CyberCheatsheets

Packet tools when you cannot install anything

tcpdump filters and netcat patterns on locked-down hosts where you cannot pull down a full toolkit.

Published 2 min read

The server team said no new binaries. No curl upgrade, no static nmap build, no "just this one Go binary." You still need to know where traffic goes when the app "cannot reach the database."

tcpdump and netcat are often already there or allowed by policy because ops teams used them first.

tcpdump: capture less than you think

Full interface captures fill disk and leak other tenants' packets on shared taps. Filter early.

DNS troubleshooting on a broken resolver path (options before the filter expression: GNU getopt on Linux permutes arguments, BSD and macOS builds do not, so `-c` after the expression becomes a syntax error there):

tcpdump -i any -n -c 50 'udp port 53'

Confirm SYN leaving the host for a suspected firewall block (the `host` name is resolved once at startup, so use the IP if name resolution is the thing under suspicion):

tcpdump -i eth0 -n -c 20 'host db.internal and tcp port 1433'

Write rotating files when you must leave a capture running:

tcpdump -i eth0 -w /tmp/cap.pcap -C 50 -W 5 'tcp port 443'

-C and -W keep you from filling the partition. Clean up after. Defenders notice odd pcaps too.

Read briefly on the wire when allowed:

tcpdump -i eth0 -n -A 'tcp port 80' -c 10

-A is noisy and slow. Use it for ten packets, not the whole engagement.

netcat: the boring Swiss Army knife

Connect test when telnet is missing but nc exists:

nc -vz target.host 443

Reverse shell is not the only use case. Port relay during pivot:

nc -lkvp 4444 -c "nc db.internal 1433"

Forward local port through a jump you control:

nc -lkvp 8080 -e "/bin/sh"   # only where policy allows; many modern nc builds omit -e

Check nc -h on the target. OpenBSD netcat, traditional netcat, and ncat differ. Assuming -e exists is a common stall during time pressure.

Banner grab:

echo "" | nc -w 3 target 25

Three-second wait, then move on.

When both tools are "not installed"

Ask for ss or netstat output from the app user. Ask for a one-line Python or PowerShell test socket if interpreters exist. The goal is evidence for a ticket, not purity of tooling.
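The one-line test socket, expanded into something that classifies the failure so the ticket carries evidence. This is an added example, not from the original post; `probe`, `interpret` and `self_test` are names chosen here, and the loopback listener in `self_test` is a constructed scenario. Run `probe` on the application host against 127.0.0.1 and on the client host against the service address, then feed both verdicts to `interpret`.

```python
import socket

def probe(host, port, timeout=3.0):
    """One TCP connect attempt; returns a verdict string, never raises.
    Verdicts: open, refused, timeout, dns-failure, unreachable."""
    try:
        fam, typ, proto, _, addr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "dns-failure"      # resolver path broken: look at udp/53 first
    s = socket.socket(fam, typ, proto)
    s.settimeout(timeout)         # same idea as nc -w 3: bounded wait, then move on
    try:
        s.connect(addr)
        return "open"
    except ConnectionRefusedError:
        return "refused"          # host answered with RST: nothing listens on that address
    except socket.timeout:
        return "timeout"          # silence: typical of a firewall DROP or a dead route
    except OSError:
        return "unreachable"      # ICMP unreachable, no route, and similar
    finally:
        s.close()

def interpret(loopback, external):
    """loopback: verdict from the app host against 127.0.0.1.
    external: verdict from the client host against the service address."""
    if loopback == "open" and external == "refused":
        return "service listens on 127.0.0.1 only: bind address, not a firewall"
    if loopback == "open" and external == "timeout":
        return "service listens locally; packets are dropped somewhere in the path"
    if loopback == "refused":
        return "nothing listening locally: service down or on another port"
    return "inconclusive: loopback=%s external=%s" % (loopback, external)

def self_test():
    """Constructed scenario: ephemeral loopback listener, probed before and after close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    before = probe("127.0.0.1", port)
    srv.close()
    after = probe("127.0.0.1", port)
    return before, after        # expected: ("open", "refused")

if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    print(host, port, probe(host, port))
```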

Document interface names (eth0 vs ens192), the network namespace if the app runs in a container, and whether the service binds localhost only. "Connection refused" from another host is often binding policy, not a mystery firewall rule.

Coordination with the blue team

Packet captures on production without notice can trigger DLP. Mention passive monitoring in the test plan. Share PCAP paths and confirm deletion after review.

These tools are old. That is why they survive lockdowns. Use them deliberately.