Few Useful Netcat Tricks

I always say that small, simple and self-contained tools can often be more useful, and more feature-rich, than huge bloated frameworks. For example, let's take the legendary “Swiss Army Knife of Networking”: netcat. It is a single binary that takes up about 60KB of disk space (give or take a few KB depending on where and how you compile it). What can it do?

I guess a good question is what can’t it do?

Port Scanner

Netcat can be a port scanner. It does not have as many features as, say, nmap, but if you just want to see which TCP ports are open on a given machine, you can simply do:

nc -v -w 1 localhost -z 1-3000

The command above will scan all the ports in the range 1-3000 on localhost. The -z flag puts netcat in zero-I/O mode (connect, report, disconnect, send nothing), -w 1 makes it give up on each port after one second instead of hanging on filtered ones, and -v makes it print the result per port, so you are looking for the lines reported as open (or "succeeded", depending on the version). Keep in mind that this is a full TCP connect scan: every open port you touch sees a real connection and may log it. Also note that option handling differs between netcat flavours (the original "traditional" netcat, the OpenBSD rewrite and nmap's ncat do not all accept the same flags), so check the man page of the one you actually have installed.

File Transfer

Let’s say you want to transfer a big zip file from machine A to machine B, but neither one has FTP, and using email or IM is out of the question due to file size or other restrictions. What do you do? You can use netcat as makeshift file transfer software.

On machine B do the following, where 1337 is some unused port on which you want to receive the file:

nc -lp 1337 > file.zip

Assuming that the IP of machine B is 10.48.2.40, go to machine A and do:

nc -w 1 10.48.2.40 1337 < file.zip

That's it. The file will be transferred over the network socket; the -w 1 on the sending side makes netcat close the connection once it has been idle for a second after the file has been read, which is what tells the receiver that the transfer is over. Two things to keep in mind: nothing on the wire is encrypted and nobody is authenticated, so whoever connects to port 1337 first is the one who gets the file (or, in the reverse setup, the one whose bytes you save to disk), and netcat has no way of knowing whether it received everything, so compare a checksum (sha256sum or similar) of the file on both ends before you trust the copy.

Chat Server

Have you ever needed an improvised one-on-one chat? Netcat can do that too. You simply start listening for connections on some port like this:

nc -lp 1337

Then on another machine simply connect to that port:

nc 10.48.2.40 1337

Now start typing on either machine. When you press enter, the line will immediately show up on the other machine. Everything crosses the network in the clear, so treat it like a postcard rather than a private channel.

Telnet Server

Netcat can also hand you a remote shell in a matter of seconds. It is not really a telnet server (no telnet protocol negotiation takes place; it is a raw TCP socket glued to a shell), but from the client side it feels like one. You can specify the shell (or for that matter any executable) you want netcat to run on a successful connection with the -e parameter:

nc -lp 1337 -e /bin/bash

On Windows you can use:

nc -lp 1337 -e cmd.exe

Then on a client machine simply connect to port 1337 and you will get full access to the shell, with the permissions of the user who ran nc on the server. Be aware of what that means: this is exactly what attackers call a bind shell. There is no password or authentication of any kind, so anyone who can reach the port gets the same shell you do. That is also why -e is missing from many netcat builds: the original source only compiles it in when built with the GAPING_SECURITY_HOLE define, the OpenBSD version does not have it at all, and nmap's ncat exposes it as -e/--exec. If you have to leave something like this running, keep it on a loopback or an SSH-tunnelled port rather than exposing it on the network, and kill it when you are done.

Spoofing HTTP Headers

You can use netcat to talk to a web server with completely made-up headers: you type out the user agent, the referrer and anything else you like by hand. It's useful when you want to generate a bunch of hits that can be easily found in the logs, or when you want to see exactly how a server answers a given request:

nc google.com 80
GET / HTTP/1.1
Host: google.com
User-Agent: NOT-YOUR-BUSINESS
Referer: YOUR-MOM.COM

(Yes, "Referer" with a single r: the header name was misspelled in the original HTTP specification and has stayed that way, so a correctly spelled "Referrer" header is simply ignored by servers and log analysers.) Note that your request won't be sent until you end it with a blank line, so hit return twice when you are done typing. Strictly speaking HTTP wants CRLF line endings while netcat sends whatever your terminal produces (a bare LF), but practically every server accepts that. With HTTP/1.1 the server may also keep the connection open after answering; add a Connection: close header if you want it to hang up on its own. You will get a response of headers and HTML streaming down your screen:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=79f8f28c854d90ec:TM=1186369443:LM=1186369443:S=UIiTvi68MtmbcmGl; expires=Sun, 1-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Server: GWS/2.1
Transfer-Encoding: chunked
Date: Mon, 06 Aug 2007 03:04:03 GMT

738

I deleted the HTML that followed the response - but you get the idea. (The lonely "738" is not garbage, by the way: the response uses Transfer-Encoding: chunked, so the body arrives as a series of chunks, each introduced by its length in hexadecimal, and 0x738 means 1848 bytes of HTML follow.) It is also a good way of looking at headers. Some sites have nice surprises there (like Slashdot's X-Bender and X-Fry headers). Seriously, check them out!
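The same request, as an added example that is not the original post's code, built by a shell function so it can be piped into nc instead of typed interactively, together with a helper that pulls a single header out of the reply and one that decodes the chunk length shown above. It assumes a netcat that accepts -w and standard sed/awk/tr; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): build a raw HTTP/1.1 request
# non-interactively, pull headers out of the reply, and decode the hex chunk
# length that shows up as "738" in the response above.

# Emit a complete request: CRLF line endings, a Host header (mandatory in
# HTTP/1.1), the made-up User-Agent and Referer (spelled the way the protocol
# spells it), Connection: close so the server hangs up after answering, and
# the empty line that tells the server the headers are finished.
http_request() {
    host=$1; path=$2; ua=$3; referer=$4
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\nReferer: %s\r\nConnection: close\r\n\r\n' \
        "$path" "$host" "$ua" "$referer"
}

# Send the request through nc and keep only the response headers, i.e.
# everything up to the first empty line. This is the quick "look at a
# site's headers" use described above, minus the typing.
http_headers() {
    host=$1; port=${2:-80}
    http_request "$host" / NOT-YOUR-BUSINESS YOUR-MOM.COM \
        | nc -w 5 "$host" "$port" | tr -d '\r' | sed '/^$/q'
}

# Read a response on stdin and print the value of one header, matched
# case-insensitively (HTTP header names are case-insensitive). The status
# line is skipped and reading stops at the blank line that ends the headers.
header_value() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr -d '\r' | awk -v want="$want" '
        /^$/ { exit }
        NR > 1 && index($0, ":") > 0 {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) { sub(/^[^:]*:[ \t]*/, ""); print; exit }
        }'
}

# With Transfer-Encoding: chunked each piece of the body is preceded by its
# size in hex on a line of its own; this turns that line into a byte count.
chunk_len() {
    printf '%d\n' "0x$1"
}
```

Against a saved copy of the reply shown above, `header_value Server < response.txt` prints GWS/2.1 and `chunk_len 738` prints 1848; on a live host, `http_headers example.com | header_value server` does the same over the wire.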

Web Server

I think this is my favorite trick. Did you ever need to set up a simple makeshift web server that would serve a single page? I know I did. In the past, when my web server at work melted down, I set up a laptop with this simple script:

while true; do nc -l -p 80 -q 1 < error.html; done

The error.html page was just a very simple error message notifying our users about the outage and giving them an estimate of when it would be fixed. It took me 3 minutes to set up, and probably saved us many angry support calls. A few notes if you copy this: binding port 80 needs root (or, on Linux, the CAP_NET_BIND_SERVICE capability), so you are running netcat as root on a port the whole world can reach; the loop serves exactly one client at a time, and -q 1 (a traditional/GNU netcat option that not every flavour has) is what makes each netcat exit a second after the file has been sent so the next client can be served; and because the file is shipped without a status line or headers, you are relying on the browser falling back to treating the raw bytes as an old HTTP/0.9 response, which the browsers of the day did but is not something to count on. Putting a proper status line and headers at the top of the file fixes that.
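Here is the same trick with a well-formed response, as an added example rather than the original post's script. It assumes a traditional/GNU-style netcat that accepts -l -p PORT -q SECONDS and a coreutils wc; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the original post's script): wrap the page in a real
# HTTP response (status line, headers, blank line) before handing it to nc,
# so clients do not have to guess that the bytes are an HTTP/0.9 body.

# Print a complete HTTP/1.1 503 response for the HTML file given as $1.
# 503 is the honest status for "we are down"; Content-Length is taken from
# the file so the client knows exactly when the body ends, and Retry-After
# tells well-behaved clients (and crawlers) when to come back.
http_503_response() {
    body=$1
    len=$(wc -c < "$body" | tr -d ' ')
    printf 'HTTP/1.1 503 Service Unavailable\r\n'
    printf 'Content-Type: text/html; charset=utf-8\r\n'
    printf 'Content-Length: %s\r\n' "$len"
    printf 'Retry-After: 3600\r\n'
    printf 'Connection: close\r\n\r\n'
    cat "$body"
}

# Serve the prepared response to one client at a time, forever. Port 80
# needs root (or CAP_NET_BIND_SERVICE); use a high port such as 8080 to try
# it out as a normal user. -q 1 makes nc exit a second after the file has
# been sent so the loop can pick up the next client.
serve_static() {
    port=$1; html=$2
    resp=$(mktemp)
    http_503_response "$html" > "$resp"
    while true; do
        nc -l -p "$port" -q 1 < "$resp"
    done
}
```

`serve_static 8080 error.html` is the drop-in replacement for the one-liner above; pointing a browser (or the raw request from the previous section) at the port shows the status line and headers in front of the page.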

Cloning Hard Drive Partitions Over the Network

This trick was submitted by Craig in the comments. On the system you want to clone do:

dd if=/dev/sda | nc 192.168.0.1 9000

Where 9000 is some random port. On the receiving side do:

nc -l -p 9000 | dd of=/dev/sda

Start the receiving side first. Note that /dev/sda is the whole disk, partition table and all; use /dev/sda1 (and so on) if you only want a single partition. Of course you need to have the cloned partitions unmounted on both systems, so if you are cloning / you will have to boot from a live distro like Knoppix. Note that you can use this technique to clone NTFS partitions as well - you just need to use a live Linux distro on both sides. Keep in mind that the listening side will write whatever the first machine to connect sends straight onto its disk, so do this on an isolated network. As suggested in the comments, putting a fast compressor such as gzip or lzop into the pipeline on both ends speeds things up considerably, and comparing a checksum of the source and the target afterwards is the only way to know the copy is complete.
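The transfer from the File Transfer section and the clone above, wrapped in shell functions that hash the bytes on both ends, as an added example that is neither the original post's nor Craig's commands. It assumes coreutils sha256sum and a traditional/GNU-style nc that takes -l -p PORT; the function names, and the use of cat as a stand-in for nc when trying the functions locally, are this example's own.

```shell
#!/bin/sh
# Added example for the file-transfer and disk-cloning sections (not code
# from the original post). Netcat neither authenticates the peer nor
# encrypts the stream, so: start the receiver first, use this only on a
# network you trust, and compare the hashes on both ends when it finishes.

# Hash stdin; used on both ends so the two values are directly comparable.
stream_hash() {
    sha256sum | cut -d' ' -f1
}

# Push stdin through the transport command given in "$@" while hashing the
# same bytes into HASHFILE, so the source is read only once (which matters
# when the source is a whole disk). A FIFO rather than bash's >(...) keeps
# this POSIX sh. Examples:
#   cat file.zip         | send_stream sent.sha256 nc -w 1 10.48.2.40 1337
#   dd if=/dev/sda bs=4M | send_stream sent.sha256 nc 192.168.0.1 9000
send_stream() {
    hashfile=$1; shift
    fifo=$(mktemp -u) && mkfifo "$fifo"
    stream_hash < "$fifo" > "$hashfile" &
    tee "$fifo" | "$@"
    wait
    rm -f "$fifo"
}

# Receive from the transport command in "$@" into OUT and print the hash of
# what actually landed on disk (not of the socket stream), so a short write
# or a full disk shows up as a mismatch. Examples:
#   recv_stream file.zip nc -l -p 1337
#   recv_stream /dev/sda nc -l -p 9000
# For a block device the hashes only match when the target is the same size
# as the source; otherwise hash the first N bytes of it with head -c N.
recv_stream() {
    out=$1; shift
    "$@" > "$out"
    stream_hash < "$out"
}

# Exit 0 when the sender's recorded hash matches the receiver's hash.
verify_transfer() {
    [ "$(cat "$1")" = "$2" ]
}
```

On the sender, `cat file.zip | send_stream sent.sha256 nc -w 1 10.48.2.40 1337` leaves the hash in sent.sha256; on the receiver, `recv_stream file.zip nc -l -p 1337` prints the hash of the received file, and `verify_transfer sent.sha256 "$that_hash"` is the check to run before deleting the original.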

Summary

Despite being able to do all that, netcat still conforms to the Unix philosophy of doing one thing and doing it well. Netcat was designed for a single purpose: to read and write raw data over TCP and UDP sockets. And because of its singular purpose it can be used in such a myriad of ways.

It is ironic, but it is often the case that the more features you add to your application, the more specialized it gets. And of course, a GUI is the ultimate functionality killer. If netcat had a GUI I doubt it would be half as useful as it is right now.

I've been told that socat is a more powerful tool in the same spirit, with even more functionality; it is an independent program rather than a fork of netcat. Personally, I haven't played with it at all. It does have a very different syntax (you describe both ends of the connection as "addresses", which can be sockets, files, processes and so on), and it is not as well known or as popular as netcat.

52 Responses to Few Useful Netcat Tricks

  1. Craig Betts says:

    My favorite use is to clone systems. I run this on the system I want to image from:
    dd if=/dev/sda | nc 192.168.0.1 9000

    and this on the receiving side:
    nc -l -p 9000 | dd of=/dev/sda

    Of course, both systems will need to be booted with a CD and have access to the network drivers and the netcat program (gotta love Knoppix). I am also in the habit of ALWAYS assigning 192.168.0.1 to the new system and 192.168.0.100 to the master.

  2. Luke says:

    Oh wow. Didn’t think about that! Very, very useful.

    Thanks!

  3. ugh, it's 3:22… just pretend i made a quitty joke about teaching old netcats new tricks…

  4. Luke says:

    Quitty?

    s/quitty/witty/

    There, fixd! LOL

  5. Craig Betts says:

    s/qutty/witty/

    Pretty slick there, Luke. Some of us “oldtimers” would have used sed, but it is the same outcome.

    BTW- you really need to upgrade your Firefox . . .

  6. Luke says:

    Well, regexps are pretty much the same in almost every language (excluding Microsoft stuff that is – they always fuck things up for everyone).

    That could have been a sed script. :)

  7. mikey says:

    a simple “check out the netcat (nc) man page” would do too..

  8. Luke says:

    I don’t think the web server and system mirroring tricks are on the man page.

  9. Craig Betts says:

    Man pages are helpful, but they are not all knowing.

    I have to admit, most of my tricks have been passed down from other sysadmins. The book “UNIX Power Tools” would be next in line, followed by my dear friend, Google.

    There are so many cool things, like using netcat to mirror a system. I have a sysadmin under me that is constantly amazed at the tools I keep pulling out of my brain to solve problems.

  10. Luke says:

    Well, Unix Power Tools just got on my books-to-buy list :)

    Also, I miss having a unix mentor. :( Mine went to do bigger and better things at Oracle. It's kinda scary to think that I’m usually the most experienced unix person in the CS department at my university. At least until Nick shows up. :)

  11. anon says:

    add lzop to the pipe on one end and lzop -d on the other when doing non-media transfers for excellent speedup… (dd or tar pipes for example)

  12. Craig Betts says:

    There you have it! Another awesome tip passed down.

    I have lzo installed on my Solaris systems (thanks to BlastWave) but no lzop. Guess I will be doing some compiling! :-D

    I typically use gzip to compress my data, but it can have some tremendous overhead sometimes.

  13. Luke says:

    Nice! I haven’t used lzop before, but I’m definitely going to check it out for fast compression stuff. Btw, lzop is actually in the Ubuntu repositories so you can get it via apt-get.

    And it’s Lzop not Izop. ;)

  14. Kevin says:

    I think the redirects in the file transfer section are reversed. On the host with the file you want should use ” and the same reverse on the other side.

  15. Kevin says:

    Looks like the redirect symbol got stripped out of my last reply. Basically just reverse the redirects on each end and you should be good.

  16. Luke says:

    Hm… I think they are correct though. I’m transferring the file from B to A. So on B the file is an input, and on A it is an output. So I think it is correct.

  22. Koby says:

    OK, does anyone know if it would be possible to transfer some file with netcat to the remote side if the remote can use only a web browser? So, basically simulating an http transfer with netcat?

  23. Craig Betts says:

    Netcat doesn’t emulate protocols. If the remote system needed a web proxy, you would have to do something else. Maybe a little clever scripting with expect . . .

    However, if there is no proxy, just configure netcat to use port 80, since you would know that http traffic is allowed through.

    Sock would be easy to configure since it doesn’t care about protocols, just tcp streams. I am sure you can just take the output from netcat and pipe it into something like connect (not too sure of this process. I would have to read up on it, but in theory it should work).

  24. Luke says:

    Koby – the web server method I described in the post works. But you lose the mimetype of the file, so when you save it on the remote side you will need to save it with the right extension.

    For example, on linux I set up nc to serve test.zip, but firefox picked up the file as something like bwu8a.bin (ie. random file name + generic extension). When I renamed it to zip and unzipped it, it worked.

    Not sure how it would work with IE or on windows but it does work with Firefox on Linux.

    Btw, why would you only be able to use the browser on the remote side? If you are so locked down on the remote that you can’t open a listening socket, you can listen on the local machine, and then grab the file from the remote. Locally do:

    nc -lp 1337 < somefile.zip

    Then on the remote do:

    nc 10.20.30.40 1337 > somefile.zip

    That should do it. :)

  25. Koby says:

    Well, I am only locked to the extent of my laziness, e.g. I thought of a lazy way of sharing files between a *nix box and windows. But anyway, just nc -lp 80 < file_to_transfer.ext and then pointing the web browser to remote_ip/file_to_transfer.ext works, only the transfer is hanging until ^C on the *nix box or forcing the download to complete/close. But the file is transferred :)

  26. Luke says:

    Yeah, nc doesn’t always know when it finished. I think if you set -w to 1 on both sides it might close properly though.

  27. Kevin says:

    In reply to my earlier post, you are right, I wasn’t really paying attention to the source and target… Great article btw…

  28. I’m surprised that the webserver trick would work without sending back HTTP headers. Unless perhaps the appropriate headers are put at the beginning of error.html?

  29. Luke Maciak says:

    Yeah, I thought about that too. But for some reason it just worked. Go figure. :)

  30. Nguyen Vu says:

    Thank you, very useful for me :)

  31. Johannes says:

    Thanks for the good old hdd clone script. Lost it some time ago.

  33. after_burn says:

    it’s cool and thanks for these useful tricks…it’s me….after_burn…egyptionhacker

  34. wese says:

    Using netcat to tunnel ports / forward traffic:

    mkfifo backpipe
    nc -l -p 80 0<backpipe | nc newserver.domain.tld 8080 1>backpipe

    cya

  35. B Dixon says:

    I see that remote access is indeed possible with netcat, but I can not seem to get a chat server to work over a remote connection. Both are using Windows XP (shouldn’t matter if it's a diff. OS) and have opened up the necessary ports on which we would like to chat, but still no dice. Has anyone gotten a netcat chat server to work over a remote connection?

    Thanks in advance…

  36. xinium says:

    well this isn't really special or anything, but sort of a proof of concept I guess.

    On your local computer.
    cat somefile.txt | netcat -lp 1000

    On remote server.
    netcat -w 1 64.174.24.112 1000 > file.txt

  37. lovexp says:

    Hi, Using Microsoft Windows is more better
    Windows is the BEST OS around the world
    I can’t find netcat ur talking in Windows, so it is not a good software, let using Windows and the program inside it
    Thanks

  38. Luke Maciak says:

    @lovexp – LOL! Oh man, this made my day.

    Also, I will counter your troll attempt with a genuine ‘on-topic’ reply, by pointing you to the page where you can download the NT port of netcat, thus making this conversation meaningful again. ;)

  39. Craig Betts says:

    Dude! I heard that eSlap all the way in California!

    Also, the cygwin package has all the UNIX favorites, including NetCat.

  40. Luke Maciak says:

    :twisted:

    Heh, didn’t even think about Cygwin at the moment, but you are right. Pretty much everything can be run under Cygwin these days.

    Did I mention that I once managed to get KDE running under cygwin? I have also seen packages for Gnome on some of the mirrors. :P

  41. Thanks for explaining some of the many uses for netcat, I know this will be useful to me in the future ;)

  42. Peter Jones says:

    Hi all, I read somewhere a long time ago about techniques to ‘push’ the server side of any client-server remote control application onto a remote PC over which you have no physical control. Let's say grandpa calls you up for some remote support but has no idea how to install any s/w you send him or run the simplest of .exe/.com scripts. I would like to be able to simply port scan grandpa’s m/c (it could be running WXP/VISTA/Linux/*BSD/Solaris/MAC OS X… whatever) and check for any open ports I can use to hook onto and, by knowing his IP address, somehow use netcat/nc/socat or another derivative of netcat to execute a cmd which runs netcat on that port, preferably opening a remote console e.g. cmd.exe or a konsole shell. Then I could use my client to interact with that shell with the credentials of the remote user. So a number of questions:

    1. Is it possible to do it without getting the remote user to run a script at the remote end which tells netcat to interact with a given port?

    2. If yes to (1), how do you do it? And how do you determine which user a/c the program you execute with netcat runs under? Of course any useful tips on privilege escalation would be appreciated too if, say, on XP/vista you cannot get in as Administrator, or under *nix as root.

    3. Under Vista, how do you get past the Windows Defender application which keeps popping up a dialogue asking the user to allow/disallow the execution of a program, when you are trying to install remotely?

    4. If it's not possible to do it with netcat, do you have any other solutions to get that initial connection set up so that one can then transfer netcat to the remote m/c and then run it through a console shell?

    TIA.

  44. stevee says:

    Hi – I see no one mentioned the use of pv ($ apt-get install pv) for giving a visual progress of a file transfer, in the form e.g.:
    rx pc x.x.x.x: $ netcat -lp 1234 | pv > file.iso
    tx pc: $ cat file.iso | pv | netcat x.x.x.x 1234
    I was using this to send a 7GB video .iso but it stopped at 4GB, with a “file too big…” Anyone know why?
    cheers
    Steve

  45. toto says:

    where to find netcat?

  46. Luke Maciak says:

    @toto: It is usually preinstalled on most Linux and unix systems. The Windows binary is sometimes hard to find. Check this post with two working links.

  47. stevee says:

    HI – I have mirrored the netcat win32 binary on my site (if it's up and ddclient is working!). The problem will be overcoming your Win anti-virus to download it, maybe.. I had to get it on my Linux box then transfer it on the internal LAN which worked (???) then unpack it and tell AVG to list it as an exception.

    http://www.stevepedwards.dyndns.org

    last page – Alcatel stuff
    Steve

  48. Knight ZeRo says:

    hello, i have a simple (at least i think) question..
    how can you forward traffic to another PC running netcat?

    so like computer A is me, and computer B is where i am sending it to. i guess you could call it ip spoofing, so computer C thinks all of my traffic from computer A is coming from computer B. i have seen examples where computer C is the computer you're going to attack, but i just want to make it look like all internet activity is coming from computer B when it is really computer A. any ideas?

  49. js says:

    @stevee : the “file too big” error is due to a limitation of the FAT32 filesystem : it can’t store files bigger than 2^32 = 4G . You might want to split your file (using dd for example) :

    # Part 1
    rx pc x.x.x.x: $ netcat -lp 1234 | pv > file-A.iso
    tx pc: $ dd if=file.iso bs=1M count=3999 | pv | netcat x.x.x.x 1234

    # Part 2
    rx pc x.x.x.x: $ netcat -lp 1234 | pv > file-B.iso
    tx pc: $ dd if=file.iso bs=1M skip=3999 | pv | netcat x.x.x.x 1234

  50. dav3 says:

    really useful :) bookmarked!
