.\"	$OpenBSD: nc.1,v 1.67 2014/02/26 20:56:11 claudio Exp $
.\"
.\" Copyright (c) 1996 David Sacerdote
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: February 26 2014 $
.Dt NC 1
.Os
.Sh NAME
.Nm nc
.Nd arbitrary TCP and UDP connections and listens
.Sh SYNOPSIS
.Nm nc
.Bk -words
.Op Fl 46DdFhklNnrStUuvz
.Op Fl I Ar length
.Op Fl i Ar interval
.Op Fl O Ar length
.Op Fl P Ar proxy_username
.Op Fl p Ar source_port
.Op Fl s Ar source
.Op Fl T Ar toskeyword
.Op Fl V Ar rtable
.Op Fl w Ar timeout
.Op Fl X Ar proxy_protocol
.Oo Xo
.Fl x Ar proxy_address Ns Oo : Ns
.Ar port Oc
.Xc Oc
.Op Ar destination
.Op Ar port
.Ek
.Sh DESCRIPTION
The
.Nm
(or
.Nm netcat )
utility is used for just about anything under the sun involving TCP,
UDP, or
.Ux Ns -domain
sockets.
It can open TCP connections, send UDP packets, listen on arbitrary
TCP and UDP ports, do port scanning, and deal with both IPv4 and
IPv6.
Unlike
.Xr telnet 1 ,
.Nm
scripts nicely, and separates error messages onto standard error instead
of sending them to standard output, as
.Xr telnet 1
does with some.
.Pp
Common uses include:
.Pp
.Bl -bullet -offset indent -compact
.It
simple TCP proxies
.It
shell-script based HTTP clients and servers
.It
network daemon testing
.It
a SOCKS or HTTP ProxyCommand for
.Xr ssh 1
.It
and much, much more
.El
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
Forces
.Nm
to use IPv4 addresses only.
.It Fl 6
Forces
.Nm
to use IPv6 addresses only.
.It Fl D
Enable debugging on the socket.
.It Fl d
Do not attempt to read from stdin.
.It Fl F
Pass the first connected socket using
.Xr sendmsg 2
to stdout and exit.
This is useful in conjunction with
.Fl X
to have
.Nm
perform connection setup with a proxy but then leave the rest of the
connection to another program (e.g.\&
.Xr ssh 1
using the
.Xr ssh_config 5
.Cm ProxyUseFdPass
option).
.It Fl h
Prints out
.Nm
help.
.It Fl I Ar length
Specifies the size of the TCP receive buffer.
.It Fl i Ar interval
Specifies a delay time interval between lines of text sent and received.
Also causes a delay time between connections to multiple ports.
.It Fl k
Forces
.Nm
to stay listening for another connection after its current connection
is completed.
It is an error to use this option without the
.Fl l
option.
When used together with the
.Fl u
option, the server socket is not connected and it can receive UDP datagrams from
multiple hosts.
.It Fl l
Used to specify that
.Nm
should listen for an incoming connection rather than initiate a
connection to a remote host.
It is an error to use this option in conjunction with the
.Fl p ,
.Fl s ,
or
.Fl z
options.
Additionally, any timeouts specified with the
.Fl w
option are ignored.
.It Fl N
.Xr shutdown 2
the network socket after EOF on the input.
Some servers require this to finish their work.
.It Fl n
Do not do any DNS or service lookups on any specified addresses,
hostnames or ports.
.It Fl O Ar length
Specifies the size of the TCP send buffer.
.It Fl P Ar proxy_username
Specifies a username to present to a proxy server that requires authentication.
If no username is specified then authentication will not be attempted.
Proxy authentication is only supported for HTTP CONNECT proxies at present.
.It Fl p Ar source_port
Specifies the source port
.Nm
should use, subject to privilege restrictions and availability.
It is an error to use this option in conjunction with the
.Fl l
option.
.It Fl r
Specifies that source and/or destination ports should be chosen randomly
instead of sequentially within a range or in the order that the system
assigns them.
.It Fl S
Enables the RFC 2385 TCP MD5 signature option.
.It Fl s Ar source
Specifies the IP of the interface which is used to send the packets.
For
.Ux Ns -domain
datagram sockets, specifies the local temporary socket file
to create and use so that datagrams can be received.
It is an error to use this option in conjunction with the
.Fl l
option.
.It Fl T Ar toskeyword
Change IPv4 TOS value.
.Ar toskeyword
may be one of
.Ar critical ,
.Ar inetcontrol ,
.Ar lowdelay ,
.Ar netcontrol ,
.Ar throughput ,
.Ar reliability ,
or one of the DiffServ Code Points:
.Ar ef ,
.Ar af11 ... af43 ,
.Ar cs0 ... cs7 ;
or a number in either hex or decimal.
.It Fl t
Causes
.Nm
to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests.
This makes it possible to use
.Nm
to script telnet sessions.
.It Fl U
Specifies to use
.Ux Ns -domain
sockets.
.It Fl u
Use UDP instead of the default option of TCP.
For
.Ux Ns -domain
sockets, use a datagram socket instead of a stream socket.
If a
.Ux Ns -domain
socket is used, a temporary receiving socket is created in
.Pa /tmp
unless the
.Fl s
flag is given.
.It Fl V Ar rtable
Set the routing table to be used.
.It Fl v
Have
.Nm
give more verbose output.
.It Fl w Ar timeout
Connections which cannot be established or are idle timeout after
.Ar timeout
seconds.
The
.Fl w
flag has no effect on the
.Fl l
option, i.e.\&
.Nm
will listen forever for a connection, with or without the
.Fl w
flag.
The default is no timeout.
.It Fl X Ar proxy_protocol
Requests that
.Nm
should use the specified protocol when talking to the proxy server.
Supported protocols are
.Dq 4
(SOCKS v.4),
.Dq 5
(SOCKS v.5)
and
.Dq connect
(HTTPS proxy).
If the protocol is not specified, SOCKS version 5 is used.
.It Xo
.Fl x Ar proxy_address Ns Oo : Ns
.Ar port Oc
.Xc
Requests that
.Nm
should connect to
.Ar destination
using a proxy at
.Ar proxy_address
and
.Ar port .
If
.Ar port
is not specified, the well-known port for the proxy protocol is used (1080
for SOCKS, 3128 for HTTPS).
.It Fl z
Specifies that
.Nm
should just scan for listening daemons, without sending any data to them.
It is an error to use this option in conjunction with the
.Fl l
option.
.El
.Pp
.Ar destination
can be a numerical IP address or a symbolic hostname
(unless the
.Fl n
option is given).
In general, a destination must be specified,
unless the
.Fl l
option is given
(in which case the local host is used).
For
.Ux Ns -domain
sockets, a destination is required and is the socket path to connect to
(or listen on if the
.Fl l
option is given).
.Pp
.Ar port
can be a single integer or a range of ports.
Ranges are in the form nn-mm.
In general,
a destination port must be specified,
unless the
.Fl U
option is given.
.Sh CLIENT/SERVER MODEL
It is quite simple to build a very basic client/server model using
.Nm .
On one console, start
.Nm
listening on a specific port for a connection.
For example:
.Pp
.Dl $ nc -l 1234
.Pp
.Nm
is now listening on port 1234 for a connection.
On a second console
.Pq or a second machine ,
connect to the machine and port being listened on:
.Pp
.Dl $ nc 127.0.0.1 1234
.Pp
There should now be a connection between the ports.
Anything typed at the second console will be concatenated to the first,
and vice-versa.
After the connection has been set up,
.Nm
does not really care which side is being used as a
.Sq server
and which side is being used as a
.Sq client .
The connection may be terminated using an
.Dv EOF
.Pq Sq ^D .
.Sh DATA TRANSFER
The example in the previous section can be expanded to build a
basic data transfer model.
Any information input into one end of the connection will be output
to the other end, and input and output can be easily captured in order to
emulate file transfer.
.Pp
Start by using
.Nm
to listen on a specific port, with output captured into a file:
.Pp
.Dl $ nc -l 1234 \*(Gt filename.out
.Pp
Using a second machine, connect to the listening
.Nm
process, feeding it the file which is to be transferred:
.Pp
.Dl $ nc -N host.example.com 1234 \*(Lt filename.in
.Pp
After the file has been transferred, the connection will close automatically.
.Sh TALKING TO SERVERS
It is sometimes useful to talk to servers
.Dq by hand
rather than through a user interface.
It can aid in troubleshooting,
when it might be necessary to verify what data a server is sending
in response to commands issued by the client.
For example, to retrieve the home page of a web site:
.Bd -literal -offset indent
$ printf "GET / HTTP/1.0\er\en\er\en" | nc host.example.com 80
.Ed
.Pp
Note that this also displays the headers sent by the web server.
They can be filtered, using a tool such as
.Xr sed 1 ,
if necessary.
.Pp
More complicated examples can be built up when the user knows the format
of requests required by the server.
As another example, an email may be submitted to an SMTP server using:
.Bd -literal -offset indent
$ nc localhost 25 \*(Lt\*(Lt EOF
HELO host.example.com
MAIL FROM:\*(Ltuser@host.example.com\*(Gt
RCPT TO:\*(Ltuser2@host.example.com\*(Gt
DATA
Body of email.
\&.
QUIT
EOF
.Ed
.Sh PORT SCANNING
It may be useful to know which ports are open and running services on
a target machine.
The
.Fl z
flag can be used to tell
.Nm
to report open ports,
rather than initiate a connection.
For example:
.Bd -literal -offset indent
$ nc -z host.example.com 20-30
Connection to host.example.com 22 port [tcp/ssh] succeeded!
Connection to host.example.com 25 port [tcp/smtp] succeeded!
.Ed
.Pp
The port range was specified to limit the search to ports 20 \- 30.
.Pp
Alternatively, it might be useful to know which server software
is running, and which versions.
This information is often contained within the greeting banners.
In order to retrieve these, it is necessary to first make a connection,
and then break the connection when the banner has been retrieved.
This can be accomplished by specifying a small timeout with the
.Fl w
flag, or perhaps by issuing a
.Qq Dv QUIT
command to the server:
.Bd -literal -offset indent
$ echo "QUIT" | nc host.example.com 20-30
SSH-1.99-OpenSSH_3.6.1p2
Protocol mismatch.
220 host.example.com IMS SMTP Receiver Version 0.84 Ready
.Ed
.Sh EXAMPLES
Open a TCP connection to port 42 of host.example.com, using port 31337 as
the source port, with a timeout of 5 seconds:
.Pp
.Dl $ nc -p 31337 -w 5 host.example.com 42
.Pp
Open a UDP connection to port 53 of host.example.com:
.Pp
.Dl $ nc -u host.example.com 53
.Pp
Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as the
IP for the local end of the connection:
.Pp
.Dl $ nc -s 10.1.2.3 host.example.com 42
.Pp
Create and listen on a
.Ux Ns -domain
stream socket:
.Pp
.Dl $ nc -lU /var/tmp/dsocket
.Pp
Connect to port 42 of host.example.com via an HTTP proxy at 10.2.3.4,
port 8080.
This example could also be used by
.Xr ssh 1 ;
see the
.Cm ProxyCommand
directive in
.Xr ssh_config 5
for more information.
.Pp
.Dl $ nc -x10.2.3.4:8080 -Xconnect host.example.com 42
.Pp
The same example again, this time enabling proxy authentication with username
.Dq ruser
if the proxy requires it:
.Pp
.Dl $ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42
.Sh SEE ALSO
.Xr cat 1 ,
.Xr ssh 1
.Sh AUTHORS
Original implementation by *Hobbit*
.Aq Mt hobbit@avian.org .
.br
Rewritten with IPv6 support by
.An Eric Jackson Aq Mt ericj@monkey.org .
.Sh CAVEATS
UDP port scans using the
.Fl uz
combination of flags will always report success irrespective of
the target machine's state.
However,
in conjunction with a traffic sniffer either on the target machine
or an intermediary device,
the
.Fl uz
combination could be useful for communications diagnostics.
Note that the amount of UDP traffic generated may be limited either
due to hardware resources and/or configuration settings.
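.Pp
The socket behaviour behind this caveat, as an added Python illustration that is not part of the original manual and not nc's own code: UDP has no handshake, so connect() and the first send() succeed locally whether or not anything is listening, and only a later reply or ICMP error says anything about the port.
The helper names and the loopback targets are constructed for the example.

```python
import socket


def closed_udp_port():
    """Return a loopback UDP port that was just released (constructed target)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def udp_probe(host, port, wait=0.5):
    """Connect and send one datagram, then wait briefly for evidence of state."""
    result = {"connect_ok": False, "send_ok": False, "verdict": None}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(wait)
        # connect() on a datagram socket only records the peer address;
        # no packet leaves the host, so it cannot fail for a closed port.
        s.connect((host, port))
        result["connect_ok"] = True
        # The first send is queued successfully even if nobody listens.
        s.send(b"\x00")
        result["send_ok"] = True
        try:
            s.recv(1024)
            result["verdict"] = "open (got a reply)"
        except ConnectionError:
            # An ICMP port-unreachable came back and the kernel surfaced it.
            result["verdict"] = "closed (ICMP port unreachable)"
        except socket.timeout:
            # Silence: a listener that does not answer, or a filter dropping
            # the probe or the ICMP error. The two cannot be told apart.
            result["verdict"] = "open|filtered (no reply, no ICMP)"
    return result


if __name__ == "__main__":
    print("closed port :", udp_probe("127.0.0.1", closed_udp_port()))
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))  # bound but never replies
    print("silent port :", udp_probe("127.0.0.1", listener.getsockname()[1]))
    listener.close()
```

A result that stops at the send step looks identical for both targets, which is why a sniffer on the path or on the target is needed to learn anything from such a probe.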