How to use Netcat: Commands and use cases
The versatile utility is small, powerful and gives security and network engineers a variety of ways to incorporate it as part of an overall security strategy.
Netcat is arguably the most flexible network security tool available to security administrators today, and one that is valuable for any security practitioner to have in-depth knowledge of.
Let's take a look at how to use Netcat and explore some situations where you can put it to good use.
Netcat: Security's Swiss Army knife
Netcat is a small, lightweight tool that sends and receives data over a network. Where the Linux and Unix cat utility copies a file to stdout, Netcat copies whatever it reads on stdin to a network socket and writes whatever arrives from that socket to stdout. That is the whole trick: the network connection becomes just another thing you can pipe into and out of.
While this sounds modest in scope, security practitioners can use it creatively and string it together with itself or other commands in surprisingly powerful ways. Consider just a few of the many possible use cases:
- Penetration testers. Netcat can serve as a testing harness for interacting directly with a listening (server) socket or even as a quick-and-dirty command-and-control interface -- e.g., reverse shell.
- Application security specialists. Netcat can connect to APIs, test and interact with proprietary protocols at a low (i.e., socket) level, and help gather information during reconnaissance.
- Network engineers. Netcat is a simple and effective tool to test connectivity between different endpoints.
- Students. Netcat is an excellent way to learn networking fundamentals and experiment with network communications.
The widespread popularity of Netcat boils down to the following key factors:
- Ubiquity. Many Linux distributions -- whether security-focused or general-purpose -- include Netcat by default.
- Portable. If a platform has a shell and a network connection, chances are good you can run Netcat on it.
- Lightweight. The small binary can easily be transported and installed when and if needed.
- Versatile. Netcat works seamlessly under a variety of conditions, whether over TCP or User Datagram Protocol (UDP), IPv4 or IPv6. For good reason, it's often called the Swiss Army knife of network security tools.
Let's explore how the tool works in greater detail and highlight some situations where you might consider using it.
How Netcat operates
Netcat operates in one of two modes: as a server -- i.e., a listener -- or as a client. Both are useful depending on the context, though the latter is more commonly used. The format of an extremely basic usage scenario is nc <host> <port> to connect to a remote host and nc -l <port> to listen on a given port. Be aware that several implementations share the nc name: the OpenBSD nc that Debian and Ubuntu ship by default, the traditional GNU netcat and Nmap's Ncat. Their option sets overlap but are not identical -- the traditional netcat, for instance, listens with nc -l -p <port> -- so run nc -h on the box you are working on before relying on a flag.
Like many command-line tools, Netcat offers a lot of options. It has dozens of switches that control everything about the connection -- TCP or UDP, IPv4 or IPv6, timeouts, time-to-live and so on -- as well as what it does with the data, including handing it to an external command.
Given the large number of options -- some of which are only used in rare circumstances -- I won't cover all of them here. The following are among the most common and why you might choose them (again, this is not an exhaustive list):
- -l (listen mode). Creates a listening socket.
- -e (execute). Once a connection is made, runs the specified program with its stdin and stdout attached to the connection. This flag exists in the traditional netcat and in Ncat; the OpenBSD nc deliberately omits it, so on those systems the same effect requires a named pipe (see below).
- -k (keep listening). When used with -l (listen mode), causes Netcat to go back to listening for a new connection after the current one closes, instead of exiting.
- -n (no DNS). Do not attempt to resolve addresses via DNS.
- -u (UDP mode). Use UDP instead of TCP for connections.
- -v (verbose output). Show additional information to the user -- for example, when a connection succeeds, when one fails or when a new client connects.
- -w (timeout). Specify a timeout in seconds after which a connection attempt is abandoned. Without it, an outbound connection attempt waits as long as the operating system's own TCP connect timeout allows, which is typically well over a minute. Note that this applies only to outbound connections and not to listening mode.
- -x (use a proxy). Specify a proxy to connect through. In the OpenBSD nc, -x takes the proxy address and -X selects the protocol (SOCKS4, SOCKS5 or HTTP CONNECT); Ncat uses --proxy and --proxy-type instead. Other flags may be needed as well -- for example, if the proxy requires authentication.
Using Netcat
Let's examine how to use Netcat by exploring how to create a server connection. This is foundational to much of how it is used in the field. You could, for example, need to catch a remote shell calling back from a victim box in a red teaming context. Or, you might want to emulate the server side of a connection to see how a client behaves when it talks to an endpoint you control -- whether it validates what it receives, what it leaks in its first message and so on.
Creating a listener
The screen capture below illustrates using Netcat (nc) to create a listening socket on port 80. I used Firefox to connect to that socket to showcase how Netcat captures and displays inbound data -- in this case, the HTTP request Firefox sends to that listening socket.
Note how I ran nc as root using sudo. That's because, by default, Linux and Unix systems require root privileges to bind a privileged port -- i.e., one below 1024. Ports 1024 and above are not similarly encumbered and do not require root. (On Linux, granting the binary the CAP_NET_BIND_SERVICE capability is the usual alternative to running it as root, but for a quick test a high port is simpler.)
Unless you specify otherwise, using the -l (listen) flag causes nc to block -- i.e., wait -- until a connection is made, handle that one connection and then exit. You can either specify no additional flags, as I've done here, for that default behavior, or you can add the -k flag -- e.g., nc -lk 80 -- to have Netcat go back to listening after each connection closes.
Now, you might think it's unlikely you'll need or want to use Netcat to mimic the behavior of a web server -- particularly an insecure one that doesn't speak TLS. For the most part, that's likely true. I've used this as an example for two reasons. First, HTTP is one of the simpler network protocols out there, so it's easy to illustrate Netcat's functionality. Second, extending this to other protocols is intuitive and far from useless. Not only can you examine any other plaintext protocol the same way, but bear in mind that plaintext HTTP is still common on internal networks, on both the client and the server side. This is true for legacy equipment, industrial control systems, special-purpose healthcare devices and numerous other scenarios.
Establishing a client connection
Let's look at the other side of that connection: the client. Initiating a connection from a client is similarly easy to accomplish. Building on the earlier example, if you want to view the server's response to the above request from our browser, do the following:
In this example, I used a standard Linux pipe -- the vertical bar operator, signified by the | character -- to feed the output of the first command into a second command, in this case nc <host> 80.
I could have opened a connection directly to the remote host. Instead, I attached the output of the listening socket to the input of the new client connection to illustrate the client side, as well as the ability to chain Netcat instances together with other commands or even with Netcat itself. This in turn means you can pipe or redirect file contents into Netcat, pass data between different instances and perform numerous other tricks. This again showcases how flexible Netcat is.
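Here is the same listener-and-client chain end to end as a script, added here as an example rather than a screen capture from the article. It assumes the nc -l <port> listen syntax (OpenBSD nc or Nmap's Ncat), the coreutils timeout command, and an arbitrary unprivileged port, 18080, so no sudo is needed. The HTTP request and response it exchanges are constructed for the demo.

```shell
#!/bin/sh
# Added example: one Netcat listener and one Netcat client, both on loopback.
# Assumes "nc -l PORT" listen syntax (OpenBSD nc or Ncat); the traditional GNU
# netcat needs "nc -l -p PORT". Port 18080 is arbitrary and unprivileged.
set -eu

PORT=${PORT:-18080}
WORKDIR=$(mktemp -d)

# Server side: feed one canned HTTP response to the listener and save whatever
# the client sends us. Without -k the listener exits after the first connection.
serve_once() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 6\r\nConnection: close\r\n\r\nhello\n' \
        | nc -l "$1" > "$WORKDIR/request.txt" &
    SERVER_PID=$!
    sleep 1    # let the listener bind before the client connects
}

# Client side: pipe a hand-built HTTP/1.0 request into nc and capture the reply.
# OpenBSD nc keeps the socket open after stdin hits EOF unless you pass -N, so
# the timeout wrapper bounds the run whichever nc is installed.
send_request() {
    printf 'GET /probe HTTP/1.0\r\nHost: localhost\r\n\r\n' \
        | timeout 3 nc "$1" "$2" > "$WORKDIR/response.txt" || true
    wait "$SERVER_PID" 2>/dev/null || true
}

# Returns 0 when the listener saw our request line and the client saw the status line.
run_http_demo() {
    serve_once "$PORT"
    send_request 127.0.0.1 "$PORT"
    grep -q '^GET /probe HTTP/1.0' "$WORKDIR/request.txt" &&
        grep -q '^HTTP/1.1 200 OK' "$WORKDIR/response.txt"
}

run_http_demo && HTTP_DEMO_OK=1 || HTTP_DEMO_OK=0
[ "$HTTP_DEMO_OK" = 1 ] && echo "listener saw: $(head -n1 "$WORKDIR/request.txt")"
```

Swap the printf on the client side for a redirect from a file (nc 127.0.0.1 18080 < request.txt) and you have the file-driven variant; swap the listener's printf for a real service and the client half becomes a protocol probe.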
As an example of that, I could have constructed an HTTP request to send instead in the manner depicted below:
This is almost exactly the same, except the origin of the request is a file on the filesystem instead of the output of another Netcat command. You can extend this concept in numerous ways. For example, you can create a command-and-control channel for use in a red team context -- watch an example of this in the companion video; with the addition of a named pipe (created with mkfifo, or with mknod and the p type) you can build a quick-and-dirty proxy or give a Netcat that lacks -e a working shell; you can stream the output of commands to another machine in real time, etc. If you have experience with the Linux/Unix CLI, you can use Netcat in many powerful ways.
Used creatively, Netcat is one of the most flexible and common tools in your security arsenal. Try Netcat today to explore how it can help solve security challenges in your day to day.
Ed Moyle is a technical writer with more than 25 years of experience in information security. He is a partner at SecurityCurve, a consulting, research and education company.