xref: /freebsd/contrib/netcat/nc.1 (revision b1d046441de9053152c7cf03d6b60d9882687e1b)
.\"     $OpenBSD: nc.1,v 1.57 2011/01/09 22:16:46 jeremy Exp $
.\"
.\" Copyright (c) 1996 David Sacerdote
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd January 8, 2011
.Dt NC 1
.Os
.Sh NAME
.Nm nc
.Nd arbitrary TCP and UDP connections and listens
.Sh SYNOPSIS
.Nm nc
.Bk -words
.Op Fl 46DdEhklnrStUuvz
.Op Fl e Ar IPsec_policy
.Op Fl I Ar length
.Op Fl i Ar interval
.Op Fl -no-tcpopt
.Op Fl O Ar length
.Op Fl P Ar proxy_username
.Op Fl p Ar source_port
.Op Fl s Ar source
.Op Fl T Ar ToS
.Op Fl V Ar rtable
.Op Fl w Ar timeout
.Op Fl X Ar proxy_protocol
.Oo Xo
.Fl x Ar proxy_address Ns Oo : Ns
.Ar port Oc
.Xc Oc
.Op Ar destination
.Op Ar port
.Ek
.Sh DESCRIPTION
The
.Nm
(or
.Nm netcat )
utility is used for just about anything under the sun involving TCP,
UDP, or
.Ux Ns -domain
sockets.
It can open TCP connections, send UDP packets, listen on arbitrary
TCP and UDP ports, do port scanning, and deal with both IPv4 and
IPv6.
Unlike
.Xr telnet 1 ,
.Nm
scripts nicely, and separates error messages onto standard error instead
of sending them to standard output, as
.Xr telnet 1
does with some.
.Pp
Common uses include:
.Pp
.Bl -bullet -offset indent -compact
.It
simple TCP proxies
.It
shell-script based HTTP clients and servers
.It
network daemon testing
.It
a SOCKS or HTTP ProxyCommand for
.Xr ssh 1
.It
and much, much more
.El
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
Forces
.Nm
to use IPv4 addresses only.
.It Fl 6
Forces
.Nm
to use IPv6 addresses only.
.It Fl D
Enable debugging on the socket.
.It Fl d
Do not attempt to read from stdin.
.It Fl E
Shortcut for
.Qo
.Li "-e 'in ipsec esp/transport//require'"
.Li "-e 'out ipsec esp/transport//require'"
.Qc ,
which enables IPsec ESP transport mode in both
directions.
.It Fl e
If IPsec support is available, then one can specify the IPsec policies
to be used using the syntax described in
.Xr ipsec_set_policy 3 .
This flag can be specified up to two times, as typically one policy for
each direction is needed.
.It Fl h
Prints out
.Nm
help.
.It Fl I Ar length
Specifies the size of the TCP receive buffer.
.It Fl i Ar interval
Specifies a delay time interval between lines of text sent and received.
Also causes a delay time between connections to multiple ports.
.It Fl k
Forces
.Nm
to stay listening for another connection after its current connection
is completed.
It is an error to use this option without the
.Fl l
option.
.It Fl l
Used to specify that
.Nm
should listen for an incoming connection rather than initiate a
connection to a remote host.
It is an error to use this option in conjunction with the
.Fl p ,
.Fl s ,
or
.Fl z
options.
Additionally, any timeouts specified with the
.Fl w
option are ignored.
.It Fl n
Do not do any DNS or service lookups on any specified addresses,
hostnames or ports.
.It Fl -no-tcpopt
Disables the use of TCP options on the socket, by setting the boolean
TCP_NOOPT
socket option.
.It Fl O Ar length
Specifies the size of the TCP send buffer.
.It Fl P Ar proxy_username
Specifies a username to present to a proxy server that requires authentication.
If no username is specified then authentication will not be attempted.
Proxy authentication is only supported for HTTP CONNECT proxies at present.
.It Fl p Ar source_port
Specifies the source port
.Nm
should use, subject to privilege restrictions and availability.
It is an error to use this option in conjunction with the
.Fl l
option.
.It Fl r
Specifies that source and/or destination ports should be chosen randomly
instead of sequentially within a range or in the order that the system
assigns them.
.It Fl S
Enables the RFC 2385 TCP MD5 signature option.
.It Fl s Ar source
Specifies the IP of the interface which is used to send the packets.
For
.Ux Ns -domain
datagram sockets, specifies the local temporary socket file
to create and use so that datagrams can be received.
It is an error to use this option in conjunction with the
.Fl l
option.
.It Fl T Ar ToS
Specifies IP Type of Service (ToS) for the connection.
Valid values are the tokens
.Dq lowdelay ,
.Dq throughput ,
.Dq reliability ,
or an 8-bit hexadecimal value preceded by
.Dq 0x .
.It Fl t
Causes
.Nm
to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests.
This makes it possible to use
.Nm
to script telnet sessions.
.It Fl U
Specifies to use
.Ux Ns -domain
sockets.
.It Fl u
Use UDP instead of the default option of TCP.
For
.Ux Ns -domain
sockets, use a datagram socket instead of a stream socket.
If a
.Ux Ns -domain
socket is used, a temporary receiving socket is created in
.Pa /tmp
unless the
.Fl s
flag is given.
.It Fl V Ar rtable
Set the routing table
.Pq Dq FIB
to be used.
The default is 0.
.It Fl v
Have
.Nm
give more verbose output.
.It Fl w Ar timeout
If a connection and stdin are idle for more than
.Ar timeout
seconds, then the connection is silently closed.
The
.Fl w
flag has no effect on the
.Fl l
option, i.e.\&
.Nm
will listen forever for a connection, with or without the
.Fl w
flag.
The default is no timeout.
.It Fl X Ar proxy_protocol
Requests that
.Nm
should use the specified protocol when talking to the proxy server.
Supported protocols are
.Dq 4
(SOCKS v.4),
.Dq 5
(SOCKS v.5)
and
.Dq connect
(HTTPS proxy).
If the protocol is not specified, SOCKS version 5 is used.
.It Xo
.Fl x Ar proxy_address Ns Oo : Ns
.Ar port Oc
.Xc
Requests that
.Nm
should connect to
.Ar destination
using a proxy at
.Ar proxy_address
and
.Ar port .
If
.Ar port
is not specified, the well-known port for the proxy protocol is used (1080
for SOCKS, 3128 for HTTPS).
.It Fl z
Specifies that
.Nm
should just scan for listening daemons, without sending any data to them.
It is an error to use this option in conjunction with the
.Fl l
option.
.El
.Pp
.Ar destination
can be a numerical IP address or a symbolic hostname
(unless the
.Fl n
option is given).
In general, a destination must be specified,
unless the
.Fl l
option is given
(in which case the local host is used).
For
.Ux Ns -domain
sockets, a destination is required and is the socket path to connect to
(or listen on if the
.Fl l
option is given).
.Pp
.Ar port
can be a single integer or a range of ports.
Ranges are in the form nn-mm.
In general,
a destination port must be specified,
unless the
.Fl U
option is given.
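.Pp
The refusal exchange described for the
.Fl t
option above, as an added C example that is not taken from the
.Nm
source or from this manual page: it answers each RFC 854 DO with WON'T and each WILL with DON'T, and copes with sequences split across reads.
The names telnet_refuse and telnet_sample and the sample bytes are constructed for illustration.

```c
#include <stddef.h>

enum { WILL = 251, WONT = 252, DO = 253, DONT = 254, IAC = 255 }; /* RFC 854 */

/* Constructed sample: DO 24, WILL 1, "hi", literal 0xff, WONT 3, cut-off DO. */
const unsigned char telnet_sample[] = {
	IAC, DO, 24, IAC, WILL, 1, 'h', 'i', IAC, IAC, IAC, WONT, 3, IAC, DO
};

/*
 * Hypothetical helper: scan n received bytes and write refusals to out,
 * answering IAC DO x with IAC WONT x and IAC WILL x with IAC DONT x.
 * Returns the reply length; *consumed is how much input was fully handled,
 * so after a split sequence or a full out buffer, call again from there.
 * Assumption: SB blocks are not parsed; other commands count as two bytes.
 */
size_t
telnet_refuse(const unsigned char *in, size_t n, unsigned char *out,
    size_t outcap, size_t *consumed)
{
	size_t i = 0, o = 0;

	while (i < n) {
		if (in[i] != IAC) {		/* ordinary data */
			i++;
			continue;
		}
		if (i + 1 >= n)			/* IAC split across reads */
			break;
		if (in[i + 1] < WILL || in[i + 1] == IAC) {
			i += 2;			/* other command or literal 0xff */
			continue;
		}
		if (i + 2 >= n)			/* option byte not received yet */
			break;
		if (in[i + 1] == DO || in[i + 1] == WILL) {
			if (outcap - o < 3)	/* caller must flush out first */
				break;
			out[o++] = IAC;
			out[o++] = (in[i + 1] == DO) ? WONT : DONT;
			out[o++] = in[i + 2];
		}
		i += 3;				/* WONT and DONT get no reply */
	}
	*consumed = i;
	return o;
}
```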
.Sh CLIENT/SERVER MODEL
It is quite simple to build a very basic client/server model using
.Nm .
On one console, start
.Nm
listening on a specific port for a connection.
For example:
.Pp
.Dl $ nc -l 1234
.Pp
.Nm
is now listening on port 1234 for a connection.
On a second console
.Pq or a second machine ,
connect to the machine and port being listened on:
.Pp
.Dl $ nc 127.0.0.1 1234
.Pp
There should now be a connection between the ports.
Anything typed at the second console will be concatenated to the first,
and vice-versa.
After the connection has been set up,
.Nm
does not really care which side is being used as a
.Sq server
and which side is being used as a
.Sq client .
The connection may be terminated using an
.Dv EOF
.Pq Sq ^D .
.Sh DATA TRANSFER
The example in the previous section can be expanded to build a
basic data transfer model.
Any information input into one end of the connection will be output
to the other end, and input and output can be easily captured in order to
emulate file transfer.
.Pp
Start by using
.Nm
to listen on a specific port, with output captured into a file:
.Pp
.Dl $ nc -l 1234 \*(Gt filename.out
.Pp
Using a second machine, connect to the listening
.Nm
process, feeding it the file which is to be transferred:
.Pp
.Dl $ nc host.example.com 1234 \*(Lt filename.in
.Pp
After the file has been transferred, the connection will close automatically.
.Sh TALKING TO SERVERS
It is sometimes useful to talk to servers
.Dq by hand
rather than through a user interface.
It can aid in troubleshooting,
when it might be necessary to verify what data a server is sending
in response to commands issued by the client.
For example, to retrieve the home page of a web site:
.Bd -literal -offset indent
$ printf "GET / HTTP/1.0\er\en\er\en" | nc host.example.com 80
.Ed
.Pp
Note that this also displays the headers sent by the web server.
They can be filtered, using a tool such as
.Xr sed 1 ,
if necessary.
.Pp
More complicated examples can be built up when the user knows the format
of requests required by the server.
As another example, an email may be submitted to an SMTP server using:
.Bd -literal -offset indent
$ nc localhost 25 \*(Lt\*(Lt EOF
HELO host.example.com
MAIL FROM:\*(Ltuser@host.example.com\*(Gt
RCPT TO:\*(Ltuser2@host.example.com\*(Gt
DATA
Body of email.
\&.
QUIT
EOF
.Ed
.Sh PORT SCANNING
It may be useful to know which ports are open and running services on
a target machine.
The
.Fl z
flag can be used to tell
.Nm
to report open ports,
rather than initiate a connection.
For example:
.Bd -literal -offset indent
$ nc -z host.example.com 20-30
Connection to host.example.com 22 port [tcp/ssh] succeeded!
Connection to host.example.com 25 port [tcp/smtp] succeeded!
.Ed
.Pp
The port range was specified to limit the search to ports 20 \- 30.
.Pp
Alternatively, it might be useful to know which server software
is running, and which versions.
This information is often contained within the greeting banners.
In order to retrieve these, it is necessary to first make a connection,
and then break the connection when the banner has been retrieved.
This can be accomplished by specifying a small timeout with the
.Fl w
flag, or perhaps by issuing a
.Qq Dv QUIT
command to the server:
.Bd -literal -offset indent
$ echo "QUIT" | nc host.example.com 20-30
SSH-1.99-OpenSSH_3.6.1p2
Protocol mismatch.
220 host.example.com IMS SMTP Receiver Version 0.84 Ready
.Ed
.Sh EXAMPLES
Open a TCP connection to port 42 of host.example.com, using port 31337 as
the source port, with a timeout of 5 seconds:
.Pp
.Dl $ nc -p 31337 -w 5 host.example.com 42
.Pp
Open a UDP connection to port 53 of host.example.com:
.Pp
.Dl $ nc -u host.example.com 53
.Pp
Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as the
IP for the local end of the connection:
.Pp
.Dl $ nc -s 10.1.2.3 host.example.com 42
.Pp
Open a TCP connection to port 42 of host.example.com using IPsec ESP for
incoming and outgoing traffic.
.Pp
.Dl $ nc -E host.example.com 42
.Pp
Open a TCP connection to port 42 of host.example.com using IPsec ESP for
outgoing traffic only.
.Pp
.Dl $ nc -e 'out ipsec esp/transport//require' host.example.com 42
.Pp
Create and listen on a
.Ux Ns -domain
stream socket:
.Pp
.Dl $ nc -lU /var/tmp/dsocket
.Pp
Connect to port 42 of host.example.com via an HTTP proxy at 10.2.3.4,
port 8080.
This example could also be used by
.Xr ssh 1 ;
see the
.Cm ProxyCommand
directive in
.Xr ssh_config 5
for more information.
.Pp
.Dl $ nc -x10.2.3.4:8080 -Xconnect host.example.com 42
.Pp
The same example again, this time enabling proxy authentication with username
.Dq ruser
if the proxy requires it:
.Pp
.Dl $ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42
.Sh EXIT STATUS
.Ex -std
.Sh SEE ALSO
.Xr cat 1 ,
.Xr setfib 1 ,
.Xr ssh 1 ,
.Xr tcp 4
.Sh AUTHORS
Original implementation by *Hobbit*
.Aq hobbit@avian.org .
.br
Rewritten with IPv6 support by
.An Eric Jackson Aq ericj@monkey.org .
.Sh CAVEATS
UDP port scans will always succeed
(i.e. report the port as open),
rendering the
.Fl uz
combination of flags relatively useless.
488