Forensic Toolbox: Netcat


Netcat is awesome. It is often referred to as the “swiss army knife” of network administrators since it can be used in so many different ways. In the forensics world, it can be used to do a live forensic analysis of a machine, sending data from the “victim” machine to another machine without writing that data to the “victim’s” hard drive and potentially overwriting important information. In hacking / computer security, it can be used as a backdoor into a machine, to do port scans, and even to capture network traffic. In school, it can be used to chat with friends (there are definitely easier ways, but what’s more fun than chatting through a command prompt?). 

Now that I’ve got your attention, what exactly is netcat? Basically, it is a utility that can create a TCP channel over a network and then read/write data across it. It is used to monitor and test systems, as well as send data, over a network connection.


Basic Usage

To start a server session, use the following syntax (for Windows it will be “ncat” instead of “nc”/”netcat”):

nc -v -l -p 2222

The -v flag means verbose and will print out more details about the connection. The -l flag makes this netcat process a server process, as it will listen for incoming connections on port 2222 (the -p flag specifies the port). Any port can be used, but it is best practice to use a port above 1023, as ports 0-1023 are reserved for specific applications like HTTP, SSH, FTP, etc.

It is often useful to save the data received through netcat to a file so you can analyze it later. To accomplish this, simply use the > command redirection operator to redirect the input/output to a file. For example:

nc -v -l -p 2222 > example.txt

On the ‘client’ side of the session, you would use the syntax:

nc [IP address of server machine] [port open on server, 2222]


A simple chat server using netcat on a Windows machine.


This method of using netcat creates a TCP connection between the two devices on the specified port and can be used as the chat server discussed above. In order to redirect a command’s output on one machine to another machine, on the client side, you would use the | (pipe) command redirection operator to redirect the output of a command to netcat as input. For example:

[command] | nc [IP address of server machine] [port]


This is how you can send the output of a command like “netstat” to another machine without writing to the first machine’s hard drive ( netstat -an | nc [IP Addr] [port] ).

To send a UDP packet (connection-less) instead of TCP, use the -u flag on the client side.

For port scanning, the Digital Ocean post below in the “More Information” section very clearly explains how to scan ports for a specific IP address or a domain, so I will refrain from repeating it here, although I do suggest taking a look at it.


How to Use in Forensics Investigation

It is very difficult to measure or analyze anything without modifying it in some way. Taking the temperature of of an object inadvertently adds the temperature of the thermometer and the heat it may be giving off due to power usage into the mix. Granted, the change is minimal, and we want to keep this change as minimal as possible. Using forensics tools on a machine can also modify the machine. Using a USB stick to run forensics tools may install drivers onto the machine, and running any type of command will write to system memory (RAM) if not the hard drive itself. 

While performing a live investigation, netcat is used to prevent overwriting something useful on the hard drive (something that may have been deleted, but not yet fully removed from the drive, for example), and instead sending the file or data to the hard drive of another device (the “forensic workstation”). A best practice of digital forensics is to impact the victim machine as little as possible during the investigation, and netcat helps us do that. 

When the analysis or investigation is over, remember to end the netcat process. If not, a malicious user could use the open port to access your machine. 


Download Source

Windows: The netcat utility actually comes with the NMap package. This is where I have downloaded the tool from and what I’d recommend using. The tool can also be downloaded separately. The separate version I have experience with is Jon Craton’s and it worked great for my purposes.

Linux: Most Linux distributions come pre-installed with netcat. However, if needed, you can install netcat in Linux using the commands listed here.


More Information

Very Good Overview of Netcat

List of Netcat Switches