.\" $OpenBSD: nc.1,v 1.36 2005/01/07 10:11:31 jmc Exp $
.\"
.\" Copyright (c) 1996 David Sacerdote
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd January 30, 2005
.Dt NC 1
.Os
.Sh NAME
.Nm nc
.Nd arbitrary TCP and UDP connections and listens
.Sh SYNOPSIS
.Nm nc
.Bk -words
.Op Fl 46DEdhklnorStUuvz
.Op Fl e Ar IPsec policy
.Op Fl i Ar interval
.Op Fl p Ar source_port
.Op Fl s Ar source_ip_address
.Op Fl w Ar timeout
.Op Fl X Ar proxy_protocol
.Oo Xo
.Fl x Ar proxy_address Ns Oo : Ns
.Ar port Oc Oc
.Xc
.Op Ar hostname
.Op Ar port Ns Bq Ar s
.Ek
.Sh DESCRIPTION
The
.Nm
(or
.Nm netcat )
utility is used for just about anything under the sun involving TCP
or UDP.
It can open TCP connections, send UDP packets, listen on arbitrary
TCP and UDP ports, do port scanning, and deal with both IPv4 and
IPv6.
Unlike
.Xr telnet 1 ,
.Nm
scripts nicely, and separates error messages onto standard error instead
of sending them to standard output, as
.Xr telnet 1
does with some.
.Pp
Common uses include:
.Pp
.Bl -bullet -offset indent -compact
.It
simple TCP proxies
.It
shell-script based HTTP clients and servers
.It
network daemon testing
.It
a SOCKS or HTTP ProxyCommand for
.Xr ssh 1
.It
and much, much more
.El
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
Forces
.Nm
to use IPv4 addresses only.
.It Fl 6
Forces
.Nm
to use IPv6 addresses only.
.It Fl D
Enable debugging on the socket.
.It Fl d
Do not attempt to read from stdin.
.It Fl h
Prints out
.Nm
help.
.It Fl E
Shortcut for "-e 'in ipsec esp/transport//require' -e 'out ipsec
esp/transport//require'", which enables IPsec ESP transport mode in both
directions.
.It Fl e
If IPsec support is available, then one can specify the IPsec policies
to be used using the syntax described in
.Xr ipsec_set_policy 3 .
This flag can be specified up to two times, as typically one policy for
each direction is needed.
.It Fl i Ar interval
Specifies a delay time interval between lines of text sent and received.
Also causes a delay time between connections to multiple ports.
.It Fl k
Forces
.Nm
to stay listening for another connection after its current connection
is completed.
It is an error to use this option without the
.Fl l
option.
.It Fl l
Used to specify that
.Nm
should listen for an incoming connection rather than initiate a
connection to a remote host.
It is an error to use this option in conjunction with the
.Fl p ,
.Fl s ,
or
.Fl z
options.
Additionally, any timeouts specified with the
.Fl w
option are ignored.
.It Fl n
Do not do any DNS or service lookups on any specified addresses,
hostnames or ports.
.It Fl o
.Dq Once-only mode .
By default,
.Nm
does not terminate on EOF condition on input,
but continues until the network side has been closed down.
Specifying
.Fl o
will make it terminate on EOF as well.
.It Fl p Ar source_port
Specifies the source port
.Nm
should use, subject to privilege restrictions and availability.
It is an error to use this option in conjunction with the
.Fl l
option.
.It Fl r
Specifies that source and/or destination ports should be chosen randomly
instead of sequentially within a range or in the order that the system
assigns them.
.It Fl S
Enables the RFC 2385 TCP MD5 signature option.
.It Fl s Ar source_ip_address
Specifies the IP of the interface which is used to send the packets.
It is an error to use this option in conjunction with the
.Fl l
option.
.It Fl t
Causes
.Nm
to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests.
This makes it possible to use
.Nm
to script telnet sessions.
.It Fl U
Specifies to use Unix Domain Sockets.
.It Fl u
Use UDP instead of the default option of TCP.
.It Fl v
Have
.Nm
give more verbose output.
.It Fl w Ar timeout
If a connection and stdin are idle for more than
.Ar timeout
seconds, then the connection is silently closed.
The
.Fl w
flag has no effect on the
.Fl l
option, i.e.\&
.Nm
will listen forever for a connection, with or without the
.Fl w
flag.
The default is no timeout.
.It Fl X Ar proxy_version
Requests that
.Nm
should use the specified protocol when talking to the proxy server.
Supported protocols are
.Dq 4
(SOCKS v.4),
.Dq 5
(SOCKS v.5)
and
.Dq connect
(HTTPS proxy).
If the protocol is not specified, SOCKS version 5 is used.
.It Xo
.Fl x Ar proxy_address Ns Oo : Ns
.Ar port Oc
.Xc
Requests that
.Nm
should connect to
.Ar hostname
using a proxy at
.Ar proxy_address
and
.Ar port .
If
.Ar port
is not specified, the well-known port for the proxy protocol is used (1080
for SOCKS, 3128 for HTTPS).
.It Fl z
Specifies that
.Nm
should just scan for listening daemons, without sending any data to them.
It is an error to use this option in conjunction with the
.Fl l
option.
.El
.Pp
.Ar hostname
can be a numerical IP address or a symbolic hostname
(unless the
.Fl n
option is given).
In general, a hostname must be specified,
unless the
.Fl l
option is given
(in which case the local host is used).
.Pp
.Ar port Ns Op Ar s
can be single integers or ranges.
Ranges are in the form nn-mm.
In general,
a destination port must be specified,
unless the
.Fl U
option is given
(in which case a socket must be specified).
.Sh CLIENT/SERVER MODEL
It is quite simple to build a very basic client/server model using
.Nm .
On one console, start
.Nm
listening on a specific port for a connection.
For example:
.Pp
.Dl $ nc -l 1234
.Pp
.Nm
is now listening on port 1234 for a connection.
On a second console
.Pq or a second machine ,
connect to the machine and port being listened on:
.Pp
.Dl $ nc 127.0.0.1 1234
.Pp
There should now be a connection between the ports.
Anything typed at the second console will be concatenated to the first,
and vice-versa.
After the connection has been set up,
.Nm
does not really care which side is being used as a
.Sq server
and which side is being used as a
.Sq client .
The connection may be terminated using an
.Dv EOF
.Pq Sq ^D .
.Sh DATA TRANSFER
The example in the previous section can be expanded to build a
basic data transfer model.
Any information input into one end of the connection will be output
to the other end, and input and output can be easily captured in order to
emulate file transfer.
.Pp
Start by using
.Nm
to listen on a specific port, with output captured into a file:
.Pp
.Dl $ nc -l 1234 \*(Gt filename.out
.Pp
Using a second machine, connect to the listening
.Nm
process, feeding it the file which is to be transferred:
.Pp
.Dl $ nc host.example.com 1234 \*(Lt filename.in
.Pp
After the file has been transferred, the connection will close automatically.
.Sh TALKING TO SERVERS
It is sometimes useful to talk to servers
.Dq by hand
rather than through a user interface.
It can aid in troubleshooting,
when it might be necessary to verify what data a server is sending
in response to commands issued by the client.
For example, to retrieve the home page of a web site:
.Pp
.Dl $ echo \&"GET\&" | nc host.example.com 80
.Pp
Note that this also displays the headers sent by the web server.
They can be filtered, using a tool such as
.Xr sed 1 ,
if necessary.
.Pp
More complicated examples can be built up when the user knows the format
of requests required by the server.
As another example, an email may be submitted to an SMTP server using:
.Bd -literal -offset indent
$ nc localhost 25 \*(Lt\*(Lt EOF
HELO host.example.com
MAIL FROM: \*(Ltuser@host.example.com\*(Gt
RCPT TO: \*(Ltuser2@host.example.com\*(Gt
DATA
Body of email.
\&.
QUIT
EOF
.Ed
.Sh PORT SCANNING
It may be useful to know which ports are open and running services on
a target machine.
The
.Fl z
flag can be used to tell
.Nm
not to initiate a connection,
together with the
.Fl v
.Pq verbose
flag,
to report open ports.
For example:
.Bd -literal -offset indent
$ nc -vz host.example.com 20-30
Connection to host.example.com 22 port [tcp/ssh] succeeded!
Connection to host.example.com 25 port [tcp/smtp] succeeded!
.Ed
.Pp
The port range was specified to limit the search to ports 20 \- 30.
.Pp
Alternatively, it might be useful to know which server software
is running, and which versions.
This information is often contained within the greeting banners.
In order to retrieve these, it is necessary to first make a connection,
and then break the connection when the banner has been retrieved.
This can be accomplished by specifying a small timeout with the
.Fl w
flag, or perhaps by issuing a
.Qq Dv QUIT
command to the server:
.Bd -literal -offset indent
$ echo "QUIT" | nc host.example.com 20-30
SSH-1.99-OpenSSH_3.6.1p2
Protocol mismatch.
220 host.example.com IMS SMTP Receiver Version 0.84 Ready
.Ed
.Sh EXAMPLES
Open a TCP connection to port 42 of hostname, using port 31337 as
the source port, with a timeout of 5 seconds:
.Pp
.Dl $ nc -p 31337 -w 5 hostname 42
.Pp
Open a UDP connection to port 53 of hostname:
.Pp
.Dl $ nc -u hostname 53
.Pp
Open a TCP connection to port 42 of example.host using 10.1.2.3 as the
IP for the local end of the connection:
.Pp
.Dl $ nc -s 10.1.2.3 example.host 42
.Pp
Open a TCP connection to port 42 of example.host using IPsec ESP for
incoming and outgoing traffic:
.Pp
.Dl $ nc -E example.host 42
.Pp
Open a TCP connection to port 42 of example.host using IPsec ESP for
outgoing traffic only:
.Pp
.Dl $ nc -e 'out ipsec esp/transport//require' example.host 42
.Pp
Send UDP packets to ports 20-30 of example.host, and report which ones
responded with an ICMP packet after three seconds:
.Pp
.Dl $ nc -uvz -w 3 hostname 20-30
.Pp
Create and listen on a Unix Domain Socket:
.Pp
.Dl $ nc -lU /var/tmp/dsocket
.Pp
Connect to port 42 of hostname via an HTTP proxy at 10.2.3.4, port 8080:
.Pp
.Dl $ nc -x10.2.3.4:8080 -Xconnect hostname 42
.Sh SEE ALSO
.Xr cat 1
.Sh AUTHORS
Original implementation by *Hobbit*
.Aq hobbit@avian.org .
.br
Rewritten with IPv6 support by
.An Eric Jackson Aq ericj@monkey.org .
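.Pp
The report format shown under PORT SCANNING can be compared against a list of services a host is expected to expose, so that any other listener stands out.
The following is an added example, not part of this manual page or of the nc distribution; the helper names and the allowlist format are assumptions, and the sample lines are constructed from the output shown in that section.

```shell
#!/bin/sh
# Added example (not part of nc): flag listening ports that are not on an
# expected-services allowlist, using the "nc -vz" report format.

# parse_open_ports (hypothetical helper): reads nc -vz output on stdin and
# prints one "port/proto service" pair per successful connection.
parse_open_ports() {
    sed -n 's|^Connection to [^ ]* \([0-9][0-9]*\) port \[\([a-z0-9]*\)/\([^]]*\)] succeeded!$|\1/\2 \3|p'
}

# unexpected_ports (hypothetical helper): $1 is a space-separated allowlist
# such as "22/tcp 443/tcp"; stdin is nc -vz output.
# Prints every open port that is missing from the allowlist.
unexpected_ports() {
    allow=" $1 "
    parse_open_ports | while read -r port svc; do
        case "$allow" in
            *" $port "*) ;;                        # expected service
            *) printf '%s %s\n' "$port" "$svc" ;;  # not in the baseline
        esac
    done
}

# Constructed sample in the format shown under PORT SCANNING.
SAMPLE='Connection to host.example.com 22 port [tcp/ssh] succeeded!
Connection to host.example.com 25 port [tcp/smtp] succeeded!'

# Only ssh is expected on this host, so smtp is reported.
printf '%s\n' "$SAMPLE" | unexpected_ports "22/tcp"    # prints: 25/tcp smtp
```

For a live check, pipe the scan into the function with standard error redirected, for example nc -vz host.example.com 20-30 2>&1 | unexpected_ports "22/tcp", because nc writes its verbose report to standard error.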