Tags: Exploitation, netcat, shell, firewall evasion, IDS evasion, port forwarding, scripting, reverse shell

pwncat

pwncat is an enhanced Netcat implementation with firewall and IDS/IPS evasion capabilities, supporting bind and reverse shells, self-injecting shells, and port forwarding. It is fully scriptable with Python (PSE).

Description

pwncat provides Netcat functionality on steroids, featuring advanced techniques for firewall and intrusion detection/prevention system evasion. It supports multiple modes including connect, listen, zero-I/O scanning, and port forwarding, making it suitable for penetration testing and red team operations requiring persistent connections and stealthy network communication.

The tool is particularly useful for establishing reliable shell access across network security measures. Features like automatic reconnection, self-injecting reverse shells, and customizable scripting enable operators to maintain control over compromised hosts even in hostile environments with active defenses.

pwncat's Python scripting engine allows for custom data transformers and automation, extending its utility beyond basic connectivity to sophisticated command and control scenarios.

How It Works

pwncat operates as a Python (2/3) implementation of enhanced Netcat with IPv4/IPv6 dualstack support (configurable to single stack), TCP/UDP protocols, and IP ToS manipulation. It supports four primary modes: connect (client to remote endpoint with optional reconnection), listen (server accepting incoming connections with optional keep-open), zero-I/O (port scanning/status reporting), and forwarding (L/R modes for port redirection). Advanced features include self-injection for deploying persistent reverse shells upon incoming connections, CRLF line ending normalization, source address/port binding, and a Python scripting engine where user-defined 'transform' functions process data before transmission. Firewall/IDS evasion relies on these low-level protocol tweaks, rebinding, and retry mechanisms.

Installation

```bash
sudo apt install pwncat
```

Flags

-l, --listen
    Start a server and listen for incoming connections. If using TCP and a connected client disconnects or the connection is interrupted otherwise, the server will quit. See -k/--keep-open to change this behaviour.

-z, --zero
    Connect to a remote endpoint and report status only.

-e, --exec cmd
    Execute shell command. Only for connect or listen mode.

-C, --crlf lf
    Specify 'lf', 'crlf' or 'cr' to always force replacing line endings for input and output accordingly. Specify 'no' to completely remove any line feeds.

-4
    Only use IPv4 (default: IPv4 and IPv6 dualstack).

-6
    Only use IPv6 (default: IPv4 and IPv6 dualstack).

-u, --udp
    Use UDP for the connection instead of TCP.

-k, --keep-open
    Re-accept new clients in listen mode after a client has disconnected or the connection is interrupted otherwise. (default: server will quit after connection is gone)

--rebind [x]
    If the server is unable to bind, it will re-initialize itself x times before giving up.

--source-addr addr
    Specify source bind IP address for connect mode.

--source-port port
    Specify source bind port for connect mode.

--reconn [x]
    If the remote server is not reachable or the connection is interrupted, the client will connect again x times before giving up.

--self-inject cmd:host:port[s]
    Listen mode (TCP only): If you are about to inject a reverse shell onto the victim machine (via php, bash, nc, ncat or similar), start your listening server with this argument. This will then (as soon as the reverse shell connects) automatically deploy and background-run an unbreakable pwncat reverse shell onto the victim machine.

--script-send file
    A Python scripting engine to define your own custom transformer function which will be executed before sending data to a remote endpoint.

--banner
    Try banner grabbing during port scan.

Examples

Show help message and usage information.

    pwncat -h

Run in connect mode as a client to connect to a remote endpoint.

    pwncat hostname port

Start a server in listen mode and listen for incoming connections.

    pwncat -l [hostname] port

Run in zero-I/O mode to connect to a remote endpoint and report status only.

    pwncat -z hostname port

Forward incoming connections from local port to remote hostname:port.

    pwncat -L [addr:]port hostname port

Forward connections from remote addr:port to target hostname:port.

    pwncat -R addr:port hostname port

Listen mode with keep-open to re-accept new clients after disconnection.

    pwncat -k -l port
Updated 2026-04-16. Source: kali.org