Ncat Linux command: the pocket‑sized network swiss‑army knife you can actually use
If you’ve ever needed to poke around a port or spin up a quick “here’s my console” server without installing a full‑blown framework, Ncat will feel like that friend who always has a spare screwdriver. It’s part of the Nmap family and runs on Linux, macOS and Windows, but this article sticks to Linux.
What is Ncat and why you care
Ncat is a versatile networking utility that can act as a client, server, or tunnel. Think of it as a Swiss‑Army knife for sockets: you give it an address and a port, and it will either connect to something else or listen for connections. Because it ships with Nmap, it’s pre‑installed on most Kali builds, so you’ll usually find it at /usr/bin/ncat already.
Setting up a simple TCP server with Ncat
1. Choose a listening port
ncat -l 12345 – The -l flag tells Ncat to listen; 12345 is arbitrary, but pick something above 1024 to avoid needing root.
Ports under 1024 are privileged on Linux; using a non‑privileged port keeps the command simple.
2. Keep the listener open across connections
Add -k (--keep-open) so the listener survives a client disconnect: ncat -lk 12345. Without it Ncat exits after the first connection closes; with it you can drop and re‑connect without restarting Ncat.
During debugging, you often want to re‑enter the session while the service stays up.
3. Pipe data to a program
ncat -lk 12345 > /tmp/received.txt
This streams whatever arrives straight into a file.
Useful for grabbing logs or payloads from a remote script without writing custom code.
Using Ncat to tunnel traffic (the “port forward” trick)
Suppose you’re behind a restrictive firewall that only lets outbound HTTP (port 80). You can tunnel SSH through it:
```
# On the server you want to reach: listen on the port the firewall lets out
# and hand every incoming connection to the local SSH daemon
ncat -lk 80 -c 'ncat localhost 22'

# On your local machine: a relay on 12345 that carries each connection out
# over the allowed port, so ssh can simply target localhost
ncat -lk 12345 -c 'ncat target.server 80'
ssh -l user -p 12345 localhost
```
Why this works: -c (--sh-exec) runs a shell command for every connection Ncat accepts and wires the socket to that command’s stdin and stdout. On the server, each connection arriving on port 80 is passed straight to SSH on port 22; on your machine, each connection to localhost:12345 is carried out to the server’s port 80. To the firewall it looks like an ordinary outbound web connection, while SSH rides inside it end to end (the relays themselves are plain TCP; the SSH session inside them provides the encryption). It’s a quick alternative to tools like ssh -L.
A real‑world scenario: “I accidentally opened an ncat listener on 4444”
A friend of mine was testing a custom network daemon and mistakenly ran:
ncat -l 4444
On the same machine, another script started blasting data to that port. The daemon crashed because it kept receiving garbage, and the system log filled with “Connection reset by peer” entries. Lesson: always double‑check your command line before launching a listener; you can’t easily kill an Ncat process without Ctrl+C or killing its PID.
Remote shell trick (use responsibly)
Ncat can serve a shell to whoever connects (a bind shell):
```
# Listener side (on the target machine, as root)
ncat -l 4444 -e /bin/bash
```
Then on your local machine:
ncat target.ip.address 4444
You now have a raw Bash session. This is handy for quick troubleshooting, but it’s also a big security hole if exposed to the internet. Use it only in isolated networks or with proper firewall rules.
Tips & pitfalls
| Tip | Why |
|---|---|
| Use -v (verbose) on the first run | It prints connection details and helps verify traffic direction. |
| Add --ssl if you need encryption | Ncat can wrap a session in TLS without extra tools. |
| Beware of -e on untrusted hosts | It gives full shell access; never expose it to public IPs. |
| Background the listener with & (or run it under nohup or tmux) | Keeps your terminal free while the server runs; Ncat has no detach option of its own, and its -d is --delay, not detach. |
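The forgotten listener on 4444 and the “never expose -e” warning above both come down to one question: which Ncat listeners are running on this box, and which of them hand a program to whoever connects? The audit below is an added example, not from the original article; it parses `ps -eo pid,args` output (a constructed sample is embedded) and reports every ncat/nc process in listen mode, marking the ones that carry -e/--exec or -c/--sh-exec.

```shell
#!/bin/sh
# Added example, not from the original article: find Ncat listeners on a host
# and flag the ones that hand a program to whoever connects (-e/--exec,
# -c/--sh-exec), i.e. the forgotten "ncat -l 4444" and the "-e on an exposed
# port" cases discussed above.

# flag_ncat_listeners reads "PID ARGS" lines, as printed by `ps -eo pid,args`,
# on stdin and writes one tab-separated "PID PORT VERDICT" line per ncat/nc
# process that is in listen mode.  The port is taken to be the first bare
# numeric argument, which matches the common forms (-l 4444, -lp 4444, -lk 80).
flag_ncat_listeners() {
    awk '
    $2 ~ /(^|\/)(ncat|nc)$/ {
        listen = 0; exec_flag = ""; port = "?"
        for (i = 3; i <= NF; i++) {
            a = $i
            if (a == "--listen") listen = 1
            else if (a == "--exec" || a == "--sh-exec" || a == "--lua-exec") exec_flag = a
            else if (a ~ /^-[a-zA-Z]+$/) {          # bundled short flags, e.g. -lk, -lp
                if (index(a, "l")) listen = 1
                if (index(a, "e") || index(a, "c")) exec_flag = a
            }
            else if (port == "?" && a ~ /^[0-9]+$/) port = a
        }
        if (exec_flag != "") verdict = "exec " exec_flag
        else verdict = "plain listener"
        if (listen) printf "%s\t%s\t%s\n", $1, port, verdict
    }'
}

# Constructed sample of `ps -eo pid,args` output (not captured from a real host):
# a bind shell on 4444, a plain listener on 12345, an SSH relay on 8080, an
# outbound ncat client and an unrelated daemon; only the first three are reported.
SAMPLE_PS='  PID COMMAND
 4021 ncat -lp 4444 -e /bin/bash
 4100 ncat -l 12345
 4200 /usr/bin/ncat -lk 8080 -c nc localhost 22
 4300 ncat 10.0.0.5 4444
 4400 /usr/sbin/sshd -D'

printf '%s\n' "$SAMPLE_PS" | flag_ncat_listeners
# On a live host: ps -eo pid,args | flag_ncat_listeners
```

Listeners reported as “plain listener” are the ones worth a second look during debugging sessions; anything reported as “exec” should be reachable only from where you intend.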
That’s the low‑down on Ncat: a small, flexible tool that can replace dozens of scripts when you’re in a hurry or want to avoid adding more weight to your machine. Next time someone asks how they received data from an obscure port, drop “Ncat” into your reply and watch their eyes widen.