Install Nmap Solaris 10
Netcat (Wikipedia)

Netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable back end that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of connection its user could need and has a number of built-in capabilities. Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.

Features

The original netcat's features include: [1]

Outbound or inbound connections, TCP or UDP, to or from any ports.
Full DNS forward/reverse checking, with appropriate warnings.
Ability to use any local source port.
Ability to use any locally configured network source address.
Built-in port scanning capabilities, with randomization.
Built-in loose source routing capability.
Can read command line arguments from standard input.
Slow send mode, one line every N seconds.
Hex dump of transmitted and received data.
Optional ability to let another program service establish connections.
Optional telnet options responder.
Featured tunneling mode which permits user defined tunneling, e.g., UDP or TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel).

Rewrites like GNU's and OpenBSD's support additional features. For example, OpenBSD's nc supports TLS.

Examples

Opening a raw connection to port 2. SMTP

nc mail.

Setting up a one shot webserver on port 8.

HTTP1. 0 2. 00 OKrn. Content Length drnrnwc c lt some.

The file can then be accessed via a web browser under http servername 8. Netcat only serves the file once to the first client that connects and then exits; it also provides the content length for browsers that expect it. This should work fine in a LAN, but may potentially fail with any kind of firewall between. In some versions of netcat like netcat traditional in Debian 8.

Checking whether UDP ports u 8. IO z

nc vzu 1.

Note that UDP tests will always show as open. The -z argument is useless.

Test whether UDP port is open: simple UDP server and client

This test is useful if you have shell access to the server that should be tested, but you do not know whether there is a firewall blocking a specific UDP port on the server. On the listening host, i. On the sending host, do the following (note that servname is the hostname of the listening host).
If text typed on the sending host (type something and hit enter) is displayed also on the listening host, then the UDP port 7. If it is not open, you will get an error such as Connection refused. There is a caveat. On some machines, IPv. IP version to use by netcat. Thus, the host specified by the hostname is contacted using IPv. Ports may appear closed in the test, even though they would be open when using IPv. This can be difficult to notice and may cause the false impression that the port is blocked, while it is actually open. You can force the use of IPv.

Pipe via UDP (-u) with a wait time (-w) of 1 second to loggerhost on port 5.

Port scanning

An uncommon use of netcat is port scanning. Netcat is not considered the best tool for this job, but it can be sufficient (a more advanced tool is nmap). The -n parameter here prevents DNS lookup, -z makes nc not receive any data from the server, and -w 1 makes the connection time out after 1 second of inactivity.

Proxying

Another useful behaviour is using netcat as a proxy. Both ports and hosts can be redirected. Look at this example. Port 12345 represents the request. This starts a nc server on port 1. If a web browser makes a request to nc, the request will be sent to google but the response will not be sent to the web browser. That is because pipes are unidirectional. This can be worked around with a named pipe to redirect the input and output. The -c option may also be used with the ncat implementation 2. Using a named pipe is a more reliable method because using the -c option provides only a one shot proxy. Another useful feature is to proxy SSL connections. This way, the traffic cannot be viewed in wire sniffing applications such as wireshark. This can be accomplished on UNIXes by utilizing mkfifo, netcat, and openssl.

Making any process a server

netcat can be used to make any process a network server. It can listen on a port and pipe the input it receives to that process.
The -e option spawns the executable with its input and output redirected via network socket. For example, it is possible to expose a bourne shell process to remote computers. To do so, on a computer A with IP address 1. Then, from any other computer on the same network, one could run this nc command: nc 1. In this way, the -e option can be used to create a rudimentary backdoor. Some administrators perceive this as a risk and thus do not allow netcat on a computer.

Examples by netcat Debian 8.

Connect to example. TCP port 8080.
Listen for connections on TCP port 8.
Redirect TCP port 8.
Bind to TCP port 8.
Bind a shell to TCP port 8.
Connect to smtphost 2. SOCKS4 server on port 1.
Create an HTTP proxy server on localhost port 8.
Send a file over TCP port 9. HOST1 ncat l 9. HOST2 ncat HOST1 9.
Transfer in the other direction, turning Ncat into a one file server. HOST1 ncat l 9. HOST2 ncat HOST1 9.

Encrypted file transfer [3]

Suppose you have an SSH tunnel, and you want to copy a file to the remote machine. You could just scp it directly, but that opens up another connection. The goal is to re-use the existing connection. You can use netcat to do this. When you SSH in, add L 3. On the remote nc lvnp 3. On the local nc v w 2 1. No extra overhead. TCP takes care of error correction. SSH has already encrypted the pipe.

Ports and reimplementations

The original version of netcat was a Unix program. The last version 1. March 1996. [1] There are several implementations on POSIX systems, including rewrites from scratch like GNU netcat [4] or OpenBSD netcat, [5] the latter of which supports IPv. TLS. The OpenBSD version has been ported to the FreeBSD base [6] and Windows/Cygwin. Mac OS X users can use MacPorts to install a netcat variant. There is also a Microsoft Windows version of netcat available. Known ports for embedded systems include versions for Windows CE named Netcat 4 wince1. Phone. 1. 1 BusyBox includes by default a lightweight version of netcat. Solaris 11 includes a netcat implementation based on OpenBSD netcat.

Socat1. It is larger and more flexible and has more options that must be configured for a given task. On February 1, 2. Santiago Zanella Beguelin and Microsoft Vulnerability Research issued a security advisory regarding a composite Diffie-Hellman parameter which had been hard-coded into the OpenSSL implementation of socat. The implausibility that a composite might have been unintentionally introduced where a prime number is required has led to the suspicion of sabotage to introduce a backdoor software vulnerability.

Cryptcat [13] is a version of netcat with integrated transport encryption capabilities. In the middle of 2. Nmap announced another netcat incarnation called Ncat.

Tools for Pentesters. Compilation.

Toxy. HTTP proxy. failure scenarios. It was mainly designed for fuzzing/evil testing purposes, when toxy becomes particularly useful to cover fault tolerance and resiliency capabilities of a system, especially in. MitM proxy among services. HTTP flow as you need, performing multiple evil actions in the middle of that process, such as limiting the bandwidth, delaying TCP packets, injecting network jitter latency or replying with a custom error or status code. It operates only at L7 (application level). It was built on top of. HTTP proxy, and it's also. Requires node.js 0.

Full-featured HTTP/S proxy backed by.
Hackable and elegant programmatic API inspired by connect/express.
Admin HTTP API for external management and dynamic configuration.
Featured built-in router with nested configuration.
Hierarchical and composable poisoning with rule based filtering.
Hierarchical middleware layer (both global and route scopes).
Easily augmentable via middleware (based on connect/express middleware).
Supports both incoming and outgoing traffic poisoning.
Built-in poisons (bandwidth, error, abort, latency, slow read).
Rule based poisoning (probabilistic, HTTP method, headers, body).
Supports third party poisons and rules.
Built-in balancer and traffic interceptor via middleware.
Inherits API and features from.
Compatible with connect/express (and most of their middleware).
Able to run as standalone HTTP proxy.

There are some other similar solutions like. Furthermore, the majority of those solutions only operate at TCP L3 level stack instead of providing high level abstractions to cover common requirements in the specific domain and nature of the HTTP L7 protocol, like toxy tries to provide. HTTP protocol primitives easily. Via its built-in hierarchical domain specific middleware layer you can easily augment toxy features to your own needs.

HTTP transaction e. One HTTP transaction can be poisoned by one or multiple poisons, and those poisons can also be configured to infect both global or route level traffic. HTTP request/response in order to determine, given certain rules, if the HTTP transaction should be poisoned or not e. Rules can be reused and applied to both incoming and outgoing traffic flows, including different scopes: global, route or poison level.

Incoming request.
Toxy Router: Match the incoming request.
Incoming phase: The proxy receives the request from the client.
Exec Rules: Apply configured rules for the incoming request.
Exec Poisons: If all rules passed, then poison the HTTP flow.
HTTP dispatcher: Forward the HTTP traffic to the target server, either poisoned or not.
Outgoing phase: Receives response from target server.
Exec Rules: Apply configured rules for the outgoing request.
Exec Poisons: If all rules passed, then poison the HTTP flow before sending it to the client.
Send to the client: Finally, send the request to the client, either poisoned or not.

Create a new toxy proxy. Default server to forward incoming traffic. Register global poisons and rules. Register multiple routes. Rulerules. headersAuthorization Bearer. Infect outgoing traffic only after the server replied properly. Poisonpoisons. bandwidth bps 5. Rulerules. methodGET. Rulerules. time. Threshold duration 1. Rulerules. response. Status range 2. Limit limit 1. Rulerules. methodPOST, PUT, DELETE. And use a different more permissive poison for GET requests. Limit limit 5. Rulerules. GET. Handle the rest of the traffic. Close delay 1. Read bps 1. Rulerules. probability5. Server listening on port, 3. Test it, http localhost 3.

Poisons host specific logic which intercepts and mutates, wraps, modifies and/or cancels an HTTP transaction in the proxy server. Poisons can be applied to incoming or outgoing, or even both traffic flows. Poisons can be composed and reused for different HTTP scenarios. They are executed in FIFO order and asynchronously.

Poisoning scopes. HTTP traffic received by the proxy server, regardless of the HTTP method or path. HTTP verb and URI path. Poisons can be plugged to both scopes, meaning you can operate with better accuracy and restrict the scope of the poisoning.

Poisoning phases. Poisons can be plugged to incoming or outgoing traffic flows, or even both. This means, essentially, that you can plug in your poisons to infect the HTTP traffic. HTTP server or sent to the client. This allows you to apply a better and more accurate poisoning based on the request or server response. For instance, given the nature of some poisons, like.

Built-in poisons.

Poisoning Phase. incoming outgoing. Reaches the server. Infects the HTTP flow injecting a latency jitter in the response. Jitter value in milliseconds. Random jitter maximum value. Random jitter minimum value. Or alternatively using a random value.

Inject response. Poisoning Phase. Reaches the server. Injects a custom response, intercepting the request before sending it to the target server. Useful to inject errors originated in the server. Response HTTP status code. Default. Optional headers to send. Optional body data to send. It can be a. Body encoding. Default to. toxy. Content Type application/json.

Poisoning Phase. incoming outgoing. Reaches the server.
Limits the amount of bytes sent over the network in outgoing HTTP traffic for a specific time frame. This poison is basically an alias to. Amount of chunk of bytes to send. Default. Packets time frame in milliseconds. Default. toxy. poisontoxy.

Poisoning Phase. incoming outgoing. Reaches the server. Limits the amount of requests received by the proxy in a specific threshold time frame. Designed to test API limits. Exposes typical X-RateLimit. Note that this is a very simple rate limit implementation; indeed, limits are stored in memory and are therefore completely volatile. There are a bunch of featured and consistent rate limiter implementations in. You might be also interested in. Total amount of requests. Default to. Limit time frame in milliseconds. Default to. Optional error message when limit is reached. HTTP status code when limit is reached. Default to. toxy. Limit limit 5, threshold 1.

Poisoning Phase. Reaches the server. Reads incoming payload data packets slowly. Only valid for non-GET requests. Packet chunk size in bytes. Default to. Limit threshold time frame in milliseconds. Default to. toxy. Read chunk 2. 04.

Poisoning Phase. Reaches the server. Delays the HTTP connection ready state. Delay connection in milliseconds. Default to. toxy. Open delay 2. 00.

Poisoning Phase. incoming outgoing. Reaches the server. Delays the HTTP connection close signal (EOF). Delay time in milliseconds. Default to. toxy. Close delay 2.

Poisoning Phase. Reaches the server. Restricts the amount of packets sent over the network in a specific threshold time frame. Packet chunk size in bytes. Default to. Data chunk delay time frame in milliseconds. Default to. toxy.

Abort connection. Poisoning Phase. incoming outgoing. Reaches the server. Aborts the TCP connection. From the low level perspective, this will destroy the socket on the server, operating only at TCP level without sending any specific HTTP application level data.
Aborts TCP connection after waiting the given milliseconds. Default to., the connection will be aborted if the target server takes more than the. Default to. Custom internal node.