xref: /freebsd/contrib/netcat/nc.1 (revision af23369a6deaaeb612ab266eb88b8bb8d560c322)
1.\"     $OpenBSD: nc.1,v 1.68 2015/03/26 10:35:04 tobias Exp $
2.\"
3.\" Copyright (c) 1996 David Sacerdote
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\" 3. The name of the author may not be used to endorse or promote products
15.\"    derived from this software without specific prior written permission
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27.\"
28.\" $FreeBSD$
29.\"
30.Dd January 17, 2023
31.Dt NC 1
32.Os
33.Sh NAME
34.Nm nc
35.Nd arbitrary TCP and UDP connections and listens
36.Sh SYNOPSIS
37.Nm nc
38.Bk -words
39.Op Fl 46DdEFhklMNnrStUuvz
40.Op Fl e Ar IPsec_policy
41.Op Fl I Ar length
42.Op Fl i Ar interval
43.Op Fl -no-tcpopt
44.Op Fl -sctp
45.Op Fl O Ar length
46.Op Fl P Ar proxy_username
47.Op Fl p Ar source_port
48.Op Fl s Ar source
49.Op Fl T Ar toskeyword
50.Op Fl -tun Ar tundev
51.Op Fl V Ar rtable
52.Op Fl w Ar timeout
53.Op Fl X Ar proxy_protocol
54.Oo Xo
55.Fl x Ar proxy_address Ns Oo : Ns
56.Ar port Oc
57.Xc Oc
58.Op Ar destination
59.Op Ar port
60.Ek
61.Sh DESCRIPTION
62The
63.Nm
64(or
65.Nm netcat )
66utility is used for just about anything under the sun involving TCP,
67UDP, or
68.Ux Ns -domain
69sockets.
70It can open TCP connections, send UDP packets, listen on arbitrary
71TCP and UDP ports, do port scanning, and deal with both IPv4 and
72IPv6.
73Unlike
74.Xr telnet 1 ,
75.Nm
76scripts nicely, and separates error messages onto standard error instead
77of sending them to standard output, as
78.Xr telnet 1
79does with some.
80.Pp
81Common uses include:
82.Pp
83.Bl -bullet -offset indent -compact
84.It
85simple TCP proxies
86.It
87shell-script based HTTP clients and servers
88.It
89network daemon testing
90.It
91a SOCKS or HTTP ProxyCommand for
92.Xr ssh 1
93.It
94and much, much more
95.El
96.Pp
97The options are as follows:
98.Bl -tag -width Ds
99.It Fl 4
100Forces
101.Nm
102to use IPv4 addresses only.
103.It Fl 6
104Forces
105.Nm
106to use IPv6 addresses only.
107.It Fl D
108Enable debugging on the socket.
109.It Fl d
110Do not attempt to read from stdin.
111.It Fl E
112Shortcut for
113.Qo
114.Li "-e 'in ipsec esp/transport//require'"
115.Li "-e 'out ipsec esp/transport//require'"
116.Qc ,
117which enables IPsec ESP transport mode in both
118directions.
119.It Fl e
120If IPsec support is available, then one can specify the IPsec policies
121to be used using the syntax described in
122.Xr ipsec_set_policy 3 .
123This flag can be specified up to two times, as typically one policy for
124each direction is needed.
125.It Fl F
126Pass the first connected socket using
127.Xr sendmsg 2
128to stdout and exit.
129This is useful in conjunction with
130.Fl X
131to have
132.Nm
133perform connection setup with a proxy but then leave the rest of the
134connection to another program (e.g.\&
135.Xr ssh 1
136using the
137.Xr ssh_config 5
138.Cm ProxyUseFdpass
139option).
140.It Fl h
141Prints out
142.Nm
143help.
144.It Fl I Ar length
145Specifies the size of the TCP receive buffer.
146.It Fl i Ar interval
147Specifies a delay time interval between lines of text sent and received.
148Also causes a delay time between connections to multiple ports.
149.It Fl k
150Forces
151.Nm
152to stay listening for another connection after its current connection
153is completed.
154It is an error to use this option without the
155.Fl l
156option.
157When used together with the
158.Fl u
159option, the server socket is not connected and it can receive UDP datagrams from
160multiple hosts.
161.It Fl l
162Used to specify that
163.Nm
164should listen for an incoming connection rather than initiate a
165connection to a remote host.
166It is an error to use this option in conjunction with the
167.Fl p ,
168.Fl s ,
169or
170.Fl z
171options.
172Additionally, any timeouts specified with the
173.Fl w
174option are ignored.
175.It Fl M
176Collect per-connection TCP statistics using the
177.Xr stats 3
178framework and print them in JSON format to
179.Xr stderr 4
180after the connection is closed.
181.It Fl N
182.Xr shutdown 2
183the network socket after EOF on the input.
184Some servers require this to finish their work.
185.It Fl n
186Do not do any DNS or service lookups on any specified addresses,
187hostnames or ports.
188.It Fl -no-tcpopt
189Disables the use of TCP options on the socket, by setting the boolean
190TCP_NOOPT
191socket option.
192.It Fl -sctp
193Use SCTP instead of the default option of TCP.
194.It Fl O Ar length
195Specifies the size of the TCP send buffer.
196.It Fl P Ar proxy_username
197Specifies a username to present to a proxy server that requires authentication.
198If no username is specified then authentication will not be attempted.
199Proxy authentication is only supported for HTTP CONNECT proxies at present.
200.It Fl p Ar source_port
201Specifies the source port
202.Nm
203should use, subject to privilege restrictions and availability.
204It is an error to use this option in conjunction with the
205.Fl l
206option.
207.It Fl r
208Specifies that source and/or destination ports should be chosen randomly
209instead of sequentially within a range or in the order that the system
210assigns them.
211.It Fl S
212Enables the RFC 2385 TCP MD5 signature option.
213.It Fl s Ar source
214Specifies the IP of the interface which is used to send the packets.
215For
216.Ux Ns -domain
217datagram sockets, specifies the local temporary socket file
218to create and use so that datagrams can be received.
219It is an error to use this option in conjunction with the
220.Fl l
221option.
222.It Fl T Ar toskeyword
223Change IPv4 TOS value.
224.Ar toskeyword
225may be one of
226.Ar critical ,
227.Ar inetcontrol ,
228.Ar lowdelay ,
229.Ar netcontrol ,
230.Ar throughput ,
231.Ar reliability ,
232or one of the DiffServ Code Points:
233.Ar ef ,
234.Ar af11 ... af43 ,
235.Ar cs0 ... cs7 ;
236or a number in either hex or decimal.
237.It Fl t
238Causes
239.Nm
240to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests.
241This makes it possible to use
242.Nm
243to script telnet sessions.
244.It Fl -tun Ar tundev
245Causes
246.Nm
247to use the provided
248.Xr tun 4
249for input and output rather than the default of stdin and stdout.
250.It Fl U
251Specifies to use
252.Ux Ns -domain
253sockets.
254.It Fl u
255Use UDP instead of the default option of TCP.
256For
257.Ux Ns -domain
258sockets, use a datagram socket instead of a stream socket.
259If a
260.Ux Ns -domain
261socket is used, a temporary receiving socket is created in
262.Pa /tmp
263unless the
264.Fl s
265flag is given.
266.It Fl V Ar rtable
267Set the routing table
268.Pq Dq FIB
269to be used.
270.It Fl v
271Have
272.Nm
273give more verbose output.
274.It Fl w Ar timeout
275Connections which cannot be established or are idle timeout after
276.Ar timeout
277seconds.
278The
279.Fl w
280flag has no effect on the
281.Fl l
282option, i.e.\&
283.Nm
284will listen forever for a connection, with or without the
285.Fl w
286flag.
287The default is no timeout.
288.It Fl X Ar proxy_protocol
289Requests that
290.Nm
291should use the specified protocol when talking to the proxy server.
292Supported protocols are
293.Dq 4
294(SOCKS v.4),
295.Dq 5
296(SOCKS v.5)
297and
298.Dq connect
299(HTTPS proxy).
300If the protocol is not specified, SOCKS version 5 is used.
301.It Xo
302.Fl x Ar proxy_address Ns Oo : Ns
303.Ar port Oc
304.Xc
305Requests that
306.Nm
307should connect to
308.Ar destination
309using a proxy at
310.Ar proxy_address
311and
312.Ar port .
313If
314.Ar port
315is not specified, the well-known port for the proxy protocol is used (1080
316for SOCKS, 3128 for HTTPS).
317.It Fl z
318Specifies that
319.Nm
320should just scan for listening daemons, without sending any data to them.
321It is an error to use this option in conjunction with the
322.Fl l
323option.
324.El
325.Pp
326.Ar destination
327can be a numerical IP address or a symbolic hostname
328(unless the
329.Fl n
330option is given).
331In general, a destination must be specified,
332unless the
333.Fl l
334option is given
335(in which case the local host is used).
336For
337.Ux Ns -domain
338sockets, a destination is required and is the socket path to connect to
339(or listen on if the
340.Fl l
341option is given).
342.Pp
343.Ar port
344can be a single integer or a range of ports.
345Ranges are in the form nn-mm.
346In general,
347a destination port must be specified,
348unless the
349.Fl U
350option is given.
351.Sh CLIENT/SERVER MODEL
352It is quite simple to build a very basic client/server model using
353.Nm .
354On one console, start
355.Nm
356listening on a specific port for a connection.
357For example:
358.Pp
359.Dl $ nc -l 1234
360.Pp
361.Nm
362is now listening on port 1234 for a connection.
363On a second console
364.Pq or a second machine ,
365connect to the machine and port being listened on:
366.Pp
367.Dl $ nc 127.0.0.1 1234
368.Pp
369There should now be a connection between the ports.
370Anything typed at the second console will be concatenated to the first,
371and vice-versa.
372After the connection has been set up,
373.Nm
374does not really care which side is being used as a
375.Sq server
376and which side is being used as a
377.Sq client .
378The connection may be terminated using an
379.Dv EOF
380.Pq Sq ^D .
381.Sh DATA TRANSFER
382The example in the previous section can be expanded to build a
383basic data transfer model.
384Any information input into one end of the connection will be output
385to the other end, and input and output can be easily captured in order to
386emulate file transfer.
387.Pp
388Start by using
389.Nm
390to listen on a specific port, with output captured into a file:
391.Pp
392.Dl $ nc -l 1234 \*(Gt filename.out
393.Pp
394Using a second machine, connect to the listening
395.Nm
396process, feeding it the file which is to be transferred:
397.Pp
398.Dl $ nc -N host.example.com 1234 \*(Lt filename.in
399.Pp
400After the file has been transferred, the connection will close automatically.
401.Sh TALKING TO SERVERS
402It is sometimes useful to talk to servers
403.Dq by hand
404rather than through a user interface.
405It can aid in troubleshooting,
406when it might be necessary to verify what data a server is sending
407in response to commands issued by the client.
408For example, to retrieve the home page of a web site:
409.Bd -literal -offset indent
410$ printf "GET / HTTP/1.0\er\en\er\en" | nc host.example.com 80
411.Ed
412.Pp
413Note that this also displays the headers sent by the web server.
414They can be filtered, using a tool such as
415.Xr sed 1 ,
416if necessary.
417.Pp
418More complicated examples can be built up when the user knows the format
419of requests required by the server.
420As another example, an email may be submitted to an SMTP server using:
421.Bd -literal -offset indent
422$ nc localhost 25 \*(Lt\*(Lt EOF
423HELO host.example.com
424MAIL FROM:\*(Ltuser@host.example.com\*(Gt
425RCPT TO:\*(Ltuser2@host.example.com\*(Gt
426DATA
427Body of email.
428\&.
429QUIT
430EOF
431.Ed
432.Sh PORT SCANNING
433It may be useful to know which ports are open and running services on
434a target machine.
435The
436.Fl z
437flag can be used to tell
438.Nm
439to report open ports,
440rather than initiate a connection.
441For example:
442.Bd -literal -offset indent
443$ nc -z host.example.com 20-30
444Connection to host.example.com 22 port [tcp/ssh] succeeded!
445Connection to host.example.com 25 port [tcp/smtp] succeeded!
446.Ed
447.Pp
448The port range was specified to limit the search to ports 20 \- 30.
449.Pp
450Alternatively, it might be useful to know which server software
451is running, and which versions.
452This information is often contained within the greeting banners.
453In order to retrieve these, it is necessary to first make a connection,
454and then break the connection when the banner has been retrieved.
455This can be accomplished by specifying a small timeout with the
456.Fl w
457flag, or perhaps by issuing a
458.Qq Dv QUIT
459command to the server:
460.Bd -literal -offset indent
461$ echo "QUIT" | nc host.example.com 20-30
462SSH-1.99-OpenSSH_3.6.1p2
463Protocol mismatch.
464220 host.example.com IMS SMTP Receiver Version 0.84 Ready
465.Ed
466.Sh EXAMPLES
467Open a TCP connection to port 42 of host.example.com, using port 31337 as
468the source port, with a timeout of 5 seconds:
469.Pp
470.Dl $ nc -p 31337 -w 5 host.example.com 42
471.Pp
472Open a UDP connection to port 53 of host.example.com:
473.Pp
474.Dl $ nc -u host.example.com 53
475.Pp
476Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as the
477IP for the local end of the connection:
478.Pp
479.Dl $ nc -s 10.1.2.3 host.example.com 42
480.Pp
481Open a TCP connection to port 42 of host.example.com using IPsec ESP for
482incoming and outgoing traffic.
483.Pp
484.Dl $ nc -E host.example.com 42
485.Pp
486Open a TCP connection to port 42 of host.example.com using IPsec ESP for
487outgoing traffic only.
488.Pp
489.Dl $ nc -e 'out ipsec esp/transport//require' host.example.com 42
490.Pp
491Create and listen on a
492.Ux Ns -domain
493stream socket:
494.Pp
495.Dl $ nc -lU /var/tmp/dsocket
496.Pp
497Connect to port 42 of host.example.com via an HTTP proxy at 10.2.3.4,
498port 8080.
499This example could also be used by
500.Xr ssh 1 ;
501see the
502.Cm ProxyCommand
503directive in
504.Xr ssh_config 5
505for more information.
506.Pp
507.Dl $ nc -x10.2.3.4:8080 -Xconnect host.example.com 42
508.Pp
509The same example again, this time enabling proxy authentication with username
510.Dq ruser
511if the proxy requires it:
512.Pp
513.Dl $ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42
514.Sh EXIT STATUS
515.Ex -std
516.Sh SEE ALSO
517.Xr cat 1 ,
518.Xr setfib 1 ,
519.Xr ssh 1 ,
520.Xr tcp 4
521.Sh AUTHORS
522Original implementation by *Hobbit*
523.Aq Mt hobbit@avian.org .
524.br
525Rewritten with IPv6 support by
526.An Eric Jackson Aq Mt ericj@monkey.org .
527.Sh CAVEATS
528UDP port scans using the
529.Fl uz
530combination of flags will always report success irrespective of
531the target machine's state.
532However,
533in conjunction with a traffic sniffer either on the target machine
534or an intermediary device,
535the
536.Fl uz
537combination could be useful for communications diagnostics.
538Note that the amount of UDP traffic generated may be limited either
539due to hardware resources and/or configuration settings.
540