xref: /illumos-gate/usr/src/man/man1/nc.1 (revision 9164a50bf932130cbb5097a16f6986873ce0e6e5)
1.\" Copyright (c) 1996 David Sacerdote All rights reserved.
2.\" Redistribution and use in source and binary forms, with or without
3.\" modification, are permitted provided that the following conditions are
4.\" met: 1. Redistributions of source code must retain the above copyright
5.\" notice, this list of conditions and the following disclaimer.
6.\"
7.\" 2. Redistributions in binary form must reproduce the above copyright
8.\" notice, this list of conditions and the following disclaimer in the
9.\" documentation and/or other materials provided with the distribution. 3.
10.\" The name of the author may not be used to endorse or promote products
11.\" derived from this
12.\"
13.\" software without specific prior written permission THIS SOFTWARE IS
14.\" PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
15.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
16.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
17.\" NO EVENT SHALL THE AUTHOR
18.\"
19.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
20.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
21.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
22.\" BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
23.\" WHETHER IN CONTRACT,
24.\"
25.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27.\" POSSIBILITY OF SUCH DAMAGE.
28.\"
29.\" Portions Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
30.\" Copyright 2024 Oxide Computer Company
31.\"
32.Dd April 27, 2024
33.Dt NC 1
34.Os
35.Sh NAME
36.Nm nc
37.Nd arbitrary TCP and UDP connections and listens
38.Sh SYNOPSIS
39.Nm
40.Fl h
41.Nm
42.Op Fl 46dnrStuvz
43.Op Fl i Ar interval
44.Op Fl M Ar ttl
45.Op Fl m Ar minttl
46.Op Fl P Ar proxy_username
47.Op Fl p Ar port
48.Op Fl s Ar source_ip_address
49.Op Fl T Ar ToS
50.Op Fl w Ar timeout
51.Op Fl X Ar proxy_protocol
52.Op Fl x Ar proxy_address Ns Op &: Ar port
53.Ar hostname
54.Ar port_list
55.Nm
56.Fl l
57.Op Fl 46DdnrStuvz
58.Op Fl i Ar interval
59.Op Fl M Ar ttl
60.Op Fl m Ar minttl
61.Op Fl T Ar ToS
62.Op Ar hostname
63.Ar port
64.Nm
65.Fl l
66.Op Fl 46DdnrStuvz
67.Op Fl i Ar interval
68.Op Fl M Ar ttl
69.Op Fl m Ar minttl
70.Op Fl T Ar ToS
71.Fl p Ar port
72.Nm
73.Fl U
74.Op Fl Ddtvz
75.Op Fl i Ar interval
76.Op Fl w Ar timeout
77.Fl p Ar path
78.Nm
79.Fl Ul
80.Op Fl 46Ddktv
81.Op Fl i Ar interval
82.Ar path
83.Sh DESCRIPTION
84The
85.Nm
86.Po
87or
88.Nm netcat
89.Pc
90utility is used for a variety of tasks associated with TCP or UDP.
91.Nm
92can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP
93ports, perform port scanning, and deal with both IPv4 and IPv6.
94Unlike
95.Xr telnet 1 ,
96.Nm
97scripts nicely, and separates error messages onto standard error instead of
98sending them to standard output.
99.Pp
100The
101.Nm
102command is often used for the following tasks:
103.Bl -bullet -width Ds
104.It
105simple TCP proxies
106.It
107shell-script based HTTP clients and servers
108.It
109network daemon testing
110.It
111a SOCKS or HTTP ProxyCommand for
112.Xr ssh 1
113.El
114.Sh OPTIONS
115The following options are supported:
116.Bl -tag -width Ds
117.It Fl 4
118Force
119.Nm
120to use IPv4 addresses only.
121.It Fl 6
122Force
123.Nm
124to use IPv6 addresses only.
125.It Fl D
126Enable debugging on the socket.
127.It Fl d
128Do not attempt to read from
129.Dv stdin .
130.It Fl h
131Print
132.Nm
133help.
134.It Fl i Ar interval
135Specify a delay time of
136.Ar interval
137between lines of text sent and received.
138This option also causes a delay time between connections to multiple ports.
139.It Fl k
140Force
141.Nm
142to listen for another connection after its current connection is closed.
143.Pp
144It is an error to use this option without the
145.Fl l
146option.
147.It Fl l
148Listen for an incoming connection rather than initiate a connection to a remote
149host.
150.Pp
151It is an error to use this option in conjunction with the
152.Fl s
153or
154.Fl z
155options.
156Additionally, any
157.Ar timeout
158specified with the
159.Fl w
160option is ignored.
161.It Fl M
162Set the default IPv4 TTL or IPv6 hop count that should be used in outgoing
163packets.
164This corresponds to the
165.Dv IP_TTL
166and
167.Dv IPV6_UNICAST_HOPS
168socket options.
169.It Fl m
170Set the minimum IPv4 TTL or IPv6 hop count that must be present on a packet for
171a packet to be received.
172This corresponds to the
173.Dv IP_MINTTL
174and
175.Dv IPV6_MINHOPCOUNT
176socket options.
177.It Fl n
178Do not do any naming or service lookups on any addresses, hostnames, or ports.
179.Pp
180Use of this option means that
181.Ar hostname
182and
183.Ar port
184arguments are restricted to numeric values.
185.Pp
186If used with
187.Fl v
188option all addresses and ports are printed in numeric form, in addition to the
189restriction imposed on the arguments.
190This option does not have any effect when used in conjunction with the
191.Fl U
192option.
193.It Fl P Ar proxy_username
194Specify a username
195.Po
196.Ar proxy_username
197.Pc
198to present to a proxy server that requires authentication.
199If
200.Ar proxy_username
201is not specified, authentication is not attempted.
202Proxy authentication is only supported for HTTP CONNECT proxies at present.
203.Pp
204It is an error to use this option in conjunction with the
205.Fl l
206option.
207.It Fl p Ar port
208When used without
209.Fl l
210option, specify the source port
211.Nm
212should use, subject to privilege restrictions and availability.
213When used with the
214.Fl l
215option, set the listen port.
216.Pp
217This option can be used with
218.Fl l
219option only provided global port argument is not specified.
220.It Fl r
221Choose source or destination ports randomly instead of sequentially within a
222range or in the order that the system assigns them.
223.Pp
224It is an error to use this option in conjunction with the
225.Fl l
226option.
227.It Fl S
228Enables the
229.%T RFC 2385
230TCP MD5 signature option.
231.Pp
232In order for packets to be sent or received in conjunction with this option, a
233security association that matches the traffic must also be created using
234.Xr tcpkey 8 .
235.It Fl s Ar source_ip_address
236Specify the IP of the interface which is used to send the packets.
237.Pp
238It is an error to use this option in conjunction with the
239.Fl l
240option.
241.It Fl T Ar ToS
242Specify IP Type of Service
243.Pq ToS
244or IPv6 traffic class for the connection.
245Valid values are the tokens:
246.Cm lowdelay ,
247.Cm throughput ,
248.Cm reliability ,
249or any decimal or hexadecimal integer between 0 and 255.
250.It Fl t
251Cause
252.Nm
253to send
254.%T RFC 854
255.Dq DON'T
256and
257.Dq WON'T
258responses to
259.%T RFC 854
260.Dq DO
261and
262.Dq WILL
263requests.
264This makes it possible to use
265.Nm
266to script telnet sessions.
267.It Fl U
268Specify the use of Unix Domain Sockets.
269If you specify this option without
270.Fl l ,
271it becomes an
272.Dv AF_UNIX
273client.
274If you specify this option with the
275.Fl l
276option, a
277.Dv AF_UNIX
278server is created.
279.Pp
280Use of this option requires that a single argument of a valid Unix domain path
281has to be provided to
282.Nm ,
283not a host name or port.
284.It Fl u
285Use UDP instead of the default option of TCP.
286.It Fl v
287Specify verbose output.
288.It Fl w Ar timeout
289Silently close the connection if a connection and
290.Dv stdin
291are idle for more than
292.Ar timeout
293seconds.
294.Pp
295This option has no effect on the
296.Fl l
297option, that is,
298.Nm
299listens forever for a connection, with or without the
300.Fl w
301flag.
302The default is no timeout.
303.It Fl X Ar proxy_protocol
304Use the specified protocol when talking to the proxy server.
305Supported protocols are 4
306.Pq SOCKS v.4 ,
3075
308.Pq SOCKS v.5
309and connect
310.Pq HTTP proxy .
311If the protocol is not specified, SOCKS v.5 is used.
312.Pp
313It is an error to use this option in conjunction with the
314.Fl l
315option.
316.It Fl x Ar proxy_address Ns Op &: Ar port
317Request connection to
318.Ar hostname
319using a proxy at
320.Ar proxy_address
321and
322.Ar port .
323If
324.Ar port
325is not specified, the well-known port for the proxy protocol is used
326.Pq 1080 for SOCKS, 3128 for HTTP .
327.Pp
328It is an error to use this option in conjunction with the
329.Fl l
330option.
331.It Fl z
332Scan for listening daemons, without sending any data to them.
333.Pp
334It is an error to use this option in conjunction with the
335.Fl l
336option.
337.El
338.Sh OPERANDS
339The following operands are supported:
340.Bl -tag -width Ds
341.It Ar hostname
342Specify host name.
343.Pp
344.Ar hostname
345can be a numerical IP address or a symbolic hostname
346.Po
347unless the
348.Fl n
349option is specified
350.Pc .
351.Pp
352In general,
353.Ar hostname
354must be specified, unless the
355.Fl l
356option is given or
357.Fl U
358is used
359.Pq in which case the argument is a path .
360If
361.Ar hostname
362argument is specified with
363.Fl l
364option then
365.Ar port
366argument must be given as well and
367.Nm
368tries to bind to that address and port.
369If
370.Ar hostname
371argument is not specified with
372.Fl l
373option then
374.Nm
375tries to listen on a wildcard socket for given
376.Ar port .
377.It Ar path
378Specify pathname.
379.It Ar port | port_list
380Specify port.
381.Pp
382.Ar port_list
383can be specified as single integers, ranges or combinations of both.
384Specify ranges in the form of nn-mm.
385The
386.Ar port_list
387must have at least one member, but can have multiple ports/ranges separated by
388commas.
389.Pp
390In general, a destination port must be specified, unless the
391.Fl U
392option is given, in which case a Unix Domain Socket path must be specified
393instead of
394.Ar hostname .
395.El
396.Sh USAGE
397.Ss Client/Server Model
398It is quite simple to build a very basic client/server model using
399.Nm .
400On one console, start
401.Nm
402listening on a specific port for a connection.
403For example, the command:
404.Pp
405.Dl $ nc -l 1234
406.Pp
407listens on port 1234 for a connection.
408On a second console
409.Pq or a second machine ,
410connect to the machine and port to which
411.Nm
412is listening:
413.Pp
414.Dl $ nc 127.0.0.1 1234
415.Pp
416There should now be a connection between the ports.
417Anything typed at the second console is concatenated to the first, and
418vice-versa.
419After the connection has been set up,
420.Nm
421does not really care which side is being used as a server and which side is
422being used as a client.
423The connection can be terminated using an EOF
424.Pq Ctrl/d .
425.Ss Data Transfer
426The example in the previous section can be expanded to build a basic data
427transfer model.
428Any information input into one end of the connection is output to the other
429end, and input and output can be easily captured in order to emulate file
430transfer.
431.Pp
432Start by using
433.Nm
434to listen on a specific port, with output captured into a file:
435.Pp
436.Dl $ nc -l 1234 > filename.out
437.Pp
438Using a second machine, connect to the listening
439.Nm
440process, feeding it the file which is to be transferred:
441.Pp
442.Dl $ nc host.example.com 1234 < filename.in
443.Pp
444After the file has been transferred, the connection closes automatically.
445.Ss Talking to Servers
446It is sometimes useful to talk to servers by hand rather than through a user
447interface.
448It can aid in troubleshooting, when it might be necessary to verify what data a
449server is sending in response to commands issued by the client.
450.Pp
451For example, to retrieve the home page of a web site:
452.Pp
453.Dl $ echo -n \&"GET / HTTP/1.0\er\en\er\en\&" | nc host.example.com 80
454.Pp
455This also displays the headers sent by the web server.
456They can be filtered, if necessary, by using a tool such as
457.Xr sed 1 .
458.Pp
459More complicated examples can be built up when the user knows the format of
460requests required by the server.
461As another example, an email can be submitted to an SMTP server using:
462.Bd -literal -offset indent
463$ nc localhost 25 << EOF
464HELO host.example.com
465MAIL FROM: <user@host.example.com>
466RCPT TO: <user2@host.example.com>
467DATA
468Body of email.
469\&.
470QUIT
471EOF
472.Ed
473.Ss Port Scanning
474It can be useful to know which ports are open and running services on a target
475machine.
476The
477.Fl z
478flag can be used to tell
479.Nm
480to report open ports, rather than to initiate a connection.
481.Pp
482In this example:
483.Bd -literal -offset indent
484$ nc -z host.example.com 20-30
485Connection to host.example.com 22 port [tcp/ssh] succeeded!
486Connection to host.example.com 25 port [tcp/smtp] succeeded!
487.Ed
488.Pp
489The port range was specified to limit the search to ports 20 - 30.
490.Pp
491Alternatively, it might be useful to know which server software is running, and
492which versions.
493This information is often contained within the greeting banners.
494In order to retrieve these, it is necessary to first make a connection, and
495then break the connection when the banner has been retrieved.
496This can be accomplished by specifying a small timeout with the
497.Fl w
498flag, or perhaps by issuing a QUIT command to the server:
499.Bd -literal -offset indent
500$ echo "QUIT" | nc host.example.com 20-30
501SSH-2.0-Sun_SSH_1.1
502Protocol mismatch.
503220 host.example.com IMS SMTP Receiver Version 0.84 Ready
504.Ed
505.Ss inetd Capabilities
506One of the possible uses is to create simple services by using
507.Xr inetd 8 .
508.Pp
509The following example creates a redirect from TCP port 8080 to port 80 on host
510realwww:
511.Bd -literal -offset indent
512# cat << EOF >> /etc/services
513wwwredir	  8080/tcp    # WWW redirect EOF
514# cat << EOF > /tmp/wwwredir.conf
515wwwredir stream tcp nowait nobody /usr/bin/nc /usr/bin/nc -w 3 realwww 80
516EOF
517# inetconv -i /tmp/wwwredir.conf
518wwwredir -> /var/svc/manifest/network/wwwredir-tcp.xml
519Importing wwwredir-tcp.xml ...Done
520# inetadm -l wwwredir/tcp
521SCOPE    NAME=VALUE
522name="wwwredir"
523endpoint_type="stream"
524proto="tcp"
525isrpc=FALSE
526wait=FALSE
527exec="/usr/bin/nc -w 3 realwww 80"
528arg0="/usr/bin/nc"
529user="nobody"
530default  bind_addr=""
531default  bind_fail_max=-1
532default  bind_fail_interval=-1
533default  max_con_rate=-1
534default  max_copies=-1
535default  con_rate_offline=-1
536default  failrate_cnt=40
537default  failrate_interval=60
538default  inherit_env=TRUE
539default  tcp_trace=TRUE
540default  tcp_wrappers=FALSE
541.Ed
542.Ss Privileges
543To bind to a privileged port number
544.Nm
545needs to be granted the
546.Sy net_privaddr
547privilege.
548If Trusted Extensions are configured and the port
549.Nm
550should listen on is configured as a multi-level port
551.Nm
552also needs the
553.Sy net_bindmlp
554privilege.
555.Pp
556Privileges can be assigned to the user or role directly, by specifying them in
557the account's default privilege set in
558.Xr user_attr 5 .
559However, this means that any application that this user or role starts have
560these additional privileges.
561To only grant the
562.Xr privileges 7
563when
564.Nm
565is invoked, the recommended approach is to create and assign an
566.Xr rbac 7
567rights profile.
568See
569.Sx EXAMPLES
570for additional information.
571.Sh EXAMPLES
572Open a TCP connection to port 42 of host.example.com, using port 3141 as the
573source port, with a timeout of 5 seconds:
574.Pp
575.Dl $ nc -p 3141 -w 5 host.example.com 42
576.Pp
577Open a UDP connection to port 53 of host.example.com:
578.Pp
579.Dl $ nc -u host.example.com 53
580.Pp
581Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as the IP
582for the local end of the connection:
583.Pp
584.Dl $ nc -s 10.1.2.3 host.example.com 42
585.Pp
586Use a list of ports and port ranges for a port scan on various ports:
587.Pp
588.Dl $ nc -z host.example.com 21-25,53,80,110-120,443
589.Pp
590Create and listen on a Unix Domain Socket:
591.Pp
592.Dl $ nc -lU /var/tmp/dsocket
593.Pp
594Create and listen on a UDP socket with associated port 8888:
595.Pp
596.Dl $ nc -u -l -p 8888
597.Pp
598which is the same as:
599.Pp
600.Dl $ nc -u -l 8888
601.Pp
602Create and listen on a TCP socket with associated port 2222 and bind to address
603127.0.0.1 only:
604.Pp
605.Dl $ nc -l 127.0.0.1 2222
606.Pp
607Connect to port 42 of host.example.com using an HTTP proxy at 10.2.3.4, port
6088080.
609This example could also be used by
610.Xr ssh 1 .
611See the
612.Cm ProxyCommand
613directive in
614.Xr ssh_config 5
615for more information.
616.Pp
617.Dl $ nc -x10.2.3.4:8080 -Xconnect host.example.com 42
618.Pp
619The same example again, this time enabling proxy authentication with username
620ruser if the proxy requires it:
621.Pp
622.Dl $ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42
623.Pp
624To run
625.Nm
626with the smallest possible set of privileges as a user or role that has
627additional privileges
628.Pq such as the default root account
629it can be invoked using
630.Xr ppriv 1
631as well.
632For example, limiting it to only run with the privilege to bind to a privileged
633port:
634.Bd -literal -offset indent
635$ ppriv -e -sA=basic,!file_link_any,!proc_exec,!proc_fork,\e
636    !proc_info,!proc_session,net_privaddr nc -l 42
637.Ed
638.Pp
639To allow a user or role to use only
640.Nm
641with the
642.Sy net_privaddr
643privilege, a rights profile needs to be created:
644.Pp
645.Pa /etc/security/exec_attr:
646.Dl Netcat privileged:solaris:cmd:::/usr/bin/nc:privs=net_privaddr
647.Pa /etc/security/prof_attr
648.Dl Netcat privileged:::Allow nc to bind to privileged ports:help=None.html
649.Pp
650Assigning this rights profile using
651.Xr user_attr 5
652permits the user or role to run
653.Nm
654allowing it to listen on any port.
655To permit a user or role to use
656.Nm
657only to listen on specific ports a wrapper script should be specified in the
658rights profiles:
659.Pp
660.Pa /etc/security/exec_attr
661.Dl Netcat restricted:solaris:cmd:::/usr/bin/nc-restricted:privs=net_privaddr
662.Pa /etc/security/prof_attr
663.Dl Netcat restricted:::Allow nc to bind to privileged ports:help=None.html
664.Pp
665and write a shell script that restricts the permissible options, for example,
666one that permits one to bind only on ports between 42 and 64 non-inclusive:
667.Bd -literal -offset indent
668#!/bin/ksh
669
670(( $# == 1 )) || exit 1
671(( $1 > 42 && $1 < 64 )) || exit 1
672exec /usr/bin/nc -l -p "$1"
673.Ed
674.Pp
675This grants the extra privileges when the user or role invokes
676.Nm
677using the wrapper script from a profile shell.
678See
679.Xr pfsh 1 ,
680.Xr pfksh 1 ,
681.Xr pfcsh 1 ,
682and
683.Xr pfexec 1 .
684.Pp
685Invoking
686.Nm
687directly does not run it with the additional privileges, and neither does
688invoking the script without using
689.Sy pfexec
690or a profile shell.
691.Sh INTERFACE STABILITY
692The command line syntax is
693.Sy Committed
694for the
695.Fl 4 ,
696.Fl 6 ,
697.Fl l ,
698.Fl n ,
699.Fl p ,
700.Fl u ,
701and
702.Fl w
703options and their arguments
704.Pq if any .
705The
706.Ar name
707and
708.Ar port
709list arguments are
710.Sy Committed .
711The port range syntax is
712.Sy Uncommitted .
713The interface stability level for all other command line options and their
714arguments is
715.Sy Uncommitted.
716.Sh SEE ALSO
717.Xr cat 1 ,
718.Xr pfcsh 1 ,
719.Xr pfexec 1 ,
720.Xr pfksh 1 ,
721.Xr pfsh 1 ,
722.Xr ppriv 1 ,
723.Xr sed 1 ,
724.Xr ssh 1 ,
725.Xr telnet 1 ,
726.Xr ssh_config 5 ,
727.Xr user_attr 5 ,
728.Xr attributes 7 ,
729.Xr privileges 7 ,
730.Xr rbac 7 ,
731.Xr inetadm 8 ,
732.Xr inetconv 8 ,
733.Xr inetd 8 ,
734.Xr tcpkey 8
735.Sh AUTHORS
736The original implementation of
737.Nm
738was written by
739.An Hobbit Aq Mt hobbit@avian.org
740.Pp
741.Nm
742was rewritten with IPv6 support by
743.An -nosplit
744.An Eric Jackson Aq Mt ericj@monkey.org
745.Sh NOTES
746UDP port scans always succeed, that is, report the port as open, rendering the
747.Fl uz
748combination of flags relatively useless.
749