nc.1 - OpenGrok cross reference for /illumos-gate/usr/src/man/man1/nc.1

Deleted Added

sdiffudifftextold (b92be93c..)new (1edba515..)

nc.1 (b92be93cdb5c3e9e673cdcb4daffe01fe1419f9e)	nc.1 (1edba515a3484e0f74b638b203d462b3112ac84d)
1'\" te
2.\" Copyright (c) 1996 David Sacerdote All rights reserved.	1.\" Copyright (c) 1996 David Sacerdote All rights reserved.
3.\" Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 4.\" 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The name of the author may not be used to endorse or promote products derived from this 5.\" software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR 6.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 7.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	2.\" Redistribution and use in source and binary forms, with or without 3.\" modification, are permitted provided that the following conditions are 4.\" met: 1. Redistributions of source code must retain the above copyright 5.\" notice, this list of conditions and the following disclaimer. 6.\" 7.\" 2. Redistributions in binary form must reproduce the above copyright 8.\" notice, this list of conditions and the following disclaimer in the 9.\" documentation and/or other materials provided with the distribution. 3. 10.\" The name of the author may not be used to endorse or promote products 11.\" derived from this 12.\" 13.\" software without specific prior written permission THIS SOFTWARE IS 14.\" PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 15.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 16.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN 17.\" NO EVENT SHALL THE AUTHOR 18.\" 19.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 22.\" BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23.\" WHETHER IN CONTRACT, 24.\" 25.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27.\" POSSIBILITY OF SUCH DAMAGE. 28.\"
8.\" Portions Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.	29.\" Portions Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
9.TH NC 1 "Feb 17, 2023" 10.SH NAME 11nc \- arbitrary TCP and UDP connections and listens 12.SH SYNOPSIS 13.nf 14\fBnc\fR \fB-h\fR 15.fi 16 17.LP 18.nf 19\fBnc\fR [\fB-46dnrtuvz\fR] [\fB-i\fR \fIinterval\fR] [\fB-P\fR \fIproxy_username\fR] [\fB-p\fR \fIport\fR] 20 [\fB-s\fR \fIsource_ip_address\fR] [\fB-T\fR \fIToS\fR] [\fB-w\fR \fItimeout\fR] 21 [\fB-X\fR \fIproxy_protocol\fR] [\fB-x\fR \fIproxy_address\fR[:\fIport\fR]] 22 \fIhostname\fR \fIport_list\fR 23.fi 24 25.LP 26.nf 27\fBnc\fR \fB-l\fR [\fB-46Ddnrtuvz\fR] [\fB-i\fR \fIinterval\fR] [\fB-T\fR \fIToS\fR] [\fIhostname\fR] \fIport\fR 28.fi 29 30.LP 31.nf 32\fBnc\fR \fB-l\fR [\fB-46Ddnrtuvz\fR] [\fB-i\fR \fIinterval\fR] [\fB-T\fR \fIToS\fR] \fB-p\fR \fIport\fR 33.fi 34 35.LP 36.nf 37\fBnc\fR \fB-U\fR [\fB-Ddtvz\fR] [\fB-i\fR \fIinterval\fR] [\fB-w\fR \fItimeout\fR] \fIpath\fR 38.fi 39 40.LP 41.nf 42\fBnc\fR \fB-Ul\fR [\fB-46Ddktv\fR] [\fB-i\fR \fIinterval\fR] \fIpath\fR 43.fi 44 45.SH DESCRIPTION 46The \fBnc\fR (or \fBnetcat\fR) utility is used for a variety of tasks 47associated with TCP or UDP. \fBnc\fR can open TCP connections, send UDP 48packets, listen on arbitrary TCP and UDP ports, perform port scanning, and deal 49with both IPv4 and IPv6. Unlike \fBtelnet\fR(1), \fBnc\fR scripts nicely, and 50separates error messages onto standard error instead of sending them to 51standard output. 52.sp 53.LP 54The \fBnc\fR command is often used for the following tasks: 55.RS +4 56.TP 57.ie t \(bu 58.el o	30.\" Copyright 2024 Oxide Computer Company 31.\" 32.Dd April 15, 2024 33.Dt NC 1 34.Os 35.Sh NAME 36.Nm nc 37.Nd arbitrary TCP and UDP connections and listens 38.Sh SYNOPSIS 39.Nm 40.Fl h 41.Nm 42.Op Fl 46dnrStuvz 43.Op Fl i Ar interval 44.Op Fl P Ar proxy_username 45.Op Fl p Ar port 46.Op Fl s Ar source_ip_address 47.Op Fl T Ar ToS 48.Op Fl w Ar timeout 49.Op Fl X Ar proxy_protocol 50.Op Fl x Ar proxy_address Ns Op &: Ar port 51.Ar hostname 52.Ar port_list 53.Nm 54.Fl l 55.Op Fl 46DdnrStuvz 56.Op Fl i Ar interval 57.Op Fl T Ar ToS 58.Op Ar hostname 59.Ar port 60.Nm 61.Fl l 62.Op Fl 46DdnrStuvz 63.Op Fl i Ar interval 64.Op Fl T Ar ToS 65.Fl p Ar port 66.Nm 67.Fl U 68.Op Fl Ddtvz 69.Op Fl i Ar interval 70.Op Fl w Ar timeout 71.Fl p Ar path 72.Nm 73.Fl Ul 74.Op Fl 46Ddktv 75.Op Fl i Ar interval 76.Ar path 77.Sh DESCRIPTION 78The 79.Nm 80.Po 81or 82.Nm netcat 83.Pc 84utility is used for a variety of tasks associated with TCP or UDP. 85.Nm 86can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP 87ports, perform port scanning, and deal with both IPv4 and IPv6. 88Unlike 89.Xr telnet 1 , 90.Nm 91scripts nicely, and separates error messages onto standard error instead of 92sending them to standard output. 93.Pp 94The 95.Nm 96command is often used for the following tasks: 97.Bl -bullet -width Ds 98.It
59simple TCP proxies	99simple TCP proxies
60.RE 61.RS +4 62.TP 63.ie t \(bu 64.el o	100.It
65shell-script based HTTP clients and servers	101shell-script based HTTP clients and servers
66.RE 67.RS +4 68.TP 69.ie t \(bu 70.el o	102.It
71network daemon testing	103network daemon testing
72.RE 73.RS +4 74.TP 75.ie t \(bu 76.el o 77a SOCKS or HTTP \fBProxyCommand\fR for \fBssh\fR(1) 78.RE 79.SH OPTIONS	104.It 105a SOCKS or HTTP ProxyCommand for 106.Xr ssh 1 107.El 108.Sh OPTIONS
80The following options are supported:	109The following options are supported:
81.sp 82.ne 2 83.na 84\fB\fB-4\fR\fR 85.ad 86.sp .6 87.RS 4n 88Force \fBnc\fR to use IPv4 addresses only. 89.RE 90 91.sp 92.ne 2 93.na 94\fB\fB-6\fR\fR 95.ad 96.sp .6 97.RS 4n 98Force \fBnc\fR to use IPv6 addresses only. 99.RE 100 101.sp 102.ne 2 103.na 104\fB\fB-D\fR\fR 105.ad 106.sp .6 107.RS 4n	110.Bl -tag -width Ds 111.It Fl 4 112Force 113.Nm 114to use IPv4 addresses only. 115.It Fl 6 116Force 117.Nm 118to use IPv6 addresses only. 119.It Fl D
108Enable debugging on the socket.	120Enable debugging on the socket.
109.RE 110 111.sp 112.ne 2 113.na 114\fB\fB-d\fR\fR 115.ad 116.sp .6 117.RS 4n 118Do not attempt to read from \fBstdin\fR. 119.RE 120 121.sp 122.ne 2 123.na 124\fB\fB-h\fR\fR 125.ad 126.sp .6 127.RS 4n 128Print \fBnc\fR help. 129.RE 130 131.sp 132.ne 2 133.na 134\fB\fB-i\fR \fIinterval\fR\fR 135.ad 136.sp .6 137.RS 4n 138Specify a delay time of \fIinterval\fR between lines of text sent and received.	121.It Fl d 122Do not attempt to read from 123.Dv stdin . 124.It Fl h 125Print 126.Nm 127help. 128.It Fl i Ar interval 129Specify a delay time of 130.Ar interval 131between lines of text sent and received.
139This option also causes a delay time between connections to multiple ports.	132This option also causes a delay time between connections to multiple ports.
140.RE 141 142.sp 143.ne 2 144.na 145\fB\fB-k\fR\fR 146.ad 147.sp .6 148.RS 4n 149Force \fBnc\fR to listen for another connection after its current connection is 150closed. 151.sp 152It is an error to use this option without the \fB-l\fR option. 153.RE 154 155.sp 156.ne 2 157.na 158\fB\fB-l\fR\fR 159.ad 160.sp .6 161.RS 4n	133.It Fl k 134Force 135.Nm 136to listen for another connection after its current connection is closed. 137.Pp 138It is an error to use this option without the 139.Fl l 140option. 141.It Fl l
162Listen for an incoming connection rather than initiate a connection to a remote 163host.	142Listen for an incoming connection rather than initiate a connection to a remote 143host.
164.sp 165It is an error to use this option in conjunction with the \fB-s\fR or \fB-z\fR 166options. Additionally, any \fItimeout\fR specified with the \fB-w\fR option is 167ignored. 168.RE 169 170.sp 171.ne 2 172.na 173\fB\fB-n\fR\fR 174.ad 175.sp .6 176.RS 4n	144.Pp 145It is an error to use this option in conjunction with the 146.Fl s 147or 148.Fl z 149options. 150Additionally, any 151.Ar timeout 152specified with the 153.Fl w 154option is ignored. 155.It Fl n
177Do not do any naming or service lookups on any addresses, hostnames, or ports.	156Do not do any naming or service lookups on any addresses, hostnames, or ports.
178.sp 179Use of this option means that \fIhostname\fR and \fIport\fR arguments are 180restricted to numeric values. 181.sp 182If used with \fB-v\fR option all addresses and ports are printed in numeric 183form, in addition to the restriction imposed on the arguments. This option does 184not have any effect when used in conjunction with the \fB-U\fR option. 185.RE 186 187.sp 188.ne 2 189.na 190\fB\fB-P\fR \fIproxy_username\fR\fR 191.ad 192.sp .6 193.RS 4n 194Specify a username (\fIproxy_username\fR) to present to a proxy server that 195requires authentication. If \fIproxy_username\fR is not specified, 196authentication is not attempted. Proxy authentication is only supported for 197\fBHTTP CONNECT\fR proxies at present. 198.sp 199It is an error to use this option in conjunction with the \fB-l\fR option. 200.RE 201 202.sp 203.ne 2 204.na 205\fB\fB-p\fR \fIport\fR\fR 206.ad 207.sp .6 208.RS 4n 209When used without \fB-l\fR option, specify the source port \fBnc\fR should use, 210subject to privilege restrictions and availability. When used with the \fB-l\fR	157.Pp 158Use of this option means that 159.Ar hostname 160and 161.Ar port 162arguments are restricted to numeric values. 163.Pp 164If used with 165.Fl v 166option all addresses and ports are printed in numeric form, in addition to the 167restriction imposed on the arguments. 168This option does not have any effect when used in conjunction with the 169.Fl U 170option. 171.It Fl P Ar proxy_username 172Specify a username 173.Po 174.Ar proxy_username 175.Pc 176to present to a proxy server that requires authentication. 177If 178.Ar proxy_username 179is not specified, authentication is not attempted. 180Proxy authentication is only supported for HTTP CONNECT proxies at present. 181.Pp 182It is an error to use this option in conjunction with the 183.Fl l 184option. 185.It Fl p Ar port 186When used without 187.Fl l 188option, specify the source port 189.Nm 190should use, subject to privilege restrictions and availability. 191When used with the 192.Fl l
211option, set the listen port.	193option, set the listen port.
212.sp 213This option can be used with \fB-l\fR option only provided global port argument 214is not specified. 215.RE 216 217.sp 218.ne 2 219.na 220\fB\fB-r\fR\fR 221.ad 222.sp .6 223.RS 4n	194.Pp 195This option can be used with 196.Fl l 197option only provided global port argument is not specified. 198.It Fl r
224Choose source or destination ports randomly instead of sequentially within a 225range or in the order that the system assigns them.	199Choose source or destination ports randomly instead of sequentially within a 200range or in the order that the system assigns them.
226.sp 227It is an error to use this option in conjunction with the \fB-l\fR option. 228.RE 229 230.sp 231.ne 2 232.na 233\fB\fB-s\fR \fIsource_ip_address\fR\fR 234.ad 235.sp .6 236.RS 4n	201.Pp 202It is an error to use this option in conjunction with the 203.Fl l 204option. 205.It Fl S 206Enables the 207.%T RFC 2385 208TCP MD5 signature option. 209.Pp 210In order for packets to be sent or received in conjunction with this option, a 211security association that matches the traffic must also be created using 212.Xr tcpkey 8 . 213.It Fl s Ar source_ip_address
237Specify the IP of the interface which is used to send the packets.	214Specify the IP of the interface which is used to send the packets.
238.sp 239It is an error to use this option in conjunction with the \fB-l\fR option. 240.RE 241 242.sp 243.ne 2 244.na 245\fB\fB-T\fR \fIToS\fR\fR 246.ad 247.sp .6 248.RS 4n 249Specify IP Type of Service (\fBToS\fR) for the connection. Valid values are the 250tokens: \fBlowdelay\fR, \fBthroughput\fR, \fBreliability\fR, or an 8-bit 251hexadecimal value preceded by \fB0x\fR. 252.RE 253 254.sp 255.ne 2 256.na 257\fB\fB-t\fR\fR 258.ad 259.sp .6 260.RS 4n 261Cause \fBnc\fR to send \fIRFC 854\fR \fBDON'T\fR and \fBWON'T\fR responses to 262\fIRFC 854\fR \fBDO\fR and \fBWILL\fR requests. This makes it possible to use 263\fBnc\fR to script \fBtelnet\fR sessions. 264.RE 265 266.sp 267.ne 2 268.na 269\fB\fB-U\fR\fR 270.ad 271.sp .6 272.RS 4n 273Specify the use of Unix Domain Sockets. If you specify this option without 274\fB-l\fR, \fBnc\fR, it becomes \fBAF_UNIX\fR client. If you specify this option 275with the \fB-l\fR option, a \fBAF_UNIX\fR server is created. 276.sp	215.Pp 216It is an error to use this option in conjunction with the 217.Fl l 218option. 219.It Fl T Ar ToS 220Specify IP Type of Service 221.Pq ToS 222for the connection. 223Valid values are the tokens: 224.Cm lowdelay , 225.Cm throughput , 226.Cm reliability , 227or an 8-bit hexadecimal value preceded by 0x. 228.It Fl t 229Cause 230.Nm 231to send 232.%T RFC 854 233.Dq DON'T 234and 235.Dq WON'T 236responses to 237.%T RFC 854 238.Dq DO 239and 240.Dq WILL 241requests. 242This makes it possible to use 243.Nm 244to script telnet sessions. 245.It Fl U 246Specify the use of Unix Domain Sockets. 247If you specify this option without 248.Fl l , 249it becomes an 250.Dv AF_UNIX 251client. 252If you specify this option with the 253.Fl l 254option, a 255.Dv AF_UNIX 256server is created. 257.Pp
277Use of this option requires that a single argument of a valid Unix domain path	258Use of this option requires that a single argument of a valid Unix domain path
278has to be provided to \fBnc\fR, not a host name or port. 279.RE 280 281.sp 282.ne 2 283.na 284\fB\fB-u\fR\fR 285.ad 286.sp .6 287.RS 4n	259has to be provided to 260.Nm , 261not a host name or port. 262.It Fl u
288Use UDP instead of the default option of TCP.	263Use UDP instead of the default option of TCP.
289.RE 290 291.sp 292.ne 2 293.na 294\fB\fB-v\fR\fR 295.ad 296.sp .6 297.RS 4n	264.It Fl v
298Specify verbose output.	265Specify verbose output.
299.RE 300 301.sp 302.ne 2 303.na 304\fB\fB-w\fR \fItimeout\fR\fR 305.ad 306.sp .6 307.RS 4n 308Silently close the connection if a connection and \fBstdin\fR are idle for more 309than \fItimeout\fR seconds. 310.sp 311This option has no effect on the \fB-l\fR option, that is, \fBnc\fR listens 312forever for a connection, with or without the \fB-w\fR flag. The default is no 313timeout. 314.RE 315 316.sp 317.ne 2 318.na 319\fB\fB-X\fR \fIproxy_protocol\fR\fR 320.ad 321.sp .6 322.RS 4n 323Use the specified protocol when talking to the proxy server. Supported 324protocols are \fB4\fR (\fBSOCKS v.4\fR), \fB5\fR (\fBSOCKS v.5\fR) and 325\fBconnect\fR (\fBHTTP\fR proxy). If the protocol is not specified, 326\fBSOCKS v.5\fR is used. 327.sp 328It is an error to use this option in conjunction with the \fB-l\fR option. 329.RE 330 331.sp 332.ne 2 333.na 334\fB\fB-x\fR \fIproxy_address\fR[:\fIport\fR]\fR 335.ad 336.sp .6 337.RS 4n 338Request connection to \fIhostname\fR using a proxy at \fIproxy_address\fR and 339\fIport\fR. If \fIport\fR is not specified, the well-known port for the proxy 340protocol is used (\fB1080\fR for \fBSOCKS\fR, \fB3128\fR for \fBHTTP\fR). 341.sp 342It is an error to use this option in conjunction with the \fB-l\fR option. 343.RE 344 345.sp 346.ne 2 347.na 348\fB\fB-z\fR\fR 349.ad 350.sp .6 351.RS 4n	266.It Fl w Ar timeout 267Silently close the connection if a connection and 268.Dv stdin 269are idle for more than 270.Ar timeout 271seconds. 272.Pp 273This option has no effect on the 274.Fl l 275option, that is, 276.Nm 277listens forever for a connection, with or without the 278.Fl w 279flag. 280The default is no timeout. 281.It Fl X Ar proxy_protocol 282Use the specified protocol when talking to the proxy server. 283Supported protocols are 4 284.Pq SOCKS v.4 , 2855 286.Pq SOCKS v.5 287and connect 288.Pq HTTP proxy . 289If the protocol is not specified, SOCKS v.5 is used. 290.Pp 291It is an error to use this option in conjunction with the 292.Fl l 293option. 294.It Fl x Ar proxy_address Ns Op &: Ar port 295Request connection to 296.Ar hostname 297using a proxy at 298.Ar proxy_address 299and 300.Ar port . 301If 302.Ar port 303is not specified, the well-known port for the proxy protocol is used 304.Pq 1080 for SOCKS, 3128 for HTTP . 305.Pp 306It is an error to use this option in conjunction with the 307.Fl l 308option. 309.It Fl z
352Scan for listening daemons, without sending any data to them.	310Scan for listening daemons, without sending any data to them.
353.sp 354It is an error to use this option in conjunction with the \fB-l\fR option. 355.RE 356 357.SH OPERANDS	311.Pp 312It is an error to use this option in conjunction with the 313.Fl l 314option. 315.El 316.Sh OPERANDS
358The following operands are supported:	317The following operands are supported:
359.sp 360.ne 2 361.na 362\fB\fIhostname\fR\fR 363.ad 364.RS 13n	318.Bl -tag -width Ds 319.It Ar hostname
365Specify host name.	320Specify host name.
366.sp 367\fIhostname\fR can be a numerical IP address or a symbolic hostname (unless the 368\fB-n\fR option is specified). 369.sp 370In general, \fIhostname\fR must be specified, unless the \fB-l\fR option is 371given or \fB-U\fR is used (in which case the argument is a path). If 372\fIhostname\fR argument is specified with \fB-l\fR option then \fIport\fR 373argument must be given as well and \fBnc\fR tries to bind to that address and 374port. If \fIhostname\fR argument is not specified with \fB-l\fR option then 375\fBnc\fR tries to listen on a wildcard socket for given \fIport\fR. 376.RE 377 378.sp 379.ne 2 380.na 381\fB\fIpath\fR\fR 382.ad 383.RS 13n	321.Pp 322.Ar hostname 323can be a numerical IP address or a symbolic hostname 324.Po 325unless the 326.Fl n 327option is specified 328.Pc . 329.Pp 330In general, 331.Ar hostname 332must be specified, unless the 333.Fl l 334option is given or 335.Fl U 336is used 337.Pq in which case the argument is a path . 338If 339.Ar hostname 340argument is specified with 341.Fl l 342option then 343.Ar port 344argument must be given as well and 345.Nm 346tries to bind to that address and port. 347If 348.Ar hostname 349argument is not specified with 350.Fl l 351option then 352.Nm 353tries to listen on a wildcard socket for given 354.Ar port . 355.It Ar path
384Specify pathname.	356Specify pathname.
385.RE 386 387.sp 388.ne 2 389.na 390\fB\fIport\fR\fR 391.ad 392.br 393.na 394\fB\fIport_list\fR\fR 395.ad 396.RS 13n	357.It Ar port \| port_list
397Specify port.	358Specify port.
398.sp 399\fIport_list\fR can be specified as single integers, ranges or combinations of 400both. Specify ranges in the form of \fInn-mm\fR. The \fIport_list\fR must have 401at least one member, but can have multiple ports/ranges separated by commas. 402.sp 403In general, a destination port must be specified, unless the \fB-U\fR option is 404given, in which case a Unix Domain Socket path must be specified instead of 405\fIhostname\fR. 406.RE 407 408.SH USAGE 409.SS "Client/Server Model" 410It is quite simple to build a very basic client/server model using \fBnc\fR. On 411one console, start \fBnc\fR listening on a specific port for a connection. For 412example, the command: 413.sp 414.in +2 415.nf 416$ nc -l 1234 417.fi 418.in -2 419.sp 420 421.sp 422.LP 423listens on port \fB1234\fR for a connection. On a second console (or a second 424machine), connect to the machine and port to which \fBnc\fR is listening: 425.sp 426.in +2 427.nf 428$ nc 127.0.0.1 1234 429.fi 430.in -2 431.sp 432 433.sp 434.LP 435There should now be a connection between the ports. Anything typed at the 436second console is concatenated to the first, and vice-versa. After the 437connection has been set up, \fBnc\fR does not really care which side is being 438used as a \fBserver\fR and which side is being used as a \fBclient\fR. The 439connection can be terminated using an \fBEOF\fR (Ctrl/d). 440.SS "Data Transfer"	359.Pp 360.Ar port_list 361can be specified as single integers, ranges or combinations of both. 362Specify ranges in the form of nn-mm. 363The 364.Ar port_list 365must have at least one member, but can have multiple ports/ranges separated by 366commas. 367.Pp 368In general, a destination port must be specified, unless the 369.Fl U 370option is given, in which case a Unix Domain Socket path must be specified 371instead of 372.Ar hostname . 373.El 374.Sh USAGE 375.Ss Client/Server Model 376It is quite simple to build a very basic client/server model using 377.Nm . 378On one console, start 379.Nm 380listening on a specific port for a connection. 381For example, the command: 382.Pp 383.Dl $ nc -l 1234 384.Pp 385listens on port 1234 for a connection. 386On a second console 387.Pq or a second machine , 388connect to the machine and port to which 389.Nm 390is listening: 391.Pp 392.Dl $ nc 127.0.0.1 1234 393.Pp 394There should now be a connection between the ports. 395Anything typed at the second console is concatenated to the first, and 396vice-versa. 397After the connection has been set up, 398.Nm 399does not really care which side is being used as a server and which side is 400being used as a client. 401The connection can be terminated using an EOF 402.Pq Ctrl/d . 403.Ss Data Transfer
441The example in the previous section can be expanded to build a basic data	404The example in the previous section can be expanded to build a basic data
442transfer model. Any information input into one end of the connection is output 443to the other end, and input and output can be easily captured in order to 444emulate file transfer. 445.sp 446.LP 447Start by using \fBnc\fR to listen on a specific port, with output captured into 448a file: 449.sp 450.in +2 451.nf 452$ nc -l 1234 > filename.out 453.fi 454.in -2 455.sp 456 457.sp 458.LP 459Using a second machine, connect to the listening \fBnc\fR process, feeding it 460the file which is to be transferred: 461.sp 462.in +2 463.nf 464$ nc host.example.com 1234 < filename.in 465.fi 466.in -2 467.sp 468 469.sp 470.LP	405transfer model. 406Any information input into one end of the connection is output to the other 407end, and input and output can be easily captured in order to emulate file 408transfer. 409.Pp 410Start by using 411.Nm 412to listen on a specific port, with output captured into a file: 413.Pp 414.Dl $ nc -l 1234 > filename.out 415.Pp 416Using a second machine, connect to the listening 417.Nm 418process, feeding it the file which is to be transferred: 419.Pp 420.Dl $ nc host.example.com 1234 < filename.in 421.Pp
471After the file has been transferred, the connection closes automatically.	422After the file has been transferred, the connection closes automatically.
472.SS "Talking to Servers" 473It is sometimes useful to talk to servers \fBby hand\fR rather than through a 474user interface. It can aid in troubleshooting, when it might be necessary to 475verify what data a server is sending in response to commands issued by the 476client. 477.sp 478.LP	423.Ss Talking to Servers 424It is sometimes useful to talk to servers by hand rather than through a user 425interface. 426It can aid in troubleshooting, when it might be necessary to verify what data a 427server is sending in response to commands issued by the client. 428.Pp
479For example, to retrieve the home page of a web site:	429For example, to retrieve the home page of a web site:
480.sp 481.in +2 482.nf 483$ echo -n "GET / HTTP/1.0\er\en\er\en" \| nc host.example.com 80 484.fi 485.in -2 486.sp 487 488.sp 489.LP 490This also displays the headers sent by the web server. They can be filtered, if 491necessary, by using a tool such as \fBsed\fR(1). 492.sp 493.LP	430.Pp 431.Dl $ echo -n \&"GET / HTTP/1.0\er\en\er\en\&" \| nc host.example.com 80 432.Pp 433This also displays the headers sent by the web server. 434They can be filtered, if necessary, by using a tool such as 435.Xr sed 1 . 436.Pp
494More complicated examples can be built up when the user knows the format of	437More complicated examples can be built up when the user knows the format of
495requests required by the server. As another example, an email can be submitted 496to an SMTP server using: 497.sp 498.in +2 499.nf	438requests required by the server. 439As another example, an email can be submitted to an SMTP server using: 440.Bd -literal -offset indent
500$ nc localhost 25 << EOF 501HELO host.example.com	441$ nc localhost 25 << EOF 442HELO host.example.com
502MAIL FROM: <user@host.example.com 503RCTP TO: <user2@host.example.com	443MAIL FROM: <user@host.example.com> 444RCPT TO: <user2@host.example.com>
504DATA 505Body of email. 506\&. 507QUIT 508EOF	445DATA 446Body of email. 447\&. 448QUIT 449EOF
509.fi 510.in -2 511.sp 512 513.SS "Port Scanning"	450.Ed 451.Ss Port Scanning
514It can be useful to know which ports are open and running services on a target	452It can be useful to know which ports are open and running services on a target
515machine. The \fB-z\fR flag can be used to tell \fBnc\fR to report open ports, 516rather than to initiate a connection. 517.sp 518.LP	453machine. 454The 455.Fl z 456flag can be used to tell 457.Nm 458to report open ports, rather than to initiate a connection. 459.Pp
519In this example:	460In this example:
520.sp 521.in +2 522.nf	461.Bd -literal -offset indent
523$ nc -z host.example.com 20-30 524Connection to host.example.com 22 port [tcp/ssh] succeeded! 525Connection to host.example.com 25 port [tcp/smtp] succeeded!	462$ nc -z host.example.com 20-30 463Connection to host.example.com 22 port [tcp/ssh] succeeded! 464Connection to host.example.com 25 port [tcp/smtp] succeeded!
526.fi 527.in -2 528.sp 529 530.sp 531.LP	465.Ed 466.Pp
532The port range was specified to limit the search to ports 20 - 30.	467The port range was specified to limit the search to ports 20 - 30.
533.sp 534.LP	468.Pp
535Alternatively, it might be useful to know which server software is running, and	469Alternatively, it might be useful to know which server software is running, and
536which versions. This information is often contained within the greeting 537banners. In order to retrieve these, it is necessary to first make a 538connection, and then break the connection when the banner has been retrieved. 539This can be accomplished by specifying a small timeout with the \fB-w\fR flag, 540or perhaps by issuing a \fBQUIT\fR command to the server: 541.sp 542.in +2 543.nf	470which versions. 471This information is often contained within the greeting banners. 472In order to retrieve these, it is necessary to first make a connection, and 473then break the connection when the banner has been retrieved. 474This can be accomplished by specifying a small timeout with the 475.Fl w 476flag, or perhaps by issuing a QUIT command to the server: 477.Bd -literal -offset indent
544$ echo "QUIT" \| nc host.example.com 20-30 545SSH-2.0-Sun_SSH_1.1 546Protocol mismatch. 547220 host.example.com IMS SMTP Receiver Version 0.84 Ready	478$ echo "QUIT" \| nc host.example.com 20-30 479SSH-2.0-Sun_SSH_1.1 480Protocol mismatch. 481220 host.example.com IMS SMTP Receiver Version 0.84 Ready
548.fi 549.in -2 550.sp 551 552.SS "\fBinetd\fR Capabilities" 553One of the possible uses is to create simple services by using \fBinetd\fR(8). 554.sp 555.LP	482.Ed 483.Ss inetd Capabilities 484One of the possible uses is to create simple services by using 485.Xr inetd 8 . 486.Pp
556The following example creates a redirect from TCP port 8080 to port 80 on host	487The following example creates a redirect from TCP port 8080 to port 80 on host
557\fBrealwww\fR: 558.sp 559.in +2 560.nf	488realwww: 489.Bd -literal -offset indent
561# cat << EOF >> /etc/services	490# cat << EOF >> /etc/services
562wwwredir 8080/tcp # WWW redirect 563EOF	491wwwredir 8080/tcp # WWW redirect EOF
564# cat << EOF > /tmp/wwwredir.conf 565wwwredir stream tcp nowait nobody /usr/bin/nc /usr/bin/nc -w 3 realwww 80 566EOF 567# inetconv -i /tmp/wwwredir.conf 568wwwredir -> /var/svc/manifest/network/wwwredir-tcp.xml 569Importing wwwredir-tcp.xml ...Done 570# inetadm -l wwwredir/tcp 571SCOPE NAME=VALUE --- 11 unchanged lines hidden (view full) --- 583default max_con_rate=-1 584default max_copies=-1 585default con_rate_offline=-1 586default failrate_cnt=40 587default failrate_interval=60 588default inherit_env=TRUE 589default tcp_trace=TRUE 590default tcp_wrappers=FALSE	492# cat << EOF > /tmp/wwwredir.conf 493wwwredir stream tcp nowait nobody /usr/bin/nc /usr/bin/nc -w 3 realwww 80 494EOF 495# inetconv -i /tmp/wwwredir.conf 496wwwredir -> /var/svc/manifest/network/wwwredir-tcp.xml 497Importing wwwredir-tcp.xml ...Done 498# inetadm -l wwwredir/tcp 499SCOPE NAME=VALUE --- 11 unchanged lines hidden (view full) --- 511default max_con_rate=-1 512default max_copies=-1 513default con_rate_offline=-1 514default failrate_cnt=40 515default failrate_interval=60 516default inherit_env=TRUE 517default tcp_trace=TRUE 518default tcp_wrappers=FALSE
591.fi 592.in -2 593.sp 594 595.SS "Privileges" 596To bind to a privileged port number \fBnc\fR needs to be granted the 597\fBnet_privaddr\fR privilege. If Solaris Trusted Extensions are configured and 598the port \fBnc\fR should listen on is configured as a multi-level port \fBnc\fR 599also needs the \fBnet_bindmlp\fR privilege. 600.sp 601.LP	519.Ed 520.Ss Privileges 521To bind to a privileged port number 522.Nm 523needs to be granted the 524.Sy net_privaddr 525privilege. 526If Trusted Extensions are configured and the port 527.Nm 528should listen on is configured as a multi-level port 529.Nm 530also needs the 531.Sy net_bindmlp 532privilege. 533.Pp
602Privileges can be assigned to the user or role directly, by specifying them in	534Privileges can be assigned to the user or role directly, by specifying them in
603the account's default privilege set in \fBuser_attr\fR(5). However, this means 604that any application that this user or role starts have these additional 605privileges. To only grant the \fBprivileges\fR(7) when \fBnc\fR is invoked, the 606recommended approach is to create and assign an \fBrbac\fR(7) rights profile. 607See \fBEXAMPLES\fR for additional information. 608.SH EXAMPLES 609\fBExample 1 \fRUsing \fBnc\fR 610.sp 611.LP 612Open a TCP connection to port \fB42\fR of \fBhost.example.com\fR, using port 613\fB3141\fR as the source port, with a timeout of \fB5\fR seconds: 614 615.sp 616.in +2 617.nf 618$ nc -p 3141 -w 5 host.example.com 42 619.fi 620.in -2 621.sp 622 623.sp 624.LP 625Open a UDP connection to port \fB53\fR of \fBhost.example.com\fR: 626 627.sp 628.in +2 629.nf 630$ nc -u host.example.com 53 631.fi 632.in -2 633.sp 634 635.sp 636.LP 637Open a TCP connection to port 42 of \fBhost.example.com\fR using \fB10.1.2.3\fR 638as the IP for the local end of the connection: 639 640.sp 641.in +2 642.nf 643$ nc -s 10.1.2.3 host.example.com 42 644.fi 645.in -2 646.sp 647 648.sp 649.LP	535the account's default privilege set in 536.Xr user_attr 5 . 537However, this means that any application that this user or role starts have 538these additional privileges. 539To only grant the 540.Xr privileges 7 541when 542.Nm 543is invoked, the recommended approach is to create and assign an 544.Xr rbac 7 545rights profile. 546See 547.Sx EXAMPLES 548for additional information. 549.Sh EXAMPLES 550Open a TCP connection to port 42 of host.example.com, using port 3141 as the 551source port, with a timeout of 5 seconds: 552.Pp 553.Dl $ nc -p 3141 -w 5 host.example.com 42 554.Pp 555Open a UDP connection to port 53 of host.example.com: 556.Pp 557.Dl $ nc -u host.example.com 53 558.Pp 559Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as the IP 560for the local end of the connection: 561.Pp 562.Dl $ nc -s 10.1.2.3 host.example.com 42 563.Pp
650Use a list of ports and port ranges for a port scan on various ports:	564Use a list of ports and port ranges for a port scan on various ports:
651 652.sp 653.in +2 654.nf 655$ nc -z host.example.com 21-25,53,80,110-120,443 656.fi 657.in -2 658.sp 659 660.sp 661.LP	565.Pp 566.Dl $ nc -z host.example.com 21-25,53,80,110-120,443 567.Pp
662Create and listen on a Unix Domain Socket:	568Create and listen on a Unix Domain Socket:
663 664.sp 665.in +2 666.nf 667$ nc -lU /var/tmp/dsocket 668.fi 669.in -2 670.sp 671 672.sp 673.LP 674Create and listen on a UDP socket with associated port \fB8888\fR: 675 676.sp 677.in +2 678.nf 679$ nc -u -l -p 8888 680.fi 681.in -2 682.sp 683 684.sp 685.LP	569.Pp 570.Dl $ nc -lU /var/tmp/dsocket 571.Pp 572Create and listen on a UDP socket with associated port 8888: 573.Pp 574.Dl $ nc -u -l -p 8888 575.Pp
686which is the same as:	576which is the same as:
687 688.sp 689.in +2 690.nf 691$ nc -u -l 8888 692.fi 693.in -2 694.sp 695 696.sp 697.LP 698Create and listen on a TCP socket with associated port \fB2222\fR and bind to 699address \fB127.0.0.1\fR only: 700 701.sp 702.in +2 703.nf 704$ nc -l 127.0.0.1 2222 705.fi 706.in -2 707.sp 708 709.sp 710.LP 711Connect to port \fB42\fR of \fBhost.example.com\fR using an HTTP proxy at 712\fB10.2.3.4\fR, port \fB8080\fR. This example could also be used by 713\fBssh\fR(1). See the \fBProxyCommand\fR directive in \fBssh_config\fR(5) for 714more information. 715 716.sp 717.in +2 718.nf 719$ nc -x10.2.3.4:8080 -Xconnect host.example.com 42 720.fi 721.in -2 722.sp 723 724.sp 725.LP	577.Pp 578.Dl $ nc -u -l 8888 579.Pp 580Create and listen on a TCP socket with associated port 2222 and bind to address 581127.0.0.1 only: 582.Pp 583.Dl $ nc -l 127.0.0.1 2222 584.Pp 585Connect to port 42 of host.example.com using an HTTP proxy at 10.2.3.4, port 5868080. 587This example could also be used by 588.Xr ssh 1 . 589See the 590.Cm ProxyCommand 591directive in 592.Xr ssh_config 5 593for more information. 594.Pp 595.Dl $ nc -x10.2.3.4:8080 -Xconnect host.example.com 42 596.Pp
726The same example again, this time enabling proxy authentication with username	597The same example again, this time enabling proxy authentication with username
727\fBruser\fR if the proxy requires it: 728 729.sp 730.in +2 731.nf 732$ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42 733.fi 734.in -2 735.sp 736 737.sp 738.LP 739To run \fBnc\fR with the smallest possible set of privileges as a user or role 740that has additional privileges (such as the default \fBroot\fR account) it can 741be invoked using \fBppriv\fR(1) as well. For example, limiting it to only run 742with the privilege to bind to a privileged port: 743 744.sp 745.in +2 746.nf	598ruser if the proxy requires it: 599.Pp 600.Dl $ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42 601.Pp 602To run 603.Nm 604with the smallest possible set of privileges as a user or role that has 605additional privileges 606.Pq such as the default root account 607it can be invoked using 608.Xr ppriv 1 609as well. 610For example, limiting it to only run with the privilege to bind to a privileged 611port: 612.Bd -literal -offset indent
747$ ppriv -e -sA=basic,!file_link_any,!proc_exec,!proc_fork,\e	613$ ppriv -e -sA=basic,!file_link_any,!proc_exec,!proc_fork,\e
748!proc_info,!proc_session,net_privaddr nc -l 42 749.fi 750.in -2 751.sp 752 753.sp 754.LP 755To allow a user or role to use only \fBnc\fR with the \fBnet_privaddr\fR	614 !proc_info,!proc_session,net_privaddr nc -l 42 615.Ed 616.Pp 617To allow a user or role to use only 618.Nm 619with the 620.Sy net_privaddr
756privilege, a rights profile needs to be created:	621privilege, a rights profile needs to be created:
757 758.sp 759.in +2 760.nf 761/etc/security/exec_attr 762Netcat privileged:solaris:cmd:::/usr/bin/nc:privs=net_privaddr 763 764/etc/security/prof_attr 765Netcat privileged:::Allow nc to bind to privileged ports:help=None.html 766.fi 767.in -2 768.sp 769 770.sp 771.LP 772Assigning this rights profile using \fBuser_attr\fR(5) permits the user or role 773to run \fBnc\fR allowing it to listen on any port. To permit a user or role to 774use \fBnc\fR only to listen on specific ports a wrapper script should be 775specified in the rights profiles: 776 777.sp 778.in +2 779.nf 780/etc/security/exec_attr 781Netcat restricted:solaris:cmd:::/usr/bin/nc-restricted:privs=net_privaddr 782 783/etc/security/prof_attr 784Netcat restricted:::Allow nc to bind to privileged ports:help=None.html 785.fi 786.in -2 787.sp 788 789.sp 790.LP	622.Pp 623.Pa /etc/security/exec_attr: 624.Dl Netcat privileged:solaris:cmd:::/usr/bin/nc:privs=net_privaddr 625.Pa /etc/security/prof_attr 626.Dl Netcat privileged:::Allow nc to bind to privileged ports:help=None.html 627.Pp 628Assigning this rights profile using 629.Xr user_attr 5 630permits the user or role to run 631.Nm 632allowing it to listen on any port. 633To permit a user or role to use 634.Nm 635only to listen on specific ports a wrapper script should be specified in the 636rights profiles: 637.Pp 638.Pa /etc/security/exec_attr 639.Dl Netcat restricted:solaris:cmd:::/usr/bin/nc-restricted:privs=net_privaddr 640.Pa /etc/security/prof_attr 641.Dl Netcat restricted:::Allow nc to bind to privileged ports:help=None.html 642.Pp
791and write a shell script that restricts the permissible options, for example,	643and write a shell script that restricts the permissible options, for example,
792one that permits one to bind only on ports between \fB42\fR and \fB64\fR 793(non-inclusive):	644one that permits one to bind only on ports between 42 and 64 non-inclusive: 645.Bd -literal -offset indent 646#!/bin/ksh
794	647
795.sp 796.in +2 797.nf 798/usr/bin/nc-restricted: 799 800#!/bin/sh 801[ $# -eq 1 ] && [ $1 -gt 42 -a $1 -lt 64 ] && /usr/bin/nc -l -p "$1" 802.fi 803.in -2 804.sp 805 806.sp 807.LP 808This grants the extra privileges when the user or role invokes \fBnc\fR using 809the wrapper script from a profile shell. See \fBpfsh\fR(1), \fBpfksh\fR(1), 810\fBpfcsh\fR(1), and \fBpfexec\fR(1). 811 812.sp 813.LP 814Invoking \fBnc\fR directly does not run it with the additional privileges, and 815neither does invoking the script without using \fBpfexec\fR or a profile shell. 816 817.SH ATTRIBUTES 818See \fBattributes\fR(7) for descriptions of the following attributes: 819.sp 820 821.sp 822.TS 823box; 824c \| c 825l \| l . 826ATTRIBUTE TYPE ATTRIBUTE VALUE 827_ 828Interface Stability See below. 829.TE 830 831.sp 832.LP 833The package name is Committed. The command line syntax is Committed for the 834\fB-4\fR, \fB-6\fR, \fB-l\fR, \fB-n\fR, \fB-p\fR, \fB-u\fR, and \fB-w\fR 835options and their arguments (if any). The \fIname\fR and \fIport\fR list 836arguments are Committed. The port range syntax is Uncommitted. The interface 837stability level for all other command line options and their arguments is 838Uncommitted. 839.SH SEE ALSO 840.BR cat (1), 841.BR pfcsh (1), 842.BR pfexec (1), 843.BR pfksh (1), 844.BR pfsh (1), 845.BR ppriv (1), 846.BR sed (1), 847.BR ssh (1), 848.BR telnet (1), 849.BR ssh_config (5), 850.BR user_attr (5), 851.BR attributes (7), 852.BR privileges (7), 853.BR rbac (7), 854.BR inetadm (8), 855.BR inetconv (8), 856.BR inetd (8) 857.SH AUTHORS 858The original implementation of \fBnc\fR was written by Hobbit, 859\fBhobbit@avian.org\fR. 860.sp 861.LP 862\fBnc\fR was rewritten with IPv6 support by Eric Jackson, 863\fBericj@monkey.org\fR. 864.SH NOTES 865UDP port scans always succeeds, that is, reports the port as open, rendering 866the \fB-uz\fR combination of flags relatively useless.	648(( $# == 1 )) \|\| exit 1 649(( $1 > 42 && $1 < 64 )) \|\| exit 1 650exec /usr/bin/nc -l -p "$1" 651.Ed 652.Pp 653This grants the extra privileges when the user or role invokes 654.Nm 655using the wrapper script from a profile shell. 656See 657.Xr pfsh 1 , 658.Xr pfksh 1 , 659.Xr pfcsh 1 , 660and 661.Xr pfexec 1 . 662.Pp 663Invoking 664.Nm 665directly does not run it with the additional privileges, and neither does 666invoking the script without using 667.Sy pfexec 668or a profile shell. 669.Sh INTERFACE STABILITY 670The command line syntax is 671.Sy Committed 672for the 673.Fl 4 , 674.Fl 6 , 675.Fl l , 676.Fl n , 677.Fl p , 678.Fl u , 679and 680.Fl w 681options and their arguments 682.Pq if any . 683The 684.Ar name 685and 686.Ar port 687list arguments are 688.Sy Committed . 689The port range syntax is 690.Sy Uncommitted . 691The interface stability level for all other command line options and their 692arguments is 693.Sy Uncommitted. 694.Sh SEE ALSO 695.Xr cat 1 , 696.Xr pfcsh 1 , 697.Xr pfexec 1 , 698.Xr pfksh 1 , 699.Xr pfsh 1 , 700.Xr ppriv 1 , 701.Xr sed 1 , 702.Xr ssh 1 , 703.Xr telnet 1 , 704.Xr ssh_config 5 , 705.Xr user_attr 5 , 706.Xr attributes 7 , 707.Xr privileges 7 , 708.Xr rbac 7 , 709.Xr inetadm 8 , 710.Xr inetconv 8 , 711.Xr inetd 8 , 712.Xr tcpkey 8 713.Sh AUTHORS 714The original implementation of 715.Nm 716was written by 717.An Hobbit Aq Mt hobbit@avian.org 718.Pp 719.Nm 720was rewritten with IPv6 support by 721.An -nosplit 722.An Eric Jackson Aq Mt ericj@monkey.org 723.Sh NOTES 724UDP port scans always succeed, that is, report the port as open, rendering the 725.Fl uz 726combination of flags relatively useless.