> nc -lvnp 4444 && echo 'listening...'_
Netcat does one thing: it creates a network connection and moves data through it. It connects to a remote host and sends data. Or it listens on a local port and receives data. TCP or UDP. That's it. The entire tool is a bidirectional pipe between a network socket and standard input/output.
That simplicity is its power. Because Netcat is nothing more than a raw network pipe, it can be used as a building block for almost any network operation: port scanning, service banner grabbing, file transfer, chat systems, reverse shells, bind shells, port forwarding, network pivoting, proxy relays, and ad-hoc service testing. Every more sophisticated tool in the penetration tester's arsenal — Metasploit's payloads, Cobalt Strike's beacons, even curl and wget — is doing fundamentally what Netcat does, with more features wrapped around it.
Netcat was originally written by Hobbit in 1995. Nearly three decades later, it remains installed by default on most Linux distributions and macOS, is available for Windows, and is one of the first tools a penetration tester reaches for when they need a quick, reliable, no-dependencies network utility on a compromised system.
Netcat is a legitimate networking utility used by system administrators, developers, and network engineers for troubleshooting and testing. The techniques described in this article — particularly reverse shells and pivoting — must only be used against systems you own or have explicit written authorisation to test. Unauthorised use of these techniques is illegal under the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), and equivalent legislation in most jurisdictions.
There are several Netcat implementations with different capabilities. Knowing which variant is on the system matters — because the flags, features, and behaviour differ between them.
| Variant | Package / Binary | Key Features | Common On |
|---|---|---|---|
| Traditional Netcat (Hobbit's original) | nc or netcat |
The original 1995 implementation. Supports TCP and UDP, basic port scanning (-z), and the -e flag for executing programs on connection (the flag that makes bind/reverse shells possible). Minimal features, maximum portability. |
Older Linux systems. Available in most package repositories as netcat-traditional. |
| OpenBSD Netcat | nc (often the default on modern systems) |
Rewritten for OpenBSD with security in mind. Supports UNIX domain sockets, proxy connections (-X for SOCKS/HTTP proxy), and TLS via -c flag on some builds. Does not support -e — deliberately omitted as a security measure. |
Ubuntu, Debian, macOS (default nc on most modern systems). |
| Ncat (Nmap project) | ncat |
The most feature-rich variant. Developed as part of the Nmap project. Supports SSL/TLS encryption (--ssl), access control (--allow, --deny), connection brokering, proxy support (SOCKS4/5, HTTP), and the -e flag for program execution. The recommended variant for pen testing. |
Installed alongside Nmap. Available on all platforms. |
| GNU Netcat | netcat |
GNU reimplementation. Supports tunnelling and the -e flag. Less commonly encountered than the other variants. |
Some Linux distributions. Less widely deployed. |
| Flag | Operation | What It Does |
|---|---|---|
nc <host> <port> |
Client mode (connect) | Connects to the specified host and port. Anything typed on standard input is sent to the remote host. Anything received from the remote host is printed to standard output. The most basic operation — equivalent to a raw TCP connection. |
-l |
Listen mode | Listens on the specified port for an incoming connection instead of initiating one. The local machine becomes the server. Combined with a port number: nc -l 4444 listens on port 4444. |
-v |
Verbose | Prints connection status messages — useful for confirming that a connection was established, or diagnosing why it wasn't. -vv increases verbosity further on some variants. |
-n |
No DNS resolution | Skips DNS lookups for IP addresses. Faster and avoids DNS-based detection. Always use when connecting to IP addresses rather than hostnames. |
-p <port> |
Source port | Specifies the local source port for the connection. Useful when a firewall allows traffic from specific source ports (e.g. port 53 for DNS or port 80 for HTTP). |
-u |
UDP mode | Uses UDP instead of TCP. By default, Netcat operates over TCP. -u switches to UDP — useful for testing DNS, SNMP, TFTP, and other UDP services. |
-w <seconds> |
Timeout | Sets a timeout for connections. -w 3 closes the connection if no data is received for 3 seconds. Essential for scripted operations where you don't want hanging connections. |
-z |
Zero-I/O (scan mode) | Connects and immediately closes — sending no data. Used for port scanning. nc -zv host 1-1000 scans ports 1 through 1000 and reports which are open. |
When Netcat connects to a port, many services immediately send a banner — a string identifying the service name, version, and sometimes the operating system. Banner grabbing is the simplest form of service enumeration: connect, read the response, and close.
Banner information is directly actionable: OpenSSH_8.9p1 Ubuntu-3ubuntu0.6 maps to a specific Ubuntu release and specific known vulnerabilities. ProFTPD 1.3.5e is vulnerable to CVE-2019-12815 (mod_copy remote code execution). Banner grabbing with Netcat requires no special tools, no installation, and works on every system that has nc available — which is almost all of them.
On a compromised system with no SCP, no FTP, no curl, and no wget, Netcat provides a raw file transfer capability. The sender pipes a file into Netcat. The receiver listens and redirects the output to a file. No protocol overhead, no authentication, no encryption — just bytes across a TCP connection.
The encrypted variant using ncat --ssl is important during engagements where the network is monitored — transferring tools or exfiltrating data over unencrypted Netcat will be visible to any IDS or network tap. Ncat's SSL mode wraps the connection in TLS with no additional configuration required.
Netcat's ability to pipe a program's input and output across a network connection is the foundation of bind and reverse shells — the two most fundamental remote access techniques in penetration testing. Understanding both is essential, because the choice between them depends on the network topology and firewall rules between the attacker and the target.
| Shell Type | How It Works | When to Use It |
|---|---|---|
| Bind shell | The target listens on a port and binds a shell to it. The attacker connects to that port and receives a shell. The target is the server; the attacker is the client. | When the target has a port accessible to the attacker — typically during internal testing where firewall rules are permissive. Less common in external testing because inbound connections to the target are usually filtered. |
| Reverse shell | The attacker listens on a port. The target initiates an outbound connection to the attacker and sends its shell. The attacker is the server; the target is the client. | The default choice for most engagements. Outbound connections from the target are more likely to succeed than inbound connections to it — most firewalls are configured to restrict inbound traffic but allow outbound. |
The named pipe (mkfifo) technique is essential knowledge because the OpenBSD variant of nc — the default on Ubuntu and Debian — deliberately omits the -e flag. On these systems, the named pipe provides the same functionality: it creates a bidirectional pipe between the network connection and the shell process. It's less elegant than -e, but it works everywhere.
A raw Netcat shell is functional but limited: no tab completion, no command history, no ability to use interactive programs like vim or top, and Ctrl+C kills the shell instead of the running process. Upgrading to a fully interactive TTY is a standard post-exploitation step.
Netcat's port scanning capability is rudimentary compared to Nmap — no service detection, no OS fingerprinting, no scripting engine. But on a compromised system where Nmap isn't installed and can't be transferred, Netcat's -z flag provides basic TCP port scanning that's often sufficient for identifying the next pivot target.
During an internal pen test, the attacker often compromises a host that has access to a network segment the attacker's machine can't reach directly. Netcat can create a relay — forwarding traffic from the attacker through the compromised host to the target network.
The named pipe relay is a technique every penetration tester should know by heart. It requires no additional tools, no compilation, no dependencies — just a mkfifo and two instances of nc. Ncat's --sh-exec provides cleaner syntax for the same operation and adds the option of encrypting the attacker-facing side with --ssl to avoid detection by network monitoring.
Ncat extends the traditional Netcat feature set with capabilities specifically useful for penetration testing: encrypted connections, access controls, connection brokering, and proxy support.
| Feature | Flag(s) | Use Case |
|---|---|---|
| SSL/TLS encryption | --ssl |
Wraps the connection in TLS. Prevents IDS from inspecting the traffic. Essential for transferring sensitive data or maintaining shells on monitored networks. |
| Access control | --allow 10.0.0.5 / --deny 0.0.0.0/0 |
Restricts which IP addresses can connect to the listener. Prevents other testers or unexpected connections from interfering with your listener during a shared engagement. |
| Connection brokering | --broker |
Allows multiple clients to connect to the same listener and share data. Creates a basic chat server or a multiplexed relay point. |
| Proxy support | --proxy <host:port> --proxy-type socks5 |
Routes connections through a SOCKS4, SOCKS5, or HTTP proxy. Useful for pivoting through a compromised proxy server or chaining through Tor. |
| Keep-alive / persistent listener | -k |
Keeps the listener running after a client disconnects. Without -k, the listener exits after the first connection closes. Essential for persistent listeners that accept multiple connections sequentially. |
| Execution on connect | -e <command> / --sh-exec '<command>' |
Executes a program and pipes its I/O through the network connection. -e /bin/bash for shells. --sh-exec passes the command through /bin/sh for shell features like pipes and redirects. |
Netcat is the most fundamental networking tool in the penetration tester's arsenal. Not the most powerful — Nmap does service detection better, Metasploit does exploitation better, Cobalt Strike does C2 better. But Netcat does what none of them can do as reliably: it creates a raw network connection with zero dependencies, zero configuration, and zero installation on almost any system the tester encounters.
That simplicity makes it irreplaceable. On the compromised Linux server with no tools installed: Netcat is there. On the Windows workstation where you need to transfer a binary: Netcat can do it. On the pivot host where you need to relay traffic to a network segment you can't reach directly: Netcat builds the bridge. On the system where you need a reverse shell and don't have Meterpreter: Netcat and a named pipe give you one in a single line.
Every penetration tester should know Netcat's core operations by heart — client mode, listen mode, the -e flag, the named pipe workaround, file transfer in both directions, and the shell upgrade sequence from raw to interactive. These are the building blocks that every more sophisticated tool is built upon — and the fallback that's always available when those tools aren't.
Our penetration testers combine deep tool knowledge with manual analysis, creative thinking, and real-world attack methodology — because understanding Netcat is table stakes, not the whole game.