NCAT(1) Ncat Reference Guide NCAT(1)

ncat - Concatenate and redirect sockets

ncat [OPTIONS...] [hostname] [port]

Ncat is a feature-packed networking utility which will read and write
data across a network from the command line. Ncat was written for the
Nmap Project and is the culmination of the currently splintered family
of Netcat incarnations. It uses both TCP and UDP for communication and
is designed to be a reliable back-end tool to instantly provide network
connectivity to other applications and users. Ncat will not only work
with IPv4 and IPv6 but provides the user with a virtually limitless
number of potential uses.

Among Ncat's vast number of features there is the ability to chain
Ncats together, redirect both TCP and UDP ports to other sites, SSL
support, and proxy connections via SOCKS4 or HTTP (CONNECT method)
proxies (with optional proxy authentication as well). Some general
principles apply to most applications and thus give you the capability
of instantly adding networking support to software that would normally
never support it.

Ncat 5.21 ( http://nmap.org/ncat )
Usage: ncat [options] [hostname] [port]

Options taking a time assume milliseconds, unless you append an 's'
(seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30s)
  -4                         Use IPv4 only
  -6                         Use IPv6 only
  -C, --crlf                 Use CRLF for EOL sequence
  -c, --sh-exec <command>    Executes specified command via /bin/sh
  -e, --exec <command>       Executes specified command
  -g hop1[,hop2,...]         Loose source routing hop points (8 max)
  -G n                       Loose source routing hop pointer (4, 8, 12, ...)
  -m, --max-conns n          Maximum n simultaneous connections
  -h, --help                 Display this help screen
  -d, --delay <time>         Wait between read/writes
  -o, --output               Dump session data to a file
  -x, --hex-dump             Dump session data as hex to a file
  -i, --idle-timeout <time>  Idle read/write timeout
  -p, --source-port port     Specify source port to use
  -s, --source addr          Specify source address to use (doesn't affect -l)
  -l, --listen               Bind and listen for incoming connections
  -k, --keep-open            Accept multiple connections in listen mode
  -n, --nodns                Do not resolve hostnames via DNS
  -t, --telnet               Answer Telnet negotiations
  -u, --udp                  Use UDP instead of default TCP
      --sctp                 Use SCTP instead of default TCP
  -v, --verbose              Set verbosity level (can be used up to 3 times)
  -w, --wait <time>          Connect timeout
      --send-only            Only send data, ignoring received; quit on EOF
      --recv-only            Only receive data, never send anything
      --allow                Allow specific hosts to connect to Ncat
      --allowfile            A file of hosts allowed to connect to Ncat
      --deny                 Hosts to be denied from connecting to Ncat
      --denyfile             A file of hosts denied from connecting to Ncat
      --broker               Enable Ncat's Connection Brokering mode
      --chat                 Start a simple Ncat chat server
      --proxy <addr[:port]>  Specify address of host to proxy through
      --proxy-type <type>    Specify proxy type ("http" or "socks4")
      --proxy-auth <auth>    Authenticate with HTTP or SOCKS proxy server
      --ssl                  Connect or listen with SSL
      --ssl-cert             Specify SSL certificate file (PEM) for listening
      --ssl-key              Specify SSL private key (PEM) for listening
      --ssl-verify           Verify trust and domain name of certificates
      --ssl-trustfile        PEM file containing trusted SSL certificates
      --version              Display Ncat's version information and exit

See the ncat(1) manpage for full options, descriptions and usage examples

When passing a host parameter to Ncat, the simplest case is just to
list a single hostname or IP address. If you are supplying a range of
hosts, such as with --deny or --allow options, you can denote the
chosen range of IP addresses by appending the CIDR-style '/mask' to the
IP address. The mask must be between zero (select the whole subnet) and
32 (scan the single host specified). For example, you may use /24 to
scan a class C subnet and /16 for a class B.

-4 (IPv4 only)
    Force the use of IPv4 only (default).

-6 (IPv6 only)
    Force the use of IPv6 only.

-u, --udp (Use UDP)
    Use UDP for the connection (the default is TCP).

--sctp (Use SCTP)
    Use SCTP for the connection (the default is TCP). SCTP support is
    implemented in TCP compatible mode.

-g hop1[,hop2,...] (Loose source routing)
    Sets hops for IPv4 loose source routing. You can use -g once with a
    comma-separated list of hops, use -g multiple times with single
    hops to build the list, or combine the two. Hops can be given as IP
    addresses or hostnames.

-G ptr (Set source routing pointer)
    Sets the IPv4 source route “pointer” for use with -g. The argument
    must be a multiple of four and no more than 28. Not all operating
    systems support setting this pointer to anything other than four.

-p port, --source-port port (Specify source port)
    Set the port number for Ncat to bind to.

-s host, --source host (Specify source address)
    Set the address for Ncat to bind to.

See the Access Control section for information on limiting which hosts
can connect to the listening Ncat process.

-l, --listen (Listen for connections)
    Listen for connections rather than connecting to a remote machine.

-m numconns, --max-conns numconns (Specify max number of connections)
    The maximum number of simultaneous connections accepted for an Ncat
    instance. 100 is the default.

-k, --keep-open (Accept multiple connections)
    Normally a listening server accepts only one connection and then
    quits when the connection is closed. This option makes it accept
    multiple simultaneous connections and wait for more connections
    after they have all been closed. It must be combined with --listen.
    In this mode there is no way for Ncat to know when its network
    input is finished, so it will keep running until interrupted. This
    also means that it will never close its output stream, so any
    program reading from Ncat and looking for end-of-file will also
    hang.

--broker (Connection brokering)
    Allow multiple parties to connect to a centralised Ncat server and
    communicate with each other. Ncat can broker communication between
    systems that are behind a NAT or otherwise unable to directly
    connect. This option is used in conjunction with --listen, which
    causes the --listen port to have broker mode enabled.

--chat (Ad-hoc “chat server”)
    The --chat option enables chat mode, intended for the exchange of
    text between several users. In chat mode, connection brokering is
    turned on. Ncat prefixes each message received with an ID before
    relaying it to the other connections. The ID is unique for each
    connected client. This helps distinguish who sent what.
    Additionally, non-printing characters such as control characters
    are escaped to keep them from doing damage to a terminal.

--ssl (Use SSL)
    In client-mode Ncat, this option transparently negotiates an SSL
    session with an SSL server to securely encrypt the connection. This
    is particularly handy for talking to SSL enabled HTTP servers, etc.

    In server-mode Ncat, this option listens for incoming SSL
    connections, rather than plain untunneled traffic.

--ssl-verify (Verify server certificates)
    In client mode, --ssl-verify is like --ssl except that it also
    requires verification of the server certificate. Ncat comes with a
    default set of trusted certificates. Some operating systems provide
    a default list of trusted certificates; these will also be used if
    available. Use --ssl-trustfile to give a custom list. Use -v one or
    more times to get details about verification failures.

    This option has no effect in server mode.

--ssl-cert certfile.pem (Specify SSL certificate)
    This option gives the location of a PEM-encoded certificate file
    used to authenticate the server (in listen mode) or the client (in
    connect mode). Use it in combination with --ssl-key.

--ssl-key keyfile.pem (Specify SSL private key)
    This option gives the location of the PEM-encoded private key file
    that goes with the certificate named with --ssl-cert.

--ssl-trustfile cert.pem (List trusted certificates)
    This option sets a list of certificates that are trusted for
    purposes of certificate verification. It has no effect unless
    combined with --ssl-verify. The argument to this option is the name
    of a PEM file containing trusted certificates. Typically, the
    file will contain certificates of certification authorities, though
    it may also contain server certificates directly. When this option
    is used, Ncat does not use its default certificates.

--proxy host[:port] (Specify proxy address)
    Requests proxying through host:port, using the protocol specified
    by --proxy-type.

    If no port is specified, the proxy protocol's well-known port is
    used (1080 for SOCKS and 3128 for HTTP). However, when specifying
    an IPv6 HTTP proxy server using the IP address rather than the
    hostname, the port number MUST be specified as well.

    If the proxy requires authentication, --proxy-auth is available.

--proxy-type proto (Specify proxy protocol)
    In client-mode, this option requests using proxy protocol proto to
    connect through the proxy host specified by --proxy. In
    server-mode, this option requests Ncat to actually act as a proxy
    server using the specified protocol.

    The currently available protocols in client-mode are “http”
    (CONNECT) and “socks4” (SOCKSv4). The only server currently
    supported is “http”.

    If this option is not used, the default protocol is http.

--proxy-auth user[:pass] (Specify proxy credentials)
    Used to specify proxy authentication credentials for client-mode.
    For use with --proxy-type http, the form should be user:pass. For
    --proxy-type socks4, it should just be a username.

-e command, --exec command (Execute command)
    Execute the specified command after a connection has been
    established. The command must be specified as a full pathname. All
    input from the remote client will be sent to the application and
    responses sent back to the remote client over the socket. This
    effectively makes your application instantly interactive over a
    socket. Ncat will handle multiple simultaneous connections to your
    specified port/application rather like inetd does. Ncat will only
    accept a maximum, definable, number of simultaneous connections. By
    default this is set to 100.

-c command, --sh-exec command (Execute command via sh)
    Same as -e, except it tries to execute the command via /bin/sh (so
    you don't have to specify the full path for the command).

--allow host[,host,...] (Allow connections)
    The list of hosts specified will be the only hosts allowed to
    connect to the Ncat process. All other connection attempts will be
    silently dropped. Host specifications follow the same syntax used
    by Nmap.

--allowfile file (Allow connections from file)
    This has the same functionality as --allow, except that the allowed
    hosts are provided in a new-line delimited allow file, rather than
    directly on the command line.

--deny host[,host,...] (Deny connections)
    Issue Ncat with a list of hosts that will not be allowed to connect
    to the listening Ncat process. Specified hosts will have their
    session silently terminated if they try to connect. The syntax for
    hosts is the same as for --allow.

--denyfile file (Deny connections from file)
    This is the same functionality as --deny, except that excluded
    hosts are provided in a new-line delimited deny file, rather than
    directly on the command line.

These options accept a time parameter. This is specified in
milliseconds by default, though you can append “s”, “m”, or “h” to the
value to specify seconds, minutes, or hours.

-d time, --delay time (Specify line delay)
    Set the delay interval for lines sent. This effectively limits the
    number of lines that Ncat will send in the specified period. This
    may be useful for low bandwidth sites, or have other uses such as
    annoying iptables --limit options.

-i time, --idle-timeout time (Specify idle timeout)
    Set a fixed timeout for idle connections. If the idle timeout is
    reached, the connection is terminated.

-w time, --wait time (Specify connect timeout)
    Set a fixed timeout for connection attempts.

-o file, --output file (Save session data)
    Dump session data to a file.

-x file, --hex-dump file (Save session data in hex)
    Dump session data in hex to a file. This can be used to “replay”
    sessions, etc.

-v, --verbose (Verbosity)
    Issue Ncat with -v and it will be verbose and display all kinds of
    useful connection based information. If you issue this twice (-vv)
    then you will get all the code debugging information. Issue it
    three times (-vvv) and you get the connection information and the
    code debugging information.

-C, --crlf (Use CRLF as EOL)
    This option tells Ncat to try to use CRLF for line-endings if only
    an LF is found. This doesn't convert all LFs to CRLFs, only if it's
    at the end of the read buffer. This is useful for talking to some
    stringent servers directly from a terminal in one of the many
    common plain-text protocols which specify CRLF as the required EOL
    sequence.

-h, --help (Help screen)
    Displays a short help screen with common options and parameters,
    and then exits.

--recv-only (Only receive data)
    If this option is passed, Ncat will only receive data and will not
    try to send anything.

--send-only (Only send data)
    If this option is passed, then Ncat will only send data and will
    ignore anything received. This option also causes Ncat to close the
    network connection and terminate after EOF is received on standard
    input.

-t, --telnet (Answer Telnet negotiations)
    Handle DO/DONT WILL/WONT Telnet negotiations. This makes it
    possible to script Telnet sessions with Ncat.

--version (Display version)
    This displays the Ncat version, release information and any
    additional build information and exits.

Connect to example.org on TCP port 8080

    ncat example.org 8080

Listen for connections on TCP port 8080

    ncat -l 8080

Redirect TCP port 8080 on the local machine to host example.org on port
80

    ncat --sh-exec "ncat example.org 80" -l 8080

Bind to TCP port 8081 and attach /bin/bash for the world to access
freely

    ncat --exec "/bin/bash" -l 8081

Bind a shell to TCP port 8081, limit access to hosts on a local network
and limit the maximum number of simultaneous connections to three

    ncat --exec "/bin/bash" --max-conns 3 --allow 192.168.0.0/24 -l 8081

Connect to a SOCKS4 server on port 1080

    ncat --proxy socks4host --proxy-type socks4 --proxy-auth user smtphost 25

Create an HTTP proxy server on localhost port 8888

    ncat -l --proxy-type http localhost 8888

Send a file over TCP port 9899 from HOST2 (client) to HOST1 (server)

    HOST1$ ncat -l 9899 >outputfile

    HOST2$ ncat HOST1 9899 <inputfile

Transfer in the other direction, turning Ncat into a “one file” server

    HOST1$ ncat -l 9899 <inputfile

    HOST2$ ncat HOST1 9899 >outputfile

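The two bind-shell examples above differ only in --allow and --max-conns. The following added example (not part of the Ncat manual or the Nmap Project's code) classifies ncat command lines by whether a listener runs a command and whether an effective --allow list guards it. The verdict labels and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage ncat command lines, e.g. rows of `ps -eo args`.
# Option names come from the reference above; verdict labels are this example's own.

# An --allow list restricts nothing if any entry is a /0 network.
acl_ok() {
    case ",$1," in */0,*) return 1 ;; *) return 0 ;; esac
}

audit_ncat() {
    listen=0; runs_cmd=0; acl=0; want_acl=0
    set -f; set -- $1; set +f          # word-split the string without globbing
    [ "${1##*/}" = ncat ] || { echo not-ncat; return 0; }
    shift
    for arg in "$@"; do
        if [ "$want_acl" = 1 ]; then   # word after a bare --allow is its host list
            want_acl=0
            if acl_ok "$arg"; then acl=1; fi
            continue
        fi
        case "$arg" in
            --listen)           listen=1 ;;
            --exec*|--sh-exec*) runs_cmd=1 ;;
            --allowfile*)       acl=1 ;;   # file contents are not inspected here
            --allow=*)          if acl_ok "${arg#--allow=}"; then acl=1; fi ;;
            --allow)            want_acl=1 ;;
            --*)                ;;         # other long options do not matter here
            -*)                            # short cluster such as -l, -lk, -e, -c
                case "$arg" in *l*) listen=1 ;; esac
                case "$arg" in *[ec]*) runs_cmd=1 ;; esac ;;
        esac
    done
    # Limitation: words belonging to the -e/-c command are scanned as options too.
    if [ "$listen" = 0 ]; then echo client
    elif [ "$runs_cmd" = 0 ]; then echo listener
    elif [ "$acl" = 1 ]; then echo exec-restricted
    else echo exec-open
    fi
}

# Constructed sample input, built from the commands in the examples above.
while IFS= read -r line; do
    printf '%-16s %s\n' "$(audit_ncat "$line")" "$line"
done <<'EOF'
ncat -l 8080
ncat --exec /bin/bash -l 8081
ncat --exec /bin/bash --max-conns 3 --allow 192.168.0.0/24 -l 8081
ncat --exec /bin/bash --allow 0.0.0.0/0 -l 8081
ncat example.org 8080
EOF
```

Only exec-open rows need immediate attention: a listener that hands every connecting host the attached command. A --deny list alone is not counted as a restriction, since every host it does not name can still connect.
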
The exit code reflects whether a connection was made and completed
successfully. 0 means there was no error. 1 means there was a network
error of some kind, for example “Connection refused” or “Connection
reset”. 2 is reserved for all other errors, like an invalid option or a
nonexistent file.

Like its author, Ncat isn't perfect. But you can help make it better by
sending bug reports or even writing patches. If Ncat doesn't behave the
way you expect, first upgrade to the latest version available from
http://nmap.org. If the problem persists, do some research to determine
whether it has already been discovered and addressed. Try Googling the
error message or browsing the nmap-dev archives at
http://seclists.org/. Read this full manual page as well. If nothing
comes of this, mail a bug report to nmap-dev@insecure.org. Please
include everything you have learned about the problem, as well as what
version of Ncat you are running and what operating system version it is
running on. Problem reports and Ncat usage questions sent to
nmap-dev@insecure.org are far more likely to be answered than those
sent to Fyodor directly.

Code patches to fix bugs are even better than bug reports. Basic
instructions for creating patch files with your changes are available
at http://nmap.org/data/HACKING. Patches may be sent to nmap-dev
(recommended) or to Fyodor directly.

Chris Gibson chris@linuxops.net

Kris Katterjohn katterjohn@gmail.com

Mixter mixter@gmail.com

Fyodor fyodor@insecure.org (http://insecure.org)

The original Netcat was written by *Hobbit* hobbit@avian.org. While
Ncat isn't built on any code from the “traditional” Netcat (or any
other implementation), Ncat is most definitely based on Netcat in
spirit and functionality.

Ncat 01/26/2010 NCAT(1)