xref: /freebsd/contrib/netcat/nc.1 (revision 9e5787d2284e187abb5b654d924394a65772e004)
1.\"     $OpenBSD: nc.1,v 1.68 2015/03/26 10:35:04 tobias Exp $
2.\"
3.\" Copyright (c) 1996 David Sacerdote
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\" 3. The name of the author may not be used to endorse or promote products
15.\"    derived from this software without specific prior written permission
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27.\"
28.\" $FreeBSD$
29.\"
30.Dd July 10, 2020
31.Dt NC 1
32.Os
33.Sh NAME
34.Nm nc
35.Nd arbitrary TCP and UDP connections and listens
36.Sh SYNOPSIS
37.Nm nc
38.Bk -words
39.Op Fl 46DdEFhklMNnrStUuvz
40.Op Fl e Ar IPsec_policy
41.Op Fl I Ar length
42.Op Fl i Ar interval
43.Op Fl -no-tcpopt
44.Op Fl -sctp
45.Op Fl O Ar length
46.Op Fl P Ar proxy_username
47.Op Fl p Ar source_port
48.Op Fl s Ar source
49.Op Fl T Ar toskeyword
50.Op Fl V Ar rtable
51.Op Fl w Ar timeout
52.Op Fl X Ar proxy_protocol
53.Oo Xo
54.Fl x Ar proxy_address Ns Oo : Ns
55.Ar port Oc
56.Xc Oc
57.Op Ar destination
58.Op Ar port
59.Ek
60.Sh DESCRIPTION
61The
62.Nm
63(or
64.Nm netcat )
65utility is used for just about anything under the sun involving TCP,
66UDP, or
67.Ux Ns -domain
68sockets.
69It can open TCP connections, send UDP packets, listen on arbitrary
70TCP and UDP ports, do port scanning, and deal with both IPv4 and
71IPv6.
72Unlike
73.Xr telnet 1 ,
74.Nm
75scripts nicely, and separates error messages onto standard error instead
76of sending them to standard output, as
77.Xr telnet 1
78does with some.
79.Pp
80Common uses include:
81.Pp
82.Bl -bullet -offset indent -compact
83.It
84simple TCP proxies
85.It
86shell-script based HTTP clients and servers
87.It
88network daemon testing
89.It
90a SOCKS or HTTP ProxyCommand for
91.Xr ssh 1
92.It
93and much, much more
94.El
95.Pp
96The options are as follows:
97.Bl -tag -width Ds
98.It Fl 4
99Forces
100.Nm
101to use IPv4 addresses only.
102.It Fl 6
103Forces
104.Nm
105to use IPv6 addresses only.
106.It Fl D
107Enable debugging on the socket.
108.It Fl d
109Do not attempt to read from stdin.
110.It Fl E
111Shortcut for
112.Qo
113.Li "-e 'in ipsec esp/transport//require'"
114.Li "-e 'out ipsec esp/transport//require'"
115.Qc ,
116which enables IPsec ESP transport mode in both
117directions.
118.It Fl e
119If IPsec support is available, then one can specify the IPsec policies
120to be used using the syntax described in
121.Xr ipsec_set_policy 3 .
122This flag can be specified up to two times, as typically one policy for
123each direction is needed.
124.It Fl F
125Pass the first connected socket using
126.Xr sendmsg 2
127to stdout and exit.
128This is useful in conjunction with
129.Fl X
130to have
131.Nm
132perform connection setup with a proxy but then leave the rest of the
133connection to another program (e.g.\&
134.Xr ssh 1
135using the
136.Xr ssh_config 5
137.Cm ProxyUseFdpass
138option).
139.It Fl h
140Prints out
141.Nm
142help.
143.It Fl I Ar length
144Specifies the size of the TCP receive buffer.
145.It Fl i Ar interval
146Specifies a delay time interval between lines of text sent and received.
147Also causes a delay time between connections to multiple ports.
148.It Fl k
149Forces
150.Nm
151to stay listening for another connection after its current connection
152is completed.
153It is an error to use this option without the
154.Fl l
155option.
156When used together with the
157.Fl u
158option, the server socket is not connected and it can receive UDP datagrams from
159multiple hosts.
160.It Fl l
161Used to specify that
162.Nm
163should listen for an incoming connection rather than initiate a
164connection to a remote host.
165It is an error to use this option in conjunction with the
166.Fl p ,
167.Fl s ,
168or
169.Fl z
170options.
171Additionally, any timeouts specified with the
172.Fl w
173option are ignored.
174.It Fl M
175Collect per-connection TCP statistics using the
176.Xr stats 3
177framework and print them in JSON format to
178.Xr stderr 4
179after the connection is closed.
180.It Fl N
181.Xr shutdown 2
182the network socket after EOF on the input.
183Some servers require this to finish their work.
184.It Fl n
185Do not do any DNS or service lookups on any specified addresses,
186hostnames or ports.
187.It Fl -no-tcpopt
188Disables the use of TCP options on the socket, by setting the boolean
189TCP_NOOPT
190socket option.
191.It Fl -sctp
192Use SCTP instead of the default option of TCP.
193.It Fl O Ar length
194Specifies the size of the TCP send buffer.
195.It Fl P Ar proxy_username
196Specifies a username to present to a proxy server that requires authentication.
197If no username is specified then authentication will not be attempted.
198Proxy authentication is only supported for HTTP CONNECT proxies at present.
199.It Fl p Ar source_port
200Specifies the source port
201.Nm
202should use, subject to privilege restrictions and availability.
203It is an error to use this option in conjunction with the
204.Fl l
205option.
206.It Fl r
207Specifies that source and/or destination ports should be chosen randomly
208instead of sequentially within a range or in the order that the system
209assigns them.
210.It Fl S
211Enables the RFC 2385 TCP MD5 signature option.
212.It Fl s Ar source
213Specifies the IP of the interface which is used to send the packets.
214For
215.Ux Ns -domain
216datagram sockets, specifies the local temporary socket file
217to create and use so that datagrams can be received.
218It is an error to use this option in conjunction with the
219.Fl l
220option.
221.It Fl T Ar toskeyword
222Change IPv4 TOS value.
223.Ar toskeyword
224may be one of
225.Ar critical ,
226.Ar inetcontrol ,
227.Ar lowdelay ,
228.Ar netcontrol ,
229.Ar throughput ,
230.Ar reliability ,
231or one of the DiffServ Code Points:
232.Ar ef ,
233.Ar af11 ... af43 ,
234.Ar cs0 ... cs7 ;
235or a number in either hex or decimal.
236.It Fl t
237Causes
238.Nm
239to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests.
240This makes it possible to use
241.Nm
242to script telnet sessions.
243.It Fl U
244Specifies to use
245.Ux Ns -domain
246sockets.
247.It Fl u
248Use UDP instead of the default option of TCP.
249For
250.Ux Ns -domain
251sockets, use a datagram socket instead of a stream socket.
252If a
253.Ux Ns -domain
254socket is used, a temporary receiving socket is created in
255.Pa /tmp
256unless the
257.Fl s
258flag is given.
259.It Fl V Ar rtable
260Set the routing table
261.Pq Dq FIB
262to be used.
263.It Fl v
264Have
265.Nm
266give more verbose output.
267.It Fl w Ar timeout
268Connections which cannot be established or are idle timeout after
269.Ar timeout
270seconds.
271The
272.Fl w
273flag has no effect on the
274.Fl l
275option, i.e.\&
276.Nm
277will listen forever for a connection, with or without the
278.Fl w
279flag.
280The default is no timeout.
281.It Fl X Ar proxy_protocol
282Requests that
283.Nm
284should use the specified protocol when talking to the proxy server.
285Supported protocols are
286.Dq 4
287(SOCKS v.4),
288.Dq 5
289(SOCKS v.5)
290and
291.Dq connect
292(HTTPS proxy).
293If the protocol is not specified, SOCKS version 5 is used.
294.It Xo
295.Fl x Ar proxy_address Ns Oo : Ns
296.Ar port Oc
297.Xc
298Requests that
299.Nm
300should connect to
301.Ar destination
302using a proxy at
303.Ar proxy_address
304and
305.Ar port .
306If
307.Ar port
308is not specified, the well-known port for the proxy protocol is used (1080
309for SOCKS, 3128 for HTTPS).
310.It Fl z
311Specifies that
312.Nm
313should just scan for listening daemons, without sending any data to them.
314It is an error to use this option in conjunction with the
315.Fl l
316option.
317.El
318.Pp
319.Ar destination
320can be a numerical IP address or a symbolic hostname
321(unless the
322.Fl n
323option is given).
324In general, a destination must be specified,
325unless the
326.Fl l
327option is given
328(in which case the local host is used).
329For
330.Ux Ns -domain
331sockets, a destination is required and is the socket path to connect to
332(or listen on if the
333.Fl l
334option is given).
335.Pp
336.Ar port
337can be a single integer or a range of ports.
338Ranges are in the form nn-mm.
339In general,
340a destination port must be specified,
341unless the
342.Fl U
343option is given.
344.Sh CLIENT/SERVER MODEL
345It is quite simple to build a very basic client/server model using
346.Nm .
347On one console, start
348.Nm
349listening on a specific port for a connection.
350For example:
351.Pp
352.Dl $ nc -l 1234
353.Pp
354.Nm
355is now listening on port 1234 for a connection.
356On a second console
357.Pq or a second machine ,
358connect to the machine and port being listened on:
359.Pp
360.Dl $ nc 127.0.0.1 1234
361.Pp
362There should now be a connection between the ports.
363Anything typed at the second console will be concatenated to the first,
364and vice-versa.
365After the connection has been set up,
366.Nm
367does not really care which side is being used as a
368.Sq server
369and which side is being used as a
370.Sq client .
371The connection may be terminated using an
372.Dv EOF
373.Pq Sq ^D .
374.Sh DATA TRANSFER
375The example in the previous section can be expanded to build a
376basic data transfer model.
377Any information input into one end of the connection will be output
378to the other end, and input and output can be easily captured in order to
379emulate file transfer.
380.Pp
381Start by using
382.Nm
383to listen on a specific port, with output captured into a file:
384.Pp
385.Dl $ nc -l 1234 \*(Gt filename.out
386.Pp
387Using a second machine, connect to the listening
388.Nm
389process, feeding it the file which is to be transferred:
390.Pp
391.Dl $ nc -N host.example.com 1234 \*(Lt filename.in
392.Pp
393After the file has been transferred, the connection will close automatically.
394.Sh TALKING TO SERVERS
395It is sometimes useful to talk to servers
396.Dq by hand
397rather than through a user interface.
398It can aid in troubleshooting,
399when it might be necessary to verify what data a server is sending
400in response to commands issued by the client.
401For example, to retrieve the home page of a web site:
402.Bd -literal -offset indent
403$ printf "GET / HTTP/1.0\er\en\er\en" | nc host.example.com 80
404.Ed
405.Pp
406Note that this also displays the headers sent by the web server.
407They can be filtered, using a tool such as
408.Xr sed 1 ,
409if necessary.
410.Pp
411More complicated examples can be built up when the user knows the format
412of requests required by the server.
413As another example, an email may be submitted to an SMTP server using:
414.Bd -literal -offset indent
415$ nc localhost 25 \*(Lt\*(Lt EOF
416HELO host.example.com
417MAIL FROM:\*(Ltuser@host.example.com\*(Gt
418RCPT TO:\*(Ltuser2@host.example.com\*(Gt
419DATA
420Body of email.
421\&.
422QUIT
423EOF
424.Ed
425.Sh PORT SCANNING
426It may be useful to know which ports are open and running services on
427a target machine.
428The
429.Fl z
430flag can be used to tell
431.Nm
432to report open ports,
433rather than initiate a connection.
434For example:
435.Bd -literal -offset indent
436$ nc -z host.example.com 20-30
437Connection to host.example.com 22 port [tcp/ssh] succeeded!
438Connection to host.example.com 25 port [tcp/smtp] succeeded!
439.Ed
440.Pp
441The port range was specified to limit the search to ports 20 \- 30.
442.Pp
443Alternatively, it might be useful to know which server software
444is running, and which versions.
445This information is often contained within the greeting banners.
446In order to retrieve these, it is necessary to first make a connection,
447and then break the connection when the banner has been retrieved.
448This can be accomplished by specifying a small timeout with the
449.Fl w
450flag, or perhaps by issuing a
451.Qq Dv QUIT
452command to the server:
453.Bd -literal -offset indent
454$ echo "QUIT" | nc host.example.com 20-30
455SSH-1.99-OpenSSH_3.6.1p2
456Protocol mismatch.
457220 host.example.com IMS SMTP Receiver Version 0.84 Ready
458.Ed
459.Sh EXAMPLES
460Open a TCP connection to port 42 of host.example.com, using port 31337 as
461the source port, with a timeout of 5 seconds:
462.Pp
463.Dl $ nc -p 31337 -w 5 host.example.com 42
464.Pp
465Open a UDP connection to port 53 of host.example.com:
466.Pp
467.Dl $ nc -u host.example.com 53
468.Pp
469Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as the
470IP for the local end of the connection:
471.Pp
472.Dl $ nc -s 10.1.2.3 host.example.com 42
473.Pp
474Open a TCP connection to port 42 of host.example.com using IPsec ESP for
475incoming and outgoing traffic.
476.Pp
477.Dl $ nc -E host.example.com 42
478.Pp
479Open a TCP connection to port 42 of host.example.com using IPsec ESP for
480outgoing traffic only.
481.Pp
482.Dl $ nc -e 'out ipsec esp/transport//require' host.example.com 42
483.Pp
484Create and listen on a
485.Ux Ns -domain
486stream socket:
487.Pp
488.Dl $ nc -lU /var/tmp/dsocket
489.Pp
490Connect to port 42 of host.example.com via an HTTP proxy at 10.2.3.4,
491port 8080.
492This example could also be used by
493.Xr ssh 1 ;
494see the
495.Cm ProxyCommand
496directive in
497.Xr ssh_config 5
498for more information.
499.Pp
500.Dl $ nc -x10.2.3.4:8080 -Xconnect host.example.com 42
501.Pp
502The same example again, this time enabling proxy authentication with username
503.Dq ruser
504if the proxy requires it:
505.Pp
506.Dl $ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42
507.Sh EXIT STATUS
508.Ex -std
509.Sh SEE ALSO
510.Xr cat 1 ,
511.Xr setfib 1 ,
512.Xr ssh 1 ,
513.Xr tcp 4
514.Sh AUTHORS
515Original implementation by *Hobbit*
516.Aq Mt hobbit@avian.org .
517.br
518Rewritten with IPv6 support by
519.An Eric Jackson Aq Mt ericj@monkey.org .
520.Sh CAVEATS
521UDP port scans using the
522.Fl uz
523combination of flags will always report success irrespective of
524the target machine's state.
525However,
526in conjunction with a traffic sniffer either on the target machine
527or an intermediary device,
528the
529.Fl uz
530combination could be useful for communications diagnostics.
531Note that the amount of UDP traffic generated may be limited either
532due to hardware resources and/or configuration settings.
533