Skip to main content

NetCat - Portscanning TCP/UDP

· 3 min read
Strider

NetCat as I mentioned in the previous post Post, that it is a Swiss army knife is not yet completely clear. Here I want to show that you can also make portscanns with NetCat no matter if TCP or UDP.

What is a portscan? (In a nutshell) Portscanning is used to check which ports (services) are running on a system. This can be HTTP, SSH, FTP, Samba etc... It is also used to gather information about the system e.g. if the system is a Windows, Linux, Mac etc.... Because many services give their signature or banner where information like version, what kind of service it is and maybe even give insight into the system.

A portscan with NetCat is built like this but can be further customized.

nc -z -v -w 1 -n <host addr> <port range>

Break it down:
-z makes NetCat report open ports instead of establishing a connection.
-v is the verbose mode and ensures that everything NetCat does is output.
-w 1 sets a timeout to maximum 1 second.
-n ensures that no DNS server is queried for IP address, this saves time.
-u switches NetCat to UDP mode because by default NetCat works with TCP.
<host addr> is the IP-address to be scanned
<port range> is the range of port numbers from where to where. e.g. 1-1024

A TCP port scan then looks like this with NetCat: Example with metasploitable VM.

nc -z -v -w 1 -n 192.168.56.102 1-65535

running.png

Here you can see how a portscan looks like under ncat. You can see which service is assigned to which port number e.g. for port 80 (UNKNOWN) [192.168.56.102] 80 (http) open We get the IP address again followed by the port number. In the brackets after the port number we see the protocol, so not the service like Apache or Ngnix, just the protocol that would be used here. Last but not least we are told if the port is open or not, well only the open ports are shown.

Why would? Just because a protocol was specified does not mean that this protocol is also processed behind it. It can be also very well that at port 80 no HTTP server but a SSH server runs.

But if we use the parameter -vv then we see even more what NetCat is doing. We see then also the ports which are not accessible and how many packets were sent or received.

done.png

What does the whole thing look like now under UDP? Actually the same. You just have to add the parameter or option -u and NetCat switches to UDP.

I hope I could give you some more insight into NetCat's functions.

Have fun! 😃