February 28, 2005

CLI Magic: Netcat

Author: Joe Barr

This week I'm going to tell you about a top-secret tool. It can be
real handy at times, under the right conditions. But I don't want you to
use it. It's too dangerous. I want you to use other tools instead.
So snap to, you fellow explorers of the CLI-scape, let's try to
figure out what I'm talking about. Follow me down this hole in the
ground.Netcat is
often described at the "Swiss Army knife" of Internet tools,
because it can do a lot of different things, from copying files, to
forwarding ports, to logging into the shell or executing programs
remotely. The big problem with Netcat is that it's not secure.
DO NOT USE IT OVER THE INTERNET. On your home LAN, behind a
good firewall, it's OK. But otherwise, forget it.

Speaking of home LANs, I am going to use ssh to set up my laptop
as one of the two machines talking via Netcat, rather than getting
up from the office and walking to the living room each time I need
enter something at that end. So let's go over some of the
housekeeping I did first.

First I added an entry in my /etc/hosts file on my desktop
machine for the laptop. It looks like this:       laptop

Then I added a similar entry in /etc/hosts on the laptop, with identified as my desktop. Now I can use the names
instead of the IP address in all the netcat commands. Like this
one, which I entered on the laptop via an ssh connection:

netcat -vv -l -p 9999 &

The -vv option tells Netcat to be very verbose so
we can follow what it's doing. The -l and -p
tell Netcat to listen on port 9999. The
& means to keep running this command even after I
break the ssh session I used to initiate it. Here is what Netcat
had to say in response to that command:

Listening on any address 9999
[1] 2357

With Netcat listening on the laptop, I was now ready to use it
from my desktop machine. Our first task is simple enough, copy a
file from the laptop to the desktop. Here's how to do it. On the
desktop machine, enter the following to connect the two

netcat --vv laptop 9999

Once connected, I entered the following command:

< testfile.txt

Then I ended the Netcat session by entering CTL-C. Checking in
the current directory verified that the file had been copied from
the laptop.

On the laptop, the following appeared during the session. When
the session was established, it made that known by saying:

$ Connection from

Notice that the port address is not the one Netcat was listening
on, but the one used for the Netcat session. When I entered the
command to copy the file from the laptop, the laptop Netcat echoed
that command. And when I ended the Netcat session, it reported the
total bytes sent and received.

The next time I tried to connect to the laptop, I got a
"Connection Refused" message. Why? Because Netcat stopped running
(and listening) on the laptop when I ended the Netcat session on
the desktop.

Now let's try something else. Let's connect the two machines
again, and execute a program on the laptop. To do that, we need to
add an -e option to the command used to start Netcat
listening on the laptop. Like this:

netcat -vv -l -p 9999 -e /bin/bash &

After the connection between machines is established, Netcat on
the laptop documents this by saying:

Connection from
Passing control to the specified program

On the desktop, I can now do all manner of things in the shell
running on the laptop. A directory listing, for example:


One final example of Netcat's prowess. We'll use it to scan a range of ports on the laptop using the following command:

netcat -v -w 1 laptop -z 10-500

The -w specifies the length of time to wait for a connection as 1 second. The -z indicates that this is a scan, and instead of specifying a single port, this time we're giving a range.

Netcat responds with:

laptop [] 80 (www) open
laptop [] 22 (ssh) open
laptop [] 19 (chargen) open
laptop [] 15 (netstat) open
laptop [] 13 (daytime) open
laptop [] 11 (systat) open

OK. There is a beginning on the mysteries of Netcat. As noted in
the lead, you really shouldn't be using this program any more than
you use telnet or ftp. Because just like
those two programs, Netcat doesn't encrypt the data so your traffic
is wide open to prying eyes. Use Cryptcat or other encrypted
versions of Netcat instead. For more information on Netcat, you
might find this article
at OnLamp useful. I did.

Click Here!