Testing network connections and computer communications has become increasingly complicated with the deluge of new networking products and server applications. Many network administrators rely on tools such as Ping, Telnet, and packet sniffers to diagnose and test network and server connections. Although these tools let you test network connections and probe remote machines, they don't let you open an arbitrary connection across your network (e.g., specifying both source and destination ports) or set up a temporary client-server connection to quickly copy a file or redirect output from an application on one machine to another. To solve these problems and more, consider using what many call the Swiss Army knife of the network and security administrator's toolkit—Netcat.

Netcat's elegant simplicity belies its power and utility. Let's discuss how to use this handy tool to open network connections, perform port scans, transfer files, and redirect standard input and output. Attackers have also used this tool to set up back doors and infiltrate computer networks. Regardless of whether you choose to add Netcat to your repertoire of security and network tools, you'll benefit from understanding the capabilities that this flexible tool provides.

Netcat's Beginnings
Developed in 1995 for UNIX systems and ported to Windows in 1998, Netcat lets administrators read to and write from custom TCP or UDP connections between remote hosts. You can run Netcat as a client to connect to applications on remote servers or start Netcat in listening mode to permit other network applications—even other Netcat sessions—to connect to it.

Netcat is free to download and use. You can download the UNIX/Linux or Windows versions of Netcat from @stake (http://www.atstake.com/research/tools/network_utilities). While you're at the Web site, read the Netcat README text file for an excellent detailed description of how and when to use the tool.

To get an even better sense of this tool's utility, download the Linux version and study the \scripts directory of the extracted distribution. These short, easy-to-understand scripts provide valuable insight into Netcat's various uses—good and bad. For example, one script uses Netcat to query multiple search engines for a particular word, and another script mimics a simple browser. Two other scripts show how to use Netcat as a proxy or relay for Web traffic. Although not everyone will find these sample scripts useful, they provide good insight into other Netcat applications and uses.

Manipulating I/O Across Networks
One of Netcat's tricks is to redirect a console's or command prompt's standard I/O to that system's network port, letting you perform ad hoc bidirectional communication over networks. Standard in (stdin) and standard out (stdout) streams are part of a computer system's standard I/O stream objects that provide input to an application or direct a program's output to a screen, file, or other device. (In addition to the stdin and stdout streams, a third stream, standard error—stderr—provides a mechanism for reporting errors without tainting the standard out stream.)

For example, on a Windows system, if you type

type sometextfile.txt

at a command prompt, the type utility accepts your command as an argument and processes the command and displays the contents of the sometextfile.txt file to stdout, which typically defaults to the screen. You can use the greater than (>) symbol to redirect the stdout to a file (e.g., type sometextfile.txt > anotherfile.txt). Netcat lets you extend I/O redirection across the network—either to other applications hosted on servers (e.g., a Web site) or to other Netcat servers running as listeners on any port.

Similarly, some applications support data input using stdin. For example, if you type

grep http<samefile.txt

the grep utility will search somefile.txt for the text http. Netcat supports both stdin and stdout.

Easy Installation
Both the Windows and Linux Netcat versions are written in C, and the code provides interesting reading if you want to learn more about programming socket-based network applications. The source code is fairly short and liberally commented, giving you a good idea of the required components (and frustrations involved) for programming networking applications.

The Windows version comes as a ready-to-run executable, but you must compile the Linux version for the platform on which you want it to run (e.g., BSD UNIX, Linux, other *nix variants). To install the Linux version, download and extract the .tar file to a Netcat directory. From that directory, run the command

make system name

where system name is the name of your platform (e.g., make Linux). Two optional compilation flags, -DTELNET and -DGAPING_SECURITY_HOLE, increase Netcat's functionality. The -DTELNET flag lets Netcat connect to Telnet servers; the ominous-sounding -DGAPING_SECURITY_HOLE flag lets you direct standard I/O from Netcat to a binary file on your system. To compile Netcat with these options on a Linux system, use the following make command:

make Linux DFLAGS="-DTELNET
  -DGAPING_SECURITY_HOLE"

On Red Hat Linux 9 (and earlier versions), the downloaded Netcat source code fails to compile, complaining of an undefined reference to res_init. You can work around this glitch by commenting out the line in the netcat.c file that calls the res_init function. (This code is on or around line 1319 of the file.) Comment out the code by using /* and */ to surround the text res_init();, as follows:

/* can *you* say "cc -yaddayadda
  netcat.c -lresolv -l44bsd"
  on SunLOSs?    */
/* res_init(); */
#endif

This code begins the compiling process and produces the Netcat binary file, nc. Copy the file to your preferred location (e.g., /usr/local/bin), and you're ready to use Netcat.

Far from Telnet
As a simple client network program, Netcat differs from Telnet in that it doesn't require authentication and doesn't require logon information or other session-negotiation information. When you connect to a Web server or other proprietary network application, Netcat by itself provides a simple, clean connection. When you connect to a Telnet daemon, the server requires the extra logon information, and you must use Netcat with the -t flag to establish the connection. For example, the command

nc -t 192.168.0.2 23

instructs Netcat to attempt a connection on TCP port 23 to a Telnet server.

You use a similar command syntax to open a connection to any network application running on a remote machine. For example, to connect to a Web server at 192.168.0.3, simply type

nc 192.168.0.3 80

Netcat connects to TCP port 80 (the standard HTTP port) and waits for a command. If you run Netcat without redirecting a text file as stdin or if you call the utility from a script, Netcat runs in interactive mode. For example, after you run Netcat to establish a connection to a Web server, you can issue a GET statement followed by a forward slash to access the default home page:

GET /

After Netcat sends the GET / command to the Web server, the Web server processes the command and returns the default home page (as your browser sees it) to the Netcat program. Figure 1 shows a basic Web page named default.asp. Notice that the response includes the version of Microsoft IIS, as well as other configuration and session information, such as cookie and cache-control settings.

Netcat Port Scanning
Netcat also performs port scanning—with a bit of a twist. Netcat not only can scan ports to identify open ports on a server but can connect to those ports for elementary banner checking. Not all applications display a banner (i.e., announce their name and version number) when Netcat connects to them, but many do. For example, if you connect to a Microsoft Exchange Server server on the SMTP port (TCP port 25), by default you'll see text similar to the following: "220 server.domain.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Wed, 16 Jul 2003 17:51:35 -0700". If you use a standard port scanner to scan your network for TCP 25, the scanner might tell you that a mail server is listening on a particular IP address, but Netcat might be able to find out the make and model of that mail server.

You can also use Netcat to scan a range of ports. For example, to scan and try to connect to TCP ports 20 through 40 on host 192.168.0.3, type

nc -vv 192.168.0.3 20-40

After Netcat connects to an open port, it waits for further input (as it did in the earlier HTTP example). To force Netcat to continue through your port list, pipe an echo quit command to Netcat, as Figure 2 shows. The -vv flag tells Netcat to display more verbose output; in this example, Netcat shows each refused connection. On a Linux system, you can add the -w 3 or -w 5 flag to specify a timeout for Netcat (a higher number denotes a longer timeout). Varying the timeout value might improve your port scanning response time or accuracy. Depending on your platform, you'll want to fiddle with the various Netcat settings until you get a result satisfactory to your environment. Port scanning provides useful information, including the banners of otherwise hidden applications that might be listening on your servers.

You can use the -z flag to instruct Netcat to perform a more traditional port scan. In this mode, Netcat doesn't try to connect to the ports—it simply scans the range and reports any ports that it finds open. Netcat supports multiple verbose modes: When scanning a range of ports, use the -v flag to display only open ports or use the -vv flag to display both open and closed ports. Additionally, you can use the -r flag to randomize the ports, the -i flag to specify an interval in seconds for scanning, the -s flag to spoof a source address, the -p flag to specify the source port, and the -u flag to perform UDP port scanning and connections.

Netcat port-scanning performance varies by platform. The Linux version of Netcat took about 1 minute to scan all 65,535 ports on a computer, whereas the Windows version took an incredible 18 hours—about 1 second per port—to perform the same scan. As a comparative benchmark, the popular Nmap port-scanner utility performed the same scan on a Linux machine in 16 seconds. Although you probably wouldn't use Netcat as your primary port scanner, it's a great tool for querying and investigating open ports. Say, for example, you have a Linux computer at IP address 192.168.0.11 that allows inbound Secure Shell (SSH) connections. To determine which version of SSH is running, issue the Netcat command

nc 192.168.0.11 22

Netcat File Transfers
We've looked at how Netcat can probe and make connections to remote network applications; Netcat can also run in server mode to listen for incoming connections. To start Netcat in listening mode, use the -l flag, then specify the port on which you want Netcat to listen. To instruct Netcat to listen to TCP port 12345 and redirect any input to the local text file output.txt, on the server, type the command

nc -l -p 12345 >output.txt

Next, fire up Netcat on the client machine and connect to the Netcat server with the command

Client: nc 192.168.0.200 12345

where 192.168.0.200 is the IP address of the server and 12345 is the listening port number. After making this connection, Netcat sends any text typed on the client computer to the listening computer, which then writes the text to the text file output.txt. Let's flip around this example and extend it a bit. This time, configure the listening computer to accept input from the file output.txt by typing the command

nc -l -p 12345 < output.txt

on the server. Connect to the listening computer with the same command as before (nc 192.168.0.200 12345). Now, the listening computer (server) sends the entire contents of output.txt across the network connection to the client computer. This method works with binary files too. Use the commands

nc -l -p 12345 <
aBinary.exe

on the server and

nc 192.168.0.200 12345 > aBinary.exe

on the client to copy the file aBinary.exe from the server to the client. (Note that this method works for only a single connection.) After Netcat transfers the file and closes the connection, the utility exits from the server. The Windows version of Netcat supports an additional argument, the -l flag, which instructs Netcat to run again using the same command it used earlier. This method lets you create a rudimentary file-server application. Multiple clients can connect to the server on an arbitrary port to automatically get a particular file. The Netcat sample scripts also include a short and basic (but very functional) file-distribution script that demonstrates how to use Netcat as a rudimentary file-distribution application.

Shell Anywhere
One of Netcat's most powerful features is its ability to execute and redirect standard I/O to a binary or executable file on a listening computer. For example, the commands

Server:
  nc -l -p 12345 -e /bin/bash

where Server is the server running Linux and

Server:
  nc -l -p 12345 -e cmd.exe

where Server is the server running Windows initialize Netcat as a listener on port 12345. When another Netcat session connects to this computer on port 12345, Netcat redirects I/O to that system's shell program. Figure 3 shows an example of a Windows computer connected over Netcat to a Linux computer. Notice that the Linux whoami command returns the name of the currently logged-on user. In this example, we see that a Windows user who uses Netcat to connect to a bash shell prompt on the Linux computer can issue commands directly on that Linux system under the same privilege as the user account running Netcat—in this case the privileged root account.

In such situations, Netcat is platform-independent. A user can run Netcat on one platform and connect to a Netcat listener on any other platform and issue commands through the redirected binary. You can control any text program in this manner. In the previous example, the binary was the OS's console program—either a Linux bash shell or a Windows command prompt. You can also configure Netcat to use any source or destination port: Imagine how long it might take to discover a Netcat shell program running as a listener on a popular port such as TCP port 80 or TCP port 53 on one of your network servers. A port scan might report TCP 80 as open, but a simple port scan wouldn't discern whether the listening application was a Web server or an illicit Netcat listener.

Friend or Foe?
Netcat offers a huge degree of flexibility in creating network connections, probing remote systems, and facilitating flexible, quick, and ad hoc data transfers between user-defined ports. Netcat's ability to specify any source or destination port, combined with the fact that no authentication is needed to establish a connection between Netcat users, makes it an extremely powerful tool—one that you can use to help manage your network or one that someone could leverage against your network. By learning about this tool's capabilities, you can take full advantage of its benefits and reduce the chances that it will be used against you.