Re: Nc.exe


Brie Hoffler

Jul 12, 2024, 3:21:40 PM
to exapbecoun

The genuine nc.exe file is a software component of NetCat Network Control Program by Rodney Beede.
In 1995, someone called "hobbit" created NetCat for Unix and used the name "nc.exe"; Rodney Beede later adapted it to Windows NT (and later), where it needs the Minimalist GNU for Windows (MinGW) for an underlying Unix/Linux platform. It gives network administrators a "Swiss army knife" for testing TCP/IP connections and ports. It can usually be uninstalled by looking for "Network Control" under "Uninstall a Program" in the Control Panel. An early well-known MS-DOS freeware program called "Norton Commander" also existed for managing files. (A modern freeware version is called "winnc.exe".) Because these made "nc.exe" a popular name, it appears to be a popular imitation name for malware. NetCat's bare-metal TCP/IP port-level access is useful for testing a network but opens possibilities for abuse. The NetCat source code is free and widely shared so there are many potential versions and some trigger antivirus warnings, although these may be false.


The .exe extension on a filename indicates an executable file. Executable files may, in some cases, harm your computer. Therefore, please read below to decide for yourself whether the nc.exe on your computer is a Trojan that you should remove, or whether it is a file belonging to the Windows operating system or to a trusted application.

Important: Some malware also uses the file name nc.exe, for example HKTL_NETCAT (detected by TrendMicro), and not-a-virus:RemoteAdmin.Win32.NetCat.a (detected by Kaspersky). Therefore, you should check the nc.exe process on your PC to see if it is a threat. We recommend Security Task Manager for verifying your computer's security. This was one of the Top Download Picks of The Washington Post and PC World.

Summary: Average user rating of nc.exe: based on 33 votes with 19 user comments. 9 users think nc.exe is essential for Windows or an installed application. 6 users think it's probably harmless. 4 users think it's neither essential nor dangerous. 4 users suspect danger. 10 users think nc.exe is dangerous and recommend removing it. 2 users don't grade nc.exe ("not sure about it").

A clean and tidy computer is the key requirement for avoiding problems with nc. This means running a scan for malware, cleaning your hard drive using cleanmgr and sfc /scannow, uninstalling programs that you no longer need, checking for Autostart programs (using msconfig) and enabling Windows' Automatic Update. Always remember to perform periodic backups, or at least to set restore points.

Should you experience an actual problem, try to recall the last thing you did, or the last thing you installed before the problem appeared for the first time. Use the resmon command to identify the processes that are causing your problem. Even for serious problems, rather than reinstalling Windows, you are better off repairing your installation or, for Windows 8 and later versions, executing the DISM.exe /Online /Cleanup-image /Restorehealth command. This allows you to repair the operating system without losing data.

To help you analyze the nc.exe process on your computer, the following programs have proven to be helpful: Security Task Manager displays all running Windows tasks, including embedded hidden processes, such as keyboard and browser monitoring or Autostart entries. A unique security risk rating indicates the likelihood of the process being potential spyware, malware or a Trojan. Malwarebytes Anti-Malware detects and removes sleeping spyware, adware, Trojans, keyloggers, malware and trackers from your hard drive.

NetCapture - nc.exe

Netcat tries its best to behave just like ``cat''. It currently does nothing to terminal input modes, and does no end-of-line conversion. Standard input from a terminal is read line by line with normal editing characters in effect. You can freely suspend out of an interactive connection and resume. ^C or whatever your interrupt character is will make netcat close the network connection and exit. A switch to place the terminal in raw mode has been considered, but so far has not been necessary. You can send raw binary data by reading it out of a file or piping from another program, so more meaningful effort would be spent writing an appropriate front-end driver.

Netcat is not an ``arbitrary packet generator'', but the ability to talk to raw sockets and/or nit/bpf/dlpi may appear at some point. Such things are clearly useful; I refer you to Darren Reed's excellent ip_filter package, which now includes a tool to construct and send raw packets with any contents you want.

Port-scanning is a popular method for exploring what's out there. Netcat accepts its commands with options first, then the target host, and everything thereafter is interpreted as port names or numbers, or ranges of ports in M-N syntax. CAVEAT: some port names in /etc/services contain hyphens -- netcat currently will not correctly parse those, so specify ranges using numbers if you can. If more than one port is thus specified, netcat connects to *all* of them, sending the same batch of data from standard input [up to 8K worth] to each one that is successfully connected to. Specifying multiple ports also suppresses diagnostic messages about refused connections, unless -v is specified twice for ``more verbosity''. This way you normally get notified only about genuinely open connections. Example: ``nc -v -w 2 -z target 20-30'' will try connecting to every port between 20 and 30 [inclusive] at the target, and will likely inform you about an FTP server, telnet server, and mailer along the way. The -z switch prevents sending any data to a TCP connection and very limited probe data to a UDP connection, and is thus useful as a fast scanning mode just to see what ports the target is listening on. To limit scanning speed if desired, -i will insert a delay between each port probe. There are some pitfalls with regard to UDP scanning, described later, but in general it works well.

For each range of ports specified, scanning is normally done downward within that range. If the -r switch is used, scanning hops randomly around within that range and reports open ports as it finds them. [If you want them listed in order regardless, pipe standard error through ``sort''...] In addition, if random mode is in effect, the local source ports are also randomized. This prevents netcat from exhibiting any kind of regular pattern in its scanning. You can exert fairly fine control over your scan by judicious use of -r and selected port ranges to cover. If you use -r for a single connection, the source port will have a random value above 8192, rather than the next one the kernel would have assigned you. Note that selecting a specific local port with -p overrides any local-port randomization.

An exciting thing to do is to get a quick shell going on a remote machine by using the -l or ``listen'' option and the -e or ``execute'' option. You run Netcat listening on a particular port for a connection. When a connection is made, Netcat executes the program of your choice and connects the stdin and stdout of the program to the network connection.

will get Netcat listening on port 23 (telnet). When it gets connected to by a client it will spawn a shell (cmd.exe). The -t option tells Netcat to handle any telnet negotiation the client might expect.

If netcat is compiled with -DGAPING_SECURITY_HOLE, the -e argument specifies a program to exec after making or receiving a successful connection. In the listening mode, this works similarly to ``inetd'' but only for a single instance. Use with GREAT CARE. This piece of the code is normally not enabled; if you know what you're doing, have fun. This hack also works in UDP mode. Note that you can only supply -e with the name of the program, but no arguments. If you want to launch something with an argument list, write a two-line wrapper script or just use inetd like always.

Many people are interested in testing network connectivity using IP source routing, even if it's only to make sure their own firewalls are blocking source-routed packets. On systems that support it, the -g switch can be used multiple times [up to 8] to construct a loose-source-routed path for your connection, and the -G argument positions the ``hop pointer'' within the list. If your network allows source-routed traffic in and out, you can test connectivity to your own services via remote points in the internet. Note that although newer BSD-flavor telnets also have source-routing capability, it isn't clearly documented and the command syntax is somewhat clumsy. Netcat's handling of ``-g'' is modeled after ``traceroute''.

Data from the network connection is always delivered to standard output as efficiently as possible, using large 8K reads and writes. Standard input is normally sent to the net the same way, but the -i switch specifies an ``interval time'' which slows this down considerably. Standard input is still read in large batches, but netcat then tries to find where line breaks exist and sends one line every interval time. Note that if standard input is a terminal, data is already read line by line, so unless you make the -i interval rather long, what you type will go out at a fairly normal rate. -i is really designed for use when you want to ``measure out'' what is read from files or pipes.

Listen mode will cause netcat to wait for an inbound connection, and then the same data transfer happens. Thus, you can do ``nc -l -p 1234 < filename'' and when someone else connects to your port 1234, the file is sent to them whether they wanted it or not. Listen mode is generally used along with a local port argument -- this is required for UDP mode, while TCP mode can have the system assign one and tell you what it is if -v is turned on. If you specify a target host and optional port in listen mode, netcat will accept an inbound connection only from that host and if you specify one, only from that foreign source port. In verbose mode you'll be informed about the inbound connection, including what address and port it came from, and since listening on ``any'' applies to several possibilities, which address it came *to* on your end. If the system supports IP socket options, netcat will attempt to retrieve any such options from an inbound connection and print them out in hex.
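
For anyone checking an nc.exe process as the post recommends, the switches on the command line say more than the file name does. The triage sketch below is an added example, not part of the original post or of netcat itself: `parse_switches` and `classify` are hypothetical helper names, the records are constructed, and the -l/-e/-p/-z meanings are the ones described in the text above.

```python
import shlex

# Switches that take a value (-e -g -G -i -p -w from the text; -o -s from nc 1.10 usage).
TAKES_ARG = set("egGiopsw")

def parse_switches(cmdline):
    """getopt-style parse of a command line into {letter: value or True}."""
    tokens = shlex.split(cmdline, posix=False)[1:]  # posix=False keeps backslashes
    found, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if len(tok) < 2 or tok[0] != "-":
            continue  # positional: host, port, or a range such as 20-30
        for pos, ch in enumerate(tok[1:], start=1):
            if ch in TAKES_ARG:
                if tok[pos + 1:]:
                    found[ch] = tok[pos + 1:]  # attached value, e.g. -p23
                elif i < len(tokens):
                    found[ch] = tokens[i]  # detached value, e.g. -p 23
                    i += 1
                break
            found[ch] = True  # plain flag; bundles such as -lvp are allowed
    return found

def classify(image, cmdline):
    """Return a finding string or None; the image name is reported, never trusted."""
    sw = parse_switches(cmdline)
    named_nc = image.lower().endswith("\\nc.exe")
    port = str(sw.get("p", ""))
    if "l" in sw and "e" in sw and port.isdigit():
        tag = "" if named_nc else " (image not named nc.exe)"
        return f"listen+exec on port {port}: {sw['e']}{tag}"
    if named_nc and "z" in sw:
        return "zero-I/O port scan (-z)"
    if named_nc and "l" in sw:
        return f"listener on port {port or 'system-assigned'}"
    return None

# Constructed process-creation records (image path, command line), not real telemetry.
SAMPLES = [
    (r"C:\Tools\nc.exe", r"nc.exe -v -w 2 -z target 20-30"),
    (r"C:\Users\Public\svchost.exe", r'"C:\Users\Public\svchost.exe" -l -p 23 -t -e cmd.exe'),
    (r"C:\Temp\up.exe", r"up.exe -lvp 4444 -ecmd.exe"),
    (r"C:\Tools\nc.exe", r"nc.exe -l -p 1234"),
    (r"C:\Windows\System32\ping.exe", r"ping.exe -l 1200 -w 2 host"),
]

for image, cmdline in SAMPLES:
    print(f"{classify(image, cmdline) or 'no finding':58} {cmdline}")
```

The listen-plus-exec rule fires whatever the binary is called, while the lower-signal scan and plain-listener rules apply only to images actually named nc.exe, to keep unrelated tools that reuse the same letters out of the results.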
