xref: /freebsd/contrib/netcat/nc.1 (revision 783d3ff6d7fae619db8a7990b8a6387de0c677b5)
1.\"     $OpenBSD: nc.1,v 1.68 2015/03/26 10:35:04 tobias Exp $
2.\"
3.\" Copyright (c) 1996 David Sacerdote
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\" 3. The name of the author may not be used to endorse or promote products
15.\"    derived from this software without specific prior written permission
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27.\"
28.\" $FreeBSD$
29.\"
30.Dd January 17, 2023
31.Dt NC 1
32.Os
33.Sh NAME
34.Nm nc
35.Nd arbitrary TCP and UDP connections and listens
36.Sh SYNOPSIS
37.Nm nc
38.Bk -words
39.Op Fl 46DdEFhklMNnrStUuvz
40.Op Fl e Ar IPsec_policy
41.Op Fl I Ar length
42.Op Fl i Ar interval
43.Op Fl -no-tcpopt
44.Op Fl -sctp
45.Op Fl -crlf
46.Op Fl O Ar length
47.Op Fl P Ar proxy_username
48.Op Fl p Ar source_port
49.Op Fl s Ar source
50.Op Fl T Ar toskeyword
51.Op Fl -tun Ar tundev
52.Op Fl V Ar rtable
53.Op Fl w Ar timeout
54.Op Fl X Ar proxy_protocol
55.Oo Xo
56.Fl x Ar proxy_address Ns Oo : Ns
57.Ar port Oc
58.Xc Oc
59.Op Ar destination
60.Op Ar port
61.Ek
62.Sh DESCRIPTION
63The
64.Nm
65(or
66.Nm netcat )
67utility is used for just about anything under the sun involving TCP,
68UDP, or
69.Ux Ns -domain
70sockets.
71It can open TCP connections, send UDP packets, listen on arbitrary
72TCP and UDP ports, do port scanning, and deal with both IPv4 and
73IPv6.
74Unlike
75.Xr telnet 1 ,
76.Nm
77scripts nicely, and separates error messages onto standard error instead
78of sending them to standard output, as
79.Xr telnet 1
80does with some.
81.Pp
82Common uses include:
83.Pp
84.Bl -bullet -offset indent -compact
85.It
86simple TCP proxies
87.It
88shell-script based HTTP clients and servers
89.It
90network daemon testing
91.It
92a SOCKS or HTTP ProxyCommand for
93.Xr ssh 1
94.It
95and much, much more
96.El
97.Pp
98The options are as follows:
99.Bl -tag -width Ds
100.It Fl 4
101Forces
102.Nm
103to use IPv4 addresses only.
104.It Fl 6
105Forces
106.Nm
107to use IPv6 addresses only.
108.It Fl -crlf
109Convert LF into CRLF when sending data over the network.
110.It Fl D
111Enable debugging on the socket.
112.It Fl d
113Do not attempt to read from stdin.
114.It Fl E
115Shortcut for
116.Qo
117.Li "-e 'in ipsec esp/transport//require'"
118.Li "-e 'out ipsec esp/transport//require'"
119.Qc ,
120which enables IPsec ESP transport mode in both
121directions.
122.It Fl e
123If IPsec support is available, then one can specify the IPsec policies
124to be used using the syntax described in
125.Xr ipsec_set_policy 3 .
126This flag can be specified up to two times, as typically one policy for
127each direction is needed.
128.It Fl F
129Pass the first connected socket using
130.Xr sendmsg 2
131to stdout and exit.
132This is useful in conjunction with
133.Fl X
134to have
135.Nm
136perform connection setup with a proxy but then leave the rest of the
137connection to another program (e.g.\&
138.Xr ssh 1
139using the
140.Xr ssh_config 5
141.Cm ProxyUseFdpass
142option).
143.It Fl h
144Prints out
145.Nm
146help.
147.It Fl I Ar length
148Specifies the size of the TCP receive buffer.
149.It Fl i Ar interval
150Specifies a delay time interval between lines of text sent and received.
151Also causes a delay time between connections to multiple ports.
152.It Fl k
153Forces
154.Nm
155to stay listening for another connection after its current connection
156is completed.
157It is an error to use this option without the
158.Fl l
159option.
160When used together with the
161.Fl u
162option, the server socket is not connected and it can receive UDP datagrams from
163multiple hosts.
164.It Fl l
165Used to specify that
166.Nm
167should listen for an incoming connection rather than initiate a
168connection to a remote host.
169It is an error to use this option in conjunction with the
170.Fl p ,
171.Fl s ,
172or
173.Fl z
174options.
175Additionally, any timeouts specified with the
176.Fl w
177option are ignored.
178.It Fl M
179Collect per-connection TCP statistics using the
180.Xr stats 3
181framework and print them in JSON format to
182.Xr stderr 4
183after the connection is closed.
184.It Fl N
185.Xr shutdown 2
186the network socket after EOF on the input.
187Some servers require this to finish their work.
188.It Fl n
189Do not do any DNS or service lookups on any specified addresses,
190hostnames or ports.
191.It Fl -no-tcpopt
192Disables the use of TCP options on the socket, by setting the boolean
193TCP_NOOPT
194socket option.
195.It Fl -sctp
196Use SCTP instead of the default option of TCP.
197.It Fl O Ar length
198Specifies the size of the TCP send buffer.
199.It Fl P Ar proxy_username
200Specifies a username to present to a proxy server that requires authentication.
201If no username is specified then authentication will not be attempted.
202Proxy authentication is only supported for HTTP CONNECT proxies at present.
203.It Fl p Ar source_port
204Specifies the source port
205.Nm
206should use, subject to privilege restrictions and availability.
207It is an error to use this option in conjunction with the
208.Fl l
209option.
210.It Fl r
211Specifies that source and/or destination ports should be chosen randomly
212instead of sequentially within a range or in the order that the system
213assigns them.
214.It Fl S
215Enables the RFC 2385 TCP MD5 signature option.
216.It Fl s Ar source
217Specifies the IP of the interface which is used to send the packets.
218For
219.Ux Ns -domain
220datagram sockets, specifies the local temporary socket file
221to create and use so that datagrams can be received.
222It is an error to use this option in conjunction with the
223.Fl l
224option.
225.It Fl T Ar toskeyword
226Change IPv4 TOS value.
227.Ar toskeyword
228may be one of
229.Ar critical ,
230.Ar inetcontrol ,
231.Ar lowdelay ,
232.Ar netcontrol ,
233.Ar throughput ,
234.Ar reliability ,
235or one of the DiffServ Code Points:
236.Ar ef ,
237.Ar af11 ... af43 ,
238.Ar cs0 ... cs7 ;
239or a number in either hex or decimal.
240.It Fl t
241Causes
242.Nm
243to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests.
244This makes it possible to use
245.Nm
246to script telnet sessions.
247.It Fl -tun Ar tundev
248Causes
249.Nm
250to use the provided
251.Xr tun 4
252for input and output rather than the default of stdin and stdout.
253.It Fl U
254Specifies to use
255.Ux Ns -domain
256sockets.
257.It Fl u
258Use UDP instead of the default option of TCP.
259For
260.Ux Ns -domain
261sockets, use a datagram socket instead of a stream socket.
262If a
263.Ux Ns -domain
264socket is used, a temporary receiving socket is created in
265.Pa /tmp
266unless the
267.Fl s
268flag is given.
269.It Fl V Ar rtable
270Set the routing table
271.Pq Dq FIB
272to be used.
273.It Fl v
274Have
275.Nm
276give more verbose output.
277.It Fl w Ar timeout
278Connections which cannot be established or are idle timeout after
279.Ar timeout
280seconds.
281The
282.Fl w
283flag has no effect on the
284.Fl l
285option, i.e.\&
286.Nm
287will listen forever for a connection, with or without the
288.Fl w
289flag.
290The default is no timeout.
291.It Fl X Ar proxy_protocol
292Requests that
293.Nm
294should use the specified protocol when talking to the proxy server.
295Supported protocols are
296.Dq 4
297(SOCKS v.4),
298.Dq 5
299(SOCKS v.5)
300and
301.Dq connect
302(HTTPS proxy).
303If the protocol is not specified, SOCKS version 5 is used.
304.It Xo
305.Fl x Ar proxy_address Ns Oo : Ns
306.Ar port Oc
307.Xc
308Requests that
309.Nm
310should connect to
311.Ar destination
312using a proxy at
313.Ar proxy_address
314and
315.Ar port .
316If
317.Ar port
318is not specified, the well-known port for the proxy protocol is used (1080
319for SOCKS, 3128 for HTTPS).
320.It Fl z
321Specifies that
322.Nm
323should just scan for listening daemons, without sending any data to them.
324It is an error to use this option in conjunction with the
325.Fl l
326option.
327.El
328.Pp
329.Ar destination
330can be a numerical IP address or a symbolic hostname
331(unless the
332.Fl n
333option is given).
334In general, a destination must be specified,
335unless the
336.Fl l
337option is given
338(in which case the local host is used).
339For
340.Ux Ns -domain
341sockets, a destination is required and is the socket path to connect to
342(or listen on if the
343.Fl l
344option is given).
345.Pp
346.Ar port
347can be a single integer or a range of ports.
348Ranges are in the form nn-mm.
349In general,
350a destination port must be specified,
351unless the
352.Fl U
353option is given.
354.Sh CLIENT/SERVER MODEL
355It is quite simple to build a very basic client/server model using
356.Nm .
357On one console, start
358.Nm
359listening on a specific port for a connection.
360For example:
361.Pp
362.Dl $ nc -l 1234
363.Pp
364.Nm
365is now listening on port 1234 for a connection.
366On a second console
367.Pq or a second machine ,
368connect to the machine and port being listened on:
369.Pp
370.Dl $ nc 127.0.0.1 1234
371.Pp
372There should now be a connection between the ports.
373Anything typed at the second console will be concatenated to the first,
374and vice-versa.
375After the connection has been set up,
376.Nm
377does not really care which side is being used as a
378.Sq server
379and which side is being used as a
380.Sq client .
381The connection may be terminated using an
382.Dv EOF
383.Pq Sq ^D .
384.Sh DATA TRANSFER
385The example in the previous section can be expanded to build a
386basic data transfer model.
387Any information input into one end of the connection will be output
388to the other end, and input and output can be easily captured in order to
389emulate file transfer.
390.Pp
391Start by using
392.Nm
393to listen on a specific port, with output captured into a file:
394.Pp
395.Dl $ nc -l 1234 \*(Gt filename.out
396.Pp
397Using a second machine, connect to the listening
398.Nm
399process, feeding it the file which is to be transferred:
400.Pp
401.Dl $ nc -N host.example.com 1234 \*(Lt filename.in
402.Pp
403After the file has been transferred, the connection will close automatically.
404.Sh TALKING TO SERVERS
405It is sometimes useful to talk to servers
406.Dq by hand
407rather than through a user interface.
408It can aid in troubleshooting,
409when it might be necessary to verify what data a server is sending
410in response to commands issued by the client.
411For example, to retrieve the home page of a web site:
412.Bd -literal -offset indent
413$ printf "GET / HTTP/1.0\er\en\er\en" | nc host.example.com 80
414.Ed
415.Pp
416Note that this also displays the headers sent by the web server.
417They can be filtered, using a tool such as
418.Xr sed 1 ,
419if necessary.
420.Pp
421More complicated examples can be built up when the user knows the format
422of requests required by the server.
423As another example, an email may be submitted to an SMTP server using:
424.Bd -literal -offset indent
425$ nc localhost 25 \*(Lt\*(Lt EOF
426HELO host.example.com
427MAIL FROM:\*(Ltuser@host.example.com\*(Gt
428RCPT TO:\*(Ltuser2@host.example.com\*(Gt
429DATA
430Body of email.
431\&.
432QUIT
433EOF
434.Ed
435.Sh PORT SCANNING
436It may be useful to know which ports are open and running services on
437a target machine.
438The
439.Fl z
440flag can be used to tell
441.Nm
442to report open ports,
443rather than initiate a connection.
444For example:
445.Bd -literal -offset indent
446$ nc -z host.example.com 20-30
447Connection to host.example.com 22 port [tcp/ssh] succeeded!
448Connection to host.example.com 25 port [tcp/smtp] succeeded!
449.Ed
450.Pp
451The port range was specified to limit the search to ports 20 \- 30.
452.Pp
453Alternatively, it might be useful to know which server software
454is running, and which versions.
455This information is often contained within the greeting banners.
456In order to retrieve these, it is necessary to first make a connection,
457and then break the connection when the banner has been retrieved.
458This can be accomplished by specifying a small timeout with the
459.Fl w
460flag, or perhaps by issuing a
461.Qq Dv QUIT
462command to the server:
463.Bd -literal -offset indent
464$ echo "QUIT" | nc host.example.com 20-30
465SSH-1.99-OpenSSH_3.6.1p2
466Protocol mismatch.
467220 host.example.com IMS SMTP Receiver Version 0.84 Ready
468.Ed
469.Sh EXAMPLES
470Open a TCP connection to port 42 of host.example.com, using port 31337 as
471the source port, with a timeout of 5 seconds:
472.Pp
473.Dl $ nc -p 31337 -w 5 host.example.com 42
474.Pp
475Open a UDP connection to port 53 of host.example.com:
476.Pp
477.Dl $ nc -u host.example.com 53
478.Pp
479Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as the
480IP for the local end of the connection:
481.Pp
482.Dl $ nc -s 10.1.2.3 host.example.com 42
483.Pp
484Open a TCP connection to port 42 of host.example.com using IPsec ESP for
485incoming and outgoing traffic.
486.Pp
487.Dl $ nc -E host.example.com 42
488.Pp
489Open a TCP connection to port 42 of host.example.com using IPsec ESP for
490outgoing traffic only.
491.Pp
492.Dl $ nc -e 'out ipsec esp/transport//require' host.example.com 42
493.Pp
494Create and listen on a
495.Ux Ns -domain
496stream socket:
497.Pp
498.Dl $ nc -lU /var/tmp/dsocket
499.Pp
500Connect to port 42 of host.example.com via an HTTP proxy at 10.2.3.4,
501port 8080.
502This example could also be used by
503.Xr ssh 1 ;
504see the
505.Cm ProxyCommand
506directive in
507.Xr ssh_config 5
508for more information.
509.Pp
510.Dl $ nc -x10.2.3.4:8080 -Xconnect host.example.com 42
511.Pp
512The same example again, this time enabling proxy authentication with username
513.Dq ruser
514if the proxy requires it:
515.Pp
516.Dl $ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42
517.Sh EXIT STATUS
518.Ex -std
519.Sh SEE ALSO
520.Xr cat 1 ,
521.Xr setfib 1 ,
522.Xr ssh 1 ,
523.Xr tcp 4
524.Sh AUTHORS
525Original implementation by *Hobbit*
526.Aq Mt hobbit@avian.org .
527.br
528Rewritten with IPv6 support by
529.An Eric Jackson Aq Mt ericj@monkey.org .
530.Sh CAVEATS
531UDP port scans using the
532.Fl uz
533combination of flags will always report success irrespective of
534the target machine's state.
535However,
536in conjunction with a traffic sniffer either on the target machine
537or an intermediary device,
538the
539.Fl uz
540combination could be useful for communications diagnostics.
541Note that the amount of UDP traffic generated may be limited either
542due to hardware resources and/or configuration settings.
543