The Linux netcat (nc) command is often referred to as the Swiss army knife of networking tools, and a skilled system administrator can come up with some interesting uses for this versatile tool. It essentially establishes a connection between two computers and allows data to be written across it using the TCP and UDP transport layer protocols over the network layer protocol IP. Netcat can even be thought of as the ‘cat’ command in Linux, but for network-based communication between servers.
Netcat operates in two modes:
- Server mode
- Client mode
Server mode: In server mode, netcat listens for incoming connections, with its behavior depending on the parameters passed to the utility. The syntax below shows how you would typically use netcat in server mode:
nc -l -p port [options] [hostname] [port]
Client mode: In client mode, netcat initiates a TCP/UDP connection to the same or a different machine. The syntax below shows how you would typically use netcat in client mode:
nc [-options] hostname port[s] [ports]
We will be covering both methods in depth in our examples.
Typical uses of the Linux netcat tool
- Chat server
- Port scanner
- File transfer
- Information fetching
Chat server: We can use netcat to transfer simple text messages between two systems, forming a rather minimal and straightforward instant messaging interface.
Port scanner: Netcat can be used to scan for open ports on one or more systems. Its port scanning capabilities are fairly basic, and we’d strongly recommend using nmap in this regard.
File transfer: Netcat allows file transfers between servers without needing to resort to an FTP, SFTP or TFTP server.
Information fetching: Netcat can be used to establish a socket to a specific port on the destination system to identify specific information or weaknesses in the system. This is similar to lsof command or nmap command.
Netcat comes pre-installed in both Red Hat and Debian based distributions.
We’ll now verify the presence of netcat on a CentOS 6 and an Ubuntu 16.04 machine.
Verifying netcat on CentOS/Red Hat Linux
    [[email protected] ~]# rpm -qa | grep -w ^nc
    nc-1.84-24.el6.x86_64
    [[email protected] ~]# rpm -qi nc
    Name        : nc                           Relocations: (not relocatable)
    Version     : 1.84                         Vendor: CentOS
    Release     : 24.el6                       Build Date: Mon 08 Dec 2014 02:51:43 PM IST
    Install Date: Tue 26 Sep 2017 01:02:29 AM IST   Build Host: c6b8.bsys.dev.centos.org
    Group       : Applications/Internet        Source RPM: nc-1.84-24.el6.src.rpm
    Size        : 111502                       License: BSD
    Signature   : RSA/SHA1, Mon 08 Dec 2014 07:05:39 PM IST, Key ID 0946fca2c105b9de
    Packager    : CentOS BuildSystem <http://bugs.centos.org>
    URL         : http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/nc/
    Summary     : Reads and writes data across network connections using TCP or UDP
    Description :
    The nc package contains Netcat (the program is actually nc), a simple
    utility for reading and writing data across network connections, using
    the TCP or UDP protocols. Netcat is intended to be a reliable back-end
    tool which can be used directly or easily driven by other programs and
    scripts. Netcat is also a feature-rich network debugging and exploration
    tool since it can create many different connections and has many
    built-in capabilities.
    You may want to install the netcat package if you are administering a
    network and you'd like to use its debugging and network exploration
    capabilities.
Verifying netcat on Ubuntu/Debian
Ubuntu systems come pre-installed with the BSD variant of netcat along with the traditional version.
In Ubuntu the nc command is actually a soft link, as shown below:
    [email protected]:~# ls -l /bin/nc
    lrwxrwxrwx 1 root root 20 Oct 16 06:07 /bin/nc -> /etc/alternatives/nc
    [email protected]:~# ls -l /etc/alternatives/nc
    lrwxrwxrwx 1 root root 15 Oct 16 06:07 /etc/alternatives/nc -> /bin/nc.openbsd
    [email protected]:~# ls -l /bin/nc.openbsd
    -rwxr-xr-x 1 root root 31248 Dec 3 2012 /bin/nc.openbsd
    [email protected]:~# dpkg -S /bin/nc.openbsd
    netcat-openbsd: /bin/nc.openbsd
    [email protected]:~# dpkg -s netcat-openbsd
    Package: netcat-openbsd
    Status: install ok installed
    Priority: important
    Section: net
    Installed-Size: 109
    Maintainer: Ubuntu Developers <[email protected]>
    Architecture: amd64
    Version: 1.105-7ubuntu1
    Replaces: netcat (<< 1.10-35)
    Provides: netcat
    Depends: libbsd0 (>= 0.2.0), libc6 (>= 2.16)
    Breaks: netcat (<< 1.10-35)
    Description: TCP/IP swiss army knife
     A simple Unix utility which reads and writes data across network
     connections using TCP or UDP protocol. It is designed to be a reliable
     "back-end" tool that can be used directly or easily driven by other
     programs and scripts. At the same time, it is a feature-rich network
     debugging and exploration tool since it can create almost any kind of
     connection you would need and has several interesting built-in
     capabilities.
     This package contains the OpenBSD rewrite of netcat, including support
     for IPv6, proxies, and Unix sockets.
    Original-Maintainer: Aron Xu <[email protected]>
The BSD variant of netcat may have slightly different options, or a few more of them, compared to the traditional version of netcat.
This is the output produced from running the BSD version without any options.
    [email protected]:~# nc
    This is nc from the netcat-openbsd package. An alternative nc is available
    in the netcat-traditional package.
    usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
              [-P proxy_username] [-p source_port] [-q seconds] [-s source]
              [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
              [-x proxy_address[:port]] [destination] [port]
In contrast to the above, this is the output produced by running netcat without any options on my CentOS system.
    [[email protected] ~]# nc
    usage: nc [-46DdhklnrStUuvzC] [-i interval] [-p source_port]
              [-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_version]
              [-x proxy_address[:port]] [hostname] [port[s]]
Now we will go through some examples to understand how we can use netcat according to our requirements.
Getting help from nc command
Use nc command with the -h option to obtain a short description about some of the options that are available for use with netcat.
    [[email protected] ~]# nc -h
    usage: nc [-46DdhklnrStUuvzC] [-i interval] [-p source_port]
              [-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_version]
              [-x proxy_address[:port]] [hostname] [port[s]]
            Command Summary:
                    -4              Use IPv4
                    -6              Use IPv6
                    -D              Enable the debug socket option
                    -d              Detach from stdin
                    -h              This help text
                    -i secs         Delay interval for lines sent, ports scanned
                    -k              Keep inbound sockets open for multiple connects
                    -l              Listen mode, for inbound connects
                    -n              Suppress name/port resolutions
                    -p port         Specify local port for remote connects
                    -r              Randomize remote ports
                    -S              Enable the TCP MD5 signature option
                    -s addr         Local source address
                    -T ToS          Set IP Type of Service
                    -C              Send CRLF as line-ending
                    -t              Answer TELNET negotiation
                    -U              Use UNIX domain socket
                    -u              UDP mode
                    -v              Verbose
                    -w secs         Timeout for connects and final net reads
                    -X proto        Proxy protocol: "4", "5" (SOCKS) or "connect"
                    -x addr[:port]  Specify proxy address and port
                    -z              Zero-I/O mode [used for scanning]
            Port numbers can be individual or ranges: lo-hi [inclusive]
Scan TCP port using nc command
Example 1: Using netcat to scan a single port:
Before we get to the demonstration, we’d like to reemphasize our recommendation for using nmap for fulfilling your port scanning needs.
To scan a port, we use nc with the -z option, which puts netcat in zero-I/O mode: it only checks whether the port accepts a connection and sends no data. We can also add the -v option to enable more verbose or detailed output.
In the below demonstration we scan port 22 of our Ubuntu system from our CentOS system:
    [[email protected] ~]# nc -z 192.168.87.146 22
    Connection to 192.168.87.146 22 port [tcp/ssh] succeeded!
The connection succeeded message implies that the port is open.
Scan UDP port using nc command
Example 2: Scanning UDP ports instead of TCP.
Let’s see an example, this time scanning port 123 on our CentOS server running the ntpd daemon.
    [email protected]:~# nc -z -v -u 192.168.87.144 123
    Connection to 192.168.87.144 123 port [udp/ntp] succeeded!
In this example we added the -u flag to indicate that we are scanning a UDP port and not a TCP port. Because UDP is connectionless, the succeeded message only means that no ICMP error came back for the probe. Without the -u option the TCP connection attempt fails, because ntpd listens on UDP port 123.
Here’s a demo of that:
    [email protected]:~# nc -z -v 192.168.87.144 123
    nc: connect to 192.168.87.144 port 123 (tcp) failed: No route to host
Scanning a range of ports using nc command
Example 3: We can use netcat to scan a range of ports.
The syntax for that is nc -z <host> <first port>-<last port>
Here is an example:
    [email protected]:~# nc -z -v 192.168.87.144 20-27
    nc: connect to 192.168.87.144 port 20 (tcp) failed: No route to host
    nc: connect to 192.168.87.144 port 21 (tcp) failed: No route to host
    Connection to 192.168.87.144 22 port [tcp/ssh] succeeded!
    nc: connect to 192.168.87.144 port 23 (tcp) failed: No route to host
    nc: connect to 192.168.87.144 port 24 (tcp) failed: No route to host
    nc: connect to 192.168.87.144 port 25 (tcp) failed: No route to host
    nc: connect to 192.168.87.144 port 26 (tcp) failed: No route to host
    nc: connect to 192.168.87.144 port 27 (tcp) failed: No route to host
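The scan messages from Examples 1 to 3 can be checked against a list of ports you expect to be listening on your own host. The following is an added example, not part of the original article: the function names, the baseline list and the sample scan (address 192.0.2.10) are constructed for illustration, and reading "Connection refused" as closed and any other failure as filtered is an assumption about nc's messages.

```shell
#!/bin/sh
# Added example: turn `nc -z -v` output into port states and compare the open
# ports with a baseline. Runs offline on the constructed sample below.

# Constructed sample, in the message format shown in the transcripts above.
SAMPLE_SCAN='nc: connect to 192.0.2.10 port 20 (tcp) failed: No route to host
nc: connect to 192.0.2.10 port 21 (tcp) failed: Connection refused
Connection to 192.0.2.10 22 port [tcp/ssh] succeeded!
nc: connect to 192.0.2.10 port 23 (tcp) failed: No route to host
Connection to 192.0.2.10 25 port [tcp/smtp] succeeded!'

# port_states: stdin = nc output, stdout = "<port>/<proto> <state>" per line.
# Assumption: "Connection refused" means closed; any other failure (timeout,
# "No route to host") is reported as filtered, e.g. by a host firewall.
port_states() {
  sed -n \
    -e 's|^Connection to [^ ]* \([0-9][0-9]*\) port \[\([a-z]*\)/[^]]*] succeeded!$|\1/\2 open|p' \
    -e 's|^nc: connect to [^ ]* port \([0-9][0-9]*\) (\([a-z]*\)) failed: Connection refused$|\1/\2 closed|p' \
    -e 's|^nc: connect to [^ ]* port \([0-9][0-9]*\) (\([a-z]*\)) failed: .*$|\1/\2 filtered|p'
}

# open_ports: only the "<port>/<proto>" entries that answered.
open_ports() { port_states | awk '$2 == "open" { print $1 }'; }

# unexpected_open BASELINE: open ports (from stdin) missing from the
# space-separated baseline, e.g. "22/tcp 443/tcp".
unexpected_open() {
  baseline=" $1 "
  open_ports | while read -r p; do
    case "$baseline" in *" $p "*) ;; *) echo "$p" ;; esac
  done
}

# missing_expected BASELINE: baseline ports the scan did not report as open.
missing_expected() {
  found=" $(open_ports | tr '\n' ' ')"
  for p in $1; do
    case "$found" in *" $p "*) ;; *) echo "$p" ;; esac
  done
}

printf '%s\n' "$SAMPLE_SCAN" | port_states
printf '%s\n' "$SAMPLE_SCAN" | unexpected_open '22/tcp 443/tcp' | sed 's/^/unexpected open: /'
printf '%s\n' "$SAMPLE_SCAN" | missing_expected '22/tcp 443/tcp' | sed 's/^/expected but not open: /'
```

On a live host, nc -v writes these messages to stderr, so redirect it when piping: nc -z -v <host> 20-27 2>&1 | unexpected_open '22/tcp'.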
In the next article, we’ll use netcat to set up a simple instant messaging interface and transfer files.