1.\" $OpenBSD: nc.1,v 1.45 2007/05/31 19:20:13 jmc Exp $ 2.\" 3.\" Copyright (c) 1996 David Sacerdote 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. The name of the author may not be used to endorse or promote products 15.\" derived from this software without specific prior written permission 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27.\" 28.\" $FreeBSD$ 29.\" 30.Dd $Mdocdate$ 31.Dt NC 1 32.Os 33.Sh NAME 34.Nm nc 35.Nd arbitrary TCP and UDP connections and listens 36.Sh SYNOPSIS 37.Nm nc 38.Bk -words 39.Op Fl 46DdEhklnOorStUuvz 40.Op Fl e Ar IPsec_policy 41.Op Fl i Ar interval 42.Op Fl P Ar proxy_username 43.Op Fl p Ar source_port 44.Op Fl s Ar source_ip_address 45.Op Fl T Ar ToS 46.Op Fl w Ar timeout 47.Op Fl X Ar proxy_protocol 48.Oo Xo 49.Fl x Ar proxy_address Ns Oo : Ns 50.Ar port Oc Oc 51.Xc 52.Op Ar hostname 53.Op Ar port Ns Bq Ar s 54.Ek 55.Sh DESCRIPTION 56The 57.Nm 58(or 59.Nm netcat ) 60utility is used for just about anything under the sun involving TCP 61or UDP. 62It can open TCP connections, send UDP packets, listen on arbitrary 63TCP and UDP ports, do port scanning, and deal with both IPv4 and 64IPv6. 65Unlike 66.Xr telnet 1 , 67.Nm 68scripts nicely, and separates error messages onto standard error instead 69of sending them to standard output, as 70.Xr telnet 1 71does with some. 72.Pp 73Common uses include: 74.Pp 75.Bl -bullet -offset indent -compact 76.It 77simple TCP proxies 78.It 79shell-script based HTTP clients and servers 80.It 81network daemon testing 82.It 83a SOCKS or HTTP ProxyCommand for 84.Xr ssh 1 85.It 86and much, much more 87.El 88.Pp 89The options are as follows: 90.Bl -tag -width Ds 91.It Fl 4 92Forces 93.Nm 94to use IPv4 addresses only. 95.It Fl 6 96Forces 97.Nm 98to use IPv6 addresses only. 99.It Fl D 100Enable debugging on the socket. 101.It Fl d 102Do not attempt to read from stdin. 103.It Fl E 104Shortcut for 105.Qo 106.Li "-e 'in ipsec esp/transport//require'" 107.Li "-e 'out ipsec esp/transport//require'" 108.Qc , 109which enables IPsec ESP transport mode in both 110directions. 111.It Fl e 112If IPsec support is available, then one can specify the IPsec policies 113to be used using the syntax described in 114.Xr ipsec_set_policy 3 . 115This flag can be specified up to two times, as typically one policy for 116each direction is needed. 117.It Fl h 118Prints out 119.Nm 120help. 121.It Fl i Ar interval 122Specifies a delay time interval between lines of text sent and received. 123Also causes a delay time between connections to multiple ports. 124.It Fl k 125Forces 126.Nm 127to stay listening for another connection after its current connection 128is completed. 129It is an error to use this option without the 130.Fl l 131option. 132.It Fl l 133Used to specify that 134.Nm 135should listen for an incoming connection rather than initiate a 136connection to a remote host. 137It is an error to use this option in conjunction with the 138.Fl p , 139.Fl s , 140or 141.Fl z 142options. 143Additionally, any timeouts specified with the 144.Fl w 145option are ignored. 146.It Fl n 147Do not do any DNS or service lookups on any specified addresses, 148hostnames or ports. 149.It Fl O 150Disables the use of TCP options on the socket, by setting the boolean 151TCP_NOOPT 152socket option. 153.It Fl o 154.Dq Once-only mode . 155By default, 156.Nm 157does not terminate on EOF condition on input, 158but continues until the network side has been closed down. 159Specifying 160.Fl o 161will make it terminate on EOF as well. 162.It Fl P Ar proxy_username 163Specifies a username to present to a proxy server that requires authentication. 164If no username is specified then authentication will not be attempted. 165Proxy authentication is only supported for HTTP CONNECT proxies at present. 166.It Fl p Ar source_port 167Specifies the source port 168.Nm 169should use, subject to privilege restrictions and availability. 170It is an error to use this option in conjunction with the 171.Fl l 172option. 173.It Fl r 174Specifies that source and/or destination ports should be chosen randomly 175instead of sequentially within a range or in the order that the system 176assigns them. 177.It Fl S 178Enables the RFC 2385 TCP MD5 signature option. 179.It Fl s Ar source_ip_address 180Specifies the IP of the interface which is used to send the packets. 181It is an error to use this option in conjunction with the 182.Fl l 183option. 184.It Fl T Ar ToS 185Specifies IP Type of Service (ToS) for the connection. 186Valid values are the tokens 187.Dq lowdelay , 188.Dq throughput , 189.Dq reliability , 190or an 8-bit hexadecimal value preceded by 191.Dq 0x . 192.It Fl t 193Causes 194.Nm 195to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests. 196This makes it possible to use 197.Nm 198to script telnet sessions. 199.It Fl U 200Specifies to use Unix Domain Sockets. 201.It Fl u 202Use UDP instead of the default option of TCP. 203.It Fl v 204Have 205.Nm 206give more verbose output. 207.It Fl w Ar timeout 208If a connection and stdin are idle for more than 209.Ar timeout 210seconds, then the connection is silently closed. 211The 212.Fl w 213flag has no effect on the 214.Fl l 215option, i.e.\& 216.Nm 217will listen forever for a connection, with or without the 218.Fl w 219flag. 220The default is no timeout. 221.It Fl X Ar proxy_protocol 222Requests that 223.Nm 224should use the specified protocol when talking to the proxy server. 225Supported protocols are 226.Dq 4 227(SOCKS v.4), 228.Dq 5 229(SOCKS v.5) 230and 231.Dq connect 232(HTTPS proxy). 233If the protocol is not specified, SOCKS version 5 is used. 234.It Xo 235.Fl x Ar proxy_address Ns Oo : Ns 236.Ar port Oc 237.Xc 238Requests that 239.Nm 240should connect to 241.Ar hostname 242using a proxy at 243.Ar proxy_address 244and 245.Ar port . 246If 247.Ar port 248is not specified, the well-known port for the proxy protocol is used (1080 249for SOCKS, 3128 for HTTPS). 250.It Fl z 251Specifies that 252.Nm 253should just scan for listening daemons, without sending any data to them. 254It is an error to use this option in conjunction with the 255.Fl l 256option. 257.El 258.Pp 259.Ar hostname 260can be a numerical IP address or a symbolic hostname 261(unless the 262.Fl n 263option is given). 264In general, a hostname must be specified, 265unless the 266.Fl l 267option is given 268(in which case the local host is used). 269.Pp 270.Ar port Ns Op Ar s 271can be single integers or ranges. 272Ranges are in the form nn-mm. 273In general, 274a destination port must be specified, 275unless the 276.Fl U 277option is given 278(in which case a socket must be specified). 279.Sh CLIENT/SERVER MODEL 280It is quite simple to build a very basic client/server model using 281.Nm . 282On one console, start 283.Nm 284listening on a specific port for a connection. 285For example: 286.Pp 287.Dl $ nc -l 1234 288.Pp 289.Nm 290is now listening on port 1234 for a connection. 291On a second console 292.Pq or a second machine , 293connect to the machine and port being listened on: 294.Pp 295.Dl $ nc 127.0.0.1 1234 296.Pp 297There should now be a connection between the ports. 298Anything typed at the second console will be concatenated to the first, 299and vice-versa. 300After the connection has been set up, 301.Nm 302does not really care which side is being used as a 303.Sq server 304and which side is being used as a 305.Sq client . 306The connection may be terminated using an 307.Dv EOF 308.Pq Sq ^D . 309.Sh DATA TRANSFER 310The example in the previous section can be expanded to build a 311basic data transfer model. 312Any information input into one end of the connection will be output 313to the other end, and input and output can be easily captured in order to 314emulate file transfer. 315.Pp 316Start by using 317.Nm 318to listen on a specific port, with output captured into a file: 319.Pp 320.Dl $ nc -l 1234 \*(Gt filename.out 321.Pp 322Using a second machine, connect to the listening 323.Nm 324process, feeding it the file which is to be transferred: 325.Pp 326.Dl $ nc host.example.com 1234 \*(Lt filename.in 327.Pp 328After the file has been transferred, the connection will close automatically. 329.Sh TALKING TO SERVERS 330It is sometimes useful to talk to servers 331.Dq by hand 332rather than through a user interface. 333It can aid in troubleshooting, 334when it might be necessary to verify what data a server is sending 335in response to commands issued by the client. 336For example, to retrieve the home page of a web site: 337.Bd -literal -offset indent 338$ echo -n "GET / HTTP/1.0\er\en\er\en" | nc host.example.com 80 339.Ed 340.Pp 341Note that this also displays the headers sent by the web server. 342They can be filtered, using a tool such as 343.Xr sed 1 , 344if necessary. 345.Pp 346More complicated examples can be built up when the user knows the format 347of requests required by the server. 348As another example, an email may be submitted to an SMTP server using: 349.Bd -literal -offset indent 350$ nc localhost 25 \*(Lt\*(Lt EOF 351HELO host.example.com 352MAIL FROM:\*(Ltuser@host.example.com\*(Gt 353RCPT TO:\*(Ltuser2@host.example.com\*(Gt 354DATA 355Body of email. 356\&. 357QUIT 358EOF 359.Ed 360.Sh PORT SCANNING 361It may be useful to know which ports are open and running services on 362a target machine. 363The 364.Fl z 365flag can be used to tell 366.Nm 367to report open ports, 368rather than initiate a connection. 369For example: 370.Bd -literal -offset indent 371$ nc -z host.example.com 20-30 372Connection to host.example.com 22 port [tcp/ssh] succeeded! 373Connection to host.example.com 25 port [tcp/smtp] succeeded! 374.Ed 375.Pp 376The port range was specified to limit the search to ports 20 \- 30. 377.Pp 378Alternatively, it might be useful to know which server software 379is running, and which versions. 380This information is often contained within the greeting banners. 381In order to retrieve these, it is necessary to first make a connection, 382and then break the connection when the banner has been retrieved. 383This can be accomplished by specifying a small timeout with the 384.Fl w 385flag, or perhaps by issuing a 386.Qq Dv QUIT 387command to the server: 388.Bd -literal -offset indent 389$ echo "QUIT" | nc host.example.com 20-30 390SSH-1.99-OpenSSH_3.6.1p2 391Protocol mismatch. 392220 host.example.com IMS SMTP Receiver Version 0.84 Ready 393.Ed 394.Sh EXAMPLES 395Open a TCP connection to port 42 of host.example.com, using port 31337 as 396the source port, with a timeout of 5 seconds: 397.Pp 398.Dl $ nc -p 31337 -w 5 host.example.com 42 399.Pp 400Open a UDP connection to port 53 of host.example.com: 401.Pp 402.Dl $ nc -u host.example.com 53 403.Pp 404Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as the 405IP for the local end of the connection: 406.Pp 407.Dl $ nc -s 10.1.2.3 host.example.com 42 408.Pp 409Open a TCP connection to port 42 of host.example.com using IPsec ESP for 410incoming and outgoing traffic. 411.Pp 412.Dl $ nc -E host.example.com 42 413.Pp 414Open a TCP connection to port 42 of host.example.com using IPsec ESP for 415outgoing traffic only. 416.Pp 417.Dl $ nc -e 'out ipsec esp/transport//require' host.example.com 42 418.Pp 419Create and listen on a Unix Domain Socket: 420.Pp 421.Dl $ nc -lU /var/tmp/dsocket 422.Pp 423Connect to port 42 of host.example.com via an HTTP proxy at 10.2.3.4, 424port 8080. 425This example could also be used by 426.Xr ssh 1 ; 427see the 428.Cm ProxyCommand 429directive in 430.Xr ssh_config 5 431for more information. 432.Pp 433.Dl $ nc -x10.2.3.4:8080 -Xconnect host.example.com 42 434.Pp 435The same example again, this time enabling proxy authentication with username 436.Dq ruser 437if the proxy requires it: 438.Pp 439.Dl $ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42 440.Sh SEE ALSO 441.Xr cat 1 , 442.Xr ssh 1 , 443.Xr tcp 4 444.Sh AUTHORS 445Original implementation by *Hobbit* 446.Aq hobbit@avian.org . 447.br 448Rewritten with IPv6 support by 449.An Eric Jackson Aq ericj@monkey.org . 450.Sh CAVEATS 451UDP port scans will always succeed 452(i.e. report the port as open), 453rendering the 454.Fl uz 455combination of flags relatively useless. 456