Netcat - KadeTheKade/ForensicTools GitHub Wiki

Netcat is an incredibly useful tool in forensics because it allows the user to create and use just about any type of coonection they might need to do full debugging and investigative analysis. This can be leveraged to many types of uses included but not limited to:

• TCP/UDP connections in and outbound over any port

• Tranfer files

• Port listening and scanning

We use this for these exact uses in our analysis thus far to enable us to pull information off the victim computer without losing volitile data by installing and running tools directly on the victim system. The simple commands we have used run like this:

For the trusted workstation setup a listener to capture the information coming from the victim:

nc -v -l -p 2222 > [command_run_on_victim].txt

This uses the -v flag for verbose mode, -l flag to set it to listening mode, and the -p flag sets the port it will be listening on. This also feeds the incoming information into a text file we can then use for our analysis our collection.

For the victim to then send things through this port to the trusted workstation the command is:

[command_run_on_victim] | nc [trusted_workstation_ip] 2222

With this we run whatever command we need to gather the desired information and pipe the result through our connection over our specified port to the workstation that is listening for this incoming data. This can then be done over and over to get everything one needs to be fully equiped for an analysis.

The other beautiful thing about this tool is that it is designed to be a backend that can be used as we have or can be driven with scripts or other programs that can automate much of what you want it to do simply and effectively.