NetCat Tutorial
Day 1
The basics

This tutorial is aimed at Windows users who are also new to NetCat.
nc comes 'stock' with most newer *nix systems, documentation included, but not with Microsoft operating systems, and it has been available to Linux users much longer than the Windows port has. Besides, I know Windows better.

NetCat for Windows systems can be downloaded here:

http://www.atstake.com/research/tools.html

netcat comes with its source code, so you can pick which options get compiled in. The options discussed here are compiled into the Windows build linked above.

In the words of its creator, Hobbit, it is the "Swiss Army knife" of network utilities.

With nc (NetCat) you have:

A TCP/IP client and server
Port Scanner
Firewall checker
Remote Shell
CGI vulnerability tester
An IDS tool
Telnet client/server
It will even run scripts
The limits are your imagination

****If you want to run both sides, client and server, on your own machine, do an ipconfig and use your own IP address to connect to the server on that port, or just use the loop-back address, 127.0.0.1, and the port number. Both work.****

Its most basic use is as a client/server pair, and it couldn't be easier to set up.

At a command prompt enter:

nc -l -p 1234        [nc <options> <port number>] that's it!
(NetCat, Listen on Port 1234)
It is now waiting for a connection on port 1234.

The -l means listen. With this option the nc server closes after the first connection is finished. If you want the server to accept future incoming connections and not end after one, use -L instead (Windows build only), for listen and listen again:
nc -L -p 1234

On another machine go to a command prompt and enter:

[nc <the remote machine's IP / hostname> 1234]
nc xxx.xxx.xxx.xxx 1234
nc someurl.com 1234

You now have a network 'pipeline' between these two computers. With it you can pipe ('|') data back and forth, and redirect files into and out of it with '<' and '>'.

(Note that on the client side -p is omitted and the port number goes at the end of the command. -p declares a local port; a remote port goes after the IP address or hostname.)

The basic configuration by itself isn't all that useful. You can use it for one-on-one chat, where anything typed on one side is echoed on the other, or to transfer a file or the contents of a directory. No network login is required to do this, which is either good or bad depending on which side of it you are on.

pkzip c:\oproject\myproj.zip *.*
nc NCserveraddress 1234 < c:\oproject\myproj.zip
or
type some.txt | nc theotherbox 1234

On the receiving side NetCat must already be running, like this:
nc -l -p 1234 > myproj.zip
pkunzip myproj.zip c:\backup
or
nc -L -p 1234 >> c:\some.txt
I use '>>' here to append to the file in case you want to send more than one text file.

(pkzip writes straight to the .zip, not to its standard output, so zip first and then feed the finished file to nc with '<'. Two more things nc will not do for you: it has no end-of-file marker, so the receiving side writes until the sender closes the connection. Give the sender -w 3 so it exits a few seconds after the data stops, or Ctrl-C it when the transfer is done. And nothing checks the transfer, so compare file sizes or checksums afterwards.)
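The transfer above, rebuilt as an added example so both ends can be run on one machine. This is Python I wrote for this page, not code from the tutorial or from netcat: receive_file() plays the `nc -l -p PORT > file` side, send_file() plays `nc HOST PORT < file`, and the loopback address and ephemeral port are just so it runs anywhere. It makes explicit the two things nc leaves to you: the receiver only knows the file is complete when the sender closes its side, and nothing checks integrity, so both copies are hashed.

```python
"""Added example (Python, not from the tutorial and not netcat's code):
the nc file-transfer pipeline rebuilt with plain sockets so both ends
run on one machine (127.0.0.1, ephemeral port).
  receiver:  nc -l -p PORT > file     ->  receive_file()
  sender:    nc HOST PORT < file      ->  send_file()
"""
import hashlib
import socket
import threading


def receive_file(listener: socket.socket) -> bytes:
    """The `nc -l -p PORT > file` side: accept one connection and read
    until the peer closes, which is the only end-of-file signal nc has."""
    conn, _peer = listener.accept()
    chunks = []
    with conn:
        while True:
            data = conn.recv(8192)
            if not data:              # b'' means the sender closed
                break
            chunks.append(data)
    return b"".join(chunks)


def send_file(host: str, port: int, payload: bytes) -> None:
    """The `nc HOST PORT < file` side. shutdown(SHUT_WR) is the explicit
    'I am done sending' that lets the receiver finish; with nc you get
    the same effect from -w (exit after the data stops) or Ctrl-C."""
    with socket.create_connection((host, port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)


def transfer(payload: bytes) -> dict:
    """Run receiver and sender on loopback; return the numbers an
    operator should compare after an nc transfer."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free one
    listener.listen(1)
    port = listener.getsockname()[1]

    received = {}
    server = threading.Thread(
        target=lambda: received.setdefault("data", receive_file(listener)))
    server.start()
    send_file("127.0.0.1", port, payload)
    server.join()
    listener.close()

    got = received["data"]
    sent_hash = hashlib.sha256(payload).hexdigest()
    got_hash = hashlib.sha256(got).hexdigest()
    return {
        "sent_bytes": len(payload),
        "received_bytes": len(got),
        "sent_sha256": sent_hash,
        "received_sha256": got_hash,
        "intact": sent_hash == got_hash,
    }


if __name__ == "__main__":
    # Constructed stand-in for myproj.zip: 200 KB of non-text bytes.
    sample = bytes(range(256)) * 800
    print(transfer(sample))
```

The shutdown call is the part worth noticing: without some signal that the sender is finished, the receiving side sits in recv() forever, which is exactly what a plain `nc -l -p 1234 > file` does until the other end goes away.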

Fortunately, there are options that greatly increase netcat's usefulness. The most popular is -e, 'execute': if an nc server is started with this option, the named program is run whenever a client connects, with its input and output wired to the connection.
Interestingly, the program can also be a batch file.
So, if you do:
nc -L -p 1234 -e cmd.exe
you can connect to that machine from any other machine using its IP address and port number (with any client, even telnet) and get a command prompt on it. When your session is complete and you disconnect, nc restarts with the same options.
Be clear about what this is: an unauthenticated remote shell, running with the rights of whoever started nc, for anyone who can reach that port. Use it only on machines you are responsible for, bind it to one interface with -s, and don't leave it running.

As a port blocker:

If you have port 139 open (or any other port with a service behind it) you can intercept connections that would have gone to file sharing and instead send a message to whoever connects:
nc -L -s xxx.xxx.xxx.xxx -p 139 -e warning.bat

warning.bat:
@echo off
call netstat -n
echo Now get the hell out of here lamer!
call netstat -n >> nclog.txt

When someone telnets to your port 139 they see a netstat listing that includes their own connection and a message telling them to beat it, you keep a record in nclog.txt, and their connection is closed when the batch file (or other executable) exits.

To catch the connection before NetBIOS gets it, you must anchor nc to that interface and port with -s and -p: -s with the IP assigned to that interface and -p 139. Windows gives a socket bound to a specific address precedence over one bound to all addresses, which is what lets nc get in front of the service. If NetBIOS were not enabled, -s would not be necessary unless you had two interfaces (multi-homed). Treat this as a trick rather than a control: disabling the service or filtering the port is the real fix.
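The same idea as a small listener you can try on 127.0.0.1 without touching port 139. This is an added example in Python, written for this page rather than taken from the tutorial: per connection it does what warning.bat does (shows the client its own connection row, prints the warning, appends a log record, hangs up) and keeps accepting like -L. The one deliberate difference is that the log record is built from the socket's peer address, which the client cannot forge, instead of from netstat output. The banner text and log format are my choices.

```python
"""Added example (Python, not from the tutorial): the port-blocker idea
behind `nc -L -s <ip> -p 139 -e warning.bat` as a listener that can be
exercised on 127.0.0.1 and an ephemeral port instead of 139.
"""
import datetime
import socket
import threading

WARNING = b"Now get the hell out of here lamer!\r\n"


def handle_connection(conn: socket.socket, log: list) -> str:
    """Serve one client the way warning.bat does, then close it.
    Returns the log line that was appended."""
    peer_ip, peer_port = conn.getpeername()[:2]
    local_ip, local_port = conn.getsockname()[:2]
    stamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Equivalent of `call netstat -n`: the client's own connection row.
    netstat_row = (f"  TCP    {local_ip}:{local_port}    "
                   f"{peer_ip}:{peer_port}    ESTABLISHED\r\n").encode()
    try:
        conn.sendall(netstat_row + WARNING)
    finally:
        conn.close()   # the batch file exiting is what drops the client
    line = f"{stamp} {peer_ip}:{peer_port} -> {local_ip}:{local_port}"
    log.append(line)   # stands in for `>> nclog.txt`
    return line


def serve(listener: socket.socket, connections: int, log: list) -> None:
    """The -L behaviour: keep accepting, one client after another."""
    for _ in range(connections):
        conn, _ = listener.accept()
        handle_connection(conn, log)


def demo(connections: int = 2) -> dict:
    """Bind like `-s 127.0.0.1` on an ephemeral port, take `connections`
    clients, return what each client saw and what was logged."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # -s: one specific interface
    listener.listen(5)
    port = listener.getsockname()[1]
    log: list = []
    t = threading.Thread(target=serve, args=(listener, connections, log))
    t.start()

    seen = []
    for _ in range(connections):
        with socket.create_connection(("127.0.0.1", port)) as client:
            data = b""
            while chunk := client.recv(4096):
                data += chunk
            seen.append(data)
    t.join()
    listener.close()
    return {"port": port, "client_saw": seen, "log": log}


if __name__ == "__main__":
    for line in demo(3)["log"]:
        print(line)
```

Each client reads until the server closes, which is the same thing a telnet user sees when the batch file ends: the listing, the message, then a dropped connection.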

Even more aggressive strategies can be used on, say, well-known Trojan ports. It's up to your imagination and the law.

A hex dump of everything sent in both directions can be kept with the -o option, followed by the file to dump to:
nc -L -o nclog.txt -p 1234

(In the log file, lines of outgoing data start with '>', inbound with '<'. Each line carries the byte offset, the bytes in hex and an ASCII column, so binary traffic stays readable.)
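To make the log format concrete, here is an added example (Python, written for this page, not netcat's own code) that writes a two-direction hex log using the convention just described and reads one back into the raw byte streams. The exact column spacing of the real nc log is my approximation, not copied from the tool; what matters is the structure: a separate byte offset per direction, 16 bytes a row, an ASCII column, and the fact that a banner or a transferred file can be recovered from nclog.txt. The sample SMTP exchange is constructed.

```python
"""Added example (Python, not netcat's code): writer and reader for a
two-direction hex log in the style of `nc -o nclog.txt`.
'>' marks outgoing data, '<' incoming, as the tutorial describes.
Column layout is an approximation of the real log, not copied from nc.
"""


def hexdump_lines(direction: str, data: bytes, offset: int = 0) -> list:
    """Format one chunk as rows of 16 bytes:
    direction, 8-hex-digit offset, hex bytes, '#', printable ASCII."""
    if direction not in ("<", ">"):
        raise ValueError("direction must be '<' (inbound) or '>' (outbound)")
    rows = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        hex_col = " ".join(f"{b:02x}" for b in chunk).ljust(47)
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{direction} {offset + i:08x} {hex_col} # {ascii_col}")
    return rows


class TrafficLog:
    """Accumulates a session. Offsets are kept per direction, so the
    outbound and inbound streams each count from zero."""

    def __init__(self) -> None:
        self.offsets = {"<": 0, ">": 0}
        self.lines: list = []

    def record(self, direction: str, data: bytes) -> None:
        self.lines.extend(hexdump_lines(direction, data, self.offsets[direction]))
        self.offsets[direction] += len(data)

    def text(self) -> str:
        return "\n".join(self.lines) + "\n"


def parse_log(text: str) -> dict:
    """Rebuild the two raw byte streams from a saved log. This is how a
    banner or a transferred file is recovered from an nclog.txt."""
    streams = {"<": bytearray(), ">": bytearray()}
    for line in text.splitlines():
        if len(line) < 11 or line[0] not in streams:
            continue
        hex_col = line[11:58]            # 47 chars: 16 bytes of 'xx '
        streams[line[0]].extend(int(h, 16) for h in hex_col.split())
    return {d: bytes(b) for d, b in streams.items()}


def sample_session() -> TrafficLog:
    """Constructed exchange: `echo quit | nc host 25` against an SMTP
    banner. Not a real capture."""
    log = TrafficLog()
    log.record("<", b"220 mail.example.test ESMTP ready\r\n")
    log.record(">", b"quit\r\n")
    log.record("<", b"221 bye\r\n")
    return log


if __name__ == "__main__":
    print(sample_session().text())
```

Because the offsets are per direction, the second inbound record above starts at offset 0x23 (35 bytes after the banner), while the outbound quit starts at 0: when reading a real log, follow one prefix character at a time rather than reading top to bottom.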

With the -d option nc detaches from the console and runs in the background without showing on the taskbar (Windows build only).
nc -L -d -o nclog -p 1234
nc -L -d -p 1234 -e warning.bat

Using the -z option you can use nc as a port scanner:
nc -v -z xxx.xxx.xxx.xxx 1-1024 5000-6000
nc -v -v -z someurl.com 1-1024 5000-6000

This can be combined with the -r and -w options to make the scan less regular.
With -r each probe comes from a different random local port and the target ports are tried in random order.
-w sets the timeout in seconds for connects and final reads. There is no timeout unless you set one; nc waits as long as the operating system does.

nc does a full forward and reverse DNS lookup unless the -n option (numeric IP only) is given. Use -n with IP addresses to save time, and to avoid announcing every probe to the DNS server.

-z tells netcat to attempt a connection but send no data, on all ports listed. Ports can be given as a range (10-200) or a space-separated list (20 21 25 80 110).
-v is verbose, for debugging info. Given once, only successful connections (open ports) are reported; given twice (-v -v) every attempt is reported, refused ones included.
Service names can be used instead of port numbers, but numbers are so much easier that I'm not even getting into that.

Another way to get information on a server is to pipe the quit command through nc:
echo quit | nc -v xxx.xxx.xxx.xxx 1-1024
Many services answer a new connection with a banner giving the service name and version, and sending quit makes most of them close the connection so nc moves on to the next port. (This is one of the methods SATAN employs.)
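The -z scan and the quit banner grab, as one added example. This is Python written for this page, not netcat's code and not from the tutorial; it runs a small connect scanner against a constructed fake service on 127.0.0.1 so it works offline. The parameter names map onto the switches discussed: payload=None is -z (connect, send nothing), timeout is -w, randomize is -r, and verbose=1 versus 2 is the difference between -v (open ports only) and -v -v (every port, refused ones too). The SMTP banner is made up.

```python
"""Added example (Python, not from the tutorial and not netcat's code):
a connect scan like `nc -v -z host 1-1024` plus the
`echo quit | nc -v host 1-1024` banner grab, against a fake service.
  payload=None   -> -z    timeout= -> -w    randomize=True -> -r
  verbose=1 / 2  -> -v (open only) / -v -v (every port)
"""
import random
import socket
import threading


def probe_port(host: str, port: int, payload: bytes = None, timeout: float = 1.0):
    """Connect to one port. Returns (state, banner) where state is
    'open', 'closed' (refused) or 'filtered' (no answer in time)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if payload is not None:          # the piped `quit`
                s.sendall(payload)
            try:
                banner = s.recv(256)         # whatever the service says first
            except socket.timeout:
                banner = b""
            return "open", banner
    except ConnectionRefusedError:
        return "closed", None
    except (socket.timeout, OSError):
        return "filtered", None


def scan(host, ports, payload=None, timeout=1.0, randomize=False, verbose=1) -> dict:
    """Scan `ports`; return {port: (state, banner)}. With verbose=1 only
    open ports are kept, as a single -v does; verbose>=2 keeps all."""
    ports = list(ports)
    if randomize:                            # -r: random target order
        random.shuffle(ports)
    results = {}
    for port in ports:
        state, banner = probe_port(host, port, payload, timeout)
        if state == "open" or verbose >= 2:
            results[port] = (state, banner)
    return results


def fake_service(banner: bytes, expected_clients: int):
    """Constructed target: greets each client with `banner`, swallows
    whatever it sends, serves `expected_clients` connections, then stops."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def run():
        for _ in range(expected_clients):
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)
                conn.settimeout(0.5)
                try:
                    conn.recv(64)
                except socket.timeout:
                    pass
        srv.close()

    t = threading.Thread(target=run)
    t.start()
    return t, srv.getsockname()[1]


def demo() -> dict:
    """Run a -z style scan and a quit banner grab against one open and
    one (very probably) closed loopback port."""
    banner = b"220 mail.example.test ESMTP ready\r\n"      # constructed
    thread, open_port = fake_service(banner, expected_clients=2)
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]                      # grab a number...
    tmp.close()                                             # ...then free it
    ports = [closed_port, open_port]
    z_scan = scan("127.0.0.1", ports, payload=None, timeout=0.5, randomize=True)
    quit_scan = scan("127.0.0.1", ports, payload=b"quit\r\n", timeout=0.5, verbose=2)
    thread.join()
    return {"open_port": open_port, "closed_port": closed_port,
            "z_scan": z_scan, "quit_scan": quit_scan}


if __name__ == "__main__":
    print(demo())
```

Note what the two runs return: the single -v style result only contains the open port, while the -v -v style result lists the closed port as well, and only the run that sent quit shows how the service reacts to input.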

This should be enough to keep netcat newbies happy and busy for a while.

In day 2, I'll cover more advanced topics such as scripts, CGI scans and more.

Thanks for reading this far