Few Useful Netcat Tricks
I always say that small, simple and self contained tools can often be more useful, and more feature rich than huge bloated frameworks. For example lets take legendary “Swiss Army Knife of Networking†- netcat. It is a single binary, which takes up about 60KB of space on your disk (give or take a few KB depending on where and how you compile it). What can it do?
nc -v -w 1 localhost -z 1-3000
The command above will scan all the ports in the range 1-3000 on localhost.
Have you even needed an improvised one-on-one chat? Netcat can do that too. You simply start listening to connections on some port like this:
nc -lp 1337
Then on another machine simply connect to that port:
nc 10.48.2.40 1337
Now start typing on either machine. When you press enter, the line will immediately show up on the other machine.
Nectat can also be used to set up a telnet server in a matter of seconds. You can specify the shell (or for that matter any executable) you want netcat to run at a successful connection with the -e parameter:
nc -lp 1337 -e /bin/bash
On windows you can use:
nc -lp 1337 -e cmd.exe
Then on a client machine simply connect to port 1337 and you will get full access to the shell, with the permissions of the user who ran nc on the server.
Spoofing HTTP Headers
You can use netcat to connect to a server using completely spoofed headers. You can actually type out your user agent, referrer and etc. It’s useful when you want to generate bunch of hits that can be easily found in the logs or something like that:
nc google.com 80
GET / HTTP/1.1
Host: google.com
User-Agent: NOT-YOUR-BUSINESS
Referrer: YOUR-MOM.COM
Note that your request won’t be sent until you generate a blank line. So hit return twice when your are done typing. You will get a response of headers and HTML streaming down your screen:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=79f8f28c854d90ec:TM=1186369443:LM=1186369443:S=UIiTvi68MtmbcmGl; expires=Sun, 1
-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Server: GWS/2.1
Transfer-Encoding: chunked
Date: Mon, 06 Aug 2007 03:04:03 GMT
738
I deleted the HTML that followed the response - but you get the idea. It is also a good way of looking at headers. Some sites have nice surprises there (like slashdot’s X-Bender and X-Fry headers). Seriously, check them out!
I think this is my favorite trick. Did you ever need to set up simple makeshift webserver that would serve a single page? I know I did. In the past when my web server at work melted down, I set up laptop with this simple script:
while true; do nc -l -p 80 -q 1 < error.html; done
The error.html page was just a very simple error message notifying our users about the outage, and giving them an estimate of when it would be fixed. It took me 3 minutes to set up, and probably saved us many angry support calls.
dd if=/dev/sda | nc 192.168.0.1 9000
Where 9000 is some random port. On the receiving side di:
nc -l -p 9000 | dd of=/dev/sda
Of course you need to have the cloned partitions unmounted on both systems. So if you are cloning / you will have to boot from a live distro like Knoppix. Note that you can use this technique to clone NTFS partitions as well - just need to use a live Linux distro on both sides.
I always say that small, simple and self contained tools can often be more useful, and more feature rich than huge bloated frameworks. For example lets take legendary “Swiss Army Knife of Networking†- netcat. It is a single binary, which takes up about 60KB of space on your disk (give or take a few KB depending on where and how you compile it). What can it do?
Port Scanner
Netcat can be a port scanner. It does not have as many features as say nmap, but if you just want to see what ports are open on a given machine, you can simply do:nc -v -w 1 localhost -z 1-3000
The command above will scan all the ports in the range 1-3000 on localhost.
Chat Server
nc -lp 1337
Then on another machine simply connect to that port:
nc 10.48.2.40 1337
Now start typing on either machine. When you press enter, the line will immediately show up on the other machine.
Telnet Server
nc -lp 1337 -e /bin/bash
On windows you can use:
nc -lp 1337 -e cmd.exe
Then on a client machine simply connect to port 1337 and you will get full access to the shell, with the permissions of the user who ran nc on the server.
Spoofing HTTP Headers
You can use netcat to connect to a server using completely spoofed headers. You can actually type out your user agent, referrer and etc. It’s useful when you want to generate bunch of hits that can be easily found in the logs or something like that:
nc google.com 80
GET / HTTP/1.1
Host: google.com
User-Agent: NOT-YOUR-BUSINESS
Referrer: YOUR-MOM.COM
Note that your request won’t be sent until you generate a blank line. So hit return twice when your are done typing. You will get a response of headers and HTML streaming down your screen:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=79f8f28c854d90ec:TM=1186369443:LM=1186369443:S=UIiTvi68MtmbcmGl; expires=Sun, 1
-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Server: GWS/2.1
Transfer-Encoding: chunked
Date: Mon, 06 Aug 2007 03:04:03 GMT
738
I deleted the HTML that followed the response - but you get the idea. It is also a good way of looking at headers. Some sites have nice surprises there (like slashdot’s X-Bender and X-Fry headers). Seriously, check them out!
Web Server
while true; do nc -l -p 80 -q 1 < error.html; done
The error.html page was just a very simple error message notifying our users about the outage, and giving them an estimate of when it would be fixed. It took me 3 minutes to set up, and probably saved us many angry support calls.
Cloning Hard Drive Partitions Over the Network
This trick was submitted by Craig in the comments. On a system you want to clone do:dd if=/dev/sda | nc 192.168.0.1 9000
Where 9000 is some random port. On the receiving side di:
nc -l -p 9000 | dd of=/dev/sda
Of course you need to have the cloned partitions unmounted on both systems. So if you are cloning / you will have to boot from a live distro like Knoppix. Note that you can use this technique to clone NTFS partitions as well - just need to use a live Linux distro on both sides.
