nc(1)                            User Commands                           nc(1)

NAME

       nc - arbitrary TCP and UDP connections and listens

SYNOPSIS

       nc -h

       nc [-46dnrtuvz] [-i interval] [-P proxy_username] [-p port]
            [-s source_ip_address] [-T ToS] [-w timeout]
            [-X proxy_protocol] [-x proxy_address[:port]]
            hostname port_list

       nc -l [-46Ddnrtuvz] [-i interval] [-T ToS] [hostname] port

       nc -l [-46Ddnrtuvz] [-i interval] [-T ToS] -p port

       nc -U [-Ddtvz] [-i interval] [-w timeout] path

       nc -Ul [-46Ddktv] [-i interval] path

DESCRIPTION

       The nc (or netcat) utility is used for a variety of tasks associated
       with TCP or UDP. nc can open TCP connections, send UDP packets, listen
       on arbitrary TCP and UDP ports, perform port scanning, and deal with
       both IPv4 and IPv6. Unlike telnet(1), nc scripts nicely, and separates
       error messages onto standard error instead of sending them to standard
       output.

       The nc command is often used for the following tasks:

           o      simple TCP proxies

           o      shell-script based HTTP clients and servers

           o      network daemon testing

           o      a SOCKS or HTTP ProxyCommand for ssh(1)

OPTIONS

       The following options are supported:

       -4

           Force nc to use IPv4 addresses only.

       -6

           Force nc to use IPv6 addresses only.

       -D

           Enable debugging on the socket.

       -d

           Do not attempt to read from stdin.

       -h

           Print nc help.

       -i interval

           Specify a delay time of interval between lines of text sent and
           received. This option also causes a delay time between connections
           to multiple ports.

       -k

           Force nc to listen for another connection after its current
           connection is closed.

           It is an error to use this option without the -l option.

       -l

           Listen for an incoming connection rather than initiate a connection
           to a remote host.

           It is an error to use this option in conjunction with the -s or -z
           options. Additionally, any timeout specified with the -w option is
           ignored.

       -n

           Do not do any naming or service lookups on any addresses,
           hostnames, or ports.

           Use of this option means that hostname and port arguments are
           restricted to numeric values.

           If used with -v option all addresses and ports are printed in
           numeric form, in addition to the restriction imposed on the
           arguments. This option does not have any effect when used in
           conjunction with the -U option.

       -P proxy_username

           Specify a username (proxy_username) to present to a proxy server
           that requires authentication. If proxy_username is not specified,
           authentication is not attempted. Proxy authentication is only
           supported for HTTP CONNECT proxies at present.

           It is an error to use this option in conjunction with the -l
           option.
126
       -p port

           When used without the -l option, specify the source port nc should
           use, subject to privilege restrictions and availability. When used
           with the -l option, set the listen port.

           This option can be used with the -l option only if the global port
           argument is not specified.

       -r

           Choose source or destination ports randomly instead of sequentially
           within a range or in the order that the system assigns them.

           It is an error to use this option in conjunction with the -l
           option.

       -s source_ip_address

           Specify the IP of the interface which is used to send the packets.

           It is an error to use this option in conjunction with the -l
           option.

       -T ToS

           Specify IP Type of Service (ToS) for the connection. Valid values
           are the tokens: lowdelay, throughput, reliability, or an 8-bit
           hexadecimal value preceded by 0x.

       -t

           Cause nc to send RFC 854 DON'T and WON'T responses to RFC 854 DO
           and WILL requests. This makes it possible to use nc to script
           telnet sessions.

       -U

           Specify the use of Unix Domain Sockets. If you specify this option
           without -l, nc becomes an AF_UNIX client. If you specify this
           option with the -l option, an AF_UNIX server is created.

           Use of this option requires that a single argument of a valid Unix
           domain path be provided to nc, not a host name or port.
177
       -u

           Use UDP instead of the default option of TCP.

       -v

           Specify verbose output.

       -w timeout

           Silently close the connection if a connection and stdin are idle
           for more than timeout seconds.

           This option has no effect on the -l option, that is, nc listens
           forever for a connection, with or without the -w flag. The default
           is no timeout.

       -X proxy_protocol

           Use the specified protocol when talking to the proxy server.
           Supported protocols are 4 (SOCKS v.4), 5 (SOCKS v.5) and connect
           (HTTP proxy). If the protocol is not specified, SOCKS v. 5 is used.

           It is an error to use this option in conjunction with the -l
           option.

       -x proxy_address[:port]

           Request connection to hostname using a proxy at proxy_address and
           port. If port is not specified, the well-known port for the proxy
           protocol is used (1080 for SOCKS, 3128 for HTTP).

           It is an error to use this option in conjunction with the -l
           option.

       -z

           Scan for listening daemons, without sending any data to them.

           It is an error to use this option in conjunction with the -l
           option.

OPERANDS

       The following operands are supported:

       hostname     Specify host name.

                    hostname can be a numerical IP address or a symbolic
                    hostname (unless the -n option is specified).

                    In general, hostname must be specified, unless the -l
                    option is given or -U is used (in which case the argument
                    is a path). If hostname argument is specified with -l
                    option then port argument must be given as well and nc
                    tries to bind to that address and port. If hostname
                    argument is not specified with -l option then nc tries to
                    listen on a wildcard socket for given port.

       path         Specify pathname.

       port         Specify port.
       port_list
                    port_list can be specified as single integers, ranges or
                    combinations of both. Specify ranges in the form of nn-mm.
                    The port_list must have at least one member, but can have
                    multiple ports/ranges separated by commas.

                    In general, a destination port must be specified, unless
                    the -U option is given, in which case a Unix Domain Socket
                    path must be specified instead of hostname.

USAGE

   Client/Server Model
       It is quite simple to build a very basic client/server model using nc.
       On one console, start nc listening on a specific port for a connection.
       For example, the command:

         $ nc -l 1234

       listens on port 1234 for a connection. On a second console (or a second
       machine), connect to the machine and port on which nc is listening:

         $ nc 127.0.0.1 1234

       There should now be a connection between the ports. Anything typed at
       the second console is concatenated to the first, and vice-versa. After
       the connection has been set up, nc does not really care which side is
       being used as a server and which side is being used as a client. The
       connection can be terminated using an EOF (Ctrl/d).
   Data Transfer
       The example in the previous section can be expanded to build a basic
       data transfer model. Any information input into one end of the
       connection is output to the other end, and input and output can be
       easily captured in order to emulate file transfer.

       Start by using nc to listen on a specific port, with output captured
       into a file:

         $ nc -l 1234 > filename.out

       Using a second machine, connect to the listening nc process, feeding it
       the file which is to be transferred:

         $ nc host.example.com 1234 < filename.in

       After the file has been transferred, the connection closes
       automatically.
   Talking to Servers
       It is sometimes useful to talk to servers by hand rather than through a
       user interface. It can aid in troubleshooting, when it might be
       necessary to verify what data a server is sending in response to
       commands issued by the client.

       For example, to retrieve the home page of a web site:

         $ printf 'GET / HTTP/1.0\r\n\r\n' | nc host.example.com 80

       This also displays the headers sent by the web server. They can be
       filtered, if necessary, by using a tool such as sed(1).

       More complicated examples can be built up when the user knows the
       format of requests required by the server. As another example, an email
       can be submitted to an SMTP server using:

         $ nc localhost 25 << EOF
         HELO host.example.com
         MAIL FROM: <user@host.example.com>
         RCPT TO: <user2@host.example.com>
         DATA
         Body of email.
         .
         QUIT
         EOF
   Port Scanning
       It can be useful to know which ports are open and running services on a
       target machine. The -z flag can be used to tell nc to report open
       ports, rather than to initiate a connection.

       In this example:

         $ nc -z host.example.com 20-30
         Connection to host.example.com 22 port [tcp/ssh] succeeded!
         Connection to host.example.com 25 port [tcp/smtp] succeeded!

       The port range was specified to limit the search to ports 20 - 30.

       Alternatively, it might be useful to know which server software is
       running, and which versions. This information is often contained within
       the greeting banners. In order to retrieve these, it is necessary to
       first make a connection, and then break the connection when the banner
       has been retrieved. This can be accomplished by specifying a small
       timeout with the -w flag, or perhaps by issuing a QUIT command to the
       server:

         $ echo "QUIT" | nc host.example.com 20-30
         SSH-2.0-Sun_SSH_1.1
         Protocol mismatch.
         220 host.example.com IMS SMTP Receiver Version 0.84 Ready
   inetd Capabilities
       One of the possible uses is to create simple services by using
       inetd(1M).

       The following example creates a redirect from TCP port 8080 to port 80
       on host realwww:

         # cat << EOF >> /etc/services
         wwwredir    8080/tcp    # WWW redirect
         EOF
         # cat << EOF > /tmp/wwwredir.conf
         wwwredir stream tcp nowait nobody /usr/bin/nc /usr/bin/nc -w 3 realwww 80
         EOF
         # inetconv -i /tmp/wwwredir.conf
         wwwredir -> /var/svc/manifest/network/wwwredir-tcp.xml
         Importing wwwredir-tcp.xml ...Done
         # inetadm -l wwwredir/tcp
         SCOPE    NAME=VALUE
         name="wwwredir"
         endpoint_type="stream"
         proto="tcp"
         isrpc=FALSE
         wait=FALSE
         exec="/usr/bin/nc -w 3 realwww 80"
         arg0="/usr/bin/nc"
         user="nobody"
         default  bind_addr=""
         default  bind_fail_max=-1
         default  bind_fail_interval=-1
         default  max_con_rate=-1
         default  max_copies=-1
         default  con_rate_offline=-1
         default  failrate_cnt=40
         default  failrate_interval=60
         default  inherit_env=TRUE
         default  tcp_trace=TRUE
         default  tcp_wrappers=FALSE
   Privileges
       To bind to a privileged port number, nc needs to be granted the
       net_privaddr privilege. If Solaris Trusted Extensions are configured
       and the port nc should listen on is configured as a multi-level port,
       nc also needs the net_bindmlp privilege.

       Privileges can be assigned to the user or role directly, by specifying
       them in the account's default privilege set in user_attr(4). However,
       this means that any application that this user or role starts has
       these additional privileges. To only grant the privileges(5) when nc is
       invoked, the recommended approach is to create and assign an rbac(5)
       rights profile. See EXAMPLES for additional information.

EXAMPLES

       Example 1 Using nc

       Open a TCP connection to port 42 of host.example.com, using port 3141
       as the source port, with a timeout of 5 seconds:

         $ nc -p 3141 -w 5 host.example.com 42

       Open a UDP connection to port 53 of host.example.com:

         $ nc -u host.example.com 53

       Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as
       the IP for the local end of the connection:

         $ nc -s 10.1.2.3 host.example.com 42

       Use a list of ports and port ranges for a port scan on various ports:

         $ nc -z host.example.com 21-25,53,80,110-120,443

       Create and listen on a Unix Domain Socket:

         $ nc -lU /var/tmp/dsocket

       Create and listen on a UDP socket with associated port 8888:

         $ nc -u -l -p 8888

       which is the same as:

         $ nc -u -l 8888

       Create and listen on a TCP socket with associated port 2222 and bind to
       address 127.0.0.1 only:

         $ nc -l 127.0.0.1 2222

       Connect to port 42 of host.example.com using an HTTP proxy at 10.2.3.4,
       port 8080. This example could also be used by ssh(1). See the
       ProxyCommand directive in ssh_config(4) for more information.

         $ nc -x10.2.3.4:8080 -Xconnect host.example.com 42

       The same example again, this time enabling proxy authentication with
       username ruser if the proxy requires it:

         $ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42

       To run nc with the smallest possible set of privileges as a user or
       role that has additional privileges (such as the default root account)
       it can be invoked using ppriv(1) as well. For example, limiting it to
       only run with the privilege to bind to a privileged port:

         $ ppriv -e -sA=basic,!file_link_any,!proc_exec,!proc_fork,\
         !proc_info,!proc_session,net_privaddr nc -l 42

       To allow a user or role to use only nc with the net_privaddr privilege,
       a rights profile needs to be created:

         /etc/security/exec_attr
         Netcat privileged:solaris:cmd:::/usr/bin/nc:privs=net_privaddr

         /etc/security/prof_attr
         Netcat privileged:::Allow nc to bind to privileged ports:help=None.html

       Assigning this rights profile using user_attr(4) permits the user or
       role to run nc allowing it to listen on any port. To permit a user or
       role to use nc only to listen on specific ports a wrapper script should
       be specified in the rights profiles:

         /etc/security/exec_attr
         Netcat restricted:solaris:cmd:::/usr/bin/nc-restricted:privs=net_privaddr

         /etc/security/prof_attr
         Netcat restricted:::Allow nc to bind to privileged ports:help=None.html
       and write a shell script that restricts the permissible options, for
       example, one that permits one to bind only on ports between 42 and 64
       (non-inclusive):

         /usr/bin/nc-restricted:

         #!/bin/sh
         [ $# -eq 1 ] && [ "$1" -gt 42 -a "$1" -lt 64 ] && /usr/bin/nc -l -p "$1"

       This grants the extra privileges when the user or role invokes nc using
       the wrapper script from a profile shell. See pfsh(1), pfksh(1),
       pfcsh(1), and pfexec(1).

       Invoking nc directly does not run it with the additional privileges,
       and neither does invoking the script without using pfexec or a profile
       shell.
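
       A stricter variant of the nc-restricted wrapper, added here as an
       example (it is not part of the original nc(1) page). It keeps the same
       policy, one argument strictly between 42 and 64, but accepts only a
       one- or two-digit decimal string before comparing. The function names
       port_allowed, nc_restricted and classify and the sample arguments are
       constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the nc(1) page: a stricter /usr/bin/nc-restricted.
# Policy is the page's: exactly one argument, a port with 42 < port < 64.
# Function names and the sample arguments below are constructed.

# port_allowed ARGS... -> status 0 only for a single plain decimal port
# inside the permitted window; status 1 for everything else.
port_allowed() {
    [ "$#" -eq 1 ] || return 1
    case $1 in
        '' | *[!0-9]*) return 1 ;;   # empty, or any non-digit (space, '-', 'x')
    esac
    # Digits only from here on. Cap the length so a very long digit string
    # never reaches the integer comparison.
    [ "${#1}" -le 2 ] || return 1
    [ "$1" -gt 42 ] && [ "$1" -lt 64 ]
}

# nc_restricted ARGS... -> replaces the shell with nc on an allowed port,
# otherwise prints usage and returns 2 without starting nc.
nc_restricted() {
    if ! port_allowed "$@"; then
        echo "usage: nc-restricted port   (42 < port < 64)" >&2
        return 2
    fi
    exec /usr/bin/nc -l -p "$1"
}

# classify ARGS... -> prints "allow" or "deny"; used by the demo below.
classify() {
    if port_allowed "$@"; then echo allow; else echo deny; fi
}

# Demo over constructed arguments. Installed as the wrapper, this loop is
# replaced by the single line:  nc_restricted "$@"
for arg in 43 63 42 64 7 050 0x32 '50 -o 1' '-p' ''; do
    printf '%-12s %s\n' "[$arg]" "$(classify "$arg")"
done
```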

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWnetcat                   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │See below.                   │
       └─────────────────────────────┴─────────────────────────────┘

       The package name is Committed. The command line syntax is Committed for
       the -4, -6, -l, -n, -p, -u, and -w options and their arguments (if
       any). The name and port list arguments are Committed. The port range
       syntax is Uncommitted. The interface stability level for all other
       command line options and their arguments is Uncommitted.

SEE ALSO

       cat(1), pfcsh(1), pfexec(1), pfksh(1), pfsh(1), ppriv(1), sed(1),
       ssh(1), telnet(1), inetadm(1M), inetconv(1M), inetd(1M), ssh_config(4),
       user_attr(4), attributes(5), privileges(5), rbac(5)

AUTHORS

       The original implementation of nc was written by Hobbit,
       hobbit@avian.org.

       nc was rewritten with IPv6 support by Eric Jackson, ericj@monkey.org.

NOTES

       UDP port scans always succeed, that is, report the port as open,
       rendering the -uz combination of flags relatively useless.

SunOS 5.11                        Apr 9 2009                             nc(1)