Everything you need to know about Netcat

Netcat is one of the most commonly used anti-hacking tools. Simply stated, Netcat makes and accepts Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections. That's it! Netcat writes and reads data over those connections until they are closed. It provides a basic TCP/UDP networking subsystem that allows users to interact manually or via script with network applications and services at the application layer. It lets us see raw TCP and UDP data before it gets wrapped in the next-higher layer, such as File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), or Hypertext Transfer Protocol (HTTP).

Technically, Netcat doesn't make UDP connections because UDP is a connectionless protocol. Throughout this chapter, when we refer to making a UDP connection, we're referring to using Netcat in UDP mode to start sending data to a UDP service that might be on the receiving end.

Netcat doesn't do anything fancy. It doesn't have a nice graphical user interface (GUI), and it doesn't output its results in a pretty report. It's rough, raw, and ugly, but because it functions at such a basic level, it lends itself to being useful in a whole slew of situations. Because Netcat alone doesn't necessarily obtain any meaningful results without being used in tandem with other tools and techniques, an inexperienced user might overlook Netcat as nothing more than a glorified telnet client. Others might not be able to see the possibilities through the command-line arguments detailed in the lengthy README file. By the end of this chapter, however, you'll appreciate how Netcat can be one of the most valuable tools in your arsenal.

Implementation
Because it has so many uses, Netcat has often been referred to as a Swiss army knife for TCP/IP and UDP. Before you can learn to use it, though, you need to download and install it.

Download
Netcat can be obtained from many sources, and even though many Unix distributions come with Netcat binaries already installed, it's not a bad idea to obtain the Netcat source code and compile it yourself. By default, the Netcat source doesn't compile in a few options that you might want. By downloading the source and building it yourself, you can control exactly which Netcat capabilities you'll have at your disposal.

The official download site for Netcat for both Unix and Windows platforms is http://www.atstake.com/research/tools/network_utilities/.

Installation
We won't cover the details of downloading, unpacking, and building most of the tools discussed in this book. But because Netcat is the first tool introduced, and because it has some compile-time options that might be of interest to you, it's important that we go into the nitty-gritty details.

Unix users will want to download the file nc110.tgz from the @Stake web site. Next, you need to unpack it:
[root@originix tmp]# ls
nc110.tgz
[root@originix tmp]# mkdir nc
[root@originix tmp]# cd nc
[root@originix nc]# tar zxf ../nc110.tgz
[root@originix nc]#

Unlike most tarballs (archives created with the Unix tar utility), Netcat's doesn't create its own subdirectory. It might seem trivial now, but if all your tarballs and subdirectories have been downloaded into one directory, and you discover that Netcat has placed all its files in the root download directory, it can be a bit of a pain to clean it all up.

Now youre ready to compile. Following are two compile-time options of importance:
GAPING_SECURITY_HOLE – As its name suggests, this option can make Netcat dangerous in the wrong hands, but it also makes Netcat extremely powerful. With this option enabled, an instance of Netcat can spawn off an external program. The input/output (I/O) of that program will flow through the Netcat datapipe. This allows Netcat to behave like a rogue inetd utility, allowing you to execute remote commands (such as starting up a shell) just by making a TCP or UDP connection to the listening port. This option is not enabled by default because there is so much potential for abuse or misconfiguration. Used correctly, however, this option is a critical feature.
TELNET – Normally if you use Netcat to connect to a telnet server (using nc servername 23), you won't get very far. Telnet servers and clients negotiate several options before a login prompt is displayed. By enabling this option, Netcat can respond to these telnet options (by saying no to each one) and allow you to reach a login prompt.

The significance of these options probably isn't apparent to you yet, but you'll see why we bring them up when you take a look at some examples used later in the chapter.

To enable either of these options, you'll need to add a DFLAGS line to the beginning of the makefile, as shown here:
# makefile for netcat, based off same ol' "generic makefile".
# Usually do "make systype" -- if your systype isn't defined, try "generic"
# or something else that most closely matches, see where it goes wrong, fix
# it, and MAIL THE DIFFS back to Hobbit.

### PREDEFINES

# DEFAULTS, possibly overridden by recursive call:
# pick gcc if you'd rather, and/or do -g instead of -O if debugging
# debugging
# DFLAGS = -DTEST -DDEBUG
DFLAGS = -DGAPING_SECURITY_HOLE -DTELNET
CFLAGS = -O
You can include one or both of these options on the DFLAGS line.

If you want to play along with the following examples, you'll need to make this modification. However, before you make changes, make sure that you either own the system you're working on or have completely restricted other users' access to the executable you're about to build. Even though it's easy enough for another user to download a copy of Netcat and build it with these options, you'd probably hate to see your system get hacked because someone used your dangerous Netcat as a backdoor into the system.

Now you're ready to compile. Simply type make systemtype at the prompt, where systemtype is the flavor of Unix that you're running (that is, linux, freebsd, solaris, and so on; see the Makefile for other operating system definitions). When finished, you'll have a happy little "nc" binary file sitting in the directory.

For Windows users, your Netcat download file (nc11nt.zip) also comes with source, but because some people don't have compilers on their Windows systems, a binary has already been compiled with those two options built in by default. So simply unzip the file and you've got your nc.exe ready to go.

Command Line
The basic command line for Netcat is nc [options] host ports, where host is the hostname or IP address to target and ports is either a single port, a port range (specified m-n), or individual ports separated by spaces.

Now you're almost ready to see some of the amazing things you can do with Netcat. First, however, take an in-depth look at each of the command-line options to get a basic understanding of the possibilities:
-d Available on Windows only, this option puts Netcat in stealth mode, allowing it to detach and run separately from the controlling MS-DOS command prompt. It lets Netcat run in listen mode without your having to keep a command window open. It also helps a hacker better conceal an instance of a listening Netcat from system administrators.

-e <command> If Netcat was compiled with the GAPING_SECURITY_HOLE option, a listening Netcat will execute command any time someone makes a connection on the port to which it is listening, while a client Netcat will pipe the I/O to an instance of Netcat listening elsewhere. Using this option is extremely dangerous unless you know exactly what you're doing. It's a quick and easy way of setting up a backdoor shell on a system (examples to follow).

-i <seconds> The delay interval, which is the amount of time Netcat waits between data sends. For example, when piping a file to Netcat, Netcat will wait the specified number of seconds before transmitting the next line of the input. When you're using Netcat to operate on multiple ports on a host, Netcat waits that many seconds before contacting the next port in line. This can allow users to make a data transmission or an attack on a service look less scripted, and it can keep port scans under the radar of some intrusion-detection systems (IDSs) and system administrators.

-g <route-list> Using this option can be tricky. Netcat supports loose source routing (explained later in the section Frame a Friend: IP Spoofing). You can specify up to eight -g options on the command line to force your Netcat traffic to pass through certain IP addresses, which is useful for spoofing the source IP address of your traffic (in an attempt to bypass firewall filters or host allow lists). By source routing through a machine over which you have control, you can force the packets to return to your host address instead of heading for the real destination. Note that this usually won't work, as most routers ignore source routing options and most port filters and firewalls log your attempts.

-G <hop-pointer> This option lets you alter which IP address in your -g route list is currently the next hop. Because IP addresses are 4 bytes in size, this argument will always appear in multiples of four, where 4 refers to the first IP address in the route list, 8 refers to the second address, and so on. This is useful for forging portions of the source routing list to make it look as if it were coming from elsewhere. By putting dummy IP addresses in the first two -g list slots and indicating a hop pointer of 12, the packet will be routed straight to the third IP address in the route list. The actual packet contents, however, will still contain the dummy IP addresses, making it appear as though the packet came from one location when in fact it's from somewhere else. This can help mask the source of the traffic, but any responses will also attempt to reverse route through your forged IP addresses.

-l This option toggles Netcat's listen mode. It must be used in conjunction with the -p option to tell Netcat to bind to whatever TCP port you specify and wait for incoming connections. Add the -u option to use UDP ports instead.

-L This option, available only on the Windows version, is a stronger listen option than -l. It tells Netcat to restart its listen mode with the same command-line options after a connection is closed. This allows Netcat to accept future connections without user intervention, even after your initial connection is complete. Like -l, it requires the -p option.

-n This option tells Netcat not to do any hostname lookups at all. If you use this option on the command line, be sure not to specify any hostnames as arguments.

-o <hexfile> This option performs a hex dump on the data and stores it in hexfile. The command nc -o hexfile records data going in both directions and begins each line with < or > to indicate incoming and outgoing data respectively. To obtain a hex dump of only incoming data, you would use nc -o hexfile.

-p <port> Use this option to specify the local port number Netcat should use. This argument is required when using the -l or -L option. If it's not specified for outgoing connections, Netcat will use whatever port is given to it by the system, just as most other TCP or UDP clients do. Keep in mind that on a Unix box, only root users can specify a port number under 1024.

-r Netcat chooses random local and remote ports. This is useful if you're using Netcat to obtain information on a large range of ports on the system and you want to mix up the order of both the source and destination ports to make it look less like a port scan. When this option is used in conjunction with the -i option and a large enough interval, a port scan has an even better chance of going unnoticed unless a system administrator is carefully scrutinizing the logs.

-s Specifies the source IP address Netcat should use when making its connections. This option allows hackers to do some pretty sneaky tricks. First, it allows them to hide their IP addresses or forge someone else's, but to get any information routed to their spoofed address, they'd need to use the -g source routing option. Second, when in listen mode, many times you can "pre-bind" in front of an already listening service. All TCP and UDP services bind to a port, but not all of them will bind to a specific IP address. Many services listen on all available interfaces by default. Syslog, for example, listens on UDP port 514 for syslog traffic. However, if you run Netcat to listen on port 514 and use -s to specify a source IP address as well, any traffic going to that specified IP will go to the listening Netcat first! Why? If the socket specifies both a port and an IP address, it gets precedence over sockets that haven't bound to a specific IP address.
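The pre-binding precedence described above, shown as an added Python example (not from the chapter) using two UDP sockets on one loopback port: first the scenario in the text, where the service listens on all interfaces and the specifically bound socket receives the datagram, then the mitigation of binding the service to its own address, which makes the second bind fail. It assumes the service socket sets SO_REUSEADDR, which on Linux is what allows a second socket to bind the same port at all; the sample datagram is constructed.

```python
import errno
import select
import socket

# Constructed sample datagram, the kind of line a syslog sender would emit.
SAMPLE = b"<14>Jan  1 00:00:00 host demo: constructed test message"


def _udp_socket(addr, port, reuse):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    if reuse:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((addr, port))
    return s


def who_receives(service_addr, service_reuse):
    """Start a 'service' UDP listener on service_addr (port chosen by the
    kernel), try to pre-bind a second socket to 127.0.0.1 on the same port,
    then send one datagram to 127.0.0.1. Returns 'prebind' or 'service' for
    whichever socket received it, or 'refused' if the pre-bind itself failed
    with EADDRINUSE."""
    service = _udp_socket(service_addr, 0, service_reuse)
    port = service.getsockname()[1]
    try:
        # Same binding as: nc -u -l -p <port> -s 127.0.0.1
        prebind = _udp_socket("127.0.0.1", port, True)
    except OSError as e:
        service.close()
        if e.errno == errno.EADDRINUSE:
            return "refused"
        raise
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(SAMPLE, ("127.0.0.1", port))
        ready, _, _ = select.select([service, prebind], [], [], 2.0)
        if prebind in ready:
            return "prebind"
        return "service" if ready else "none"
    finally:
        for s in (service, prebind, sender):
            s.close()


if __name__ == "__main__":
    # Scenario from the text: wildcard-bound service loses to the pre-binder.
    print("service on 0.0.0.0:  ", who_receives("0.0.0.0", service_reuse=True))
    # Mitigation: service pinned to its address, pre-bind gets EADDRINUSE.
    print("service on 127.0.0.1:", who_receives("127.0.0.1", service_reuse=False))
```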

-t If compiled with the TELNET option, Netcat will be able to handle telnet option negotiation with a telnet server, responding with meaningless information, but allowing you to get to a login prompt.

-u Tells Netcat to use UDP instead of TCP. Works for both client mode and listen mode.

-v Controls how much Netcat tells you about what it's doing. Use no -v, and Netcat will only spit out the data it receives. A single -v will let you know what address it's connecting or binding to and if any problems occur. A second -v will let you know how much data was sent and received at the end of the connection.

-w <seconds> Controls how long Netcat waits before giving up on a connection. It also tells Netcat how long to wait after an EOF (end-of-file) is received on standard input before closing the connection and exiting. This is important if you're sending a command through Netcat to a remote server and are expecting a large amount of data in return (for example, sending an HTTP command to a web server to download a large file).

-z If you care only about finding out which ports are open, you should probably be using nmap. But this option tells Netcat to send only enough data to discover which ports in your specified range actually have something listening on them.


About the Author

Abhinav Kaiser is a certified project manager (PMP) and an expert in IT service management. He has been writing on several blogs for over 6 years and has been a source of inspiration for many budding bloggers. He recently started a blog, Abhinav PMP, and his latest baby in the works needs special mention: Success Mantras.

Comments (8)



  2. mike says:

    Is there a print option for this article?

    Article is great by the way.

  3. Unfortunately I don't... but let me try to put something together real fast...

  4. Printer-friendly feature added...

  5. mike says:

    Print function works great. Thanks

  6. Jim says:

    Hey is it possible to make netcat so that if i were to double click on it that netcat would automatically run -l -p 200 -e (program) without having to type that in after you run netcat?

  7. Luke says:

    Yep! All you have to do is write a batch file. It's very easy, but I won't put a tutorial on here. Just do some googling on how to write batch files; you'll get the idea quickly.

  8. akim says:

    Hi, I did download netcat for my XP Pro; unfortunately it doesn't get recognized as an internal or external command. Is there a reason? What do I do to fix it? On my other XP Home desktop it works fine.
    Thank you, looking forward to your response.
    Akim
