p 443 | tee mypipe
Listener-to-Client Relay: connections accepted on local port 8080 are forwarded to my_test_host.com on port 80, and the replies travel back through the pipe.
# Listener to Client Relay
nc -l -p 8080 0<mypipe | nc my_test_host.com 80 | tee mypipe
Client-to-Client Relay: Netcat connects out to host_1 on port_1 and to host_2 on port_2 and bridges the two sessions.
# Client to Client Relay
nc host_1 port_1 0<mypipe | nc host_2 port_2 | tee mypipe
Since tee also writes to its standard output, the return traffic is echoed to the terminal; redirect it to a file if you want a transcript of that direction. Each relay serves a single session: once either side closes, both Netcat processes exit and the command must be rerun.
This relay setup is sometimes used by an attacker as a pivot: the target sees the attack coming from the relay host, while that host is merely forwarding and the real source is somewhere else. A host that both accepts and initiates unexplained connections at the same time is worth a closer look for exactly this reason.
7) Executing a script after Connection:
Netcat has two options for running a program once a connection is established. The -c option takes a shell command string and runs it as /bin/sh -c <parameters>; the -e option takes the path of a program or script to execute directly. In both cases the connected socket becomes the program's standard input and output, so whoever connects gets to talk to it. The options work in listen mode and in client mode alike (nc <host> <port> -e /bin/sh connects out and hands the remote end a shell), which is why many builds leave them out: netcat-traditional only has them when compiled with GAPING_SECURITY_HOLE, netcat-openbsd does not have them at all, and nmap's ncat provides them as --exec and --sh-exec. In listen mode anyone who can reach the port runs the command, so bind the listener to a specific address with -s and restrict the port with a firewall.
# running a shell command
nc -l -p <port_number> -c 'echo $(pwd)'
# running a script
nc -l -p <port_number> -e '/usr/local/bin/my_script'
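What this section sets up is, from a defender's point of view, a bind shell (or, in client mode, a reverse shell), and it is worth knowing how to spot one on a host. The added example below (not from the original article) reads "pid command" lines in the shape of ps -eo pid,args --no-headers and prints the ones where nc, netcat or ncat was started with -e, -c, --exec or --sh-exec; the sample process lines are constructed for the example.

```sh
# Added example: find netcat processes that were started with an exec option.

# find_nc_exec (ps lines on stdin) -> the lines that start a netcat with -e/-c/--exec/--sh-exec
find_nc_exec() {
    awk '
        # $1 is the pid, $2 the executable; drop any directory prefix
        { cmd = $2; sub(/.*\//, "", cmd) }
        cmd ~ /^(nc|netcat|ncat|nc\.traditional|nc\.openbsd)$/ {
            for (i = 3; i <= NF; i++) {
                # plain -e / -c, the ncat long forms, and -e/-c folded into a
                # combined flag group such as -lve
                if ($i == "-e" || $i == "-c" || $i == "--exec" || $i == "--sh-exec" ||
                    $i ~ /^-[a-zA-Z]*[ec][a-zA-Z]*$/) {
                    print
                    break
                }
            }
        }'
}

# Constructed sample of ps output: two bind shells, one ncat exec, one plain
# scan, and a shell whose argument merely mentions nc (must not match).
sample_ps='  812 /usr/bin/nc -l -p 4444 -e /bin/sh
  813 nc -zv 10.0.0.5 22
  902 /usr/bin/ncat --sh-exec "/bin/bash -i" -l 5555
 1044 bash -c nc 10.0.0.9 4444
 1100 nc.traditional -lve /bin/sh -p 4444'

# Usage on a live system: ps -eo pid,args --no-headers | find_nc_exec
# On the constructed sample, pids 812, 902 and 1100 are reported.
```

The check keys on the executable name, so a renamed binary slips past it; treat it as a quick triage step and corroborate with the listening sockets (ss -ltnp) and the parent process of anything it flags.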
Final Words:
That’s my take on some interesting Netcat Use-cases. I hope you enjoyed this article as much as I enjoyed writing it!