xref: /freebsd/contrib/netcat/nc.1 (revision b0d29bc47dba79f6f38e67eabadfb4b32ffd9390)
1.\"     $OpenBSD: nc.1,v 1.68 2015/03/26 10:35:04 tobias Exp $
2.\"
3.\" Copyright (c) 1996 David Sacerdote
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\" 3. The name of the author may not be used to endorse or promote products
15.\"    derived from this software without specific prior written permission
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27.\"
28.\" $FreeBSD$
29.\"
30.Dd August 20, 2019
31.Dt NC 1
32.Os
33.Sh NAME
34.Nm nc
35.Nd arbitrary TCP and UDP connections and listens
36.Sh SYNOPSIS
37.Nm nc
38.Bk -words
39.Op Fl 46DdEFhklMNnrStUuvz
40.Op Fl e Ar IPsec_policy
41.Op Fl I Ar length
42.Op Fl i Ar interval
43.Op Fl -no-tcpopt
44.Op Fl O Ar length
45.Op Fl P Ar proxy_username
46.Op Fl p Ar source_port
47.Op Fl s Ar source
48.Op Fl T Ar toskeyword
49.Op Fl V Ar rtable
50.Op Fl w Ar timeout
51.Op Fl X Ar proxy_protocol
52.Oo Xo
53.Fl x Ar proxy_address Ns Oo : Ns
54.Ar port Oc
55.Xc Oc
56.Op Ar destination
57.Op Ar port
58.Ek
59.Sh DESCRIPTION
60The
61.Nm
62(or
63.Nm netcat )
64utility is used for just about anything under the sun involving TCP,
65UDP, or
66.Ux Ns -domain
67sockets.
68It can open TCP connections, send UDP packets, listen on arbitrary
69TCP and UDP ports, do port scanning, and deal with both IPv4 and
70IPv6.
71Unlike
72.Xr telnet 1 ,
73.Nm
74scripts nicely, and separates error messages onto standard error instead
75of sending them to standard output, as
76.Xr telnet 1
77does with some.
78.Pp
79Common uses include:
80.Pp
81.Bl -bullet -offset indent -compact
82.It
83simple TCP proxies
84.It
85shell-script based HTTP clients and servers
86.It
87network daemon testing
88.It
89a SOCKS or HTTP ProxyCommand for
90.Xr ssh 1
91.It
92and much, much more
93.El
94.Pp
95The options are as follows:
96.Bl -tag -width Ds
97.It Fl 4
98Forces
99.Nm
100to use IPv4 addresses only.
101.It Fl 6
102Forces
103.Nm
104to use IPv6 addresses only.
105.It Fl D
106Enable debugging on the socket.
107.It Fl d
108Do not attempt to read from stdin.
109.It Fl E
110Shortcut for
111.Qo
112.Li "-e 'in ipsec esp/transport//require'"
113.Li "-e 'out ipsec esp/transport//require'"
114.Qc ,
115which enables IPsec ESP transport mode in both
116directions.
117.It Fl e
118If IPsec support is available, then one can specify the IPsec policies
119to be used using the syntax described in
120.Xr ipsec_set_policy 3 .
121This flag can be specified up to two times, as typically one policy for
122each direction is needed.
123.It Fl F
124Pass the first connected socket using
125.Xr sendmsg 2
126to stdout and exit.
127This is useful in conjunction with
128.Fl X
129to have
130.Nm
131perform connection setup with a proxy but then leave the rest of the
132connection to another program (e.g.\&
133.Xr ssh 1
134using the
135.Xr ssh_config 5
136.Cm ProxyUseFdpass
137option).
138.It Fl h
139Prints out
140.Nm
141help.
142.It Fl I Ar length
143Specifies the size of the TCP receive buffer.
144.It Fl i Ar interval
145Specifies a delay time interval between lines of text sent and received.
146Also causes a delay time between connections to multiple ports.
147.It Fl k
148Forces
149.Nm
150to stay listening for another connection after its current connection
151is completed.
152It is an error to use this option without the
153.Fl l
154option.
155When used together with the
156.Fl u
157option, the server socket is not connected and it can receive UDP datagrams from
158multiple hosts.
159.It Fl l
160Used to specify that
161.Nm
162should listen for an incoming connection rather than initiate a
163connection to a remote host.
164It is an error to use this option in conjunction with the
165.Fl p ,
166.Fl s ,
167or
168.Fl z
169options.
170Additionally, any timeouts specified with the
171.Fl w
172option are ignored.
173.It Fl M
174Collect per-connection TCP statistics using the
175.Xr stats 3
176framework and print them in JSON format to
177.Xr stderr 4
178after the connection is closed.
179.It Fl N
180.Xr shutdown 2
181the network socket after EOF on the input.
182Some servers require this to finish their work.
183.It Fl n
184Do not do any DNS or service lookups on any specified addresses,
185hostnames or ports.
186.It Fl -no-tcpopt
187Disables the use of TCP options on the socket, by setting the boolean
188TCP_NOOPT
189socket option.
190.It Fl O Ar length
191Specifies the size of the TCP send buffer.
192.It Fl P Ar proxy_username
193Specifies a username to present to a proxy server that requires authentication.
194If no username is specified then authentication will not be attempted.
195Proxy authentication is only supported for HTTP CONNECT proxies at present.
196.It Fl p Ar source_port
197Specifies the source port
198.Nm
199should use, subject to privilege restrictions and availability.
200It is an error to use this option in conjunction with the
201.Fl l
202option.
203.It Fl r
204Specifies that source and/or destination ports should be chosen randomly
205instead of sequentially within a range or in the order that the system
206assigns them.
207.It Fl S
208Enables the RFC 2385 TCP MD5 signature option.
209.It Fl s Ar source
210Specifies the IP of the interface which is used to send the packets.
211For
212.Ux Ns -domain
213datagram sockets, specifies the local temporary socket file
214to create and use so that datagrams can be received.
215It is an error to use this option in conjunction with the
216.Fl l
217option.
218.It Fl T Ar toskeyword
219Change IPv4 TOS value.
220.Ar toskeyword
221may be one of
222.Ar critical ,
223.Ar inetcontrol ,
224.Ar lowdelay ,
225.Ar netcontrol ,
226.Ar throughput ,
227.Ar reliability ,
228or one of the DiffServ Code Points:
229.Ar ef ,
230.Ar af11 ... af43 ,
231.Ar cs0 ... cs7 ;
232or a number in either hex or decimal.
233.It Fl t
234Causes
235.Nm
236to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests.
237This makes it possible to use
238.Nm
239to script telnet sessions.
240.It Fl U
241Specifies to use
242.Ux Ns -domain
243sockets.
244.It Fl u
245Use UDP instead of the default option of TCP.
246For
247.Ux Ns -domain
248sockets, use a datagram socket instead of a stream socket.
249If a
250.Ux Ns -domain
251socket is used, a temporary receiving socket is created in
252.Pa /tmp
253unless the
254.Fl s
255flag is given.
256.It Fl V Ar rtable
257Set the routing table
258.Pq Dq FIB
259to be used.
260.It Fl v
261Have
262.Nm
263give more verbose output.
264.It Fl w Ar timeout
265Connections which cannot be established or are idle timeout after
266.Ar timeout
267seconds.
268The
269.Fl w
270flag has no effect on the
271.Fl l
272option, i.e.\&
273.Nm
274will listen forever for a connection, with or without the
275.Fl w
276flag.
277The default is no timeout.
278.It Fl X Ar proxy_protocol
279Requests that
280.Nm
281should use the specified protocol when talking to the proxy server.
282Supported protocols are
283.Dq 4
284(SOCKS v.4),
285.Dq 5
286(SOCKS v.5)
287and
288.Dq connect
289(HTTPS proxy).
290If the protocol is not specified, SOCKS version 5 is used.
291.It Xo
292.Fl x Ar proxy_address Ns Oo : Ns
293.Ar port Oc
294.Xc
295Requests that
296.Nm
297should connect to
298.Ar destination
299using a proxy at
300.Ar proxy_address
301and
302.Ar port .
303If
304.Ar port
305is not specified, the well-known port for the proxy protocol is used (1080
306for SOCKS, 3128 for HTTPS).
307.It Fl z
308Specifies that
309.Nm
310should just scan for listening daemons, without sending any data to them.
311It is an error to use this option in conjunction with the
312.Fl l
313option.
314.El
315.Pp
316.Ar destination
317can be a numerical IP address or a symbolic hostname
318(unless the
319.Fl n
320option is given).
321In general, a destination must be specified,
322unless the
323.Fl l
324option is given
325(in which case the local host is used).
326For
327.Ux Ns -domain
328sockets, a destination is required and is the socket path to connect to
329(or listen on if the
330.Fl l
331option is given).
332.Pp
333.Ar port
334can be a single integer or a range of ports.
335Ranges are in the form nn-mm.
336In general,
337a destination port must be specified,
338unless the
339.Fl U
340option is given.
341.Sh CLIENT/SERVER MODEL
342It is quite simple to build a very basic client/server model using
343.Nm .
344On one console, start
345.Nm
346listening on a specific port for a connection.
347For example:
348.Pp
349.Dl $ nc -l 1234
350.Pp
351.Nm
352is now listening on port 1234 for a connection.
353On a second console
354.Pq or a second machine ,
355connect to the machine and port being listened on:
356.Pp
357.Dl $ nc 127.0.0.1 1234
358.Pp
359There should now be a connection between the ports.
360Anything typed at the second console will be concatenated to the first,
361and vice-versa.
362After the connection has been set up,
363.Nm
364does not really care which side is being used as a
365.Sq server
366and which side is being used as a
367.Sq client .
368The connection may be terminated using an
369.Dv EOF
370.Pq Sq ^D .
371.Sh DATA TRANSFER
372The example in the previous section can be expanded to build a
373basic data transfer model.
374Any information input into one end of the connection will be output
375to the other end, and input and output can be easily captured in order to
376emulate file transfer.
377.Pp
378Start by using
379.Nm
380to listen on a specific port, with output captured into a file:
381.Pp
382.Dl $ nc -l 1234 \*(Gt filename.out
383.Pp
384Using a second machine, connect to the listening
385.Nm
386process, feeding it the file which is to be transferred:
387.Pp
388.Dl $ nc -N host.example.com 1234 \*(Lt filename.in
389.Pp
390After the file has been transferred, the connection will close automatically.
391.Sh TALKING TO SERVERS
392It is sometimes useful to talk to servers
393.Dq by hand
394rather than through a user interface.
395It can aid in troubleshooting,
396when it might be necessary to verify what data a server is sending
397in response to commands issued by the client.
398For example, to retrieve the home page of a web site:
399.Bd -literal -offset indent
400$ printf "GET / HTTP/1.0\er\en\er\en" | nc host.example.com 80
401.Ed
402.Pp
403Note that this also displays the headers sent by the web server.
404They can be filtered, using a tool such as
405.Xr sed 1 ,
406if necessary.
407.Pp
408More complicated examples can be built up when the user knows the format
409of requests required by the server.
410As another example, an email may be submitted to an SMTP server using:
411.Bd -literal -offset indent
412$ nc localhost 25 \*(Lt\*(Lt EOF
413HELO host.example.com
414MAIL FROM:\*(Ltuser@host.example.com\*(Gt
415RCPT TO:\*(Ltuser2@host.example.com\*(Gt
416DATA
417Body of email.
418\&.
419QUIT
420EOF
421.Ed
422.Sh PORT SCANNING
423It may be useful to know which ports are open and running services on
424a target machine.
425The
426.Fl z
427flag can be used to tell
428.Nm
429to report open ports,
430rather than initiate a connection.
431For example:
432.Bd -literal -offset indent
433$ nc -z host.example.com 20-30
434Connection to host.example.com 22 port [tcp/ssh] succeeded!
435Connection to host.example.com 25 port [tcp/smtp] succeeded!
436.Ed
437.Pp
438The port range was specified to limit the search to ports 20 \- 30.
439.Pp
440Alternatively, it might be useful to know which server software
441is running, and which versions.
442This information is often contained within the greeting banners.
443In order to retrieve these, it is necessary to first make a connection,
444and then break the connection when the banner has been retrieved.
445This can be accomplished by specifying a small timeout with the
446.Fl w
447flag, or perhaps by issuing a
448.Qq Dv QUIT
449command to the server:
450.Bd -literal -offset indent
451$ echo "QUIT" | nc host.example.com 20-30
452SSH-1.99-OpenSSH_3.6.1p2
453Protocol mismatch.
454220 host.example.com IMS SMTP Receiver Version 0.84 Ready
455.Ed
456.Sh EXAMPLES
457Open a TCP connection to port 42 of host.example.com, using port 31337 as
458the source port, with a timeout of 5 seconds:
459.Pp
460.Dl $ nc -p 31337 -w 5 host.example.com 42
461.Pp
462Open a UDP connection to port 53 of host.example.com:
463.Pp
464.Dl $ nc -u host.example.com 53
465.Pp
466Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as the
467IP for the local end of the connection:
468.Pp
469.Dl $ nc -s 10.1.2.3 host.example.com 42
470.Pp
471Open a TCP connection to port 42 of host.example.com using IPsec ESP for
472incoming and outgoing traffic.
473.Pp
474.Dl $ nc -E host.example.com 42
475.Pp
476Open a TCP connection to port 42 of host.example.com using IPsec ESP for
477outgoing traffic only.
478.Pp
479.Dl $ nc -e 'out ipsec esp/transport//require' host.example.com 42
480.Pp
481Create and listen on a
482.Ux Ns -domain
483stream socket:
484.Pp
485.Dl $ nc -lU /var/tmp/dsocket
486.Pp
487Connect to port 42 of host.example.com via an HTTP proxy at 10.2.3.4,
488port 8080.
489This example could also be used by
490.Xr ssh 1 ;
491see the
492.Cm ProxyCommand
493directive in
494.Xr ssh_config 5
495for more information.
496.Pp
497.Dl $ nc -x10.2.3.4:8080 -Xconnect host.example.com 42
498.Pp
499The same example again, this time enabling proxy authentication with username
500.Dq ruser
501if the proxy requires it:
502.Pp
503.Dl $ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42
504.Sh EXIT STATUS
505.Ex -std
506.Sh SEE ALSO
507.Xr cat 1 ,
508.Xr setfib 1 ,
509.Xr ssh 1 ,
510.Xr tcp 4
511.Sh AUTHORS
512Original implementation by *Hobbit*
513.Aq Mt hobbit@avian.org .
514.br
515Rewritten with IPv6 support by
516.An Eric Jackson Aq Mt ericj@monkey.org .
517.Sh CAVEATS
518UDP port scans using the
519.Fl uz
520combination of flags will always report success irrespective of
521the target machine's state.
522However,
523in conjunction with a traffic sniffer either on the target machine
524or an intermediary device,
525the
526.Fl uz
527combination could be useful for communications diagnostics.
528Note that the amount of UDP traffic generated may be limited either
529due to hardware resources and/or configuration settings.
530