Tool: nc / netcat

How to use nc?

Let’s start with a few very simple examples and build up on those.

If you remember, I said that netcat was a Swiss Army knife. What would a Swiss Army knife be if it also wasn’t a regular knife, right? That’s why netcat can be used as a replacement of telnet:

It’s actually much more handy than the regular telnet because you can terminate the connection at any time with ctrl+c, and it handles binary data as regular data (no escape codes, nothing).

You may add “-v” parameter for more verboseness, and two -v’s (-vv) to get statistics of how many bytes were transmitted during the connection.

Netcat can also be used as a server itself. If you start it as following, it will listen on port 12345 (on all interfaces):

If you now connect to port 12345 on that host, everything you type will be sent to the other party, which leads us to using netcat as a chat server. Start the server on one computer:

And connect to it from another:

Now both parties can chat!

Talking of which, the chat can be turned to make two processes talk to each other, thus making nc do I/O over network! For example, you can send the whole directory from one computer to another by piping tar to nc on the first computer, and redirecting output to another tar process on the second.

Suppose you want to send files in /data from computer A with IP to computer B (with any IP). It’s as simple as this:

Don’t forget to combine the pipeline with [4] pipe viewer from previous article in this series to get statistics on how fast the transfer is going!

A single file can be sent even easier:

You may even copy and restore the whole disk with nc:

Note: It turns out that “-l” can’t be used together with “-p” on a Mac! The solution is to replace “-l -p 6666″ with just “-l 6666″. Like this:

An uncommon use of netcat is port scanning. Netcat is not the best tool for this job, but it does it ok (the best tool is [5] nmap):

The “-n” parameter here prevents DNS lookup, “-z” makes nc not to receive any data from the server, and “-w 1″ makes the connection timeout after 1 second of inactivity.

Another uncommon behavior is using netcat as a proxy. Both ports and hosts can be redirected. Look at this example:

This starts a nc server on port 12345 and all the connections get redirected to If you now connect to that computer on port 12345 and do a request, you will find that no data gets sent back. That’s correct, because we did not set up a bidirectional pipe. If you add another pipe, you can get the data back on another port:

After you have sent the request on port 12345, connect on port 12346 to get the data.

Probably the most powerful netcat’s feature is making any process a server:

The “-e” option spawns the executable with it’s input and output redirected via network socket. If you now connect to the host on port 12345, you may use bash:

The consequences are that nc is a popular hacker tool as it is so easy to create a backdoor on any computer. On a Linux computer you may spawn /bin/bash and on a Windows computer cmd.exe to have total control over it.

That’s everything I can think of. Do you know any other netcat uses that I did not include?

How to install nc?

If you’re on Debian or Debian based system such as Ubuntu do the following:

If you’re on Fedora or Fedora based system such as CentOS do:

If you’re on Slackware, FreeBSD, NetBSD, Solaris or Mac, download the [6] source code of nc and just:

Another way to do it on Mac, if you have [7] MacPorts is:

On Slackware you can actually install it as a package from n/ package directory:

If you’re on Windows, download the Windoze port of it from [8] securityfocus.

The manual of the utility can be found here [9] man nc.

Have fun netcatting, and until next time!

via: catonmat

Leave a Reply

Your email address will not be published. Required fields are marked *