
INFO3002 Ethical Hacking Principles and Practice

Lecture 7A: Netcat – Swiss Army Knife

School of Computer, Data and Mathematical Sciences


Western Sydney University
Lecture outline
In the coming lectures about exploitation and post-exploitation, we'll need a networking tool called Netcat, so we talk about this tool first in this lecture.

■ Netcat overview
■ Establishing raw data connections
■ Grabbing Server Banners
■ Transferring files

Netcat overview
■ Netcat is nicknamed the Swiss army knife of networking tools.
■ Netcat can accomplish many networking tasks such as:
▬ Establishing raw data connections
▬ Banner grabbing
▬ Transferring files
▬ Scanning ports
▬ Binding shells, and much more …

■ In this lecture, we'll focus on the first three, and we'll talk
more about netcat in future lectures.

Establishing raw data connection
■ The following command is used to establish a TCP
connection with given host and port, and then send and
receive raw data:
▬ nc <ip address> <port>

■ Notes:
▬ In Linux, 'nc' and 'netcat' are equivalent command names for netcat: on
Debian-based systems such as Kali, both are links to the same executable.
▬ Netcat has several variants: the original "traditional" netcat, the OpenBSD
rewrite, and 'ncat'.
o The traditional and OpenBSD variants differ in small ways (which options
exist, how the listening port is given), so run 'nc -h' to see which one
you actually have before relying on a particular command line.
o A popular variant comes together with nmap installation. It uses the
command name 'ncat'. It is more powerful (e.g. TLS and connection
access-control options) but heavier. In hacking, 'nc' is generally
preferred due to its small footprint and because it is far more likely to
already exist on a target.

Raw connection example: FTP
■ If we connect to the FTP server at our Win7 VM:

■ We see that the FTP server will display a banner message upon
accepting the connection.
▬ Many servers have similar behaviour.
▬ A banner typically discloses the service name and sometimes the software
version number.

■ We call the trick of using nc to obtain the banner message from a server
banner grabbing.
■ We can quit the nc program by entering Ctrl+c.
Banner grabbing examples
■ If we connect to the FTP server at Metasploitable2:

■ We can see the service is FTP, and the software program is vsFTPd version
2.3.4.
▬ A banner is simply whatever the server chooses to send, so treat it as a
strong hint about the software and version, not as proof; administrators can
change or remove it.
■ Note: Not all servers display a banner. E.g. the web server at Win7 returns
no banner. See below:
▬ This is because HTTP is a client-speaks-first protocol: the server says
nothing until it receives a request. Type e.g. 'HEAD / HTTP/1.0' followed by
an empty line into the nc connection and the response headers (often
including a 'Server:' line) come back.

Continued raw connection example: FTP
■ If you know the commands in FTP protocol such as 'user', 'pass', 'pwd',
etc., you can type the raw FTP messages into the connection:

■ The above shows that nc sends/receives raw data to/from the other
party.
▬ To use this feature to play with a protocol, you need to know the message formats
of that protocol.

Raw connection example: SMTP
■ If you connect to the Email server at port 25 on Metasploitable2:

■ If you know the SMTP commands (e.g. 'EHLO', 'VRFY', 'MAIL FROM:',
'RCPT TO:', 'QUIT'), you can experiment a lot with the email server.
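The FTP, web-server and SMTP slides above are screenshots in the original, so here is an added Python example (not from the lecture) that does by hand what 'nc <ip address> <port>' does: open the TCP connection, show whatever the server says first, and type protocol commands into the raw connection one line at a time. Everything it talks to is a constructed stand-in running on loopback: the banner 'stub.example', the '250-' replies, the 'Server: stub/0.1' header and the client name 'kali' are all made up for offline use and are not Metasploitable2's or the Win7 VM's real services.

```python
import socket
import threading

# Constructed stand-ins for the lecture's targets (not real servers).
STUB_BANNER = b"220 stub.example ESMTP ready\r\n"   # made-up banner text

def serve_one(handler):
    """Listen on an OS-chosen loopback port, serve exactly one connection in a
    background thread, and return the port number to connect to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def smtp_stub(conn):
    """Server-speaks-first protocol (like FTP/SMTP): banner, then answers."""
    conn.sendall(STUB_BANNER)
    buf = b""
    while True:
        chunk = conn.recv(1024)
        if not chunk:                      # client closed the connection
            return
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            verb = line.split(b" ", 1)[0].upper()
            if verb == b"EHLO":
                conn.sendall(b"250-stub.example\r\n250 VRFY\r\n")  # multi-line reply
            elif verb == b"VRFY":
                conn.sendall(b"252 Cannot VRFY user\r\n")
            elif verb == b"QUIT":
                conn.sendall(b"221 Bye\r\n")
                return
            else:
                conn.sendall(b"500 Unrecognised command\r\n")

def http_stub(conn):
    """Client-speaks-first protocol (like HTTP): silent until it sees a request."""
    req = conn.recv(1024)
    if req.startswith((b"HEAD ", b"GET ")):
        conn.sendall(b"HTTP/1.0 200 OK\r\nServer: stub/0.1\r\n\r\n")

# The client side: what `nc <ip address> <port>` does.

def grab_banner(host, port, probe=None, timeout=2.0):
    """Connect and return the first thing the server says, as nc would show it.
    For client-speaks-first protocols pass a probe (e.g. b"HEAD / HTTP/1.0\\r\\n\\r\\n");
    a server that stays silent yields ''."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("utf-8", "replace").strip()

def _read_reply(s, buf):
    """Read one complete SMTP reply: '250-...' lines continue it, '250 ...' ends it."""
    lines = []
    while True:
        while b"\r\n" not in buf:
            chunk = s.recv(1024)
            if not chunk:
                raise ConnectionError("server closed the connection")
            buf += chunk
        raw, buf = buf.split(b"\r\n", 1)
        text = raw.decode("utf-8", "replace")
        lines.append(text)
        if len(text) < 4 or text[3] == " ":
            return lines, buf

def smtp_exchange(host, port, commands, timeout=2.0):
    """Type SMTP commands into the raw connection one by one, as you would in nc.
    Returns [(command, [reply lines]), ...]; the banner is the reply to ''."""
    transcript, buf = [], b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        lines, buf = _read_reply(s, buf)
        transcript.append(("", lines))
        for cmd in commands:
            s.sendall(cmd.encode() + b"\r\n")
            lines, buf = _read_reply(s, buf)
            transcript.append((cmd, lines))
    return transcript

if __name__ == "__main__":
    print(repr(grab_banner("127.0.0.1", serve_one(http_stub))))   # '' : HTTP waits for us
    for cmd, reply in smtp_exchange("127.0.0.1", serve_one(smtp_stub), ["EHLO kali", "VRFY root", "QUIT"]):
        print(repr(cmd), reply)
```

The silent call against the HTTP stub is the Win7 web-server case from the banner-grabbing slide: nothing comes back until a request is sent, which is what the probe argument does. smtp_exchange handles the multi-line '250-' replies a real EHLO produces; pointed at a real mail server on port 25 the same loop works unchanged.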

File transfers
■ ‘nc’ can also be used to transfer files between two computers.

■ Suppose a sending computer S wants to send a file to a receiving computer R.
You can achieve this with nc in two ways.

■ Method 1:
▬ Start nc in server mode at R to receive the file.
▬ Start nc in client mode at S to send the file.

■ Method 2:
▬ Start nc in server mode at S to send the file.
▬ Start nc in client mode at R to receive the file.

NB: In both methods, you need to start server-mode nc first.


'nc' in server mode
■ The '-l' (listening) option is used to tell nc to run in server mode.
▬ Without this option, nc will run in client mode. In all the previous examples
on raw TCP connections, nc runs in client mode.

■ If running 'nc' in server mode,
▬ the '-p' option is used to tell 'nc' the port number to listen on.
▬ the '-v' (verbose) option instructs 'nc' to display diagnostic messages so
you know what is happening. Otherwise, 'nc' will display nothing.

■ Thus, the syntax of running nc in server mode is:
▬ sudo nc -v -l -p <Port No.>
▬ Or shorter: sudo nc -vlp <Port No.>
o 'sudo' is only required to listen on a privileged port (below 1024). Since
Kali 2020 the default user is no longer root, so binding such a port without
'sudo' fails with a permission error; for a high port such as 2222 'sudo' is
not needed, and it is never needed in client mode.
o In Windows, do NOT add 'sudo'.
o Some netcat variants take the listening port as a plain argument
('nc -lv <Port No.>') rather than via '-p'; if the form above is rejected,
check 'nc -h'.

■ Next, we demo the aforementioned two methods to transfer files.


File transfer (Method 1)
Suppose you want to transfer a file called open_me.pdf from your Kali
VM (192.168.137.128) to your Win7 VM (192.168.137.130).
Step 1. In Win7 VM, 'cd' to the directory where the file is to be
saved, then run nc in server mode as follows:

The '>' operator in the command line is used to redirect the output
to a file. I.e., if you are writing the content into a file, use '>'.

You should always start the server mode 'nc' first; otherwise, when the
client mode 'nc' is started, no server mode 'nc' is waiting for it !!

File transfer (Method 1, cont'd)
Step 2. In Kali VM, 'cd' to the directory where the file is stored, then run:

The '<' operator in the command line is used to redirect a file to the
input of a program. That is, if you are reading the content from a file,
use '<'.

You need to use 'CTRL+c' to terminate nc when you estimate that the file
transfer has been completed. Just a few seconds should be OK. The 'nc' won't
return to the command prompt by itself, because neither side closes the
connection after the last byte. Variants that support '-q <secs>' (or '-N' in
the OpenBSD nc) can be told on the sending side to close once the file has
been sent, and in any case compare a hash of the file on both sides (e.g.
'sha256sum') to confirm it arrived complete.
File transfer (Method 1, cont'd)
Step 3. Finally, in Win7 VM, you should see:

You can ignore these diagnostic messages.
The file transfer is successful.

File transfer (Method 2)
For the same file transfer, you can also do it another way, that is,
running nc in server mode in the Kali VM.

Step 1. In Kali VM, 'cd' to the directory where the file is stored,
then run:

File transfer (Method 2)
Step 2. In Win7 VM, 'cd' to the directory where the file is to be
saved, then run:
nc 192.168.137.128 2222 > open_me.pdf
NB: the port number in client mode must match the one used in server
mode.

Then, you also need to use 'CTRL+c' to terminate nc when you estimate
that the file transfer has been completed. 'nc' won't return to the
command prompt by itself.

File transfer (Method 2)
Step 3. Finally, in Win7 VM, you should see:

The file transfer is successful.

Question: Both methods will work. Which method is better?
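Added example (Python, not from the lecture) of the two file-transfer layouts above done with plain sockets, to make explicit the two things the slides leave to the human: the listener must be up before the client connects, and the transfer is finished when the sender closes its side and the received file hashes the same as the original. The loopback address and an OS-chosen port are assumptions standing in for 192.168.137.128/.130 and port 2222; the test file is random bytes given the lecture's name open_me.pdf.

```python
import hashlib
import os
import socket
import tempfile
import threading

def sha256_file(path):
    """Same check as `sha256sum` on Kali: a fingerprint to compare on both sides."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(65536):
            h.update(chunk)
    return h.hexdigest()

def _send_file(conn, path):
    """What `nc ... < file` does, plus the step nc leaves to you: after the last
    byte, close our sending direction so the peer sees EOF instead of waiting
    forever (this is what nc's -q / -N options add)."""
    with open(path, "rb") as f:
        while chunk := f.read(65536):
            conn.sendall(chunk)
    conn.shutdown(socket.SHUT_WR)

def _recv_file(conn, path):
    """What `nc ... > file` does: write everything received until EOF."""
    with open(path, "wb") as f:
        while chunk := conn.recv(65536):
            f.write(chunk)

def transfer(src, dst, method):
    """Copy src to dst over TCP using the lecture's two layouts.
    method 1: receiver listens (`nc -lvp PORT > file`), sender connects (`nc HOST PORT < file`).
    method 2: sender listens (`nc -lvp PORT < file`), receiver connects (`nc HOST PORT > file`).
    Runs on loopback with an OS-chosen port (an assumption standing in for the
    lecture's 192.168.137.x hosts and port 2222).
    Returns True when the received file hashes identically to the original."""
    if method not in (1, 2):
        raise ValueError("method must be 1 or 2")

    # The server side must be listening before the client connects, otherwise
    # the connect is refused: this is the lecture's "start server-mode nc first".
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]

    def listener():
        conn, _ = lsock.accept()
        with conn:
            if method == 1:
                _recv_file(conn, dst)   # R listens and receives
            else:
                _send_file(conn, src)   # S listens and sends
        lsock.close()

    t = threading.Thread(target=listener)
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as conn:
        if method == 1:
            _send_file(conn, src)       # S connects and sends
        else:
            _recv_file(conn, dst)       # R connects and receives
    t.join()
    return sha256_file(src) == sha256_file(dst)

def demo():
    """Constructed test: a 300 KiB file of random bytes with the lecture's file
    name, sent with both methods; returns per-method results and the size."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "open_me.pdf")
        with open(src, "wb") as f:
            f.write(os.urandom(300 * 1024))
        results = {"size": os.path.getsize(src)}
        for method in (1, 2):
            dst = os.path.join(d, f"received_by_method{method}.pdf")
            results[f"method{method}"] = (transfer(src, dst, method)
                                         and os.path.getsize(dst) == results["size"])
        return results

if __name__ == "__main__":
    print(demo())
```

On the command line the same integrity check is 'sha256sum open_me.pdf' on Kali and 'certutil -hashfile open_me.pdf SHA256' on Windows. Either layout moves the bytes; what decides between them in practice is which host can accept an inbound connection (a firewall or NAT in front of the listening host blocks that method) and on which side you are prepared to leave a port open.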
