Fun With Netcat

by MobiusRenoire

The following is a presentation of a very useful network utility.

Some call it the Swiss Army knife of network utilities.  With it you can connect to a port on a server, listen on a port on your local machine, set up a backdoor on a machine, or port scan someone's box.  The uses of these and other features will be made clear shortly.

Standard Disclaimer:  This article is knowledge and is therefore inherently neither good nor evil; only what you do with it decides that.  I cannot and will not be held responsible.  That said, let's move on.

The first thing that I did with Netcat was to connect to a server.  The typical command line options I use are:

$ nc -v -v <server name> <port number>

The double -v gives you an ultra-verbose mode.

You can attempt to connect to any port, but only a few ports will be useful to us, specifically POP3, SMTP, HTTP, and a few other random ports.

After finding a copy to download (nc11nt.zip for Windows or nc110.tgz for *NIX users [usually includes source files]), go ahead and connect to a web server on port 80.

On a side note to those who must use a proxy server, Netcat is made simple with proxies; just connect to your proxy site in the normal manner in which you would connect to any other computer (including the port number of your proxy, of course) and when you issue one of the following commands, use the full URL of the site you wish to retrieve.

Once connected, the verbose output will show the server's name (e.g. google.com), its IP address, the port number, the port's service name, and the word "open"; then Netcat sits with a blinking cursor at the end, waiting for input.  This is the part where we get to explore the HTTP protocol.

By sending a GET request via Netcat, we can get the source code for the webpage.  This is typically no big deal, unless it's one of those annoying pages that try to keep you from viewing their source by disabling right-click.

The listing will scroll extensively if it's a decently-sized webpage, so you should redirect output from Netcat to an ASCII file.  Now you have a copy of the webpage's source.  Big deal, right?  It gets a little more interesting...

The typical request is formatted:

$ nc google.com 80
GET / HTTP/1.0
<Enter>
<Enter>

HTTP/1.0 200 OK
Date: Wed, 01 May 2024 01:30:49 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-bNvMDH5k4jq9ZF6GRYt7nw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2024-05-01-01; expires=Fri, 31-May-2024 01:30:49 GMT; path=/; domain=.google.com; Secure
Set-Cookie: AEC=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; expires=Mon, 28-Oct-2024 01:30:49 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=513=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; expires=Thu, 31-Oct-2024 01:30:49 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding

<!doctype html>
<html itemscope="" itemtype="http://schema.org/WebPage" lang="en">
<head>
<meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for." name="description">
<meta content="noodp, " name="robots">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image">
<title>Google</title>
<script nonce="bNvMDH5k4jq9ZF6GRYt7nw">(function(){var _g={kEI:'SZsxZt3fCsDPhbIP5fu2QA',kEXPI:'0,1370478,1133897,1195934,633,368,478218,4998,58391,2891,3926,7828,67811,8
...

The slash is the root of the site you connected to; the index page is returned if you don't specify another path.  You can request other pages using either absolute or relative URLs, usually with the same results.

Absolute references tend to work most reliably.  This is essentially the request your browser sends when it connects to a web server, minus all the fat.

GET also works with images.

For example:

$ nc -v -v www.google.com 80 > logo.gif
GET http://www.google.com/images/logo.gif HTTP/1.0
<Enter>
<Enter>
$ ls -l logo.gif
-rw-r--r-- 1 root root 9153 Apr 30 20:36 logo.gif
$ file logo.gif
logo.gif: data
$ strings logo.gif
HTTP/1.0 200 OK
Accept-Ranges: bytes
Content-Type: image/gif
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable"
Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]}
Content-Length: 8558
Date: Wed, 01 May 2024 01:36:08 GMT
Expires: Wed, 01 May 2024 01:36:08 GMT
Cache-Control: private, max-age=31536000
Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
GIF89a
$c!Y
I1)Q
k,!1
!kikB
...

This will give you www.google.com/images/logo.gif with the HTTP response header stuck on the front (which is why file reports it as plain "data" rather than GIF image data).  All you have to do to look at it is to remove the HTTP header from the file with your hex editor (another essential tool).
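The same header removal, done in code rather than in a hex editor, is shown below as an added example (not part of the original article).  It splits a raw HTTP/1.0 response of the kind the GET examples above produce into status line, headers and body, checks the captured body against Content-Length, and writes the body out on its own.  The capture it works on is constructed: a 1x1 GIF behind abbreviated headers, not Google's real logo.

```python
"""Split a raw HTTP/1.0 response captured with `nc ... > logo.gif` into status
line, headers and body, and save the body on its own."""
import os
import tempfile

# Constructed GIF body: signature, 1x1 screen, two-colour palette, one pixel.
GIF_BODY = (
    b"GIF89a"
    b"\x01\x00\x01\x00\x80\x00\x00"
    b"\x00\x00\x00\xff\xff\xff"
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02\x44\x01\x00"
    b"\x3b"
)

# Constructed capture: what netcat leaves in the file. The header block ends at
# the first blank line (CRLF CRLF); everything after it is the image.
CAPTURED = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: image/gif\r\n"
    b"Content-Length: " + str(len(GIF_BODY)).encode() + b"\r\n"
    b"Server: sffe\r\n"
    b"\r\n"
) + GIF_BODY


def split_response(raw):
    """Return (status_line, headers, body). Headers is a dict keyed by the
    lower-cased name; a repeated header (Set-Cookie) keeps its last value."""
    sep = raw.find(b"\r\n\r\n")
    skip = 4
    if sep == -1:
        sep = raw.find(b"\n\n")          # some captures have bare LF line ends
        skip = 2
    if sep == -1:
        raise ValueError("no blank line ending the headers")
    head, body = raw[:sep], raw[sep + skip:]
    lines = head.decode("iso-8859-1").splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def body_complete(headers, body):
    """True/False if Content-Length was sent and matches what was captured;
    None if the server sent no length (HTTP/1.0 may just close instead).
    A short body means the transfer was cut off before the server finished."""
    declared = headers.get("content-length")
    if declared is None:
        return None
    return len(body) == int(declared)


def looks_like_gif(data):
    """The bytes `file` needs to see first before it will say 'GIF image data'."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def strip_header_file(src, dst):
    """Do with code what the article does in a hex editor."""
    with open(src, "rb") as f:
        status, headers, body = split_response(f.read())
    with open(dst, "wb") as f:
        f.write(body)
    return status, headers, len(body)


def demo():
    """Round trip on the constructed capture in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "logo.gif")
        dst = os.path.join(tmp, "logo-clean.gif")
        with open(src, "wb") as f:
            f.write(CAPTURED)
        status, headers, size = strip_header_file(src, dst)
        with open(dst, "rb") as f:
            magic_ok = looks_like_gif(f.read())
    return status, headers, size, magic_ok


if __name__ == "__main__":
    print(demo())
```

Run it on a real capture by calling strip_header_file("logo.gif", "logo-clean.gif"); body_complete tells you whether you hit Ctrl-C before the server had finished sending.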

Let's say now that you have a website with a form and you want to know what information it's going to POST, and where it's going to POST it.

Using simple JavaScript in the address bar of your browser (in Internet Explorer, at least), you can change the value of the form's action attribute.

I suggest setting up Netcat to listen on a certain port while changing the action of the form to something more suitable like: http://<your IP address>:<portnumber>

Hint:  If you're behind a firewall, simply use a common port that won't be blocked, 80 works for me.

After entering your JavaScript, submit the form and wait.

Netcat will print the whole request; the part you're probably most interested in, the form data, is at the bottom, after the headers.

Among the headers there will be a Content-Length: <num> line, where <num> is the number of characters (bytes) of form data submitted by the form.

This is important, because you're going to copy this information in a text editor in order to have some fun with it.

You can alter the information that it was going to POST, as long as you change the content-length field above to reflect your changes.

You can delete some of the other fields as well, but depending on where it's going to be POSTed, you may need to keep those fields the same as when you received the form.

After editing the form-submittal to your taste, start up Netcat again, but this time use it to connect to the server from where you got your form data.

This time, instead of doing a GET request, you replace GET with POST.  The full command will basically be:

POST http://www.google.com/search HTTP/1.0

or something similar.

This does the same thing as pressing the button on the original website, but this time you get to decide what gets sent.  You can either retype the form data that you just captured or put the POST command at the top of the text file you created and feed the file to Netcat as its input with < out.txt.

Make sure there is a blank line between the last header and the form data, just as in the GET example, or it won't send.

An important note: there is usually a Referer field in the HTTP header (that is the protocol's spelling) that should probably not get changed.  If you're submitting to a script that checks the Referer and requires it to be a certain page (so people can't POST from their own websites), then it needs to be what it was when you captured the form.
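The capture-edit-resend procedure above, as an added example that is not from the original article: it builds the POST the article types by hand (request line in the same absolute-URL form, Referer kept), recomputes Content-Length after the body has been edited, and reads one request off a socket the way a listener must in order to know when the body is complete.  The host www.example.com, the /search path and the form fields are constructed; the round trip runs over a local socketpair instead of a real browser and server.

```python
"""Build, edit and receive a form POST with a correct Content-Length."""
import socket
from urllib.parse import urlencode


def build_post(host, path, fields, referer=None):
    """Assemble the POST the article types by hand: request line in the
    absolute-URL form, headers, blank line, form body. Content-Length is
    computed from the body, never typed in."""
    body = urlencode(fields).encode()
    lines = [
        f"POST http://{host}{path} HTTP/1.0",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
    ]
    if referer:
        lines.append(f"Referer: {referer}")      # HTTP's own (misspelled) header name
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def parse_content_length(head):
    """Content-Length from a raw header block; 0 if absent (e.g. a GET)."""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0


def fix_content_length(raw):
    """Recompute Content-Length after the body was edited in a text editor.
    A stale value makes the server wait for bytes that never come (too large)
    or cut the form short and misparse it (too small)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    new_len = b"Content-Length: " + str(len(body)).encode()
    lines, replaced = [], False
    for line in head.split(b"\r\n"):
        if line.split(b":", 1)[0].strip().lower() == b"content-length":
            lines.append(new_len)
            replaced = True
        else:
            lines.append(line)
    if not replaced:
        lines.append(new_len)
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def recv_http_request(conn):
    """Read exactly one request: headers up to the blank line, then
    Content-Length body bytes. (Netcat's listener just prints whatever
    arrives; that works for a browser's POST only because the browser
    sends it in one burst.)"""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            return buf                       # peer closed before finishing headers
        buf += chunk
    head, body = buf.split(b"\r\n\r\n", 1)
    want = parse_content_length(head)
    while len(body) < want:
        chunk = conn.recv(4096)
        if not chunk:
            break                            # short body: Content-Length lied
        body += chunk
    return head + b"\r\n\r\n" + body[:want]


def demo():
    """Constructed round trip over a socketpair: 'browser' sends, 'listener' receives.
    Returns (what was sent, what the listener reconstructed)."""
    original = build_post("www.example.com", "/search", {"q": "netcat", "hl": "en"},
                          referer="http://www.example.com/")
    # Edit the form data the way the article does, then repair the header.
    edited = fix_content_length(original.replace(b"q=netcat", b"q=netcat+rocks"))
    browser, listener = socket.socketpair()
    browser.sendall(edited)
    browser.close()
    captured = recv_http_request(listener)
    listener.close()
    return edited, captured


if __name__ == "__main__":
    sent, got = demo()
    print(got.decode())
```

To use it on a real capture, read the file Netcat wrote, edit the body, and run it through fix_content_length before feeding it back to Netcat; recv_http_request is what you would wrap around an accepted connection if you wanted a listener that stops reading at the right place instead of printing until you press Ctrl-C.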

That's not a big deal of course, but it is a vital exploration of the protocol that defines how a server sends webpages and a browser requests and sends data.  It is definitely recommended that you read up on some of the syntax of HTTP protocol, as well as POP3 and SMTP, which we'll be looking at shortly.

Netcat is great for exploration, but it can also serve practical uses such as checking your POP3 (port 110) e-mail.

If you go to a college like mine where connecting to your email account requires no encryption, then you can simply connect to their POP3 server and, with the right syntax, login.

Typical login looks like this:

USER <username>
PASS <password>

To check for e-mail, supply the word LIST on a new line.  It will return the number of emails you currently have as well as their sizes.  Use RETR <e-mail number> to get the email.
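Here is the same POP3 session driven from code and run against a scripted fake server, so both sides of the exchange are visible and nothing leaves the machine.  This is an added example, not code from the article; the mailbox, the fake server and the credentials 'student'/'hunter2' are all constructed.  It also handles the one thing that is easy to miss when typing by hand: multi-line replies end with a lone '.', and message lines that begin with '.' arrive with an extra dot that has to be stripped.

```python
import socket
import threading


class Pop3Error(Exception):
    """A -ERR reply, or the server hung up."""


def _readline(rfile):
    line = rfile.readline()
    if not line:
        raise Pop3Error("connection closed by server")
    return line.rstrip(b"\r\n").decode("ascii", "replace")


def _command(sock, rfile, line):
    """Send one command and require a +OK status reply."""
    sock.sendall(line.encode() + b"\r\n")
    reply = _readline(rfile)
    if not reply.startswith("+OK"):
        raise Pop3Error(reply)
    return reply


def _read_multiline(rfile):
    """Lines up to the lone '.' terminator, with dot-stuffing undone."""
    lines = []
    while True:
        line = _readline(rfile)
        if line == ".":
            return lines
        lines.append(line[1:] if line.startswith(".") else line)


def pop3_session(sock, user, password):
    """The article's session: USER, PASS, LIST, RETR each message, QUIT.
    Returns [(number, size_from_LIST, message_text), ...]."""
    with sock.makefile("rb") as rfile:
        if not _readline(rfile).startswith("+OK"):         # greeting
            raise Pop3Error("server did not greet with +OK")
        _command(sock, rfile, f"USER {user}")
        _command(sock, rfile, f"PASS {password}")          # plaintext on the wire
        _command(sock, rfile, "LIST")
        listing = [tuple(int(x) for x in e.split()) for e in _read_multiline(rfile)]
        messages = []
        for number, size in listing:
            _command(sock, rfile, f"RETR {number}")
            messages.append((number, size, "\r\n".join(_read_multiline(rfile))))
        _command(sock, rfile, "QUIT")
    return messages


# Constructed mailbox: one message whose last line starts with '.', so the
# dot-stuffing rule is exercised in both directions.
MAILBOX = {1: "From: alice@example.com\r\nSubject: hello\r\n\r\n"
              "First line.\r\n.A line beginning with a dot"}


def fake_pop3_server(sock, good_user, good_pass):
    """Just enough of the server side (RFC 1939) to answer the client above."""
    send = lambda text: sock.sendall(text.encode())
    user = None
    send("+OK constructed POP3 server ready\r\n")
    with sock.makefile("rb") as rfile:
        while True:
            raw = rfile.readline()
            if not raw:
                break                                      # client went away
            cmd, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                send("+OK\r\n")
            elif cmd == "PASS":
                ok = (user, arg) == (good_user, good_pass)
                send("+OK logged in\r\n" if ok else "-ERR invalid login\r\n")
            elif cmd == "LIST":
                send("+OK\r\n" + "".join(f"{n} {len(t)}\r\n" for n, t in MAILBOX.items()) + ".\r\n")
            elif cmd == "RETR" and arg.isdigit() and int(arg) in MAILBOX:
                text = MAILBOX[int(arg)]
                send(f"+OK {len(text)} octets\r\n")
                for line in text.split("\r\n"):
                    send(("." if line.startswith(".") else "") + line + "\r\n")
                send(".\r\n")
            elif cmd == "QUIT":
                send("+OK bye\r\n")
                break
            else:
                send("-ERR unknown command\r\n")
    sock.close()


def run_session(user, password):
    """Client and fake server joined by a socketpair. Returns the message
    list on success, or the server's -ERR text when the login is refused."""
    client_end, server_end = socket.socketpair()
    server = threading.Thread(target=fake_pop3_server,
                              args=(server_end, "student", "hunter2"))
    server.start()
    try:
        return pop3_session(client_end, user, password)
    except Pop3Error as exc:
        return str(exc)
    finally:
        client_end.close()
        server.join()
```

Against a real server you would replace the socketpair with socket.create_connection((host, 110)) and call pop3_session on it; the PASS line goes over the wire exactly as typed, which is why the author's "requires no encryption" remark matters to anyone sharing the network.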

SMTP (port 25) is similar, and for brevity's sake it's up to you to discover the syntax.  I will tell you that to send e-mail to a domain outside of your business or school, you will probably have to log in first, with some form of authentication (and possibly over an encrypted connection).

You can point your mail client's outgoing (SMTP) server at localhost and let Netcat listen on port 25 to capture the login syntax if you must (this is also a good way to spoof the From: address in an e-mail).

Netcat can do numerous other things.  The ones I have listed can help you check what data one of your forms is sending, get into your e-mail account when the web client or your POP3 client is not working, and grab the source of pesky websites.

Think your network's safe?  You can also port scan it with Netcat to verify that unnecessary ports are blocked.  On the flip side, Netcat can be used to port scan computers and/or networks to find vulnerabilities, and it can be set up as a nasty backdoor into a computer using the right command-line switches (see documentation).

Now, this backdoor can either hurt or help you.  There are many Perl scripts included with some versions that will allow the computer running Netcat to act as a proxy or even an IRC server.

Or... you could run Netcat so that you can log in to your or someone else's computer and have CMD.EXE run as soon as you connect.

In sum, get to know Netcat as well as many of the other great utilities out there.

Learn the protocols and intricacies that allow the Internet to run and never quit asking questions.

Additional Information

Netcat was originally written by *Hobbit* for *NIX and was ported over to Windows NT by Weld Pond.

More information can be found in various places on the web, as well as in the README file included in most ZIP files.

Use this powerful tool to learn and to educate others.

For more information on HTTP, POP3 and SMTP, read RFCs 1521, 1225, and 822 respectively.
