Friday, 1 August 2008

Netcat to send files

Today, we are going to tar and compress (or gzip) the files contained within a specified directory and then pipe the data through a Netcat client. The "-w" option can provide a few seconds of delay prior to a time-out. This covers the problem of temporary disconnects and intermittent traffic flow.

Moving the file from a listener to the netcat client.

  • A listener.

# nc -l -p 53 < /tmp/the_file_name.bin

  • The client.

# nc [IP_Address_of_Listener] 53 > /tmp/the_file_name.bin

Pushing a file from the client to the netcat listener.

  • A listener.

# nc -l -p 53 > /tmp/the_file_we_want_to_copy.bin

  • The client.

# nc [IP_Address_of_Listener] 53 < /tmp/The_File_we_saved.bin

Just the reverse of what we did at first. This allows the sending or receiving of files. These files are sent in binary format, but this also allows text to be sent. Some issues can occur (and require translation) when sending from *NIX to Windows and vice versa.

No Netcat?
And of course, if netcat is not installed on the client, we can still use a makeshift client such as the /dev/tcp redirection built into bash:

# cat /etc/passwd > /dev/tcp/[IP_Address_of_Listener]/[Listener_Port]

Filtering connections
An exercise to try is to set up restrictions on the source IP that is allowed to connect. Netcat can be configured to accept connections only from a predefined source IP address. This makes the connection operate like TCP_Wrappers and is similar to a firewall for the individual service.

Sending compressed files
In this example, the data received is piped into tar. By running tar with the “v” option (or verbose) we can see the filenames - they are printed to STDOUT (generally the screen). Omit this if you want to script this or otherwise automate this process (less noise).

To compress the output, also run tar with the “z” flag. This will automatically run the gzip compression program over the output.

Note: Not all implementations of tar support the “z” flag and it may be necessary to pipe the tar’d output to gzip in a separate step.

To do this we use the commands:

  • Client
# tar cfpz - /[directory_path]/[File] | /bin/nc -w 3 [Destination_Host_IP] [Listener-Port]
or for an entire directory, just:
# tar cfpz - /[directory_path] | /bin/nc -w 3 [Destination_Host_IP] [Listener-Port]

  • Listener

# nc -l -p [Listener-Port] | tar xfpvz -

On the listener we reverse the process in this example and restore the files.

For the details on how to use tar see: http://www.linuxcommand.org/man_pages/tar1.html

Alternatively

Together, dd and netcat make a great way to either back up a system (and all slack etc) or to remotely obtain a forensically sound copy of a partition, drive, memory etc. Say we want to make an image of /dev/hdb1 (a partition, but the entire drive can also be copied with /dev/hdb). We can use the following commands:

  • Client

# dd if=/dev/hdb1 | nc -v -w 15 [Netcat_Listener_IP] 1200

  • Listener

# nc -l -v -w 15 -p 1200 | dd of=/tmp/image_hdb.dd

There are other options with dd that can be incorporated and I have these in other posts. In this case I have used TCP 1200 as the port, but this can be anything that is not in use. UDP can also be used, but there is a larger chance of error.

This image can now be cloned to other hosts, used as a backup to restore the original if needed, or used for forensic analysis.
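
Neither dd nor netcat confirms that the bytes written on the listener are the bytes read from the source, which matters if the image is to be used as evidence. The sketch below is an added example, not part of the original post: it hashes the stream on both ends in the same pass as the copy. The function names, the /tmp paths and the use of sha256sum (or shasum) are assumptions.

```shell
#!/bin/sh
# Added example: hash the image stream on both ends of the dd/netcat copy.
# Function names and the /tmp paths are illustrative, not from the post.

# Print the SHA-256 of stdin as bare hex (GNU sha256sum, else shasum).
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum
    else shasum -a 256; fi | cut -d' ' -f1
}

# Sender: read $1 once, write it to stdout, store its hash in $2.
# Hashing the same bytes that go down the pipe keeps the hash valid
# even if the source changes after the copy.
send_with_hash() {
    dir=$(mktemp -d) || return 1
    mkfifo "$dir/tap" || { rm -rf "$dir"; return 1; }
    sha256 < "$dir/tap" > "$2" &
    dd if="$1" bs=64k 2>/dev/null | tee "$dir/tap"
    wait            # let the hashing job finish writing $2
    rm -rf "$dir"
}

# Listener: write stdin to image $1, store the hash of what arrived in $2.
recv_with_hash() {
    tee "$1" | sha256 > "$2"
}

# Succeeds only if both hash files are non-empty and identical.
hashes_match() {
    [ -s "$1" ] && [ -s "$2" ] && [ "$(cat "$1")" = "$(cat "$2")" ]
}

# Usage with the commands from the post (start the listener first):
#   nc -l -v -w 15 -p 1200 | recv_with_hash /tmp/image_hdb.dd /tmp/image_hdb.sha256
#   send_with_hash /dev/hdb1 /tmp/hdb1.sha256 | nc -v -w 15 [Netcat_Listener_IP] 1200
# Move hdb1.sha256 to the listener by a separate channel, then:
#   hashes_match /tmp/hdb1.sha256 /tmp/image_hdb.sha256 && echo "image verified"
```

A mismatch means the transfer was truncated or altered in transit and the image should be taken again.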
