Netcat - The TCP/IP Swiss Army Knife
SANS Auditing Networks, Perimeters and Systems Training
February 15, 2001
Netcat is a tool that every security professional should be aware of and
possibly have in their ‘security tool box’. In May/June of 2000,
insecure.org conducted a survey of 1200 Nmap users from the Nmap-hackers mailing
list to determine their favorite security tools. Netcat was the second most
popular tool, not including Nmap. A quick search on securityportal (www.securityportal.com)
found 166 matches of netcat. Most of the matches describe or use netcat in some
way. Netcat is a utility that is able to write and read data across TCP and UDP
network connections. If you are responsible for network or system security it is
essential that you understand the capabilities of netcat.
Netcat should not be installed unless you have authority to do so. Never
install any executable unless you can trust the provider. If possible, review the
source and compile it yourself. To be safe only use netcat in a test
Hobbit (firstname.lastname@example.org) created
netcat in 1995 as a feature-rich network debugging
and exploration tool. Its purpose was to be able to create just about any type
of network connection. According to Hobbit:
Some of the features of netcat are:
- Outbound or inbound connections, TCP or UDP, to or from any ports
- Full DNS forward/reverse checking, with appropriate warnings
- Ability to use any local source port
- Ability to use any locally-configured network source address
- Built-in port-scanning capabilities, with randomizer
- Built-in loose source-routing capability
- Can read command line arguments from standard input
- Slow-send mode, one line every N seconds
- Optional ability to let another program service inbound connections
Some of the potential uses of netcat:
- Script backends
- Scanning ports and inventorying services
- Backup handlers
- File transfers
- Server testing and simulation
- Firewall testing
- Proxy gatewaying
- Network performance testing
- Address spoofing tests
- Protecting X servers
- 1001 other uses you'll likely come up with
The original version of netcat was released to run on Unix and Linux. Weld
Pond (email@example.com) released the Windows
NT version in 1998. The source code is available for both versions.
Remote command prompt anyone?
On a Windows NT server issue the following command in the directory that
nc -l -p1234 -d -e cmd.exe -L
The -l puts netcat into listen mode, the -p1234 tells netcat to use port
1234, the -d allows netcat to run detached from the console, the -e cmd.exe
tells netcat to execute the cmd.exe program when a connection is made, and the
-L will restart netcat with the same command line when the connection is
On the client system issue the following command:
nc destination 1234
This command causes netcat to connect to the server named destination on port
1234. Immediately you are given a console connection to the destination server.
Be careful! To exit the remote console session type:
You will be returned to your own console and will be able to reconnect to the
destination server because netcat was started on the destination server with the
FTP & drive mapping blocked?
To receive a file named newfile on the destination system start netcat with
the following command:
nc -l -p 1234 >newfile
On the source system send a file named origfile to the destination system
with the following command:
nc destination 1234 <origfile
Issue a ^C on the source system and you're done. Be sure to check that the
received file is the same size as the original.
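The transfer above, written out at the socket level as an added example (this is example code, not netcat's own source): the receiver does what "nc -l -p 1234 >newfile" does, the sender does what "nc destination 1234 <origfile" does, and the size check the text recommends is carried out afterwards, strengthened with a SHA-256 comparison. A max_bytes parameter on the sender simulates a transfer cut off early (the ^C arriving before the whole file went out), which is the case the size check exists to catch. Everything runs against 127.0.0.1 on an ephemeral port, so it needs no netcat binary and no network.

```python
# Added example (not netcat's code): socket-level equivalent of
#   receiver: nc -l -p 1234 >newfile
#   sender:   nc destination 1234 <origfile
# followed by the size/hash check the page recommends.
import hashlib
import os
import socket
import tempfile
import threading


def receive_file(server_sock, dest_path):
    """Receiver side: accept one connection and write everything that arrives
    until the peer closes the stream (the sender's ^C in the netcat version)."""
    conn, _ = server_sock.accept()
    with conn, open(dest_path, "wb") as out:
        while True:
            chunk = conn.recv(8192)      # netcat also works in 8K reads/writes
            if not chunk:                # EOF: sender has closed
                break
            out.write(chunk)


def send_file(host, port, src_path, max_bytes=None):
    """Sender side: stream the file and close.  max_bytes (assumed knob for this
    example) stops early to simulate an interrupted transfer."""
    sent = 0
    with socket.create_connection((host, port)) as s, open(src_path, "rb") as f:
        while True:
            chunk = f.read(8192)
            if not chunk:
                break
            if max_bytes is not None:
                chunk = chunk[: max(0, max_bytes - sent)]
                if not chunk:
                    break
            s.sendall(chunk)
            sent += len(chunk)
        s.shutdown(socket.SHUT_WR)       # signal EOF so the receiver finishes
    return sent


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(8192), b""):
            h.update(chunk)
    return h.hexdigest()


def transfer_and_verify(src_path, dest_path, max_bytes=None):
    """Run receiver and sender locally and return the integrity verdict."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))           # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    rx = threading.Thread(target=receive_file, args=(srv, dest_path))
    rx.start()
    sent = send_file("127.0.0.1", port, src_path, max_bytes)
    rx.join()
    srv.close()
    return {
        "bytes_sent": sent,
        "size_match": os.path.getsize(src_path) == os.path.getsize(dest_path),
        "sha256_match": sha256_of(src_path) == sha256_of(dest_path),
    }


def demo():
    """Constructed input: a 100,000-byte random file transferred twice, once
    completely and once cut off after 5,000 bytes."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "origfile")
    with open(src, "wb") as f:
        f.write(os.urandom(100_000))
    full = transfer_and_verify(src, os.path.join(workdir, "newfile"))
    cut = transfer_and_verify(src, os.path.join(workdir, "newfile.partial"),
                              max_bytes=5_000)
    return full, cut


if __name__ == "__main__":
    full, cut = demo()
    print("complete transfer:", full)
    print("interrupted transfer:", cut)
```

The point the page makes is visible in the second run: a plain TCP stream carries no length or checksum of its own, so an interrupted sender leaves a silently truncated file and only the size (or better, a hash) comparison on both ends reveals it.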
Hiding Netcat on Windows NT
Here are a few ways that a hacker could use to hide netcat on a system or use
it behind a firewall:
- Rename the executable or recompile with a different name. Beware that
using a copy of netcat when you aren't sure how its source was compiled is
very dangerous. If possible, review the source code and compile it yourself.
- Detach from the console option (-d)
- Use a port that is well known and allowed through any firewalls between
the two systems.
A scanning example from Hobbit is "nc -v -w 2 -z target 20-30".
Netcat will try connecting to every port between 20 and 30 [inclusive] at the
target, and will likely inform you about an FTP server, telnet server, and
mailer along the way. The -z switch prevents sending any data to a TCP
connection and very limited probe data to a UDP connection, and is thus useful
as a fast scanning mode just to see what ports the target is listening on. To
limit scanning speed if desired, -i will insert a delay between each port probe.
Even though netcat can be used for port scanning, scanning is not its strength. A
tool such as nmap is better suited to port scanning.
Netcat + Encryption = Cryptcat
Netcat is a useful tool as it is, but if someone were using it you would be
able to at least get a feel for what they were doing. At least you could before
Cryptcat! Cryptcat is the standard netcat enhanced with Bruce Schneier's
Twofish encryption. It can be found at www.farm9.com.
Linux, OpenBSD, FreeBSD, and Windows versions are available. So much for
sniffing any netcat traffic!
Command Option Overview
Netcat accepts its options first, then the target host; everything thereafter
is interpreted as port names or numbers, or ranges of ports in M-N syntax.
Netcat does not currently handle port names with hyphens.
-d   Allows netcat to detach from the console on
-e   Executes a program if netcat is compiled with
-i   Sets the interval time. Netcat uses large 8K reads and writes. This
     basically sends data one line at a time. This is normally used when data
     is read from files or pipes.
-g   Used to construct a loose-source-routed path for your connection. This is
     modeled after "traceroute".
-G   Positions the "hop pointer" within
-l   Forces netcat to listen for an inbound connection. An example
     "nc -l -p 1234 <filename" tells netcat to listen for a connection on port
     1234 and, once a connection is made, to send the file named filename. The
     file is sent whether the connecting system wants it or not. If you specify
     a target host, netcat will only accept an inbound connection from that
     host and, if you specify one, only from the specified foreign source port.
-L   Restarts netcat with the same command line that was used when the
     connection was started. This way you can connect over and over to the same
     netcat process.
-n   Forces netcat to only accept numeric IP addresses and to not do any DNS
     lookups for anything.
-o   Used to obtain a hex dump file of the data sent either way; use
     "-o logfile". The dump lines begin with "<" or ">" to respectively indicate
     "from the net" or "to the net", and contain the total count per direction
     and hex or ascii representations of the traffic.
-p   Required for outbound connections. The parameter can be numeric or a name
     as listed in the services file. If -p is not used netcat will bind to
     whatever unused port the system gives it, unless the -r option is used.
-r   Causes port scanning to be done randomly. Normally it is done highest to
     lowest.
-s   Used to specify the local network source address. Usage "-s ip-addr" or
     "-s name".
-t   Enables netcat to respond to telnet option negotiation if netcat is
     compiled with the -DTELNET parameter. Telnet daemons will get no useful
     answers, as they would from a telnet program.
-u   Tells netcat to use UDP instead of TCP.
-v   Controls the level of verbosity.
     - (without -n) netcat will do a full forward and reverse name and address
       lookup for the host, and warn you about the all-too-common problem of
       mismatched names in the DNS.
     - You will usually want to use -w 3, which limits the time spent trying
       to make a connection.
     - If multiple ports are given, -v must be specified twice.
-w   Limits the time spent trying to make a
-z   Prevents sending any data to a TCP connection and very limited probe data
     to a UDP connection. Use -i to insert a delay between each port probe.
     This is useful as a fast scanning mode just to see what ports the target
     is listening on.
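The "-o logfile" hex dump described in the option overview is the artifact an analyst is most likely to meet when reviewing what a netcat session carried. The following added example (example code, not netcat's own) writes and parses that layout. The exact layout is an assumption modelled on netcat 1.10's output: a direction marker ("<" from the net, ">" to the net), an eight-digit hexadecimal running byte count for that direction, up to 16 bytes in hex, then " # " and the same bytes as ASCII with non-printable characters shown as ".". The parser reassembles each direction into a byte stream and flags any jump in the per-direction count, which is how a truncated or edited log shows up during review. The sample traffic (an SMTP-style exchange) is constructed for the example.

```python
# Added example (not netcat's code): writer and parser for the "-o logfile"
# hex-dump layout.  Layout is an assumption modelled on netcat 1.10:
#   <direction> <8-hex-digit byte count> <up to 16 hex bytes> # <ascii>
import string

# Characters shown literally in the ascii column; everything else becomes "."
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def format_dump(direction, data, start=0):
    """Render bytes sent in one direction as dump lines, counting from `start`
    bytes already logged in that direction."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if chr(b) in PRINTABLE else "." for b in chunk)
        lines.append(f"{direction} {start + off:08x} {hexpart:<47} # {asc}")
    return lines


def parse_dump(lines):
    """Rebuild the two byte streams from dump lines.
    Returns ({'<': bytes, '>': bytes}, [warnings])."""
    streams = {"<": bytearray(), ">": bytearray()}
    warnings = []
    for n, line in enumerate(lines, 1):
        if not line or line[0] not in streams or line[1:2] != " ":
            warnings.append(f"line {n}: not a dump line")
            continue
        direction = line[0]
        try:
            offset = int(line[2:10], 16)
        except ValueError:
            warnings.append(f"line {n}: bad offset field")
            continue
        hexpart, sep, _ascii = line[11:].partition(" # ")
        if not sep:
            warnings.append(f"line {n}: missing ascii column")
            continue
        raw = bytes(int(tok, 16) for tok in hexpart.split())
        expected = len(streams[direction])
        if offset != expected:          # gap or overlap in this direction's count
            warnings.append(
                f"line {n}: {direction} count {offset:#x} but "
                f"{expected:#x} bytes seen so far")
        streams[direction].extend(raw)
    return {k: bytes(v) for k, v in streams.items()}, warnings


def demo():
    """Constructed sample: a client greeting going out, a banner coming in."""
    out = b"HELO mail.example.test\r\n"
    inbound = b"220 mail.example.test ESMTP ready\r\n\x00\x01\xff"
    log = format_dump(">", out) + format_dump("<", inbound)
    streams, warnings = parse_dump(log)
    # Drop one inbound line to show the count check flagging the gap.
    damaged = [line for line in log if not line.startswith("< 00000010")]
    _, gap_warnings = parse_dump(damaged)
    return log, streams, warnings, gap_warnings


if __name__ == "__main__":
    log, streams, warnings, gap_warnings = demo()
    print("\n".join(log))
    print(streams)
    print("intact log:", warnings)
    print("damaged log:", gap_warnings)
```

Because the count field is per direction rather than per line, the parser keeps a separate expected offset for "<" and ">"; a dump from a real session interleaves the two, and only a mismatch within one direction is evidence that bytes are missing.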
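The "-v" entry notes that netcat, unless "-n" is given, resolves the target name forwards and backwards and warns when the two disagree. The added example below (example code, not netcat's own) performs that check with the resolver functions injected as parameters, so the same function can run against the system resolver (socket.gethostbyname_ex and socket.gethostbyaddr) or, as here, against constructed fake resolvers that stand in for DNS so the example runs offline. The host name and the 192.0.2.x addresses are invented for the example.

```python
# Added example (not netcat's code): the forward/reverse name consistency
# check that "-v" performs, with injectable resolvers so it runs offline.
import socket


def _norm(name):
    """Compare names case-insensitively and without a trailing dot."""
    return name.lower().rstrip(".")


def dns_consistency(host, forward=socket.gethostbyname_ex,
                    reverse=socket.gethostbyaddr):
    """Resolve host to its addresses, reverse-resolve each address, and report
    whether the PTR name (or one of its aliases) leads back to `host`."""
    _canonical, _aliases, addrs = forward(host)
    want = _norm(host)
    report = []
    for addr in addrs:
        try:
            primary, aliases, _ = reverse(addr)
            names = {_norm(primary)} | {_norm(a) for a in aliases}
        except OSError:                 # socket.herror: no PTR record
            names = set()
        report.append({
            "addr": addr,
            "reverse": sorted(names),
            "mismatch": want not in names,
        })
    return report


# Constructed fake resolvers (assumed data, not real DNS): one address reverses
# cleanly, one reverses to a different name, one has no PTR record at all.
FAKE_FORWARD = {
    "mail.example.test": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
}
FAKE_REVERSE = {
    "192.0.2.10": ("mail.example.test", [], ["192.0.2.10"]),
    "192.0.2.11": ("other.example.test", [], ["192.0.2.11"]),
}


def fake_forward(host):
    """Same return shape as socket.gethostbyname_ex: (name, aliases, addrs)."""
    if host not in FAKE_FORWARD:
        raise socket.gaierror(f"{host}: name not known")
    return (host, [], FAKE_FORWARD[host])


def fake_reverse(addr):
    """Same return shape as socket.gethostbyaddr: (name, aliases, addrs)."""
    if addr not in FAKE_REVERSE:
        raise socket.herror(f"{addr}: no PTR record")
    return FAKE_REVERSE[addr]


def demo():
    return dns_consistency("mail.example.test", fake_forward, fake_reverse)


if __name__ == "__main__":
    for entry in demo():
        flag = "MISMATCH" if entry["mismatch"] else "ok"
        print(f'{entry["addr"]:<12} {flag:<9} reverse={entry["reverse"]}')
```

A missing PTR record is reported as a mismatch as well, since from the checker's point of view the name simply does not lead back; whether that is an error or merely a gap in reverse zone maintenance is a judgement for the operator.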
Netcat is a powerful tool that every security professional should be familiar
with. It should be used with caution. I would not recommend installing netcat on
your production networks. I would suggest using it to test your firewall and
router configurations in a test environment. It can also be used to test your
operating system lockdown procedures. Be certain that you have the authority to
install and use netcat on your network before doing so. You might even want to
review the source code to learn how Hobbit built netcat and how Weld Pond ported
it to the Windows platform.
References
1. Insecure.org, "Top 50 Security Tools" (August 21, 2000)
2. Hobbit, "New tool available: Netcat" (October 28, 1995)
3. Weld Pond, "Netcat 1.10 for NT" (February 2, 1998)
4. Hobbit, "Netcat 1.10" (March 20, 1996)
5. Farm9, "cryptcat = netcat + encryption" (October 2, 2000)
6. Hobbit, "Netcat 1.10" (March 20, 1996)