This week, I thought I would take a look at netcat—this wonderful little tool is a networking utility, often installed by default on many Linux/BSD systems, and its many uses are often overlooked by netadmins. Netcat is derived from cat; it works at the network level, dealing with TCP and UDP ports rather than files. So what can we do with netcat? Actually, we can do quite a lot!

First, let’s start with the basic stuff: typing on one computer and receiving the text on another. On the listening host (hosta):

hosta# nc -l 1212

This means netcat will listen on port 1212. Now on the sending host (hostb), we want to connect to our listening host (here 10.1.1.1) on port 1212:

hostb# nc 10.1.1.1 1212

You will now see that any text typed on hostb followed by a return will be displayed on hosta. That’s quite basic, and you may not see the practicality thus far; however, remember that like all good Unix tools, netcat performs a simple function well and can be strung together with other such tools to perform much more complex tasks. How about redirecting text to the listening instance:

hosta# nc -l 1212

On hostb:

hostb# ps aux | nc 10.1.1.1 1212

And on hosta we will see the output:

USER       PID %CPU %MEM  VSZ  RSS TT  STAT STARTED    TIME COMMAND
root         1  0.0  0.0  412  248 ??  Is   17Jul06 0:01.63 /sbin/init
root      1541  0.0  0.1  124  468 ??  Is   17Jul06 0:00.49 syslogd: [priv] (syslogd)
_syslogd 19818  0.0  0.1  148  484 ??  S    17Jul06 2:49.97 syslogd -a /var/named/dev/log -a /var/empty/dev/log
root     13002  0.0  0.1  380  328 ??  Is   17Jul06 0:00.04 pflogd: [priv] (pflogd)
_pflogd  12469  0.0  0.1  432  280 ??  S    17Jul06 1:25.39 pflogd: [running] -s 116 -f /var/log/pflog (pflogd)

That’s more useful, isn’t it? You’ll notice that the listening process quits once it has received the output of our ps aux command from hostb. In order to make netcat continue listening after the initial connection has been dropped, the -k switch should be used in conjunction with the -l switch:

hosta# nc -lk 1212

I recently used netcat combined with dd to remotely dump an image of a server’s hard disk (booting up with a Linux LiveCD containing dd and netcat). On the machine listening and saving the disk image:

# nc -l 1212 | dd of=/imagefile.dd

And on the machine sending the disk image:

# dd if=/dev/sda | nc 10.1.1.1 1212

This may not be the cleanest or most efficient method of transfer, but it is very effective. Passing output from a process on one machine to a process on another machine opens up a lot of possibilities. File transfers are easy:

hosta# nc -l 1212 > /tmp/tempfile

hostb# nc 10.1.1.1 1212 < /etc/motd

hosta# cat /tmp/tempfile

Linux host 2.6.12-9-386 #1 Mon Oct 10 13:14:36 BST 2005 i686 GNU/Linux

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

And if you check the file size you will see they are exactly the same:

hosta# ls -l /tmp/tempfile
-rw-r--r-- 1 user wheel 339 Aug 25 15:15 /tmp/tempfile

hostb# ls -l /etc/motd
-rw-r--r-- 1 justin users 339 2006-04-14 06:46 /etc/motd
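To make the -l versus -lk listener behaviour and the file-transfer check above concrete, here is an added Python example (my own sketch, not netcat's code) that re-implements the listen, connect and pipe behaviour on the loopback interface and verifies what arrived with a SHA-256 digest rather than a size comparison. The function names and the OS-chosen free port are assumptions of this example.

```python
import hashlib
import socket
import threading

def serve(srv, out, keep_open=False, max_conns=1):
    """Accept on an already-listening socket the way `nc -l` does, or `nc -lk`
    when keep_open is True; append the bytes received from each connection to out."""
    while len(out) < (max_conns if keep_open else 1):
        conn, _ = srv.accept()
        chunks = []
        with conn:
            while data := conn.recv(4096):   # read until the client sends EOF
                chunks.append(data)
        out.append(b"".join(chunks))
    return out

def send(host, port, payload):
    """Like `cmd | nc host port`: stream the bytes, then half-close the socket
    so the listener sees EOF and its read loop ends."""
    with socket.create_connection((host, port)) as cli:
        cli.sendall(payload)
        cli.shutdown(socket.SHUT_WR)

def checksum(data):
    """SHA-256 hex digest; compare it on both ends rather than trusting `ls -l` sizes."""
    return hashlib.sha256(data).hexdigest()

def transfer(payloads, keep_open=False):
    """Run a loopback listener and push each payload over its own connection.
    Returns (payloads received, number of connections refused)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                 # port 0: the OS picks a free port
    srv.listen()
    port = srv.getsockname()[1]
    received = []
    t = threading.Thread(target=serve, args=(srv, received, keep_open, len(payloads)))
    t.start()
    refused = 0
    for i, payload in enumerate(payloads):
        if not keep_open and i == 1:
            t.join()       # a plain `nc -l` has exited after its first client...
            srv.close()    # ...so nothing is bound to the port any more
        try:
            send("127.0.0.1", port, payload)
        except ConnectionRefusedError:
            refused += 1
    t.join()
    srv.close()
    return received, refused
```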

Depending on the version of netcat you run, the option flag -e may be available. This is very interesting, as it enables execution of a command once a client connects to the listening process. Netcat on my Ubuntu machine has this option whereas netcat on my OpenBSD machine does not. I’m guessing it has been removed from the OpenBSD variant for security reasons—here’s why. You can give a remote shell very easily:

hosta# nc -l -p 1212 -e /bin/bash

hostb# nc 10.21.8.10 1212
ls
archive
build
dbootstrap_settings
monarch-097a.tar.gz

pwd
/root

A cron job could easily be set up to open a listening remote shell at certain intervals. If the system were not regularly cared for, this backdoor could go unnoticed for quite some time!

There are many other uses for this nifty little tool—it can come in especially handy while coding scripts, which may need to interact with another machine on the network. Due to the unencrypted nature of netcat it should be used with caution—an alternative that uses twofish encryption is CryptCat. If you find that your system doesn’t have netcat installed (and you don’t have apt or yum available), then you can find source or RPM packages on the official sourceforge site. A Windows port is also available.

Does anyone have an interesting way in which they’ve used netcat? Maybe for something unusual or even totally unique? Why not share it with us?