Few Useful Netcat Tricks

Posted on August 7, 2007 by Luke Maciak tein.co/1817

I always say that small, simple and self-contained tools can often be more useful, and more feature rich, than huge bloated frameworks. For example, let's take the legendary “Swiss Army Knife of Networking” – netcat. It is a single binary, which takes up about 60KB of space on your disk (give or take a few KB depending on where and how you compile it). What can it do?

I guess a good question is what can’t it do?

Port Scanner

Netcat can be a port scanner. It does not have as many features as, say, nmap, but if you just want to see which ports are open on a given machine, you can simply do:

nc -v -w 1 localhost -z 1-3000

The command above will scan all the ports in the range 1-3000 on localhost.

File Transfer

Let’s say you want to transfer a big zip file from machine A to machine B, but neither one has FTP, and using email or IM is out of the question due to file size or other restrictions. What do you do? You can use netcat as a makeshift file transfer tool.

On machine B do the following, where 1337 is some unused port on which you want to receive the file:

nc -lp 1337 > file.zip

Assuming that the IP of machine B is 10.48.2.40, go to machine A and do:

nc -w 1 10.48.2.40 1337 < file.zip

That's it. The file will be magically transferred over the network socket.

Chat Server

Have you ever needed an improvised one-on-one chat? Netcat can do that too. You simply start listening for connections on some port like this:

nc -lp 1337

Then on another machine simply connect to that port:

nc 10.48.2.40 1337

Now start typing on either machine. When you press enter, the line will immediately show up on the other machine.

Telnet Server

Netcat can also be used to set up a telnet server in a matter of seconds. You can specify the shell (or for that matter any executable) you want netcat to run on a successful connection with the -e parameter:

nc -lp 1337 -e /bin/bash

On Windows you can use:

nc -lp 1337 -e cmd.exe

Then on a client machine simply connect to port 1337 and you will get full access to the shell, with the permissions of the user who ran nc on the server. Note that nothing authenticates the client: anyone who can reach the port gets that shell.
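From the defender's side, a listener like this is worth recognising in a process list. The audit helper below is an added example, not code from the post; it assumes POSIX sh with awk and input in the "PID USER COMMAND" layout of ps -eo pid,user,args, and the sample lines are constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a process list for
# netcat listeners that hand a shell to whoever connects, the -e /bin/bash
# pattern shown above. Input is the "PID USER COMMAND" format of
# `ps -eo pid,user,args`; the sample lines below are constructed, not
# captured from a real host. Assumes POSIX sh and awk.

# flag_nc_shells: reads ps lines on stdin and prints "pid user program" for
# every nc/netcat/ncat that both listens (-l, -lp, --listen) and executes a
# program (-e, -c, --exec, --sh-exec). Plain file transfers and chat
# listeners do not match, which keeps the output reviewable.
flag_nc_shells() {
    awk '
    NR == 1 && $1 == "PID" { next }                 # skip a ps header line
    {
        cmd = $3; sub(/.*\//, "", cmd)              # /usr/bin/nc -> nc
        if (cmd != "nc" && cmd != "netcat" && cmd != "ncat") next
        listen = 0; prog = ""
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^-[A-Za-z]*l/ || $i == "--listen") listen = 1
            if (($i == "-e" || $i == "-c" || $i == "--exec" || $i == "--sh-exec") && i < NF)
                prog = $(i + 1)
        }
        if (listen && prog != "") print $1, $2, prog
    }'
}

# Constructed sample: a chat listener, two shells, a file transfer and an
# unrelated bash process. Only the two shells should be reported.
SAMPLE_PS='  PID USER     COMMAND
 1201 luke     nc -lp 1337
 1337 luke     nc -lp 1337 -e /bin/bash
 1402 root     /bin/netcat -l -p 4444 -c /bin/sh
 1510 luke     nc -w 1 10.48.2.40 1337
 1601 luke     bash -l'

# audit_sample: runs the check over the constructed list; prints
# "1337 luke /bin/bash" and "1402 root /bin/sh", one per line.
audit_sample() {
    printf '%s\n' "$SAMPLE_PS" | flag_nc_shells
}

audit_sample
```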

Spoofing HTTP Headers

You can use netcat to connect to a web server and type the request by hand, with completely spoofed headers: your user agent, referrer, and so on. It's useful when you want to generate a bunch of hits that can be easily found in the logs, or something like that:

nc google.com 80
GET / HTTP/1.1
Host: google.com
User-Agent: NOT-YOUR-BUSINESS
Referer: YOUR-MOM.COM

Note that your request won't be sent until you send a blank line, so hit return twice when you are done typing. You will get a response of headers and HTML streaming down your screen:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=79f8f28c854d90ec:TM=1186369443:LM=1186369443:S=UIiTvi68MtmbcmGl; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Server: GWS/2.1
Transfer-Encoding: chunked
Date: Mon, 06 Aug 2007 03:04:03 GMT
738

I deleted the HTML that followed the response - but you get the idea. It is also a good way of looking at headers. Some sites have nice surprises there (like Slashdot's X-Bender and X-Fry headers). Seriously, check them out!

Web Server

I think this is my favorite trick. Did you ever need to set up a simple makeshift web server that would serve a single page? I know I did. In the past, when my web server at work melted down, I set up a laptop with this simple script:

while true; do nc -l -p 80 -q 1 < error.html; done

The error.html page was just a very simple error message notifying our users about the outage, and giving them an estimate of when it would be fixed. It took me 3 minutes to set up, and probably saved us many angry support calls.
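The one-liner above sends the HTML with no HTTP status line or headers, so the browser has to guess the content type and when the body ends. The script below is an added example, not code from the post: it wraps a file in a minimal HTTP/1.0 response and feeds that to the same nc loop. It assumes POSIX sh, GNU netcat's -l -p/-q flags, and placeholder file name, port and content type.

```shell
#!/bin/sh
# Added example, not code from the original post: wrap a static file in a
# complete HTTP response so the netcat one-liner above serves valid HTTP
# (status line, Content-Type, Content-Length) instead of a bare HTML body.
# Assumes POSIX sh with wc/cat and GNU netcat's -l -p/-q flags; the file
# name, port and content type are placeholders.

# http_response FILE [CONTENT_TYPE]
# Writes the response to stdout. Content-Length tells the browser where the
# body ends and "Connection: close" tells it not to wait for more, so the
# client no longer has to guess when the transfer is done.
http_response() {
    file=$1
    ctype=${2:-text/html}
    if [ ! -r "$file" ]; then
        # Unreadable or missing file: send a small 404 rather than nothing,
        # and return non-zero so a caller can notice.
        body='<html><body><h1>404 Not Found</h1></body></html>'
        printf 'HTTP/1.0 404 Not Found\r\n'
        printf 'Content-Type: text/html\r\n'
        printf 'Content-Length: %s\r\n' "${#body}"
        printf 'Connection: close\r\n\r\n%s' "$body"
        return 1
    fi
    len=$(wc -c < "$file" | tr -d ' ')
    printf 'HTTP/1.0 200 OK\r\n'
    printf 'Content-Type: %s\r\n' "$ctype"
    printf 'Content-Length: %s\r\n' "$len"
    printf 'Connection: close\r\n\r\n'
    cat "$file"
}

# serve_forever FILE PORT [CONTENT_TYPE]
# One connection per nc invocation, the same loop as the post; the request
# the browser sends is discarded and the prepared response is nc's stdin.
serve_forever() {
    while :; do
        http_response "$1" "${3:-text/html}" | nc -l -p "$2" -q 1 > /dev/null
    done
}

# Only start serving when run with arguments, e.g.: sh serve.sh error.html 8080
if [ "$#" -ge 2 ]; then
    serve_forever "$1" "$2" "$3"
fi
```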

Cloning Hard Drive Partitions Over the Network

This trick was submitted by Craig in the comments. On a system you want to clone do:

dd if=/dev/sda | nc 192.168.0.1 9000

Where 9000 is any unused port. On the receiving side do:

nc -l -p 9000 | dd of=/dev/sda

Of course you need to have the cloned partitions unmounted on both systems. So if you are cloning / you will have to boot from a live distro like Knoppix. Note that you can use this technique to clone NTFS partitions as well - you just need to use a live Linux distro on both sides.

Summary

Despite being able to do all that, netcat still conforms to the Unix philosophy of doing one thing, and doing it well. Netcat was designed for a single purpose - to read and write raw data over network sockets. And because of its singular purpose it can be used in such a myriad of ways.

It is ironic, but it is often the case that the more features you add to your application, the more specialized it gets. And of course, a GUI is the ultimate functionality killer. If netcat had a GUI I doubt it would be half as useful as it is right now.

I've been told that socat is a more powerful netcat fork which has even more functionality. Personally, I haven't played with it at all. It does seem to have a different syntax, and it is not as mature, well known, or popular as its predecessor.





52 Responses to Few Useful Netcat Tricks

  1. Craig Betts UNITED STATES says:

    My favorite use is to clone systems. I run this on the system I want to image from:
    dd if=/dev/sda | nc 192.168.0.1 9000

    and this on the receiving side:
    nc -l -p 9000 | dd of=/dev/sda

    Of course, both systems will need to be booted with a CD and have access to the network drivers and the netcat program (gotta love Knoppix). I am also in the habit of ALWAYS assigning 192.168.0.1 to the new system and 192.168.0.100 to the master.

  2. Luke UNITED STATES says:

    Oh wow. Didn’t think about that! Very, very useful.

    Thanks!

  3. Travis McCrea UNITED STATES says:

    ugh, its 3:22… just pretend i made a quitty joke about teching old netcats new tricks…

  4. Luke UNITED STATES says:

    Quitty?

    s/quitty/witty/

    There, fixd! LOL

  5. Craig Betts UNITED STATES says:
    s/qutty/witty/

    Pretty slick there, Luke. Some of us “oldtimers” would have used sed, but it is the same outcome.

    BTW- you really need to upgrade your Firefox . . .

  6. Luke UNITED STATES says:

    Well, regexps are pretty much the same in almost every language (excluding Microsoft stuff that is – they always fuck things up for everyone).

    That could have been a sed script. :)

  7. mikey POLAND says:

    a simple “check out the netcat (nc) man page” would do too..

  8. Luke UNITED STATES says:

    I don’t think the web server, and system mirroring tricks are on the man page.

  9. Craig Betts UNITED STATES says:

    Man pages are helpful, but they are not all knowing.

    I have to admit, most of my tricks have been passed down from other sysadmins. The book “UNIX Power Tools” would be next in line, followed by my dear friend, Google.

    There are so many cool things, like using netcat to mirror a system. I have a sysadmin under me that is constantly amazed at the tools I keep pulling out of my brain to solve problems.

  10. Luke UNITED STATES says:

    Well, Unix Power Tools just got on my books-to-buy list :)

    Also, I miss having a unix mentor. :( Mine went to do bigger and better things at Oracle. It's kinda scary to think that I’m usually the most experienced unix person in the CS department at my university. At least until Nick shows up. :)

  11. anon CANADA says:

    add lzop to the pipe on one end and lzop -d on the other when doing non-media transfers for excellent speedup… (dd or tar pipes for example)

  12. Craig Betts UNITED STATES says:

    There you have it! Another awesome tip passed down.

    I have lzo installed on my Solaris systems (thanks to BlastWave) but no lzop. Guess I will be doing some compiling! :-D

    I typically use gzip to compress my data, but it can have some tremendous overhead sometimes.

  13. Luke UNITED STATES says:

    Nice! I haven’t used lzop before, but I’m definitely going to check it out for fast compression stuff. Btw, lzop is actually in the Ubuntu repositories so you can get it via apt-get.

    And it’s Lzop not Izop. ;)

  14. Kevin UNITED STATES says:

    I think the redirects in the file transfer section are reversed. On the host with the file you want should use ” and the same reverse on the other side.

  15. Kevin UNITED STATES says:

    Looks like the redirect symbol got stripped out of my last reply. Basically just reverse the redirects on each end and you should be good.

  16. Luke UNITED STATES says:

    Hm… I think they are correct though. I’m transferring the file from B to A. So on B the file is an input, and on A it is an output. So I think it is correct.

  17. Pingback: links for 2007年08月11日 « Donghai Ma UNITED STATES

  18. Pingback: Flipsidereality » Blog Archive » Few Useful Netcat Tricks UNITED KINGDOM

  19. Pingback: Enlaces interesantes #6

  20. Pingback: Few Useful Netcat Tricks : In Through The Out Door UNITED STATES

  21. Pingback: links for 2007年08月13日 at edsmiley.com UNITED STATES

  22. Koby LATVIA says:

    OK, does anyone know if it would be possible to transfer some file with netcat to remote side if remote can use only web browser? So, basically simulating http transfer with netcat?

  23. Craig Betts UNITED STATES says:

    Netcat doesn’t emulate protocols. If the remote system needed a web proxy, you would have to do something else. Maybe a little clever scripting with expect . . .

    However, if there is no proxy, just configure netcat to use port 80, since you would know that http traffic is allowed through.

    Sock would be easy to configure since it doesn’t care about protocols, just TCP streams. I am sure you can just take the output from netcat and pipe it into something like connect (not too sure of this process. I would have to read up on it, but in theory it should work).

  24. Luke UNITED STATES says:

    Koby – the web server method I described in the post works. But you lose the mimetype of the file, so when you save it on the remote side you will need to save it with the right extension.

    For example, on linux I set up nc to serve test.zip, but firefox picked up the file as something like bwu8a.bin (ie. random file name + generic extension). When I renamed it to zip, and unzipped it it worked.

    Not sure how it would work with IE or on windows but it does work with Firefox on Linux.

    Btw, why would you only be able to use the browser on the remote side? If you are so locked down on the remote you can’t open a listening socket, you can listen on the local machine, and then grab the file from the remote. Locally do:

    nc -lp 1337 < somefile.zip

    Then on the remote do:

    nc 10.20.30.40 1337 > somefile.zip

    That should do it. :)

  25. Koby LATVIA says:

    Well, I am only locked to the extent of my laziness, e.g. I thought of a lazy way of sharing files between a *nix box and Windows. But anyway, just nc -lp 80 < file_to_transfer.ext and then pointing a web browser to remote_ip/file_to_transfer.ext works, only the transfer hangs until ^C on the *nix box or forcing the download to complete/close. But the file is transferred :)

  26. Luke UNITED STATES says:

    Yeah, nc doesn’t always know when it finished. I think if you set -w to 1 on both sides it might close properly though.

  27. Kevin UNITED STATES says:

    In reply to my earlier post, you are right, I wasn’t really paying attention to the source and target… Great article btw…

  28. Tim McCormack UNITED STATES says:

    I’m surprised that the webserver trick would work without sending back HTTP headers. Unless perhaps the appropriate headers are put at the beginning of error.html?

  29. Luke Maciak UNITED STATES says:

    Yeah, I thought about that too. But for some reason it just worked. Go figure. :)

  30. Nguyen Vu VIET NAM says:

    Thank you, very useful for me :)

  31. Johannes SWEDEN says:

    Thanks for the good old hdd clone script. lost it some time ago.

  32. Pingback: Gary’s Weblog » Blog Archive » netcat tricks SWITZERLAND

  33. after_burn says:

    it’s cool and thanks for these useful tricks…it’s me….after_burn…egyptionhacker

  34. wese AUSTRIA says:

    Using netcat to tunnel ports / forward traffic:

    nc -l 80 | nc newserver.domain.tld 8080

    cya

  35. B Dixon UNITED STATES says:

    I see that remote access is indeed possible with netcat, but I can not seem to get the chat server to work over a remote connection. Both are using Windows XP (shouldn’t matter if diff. OS) and have opened up the necessary ports on which we would like to chat, but still no dice. Has anyone gotten a netcat chat server to work over a remote connection?

    Thanks in advance…

  36. xinium UNITED STATES says:

    Well, this isn't really special or anything, but sort of a point of concept I guess.

    On your local computer.
    cat somefile.txt | netcat -lp 1000

    On remote server.
    netcat -w 1 64.174.24.112 1000 > file.txt

  37. lovexp TAIWAN says:

    Hi, Using Microsoft Windows is more better
    Windows is the BEST OS around the world
    I can’t find netcat ur talking in Windows, so it is not a good software, let using Windows and the program inside it
    Thanks

  38. Luke Maciak UNITED STATES says:

    @lovexp – LOL! Oh man, this made my day.

    Also, I will counter your troll attempt, with a genuine ‘on-topic’ reply, by pointing you to the page where you can download NT port of netcat thus making this conversation meaningful again. ;)

  39. Craig Betts UNITED STATES says:

    Dude! I heard that eSlap all the way in California!

    Also, the cygwin package has all the UNIX favorites, including NetCat.

  40. Luke Maciak UNITED STATES says:

    :twisted:

    Heh, didn’t even think about Cygwin at the moment, but you are right. Pretty much everything can be run under Cygwin these days.

    Did I mention that I once managed to get KDE running under cygwin? I have also seen packages for Gnome on some of the mirrors. :P

  41. Dennis Hedegaard DENMARK says:

    Thanks for explaining some of the many uses for netcat, I know this will be useful to me in the future ;)

  42. Peter Jones RUSSIAN FEDERATION says:

    Hi all, I read somewhere a long time ago about techniques to ‘push’ the server side of any client-server remote control application onto the remote PC over which you have no physical control. Let's say grandpa calls you up for some remote support but has no idea how to install any s/w you send him or run the simplest of .exe/.com scripts. I would like to be able to simply port scan grandpa’s m/c (it could be running WXP/VISTA/Linux/*BSD/Solaris/MAC OS X… whatever) and check for any open ports I can use to hook onto and, by knowing his IP address, somehow use netcat/nc/socat or another derivative of netcat to execute a cmd which runs netcat on that port, preferably opening a remote console e.g. cmd.exe or a konsole shell.. Then I could use my client to interact with that shell with the credentials of the remote user. So a number of questions:

    1. Is it possible to do it without getting the remote user to run a script at the remote end which tells netcat to interact with a given port?

    2. If yes to (1), how do you do it? And how do you determine which user a/c the program you execute with netcat runs under? Of course any useful tips on privilege escalation would be appreciated too if say on XP/vista you cannot get in as Administrator, or under *nix root.?

    3. Under Vista, how do you get past the Windows Defender application which keeps popping up a dialogue asking the user to allow/disallow the execution of a program, when you are trying to install remotely?

    4. If it's not possible to do it with netcat, do you have any other solutions to get that initial connection set up so that one can then transfer netcat to the remote m/c and then run it through a console shell?

    TIA.

  43. Pingback: A Few Useful Netcat Tricks « A Better Flapjack UNITED STATES

  44. stevee FRANCE says:

    Hi – see no one mentioned the use of pv ($ apt-get install pv) for giving a visual progress of a file transfer, in the form e.g.:
    rx pc x.x.x.x: $ netcat -lp 1234 | pv > file.iso
    tx pc: $ cat file.iso | pv | netcat x.x.x.x 1234
    I was using this to send a 7GB video .iso but it stopped at 4GB, with a “file too big…” Anyone know why?
    cheers
    Steve

  45. toto INDONESIA says:

    where to find netcat?

  46. Luke Maciak UNITED STATES says:

    @toto: It is usually preinstalled on most Linux and unix systems. Windows binary is sometimes hard to find. Check this post with two working links.

  47. stevee FRANCE says:

    Hi – I have mirrored the netcat win32 binary on my site (if it's up and ddclient is working!). The problem will be overcoming your Win anti-virus to download it, maybe.. I had to get it on my Linux box then transfer it over the internal LAN which worked (???) then unpack it and tell AVG to list it as an exception.

    http://www.stevepedwards.dyndns.org

    last page – Alcatel stuff
    Steve

  48. Knight ZeRo UNITED STATES says:

    Hello, I have a simple (at least I think) question..
    How can you forward traffic to another PC running netcat?

    So like computer A is me, and computer B is where I am sending it to. I guess you could call it IP spoofing, so computer C thinks all of my traffic from computer A is coming from computer B. I have seen examples where computer C is the computer you're going to attack, but I just want to make it look like all internet activity is coming from computer B when it is really computer A. Any ideas?

  49. js FRANCE says:

    @stevee : the “file too big” error is due to a limitation of the FAT32 filesystem : it can’t store files bigger than 2^32 = 4G . You might want to split your file (using dd for example) :

    # Part 1
    rx pc x.x.x.x: $ netcat -lp 1234 | pv > file-A.iso
    tx pc: $ dd if=file.iso bs=1M count=3999 | pv | netcat x.x.x.x 1234

    # Part 2
    rx pc x.x.x.x: $ netcat -lp 1234 | pv > file-B.iso
    tx pc: $ dd if=file.iso bs=1M skip=3999 | pv | netcat x.x.x.x 1234

  50. dav3 FRANCE says:

    really useful :) bookmarked!

  51. Pingback: Netcat – lenriquez2016 UNITED STATES
