1NCAT(1) Ncat Reference Guide NCAT(1)
2
6 ncat - Concatenate and redirect sockets
7
9 ncat [OPTIONS...] [hostname] [port]
10
12 Ncat is a feature-packed networking utility which reads and writes data
13 across networks from the command line. Ncat was written for the Nmap
14 Project and is the culmination of the currently splintered family of
15 Netcat incarnations. It is designed to be a reliable back-end tool to
16 instantly provide network connectivity to other applications and users.
17 Ncat will not only work with IPv4 and IPv6 but provides the user with a
18 virtually limitless number of potential uses.
19 Among Ncat's vast number of features there is the ability to chain
21 Ncats together; redirection of TCP, UDP, and SCTP ports to other sites;
22 SSL support; and proxy connections via SOCKS4, SOCKS5 or HTTP proxies
23 (with optional proxy authentication as well). Some general principles
24 apply to most applications and thus give you the capability of
25 instantly adding networking support to software that would normally
26 never support it.
27
29 Ncat 7.70 ( https://nmap.org/ncat )
30 Usage: ncat [options] [hostname] [port]
31 Options taking a time assume seconds. Append 'ms' for milliseconds,
33 's' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms).
34 -4 Use IPv4 only
35 -6 Use IPv6 only
36 -U, --unixsock Use Unix domain sockets only
37 -C, --crlf Use CRLF for EOL sequence
38 -c, --sh-exec <command> Executes the given command via /bin/sh
39 -e, --exec <command> Executes the given command
40 --lua-exec <filename> Executes the given Lua script
41 -g hop1[,hop2,...] Loose source routing hop points (8 max)
42 -G <n> Loose source routing hop pointer (4, 8, 12, ...)
43 -m, --max-conns <n> Maximum <n> simultaneous connections
44 -h, --help Display this help screen
45 -d, --delay <time> Wait between read/writes
46 -o, --output <filename> Dump session data to a file
47 -x, --hex-dump <filename> Dump session data as hex to a file
48 -i, --idle-timeout <time> Idle read/write timeout
49 -p, --source-port port Specify source port to use
50 -s, --source addr Specify source address to use (doesn't affect -l)
51 -l, --listen Bind and listen for incoming connections
52 -k, --keep-open Accept multiple connections in listen mode
53 -n, --nodns Do not resolve hostnames via DNS
54 -t, --telnet Answer Telnet negotiations
55 -u, --udp Use UDP instead of default TCP
56 --sctp Use SCTP instead of default TCP
57 -v, --verbose Set verbosity level (can be used several times)
58 -w, --wait <time> Connect timeout
59 -z Zero-I/O mode, report connection status only
60 --append-output Append rather than clobber specified output files
61 --send-only Only send data, ignoring received; quit on EOF
62 --recv-only Only receive data, never send anything
63 --allow Allow only given hosts to connect to Ncat
64 --allowfile A file of hosts allowed to connect to Ncat
65 --deny Deny given hosts from connecting to Ncat
66 --denyfile A file of hosts denied from connecting to Ncat
67 --broker Enable Ncat's connection brokering mode
68 --chat Start a simple Ncat chat server
69 --proxy <addr[:port]> Specify address of host to proxy through
70 --proxy-type <type> Specify proxy type ("http" or "socks4" or "socks5")
71 --proxy-auth <auth> Authenticate with HTTP or SOCKS proxy server
72 --ssl Connect or listen with SSL
73 --ssl-cert Specify SSL certificate file (PEM) for listening
74 --ssl-key Specify SSL private key (PEM) for listening
75 --ssl-verify Verify trust and domain name of certificates
76 --ssl-trustfile PEM file containing trusted SSL certificates
77 --ssl-ciphers Cipherlist containing SSL ciphers to use
78 --ssl-alpn ALPN protocol list to use.
79 --version Display Ncat's version information and exit
80 See the ncat(1) manpage for full options, descriptions and usage examples
82
85 Ncat operates in one of two primary modes: connect mode and listen
86 mode. Other modes, such as the HTTP proxy server, act as special cases
87 of these two. In connect mode, Ncat works as a client. In listen mode
88 it is a server.
89 In connect mode, the hostname and port arguments tell what to connect
91 to. hostname is required, and may be a hostname or IP address. If port
92 is supplied, it must be a decimal port number. If omitted, it defaults
93 to 31337.
94 In listen mode, hostname and port control the address the server will
96 bind to. Both arguments are optional in listen mode. If hostname is
97 omitted, it defaults to listening on all available addresses over IPv4
98 and IPv6. If port is omitted, it defaults to 31337.
99
101 -4 (IPv4 only)
102 Force the use of IPv4 only.
103 -6 (IPv6 only)
105 Force the use of IPv6 only.
106 -U, --unixsock (Use Unix domain sockets)
108 Use Unix domain sockets rather than network sockets. This option
109 may be used on its own for stream sockets, or combined with --udp
110 for datagram sockets. A description of -U mode is in the section
111 called “UNIX DOMAIN SOCKETS”.
112 -u, --udp (Use UDP)
114 Use UDP for the connection (the default is TCP).
115 --sctp (Use SCTP)
117 Use SCTP for the connection (the default is TCP). SCTP support is
118 implemented in TCP-compatible mode.
119
121 -g hop1[,hop2,...] (Loose source routing)
122 Sets hops for IPv4 loose source routing. You can use -g once with a
123 comma-separated list of hops, use -g multiple times with single
124 hops to build the list, or combine the two. Hops can be given as IP
125 addresses or hostnames.
126 -G ptr (Set source routing pointer)
128 Sets the IPv4 source route “pointer” for use with -g. The argument
129 must be a multiple of 4 and no more than 28. Not all operating
130 systems support setting this pointer to anything other than four.
131 -p port, --source-port port (Specify source port)
133 Set the port number for Ncat to bind to.
134 -s host, --source host (Specify source address)
136 Set the address for Ncat to bind to.
137
139 See the section called “ACCESS CONTROL OPTIONS” for information on
140 limiting the hosts that may connect to the listening Ncat process.
141 -l, --listen (Listen for connections)
143 Listen for connections rather than connecting to a remote machine
144 -m numconns, --max-conns numconns (Specify maximum number of
146 connections)
147 The maximum number of simultaneous connections accepted by an Ncat
148 instance. 100 is the default (60 on Windows).
149 -k, --keep-open (Accept multiple connections)
151 Normally a listening server accepts only one connection and then
152 quits when the connection is closed. This option makes it accept
153 multiple simultaneous connections and wait for more connections
154 after they have all been closed. It must be combined with --listen.
155 In this mode there is no way for Ncat to know when its network
156 input is finished, so it will keep running until interrupted. This
157 also means that it will never close its output stream, so any
158 program reading from Ncat and looking for end-of-file will also
159 hang.
160 --broker (Connection brokering)
162 Allow multiple parties to connect to a centralised Ncat server and
163 communicate with each other. Ncat can broker communication between
164 systems that are behind a NAT or otherwise unable to directly
165 connect. This option is used in conjunction with --listen, which
166 causes the --listen port to have broker mode enabled.
167 --chat (Ad-hoc “chat server”)
169 The --chat option enables chat mode, intended for the exchange of
170 text between several users. In chat mode, connection brokering is
171 turned on. Ncat prefixes each message received with an ID before
172 relaying it to the other connections. The ID is unique for each
173 connected client. This helps distinguish who sent what.
174 Additionally, non-printing characters such as control characters
175 are escaped to keep them from doing damage to a terminal.
176
178 --ssl (Use SSL)
179 In connect mode, this option transparently negotiates an SSL
180 session with an SSL server to securely encrypt the connection. This
181 is particularly handy for talking to SSL enabled HTTP servers, etc.
182 In server mode, this option listens for incoming SSL connections,
184 rather than plain untunneled traffic.
185 In UDP connect mode, this option enables Datagram TLS (DTLS). This
187 is not supported in server mode.
188 --ssl-verify (Verify server certificates)
190 In client mode, --ssl-verify is like --ssl except that it also
191 requires verification of the server certificate. Ncat comes with a
192 default set of trusted certificates in the file ca-bundle.crt.
193 Some operating systems provide a default list of trusted
194 certificates; these will also be used if available. Use
195 --ssl-trustfile to give a custom list. Use -v one or more times to
196 get details about verification failures. Ncat does not check for
197 revoked certificates.
198 This option has no effect in server mode.
200 --ssl-cert certfile.pem (Specify SSL certificate)
202 This option gives the location of a PEM-encoded certificate files
203 used to authenticate the server (in listen mode) or the client (in
204 connect mode). Use it in combination with --ssl-key.
205 --ssl-key keyfile.pem (Specify SSL private key)
207 This option gives the location of the PEM-encoded private key file
208 that goes with the certificate named with --ssl-cert.
209 --ssl-trustfile cert.pem (List trusted certificates)
211 This option sets a list of certificates that are trusted for
212 purposes of certificate verification. It has no effect unless
213 combined with --ssl-verify. The argument to this option is the name
214 of a PEM file containing trusted certificates. Typically, the file
215 will contain certificates of certification authorities, though it
216 may also contain server certificates directly. When this option is
217 used, Ncat does not use its default certificates.
218 --ssl-ciphers cipherlist (Specify SSL ciphersuites)
220 This option sets the list of ciphersuites that Ncat will use when
221 connecting to servers or when accepting SSL connections from
222 clients. The syntax is described in the OpenSSL ciphers(1) man
223 page, and defaults to
224 ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!MD5:@STRENGTH
225 --ssl-alpn ALPN list (Specify ALPN protocol list)
227 This option allows you to specify a comma-separated list of
228 protocols to send via the Application-Layer Protocol Negotiation
229 (ALPN) TLS extension. Not supported by all versions of OpenSSL.
230
232 --proxy host[:port] (Specify proxy address)
233 Requests proxying through host:port, using the protocol specified
234 by --proxy-type.
235 If no port is specified, the proxy protocol's well-known port is
237 used (1080 for SOCKS and 3128 for HTTP). However, when specifying
238 an IPv6 HTTP proxy server using the IP address rather than the
239 hostname, the port number MUST be specified as well. If the proxy
240 requires authentication, use --proxy-auth.
241 --proxy-type proto (Specify proxy protocol)
243 In connect mode, this option requests the protocol proto to connect
244 through the proxy host specified by --proxy. In listen mode, this
245 option has Ncat act as a proxy server using the specified protocol.
246 The currently available protocols in connect mode are http
248 (CONNECT), socks4 (SOCKSv4), and socks5 (SOCKSv5). The only server
249 currently supported is http. If this option is not used, the
250 default protocol is http.
251 --proxy-auth user[:pass] (Specify proxy credentials)
253 In connect mode, gives the credentials that will be used to connect
254 to the proxy server. In listen mode, gives the credentials that
255 will be required of connecting clients. For use with --proxy-type
256 http or --proxy-type socks5, the form should be username:password.
257 For --proxy-type socks4, it should be a username only.
258
260 -e command, --exec command (Execute command)
261 Execute the specified command after a connection has been
262 established. The command must be specified as a full pathname. All
263 input from the remote client will be sent to the application and
264 responses sent back to the remote client over the socket, thus
265 making your command-line application interactive over a socket.
266 Combined with --keep-open, Ncat will handle multiple simultaneous
267 connections to your specified port/application like inetd. Ncat
268 will only accept a maximum, definable, number of simultaneous
269 connections controlled by the -m option. By default this is set to
270 100 (60 on Windows).
271 -c command, --sh-exec command (Execute command via sh)
273 Same as -e, except it tries to execute the command via /bin/sh.
274 This means you don't have to specify the full path for the command,
275 and shell facilities like environment variables are available.
276 --lua-exec file (Execute a .lua script)
278 Runs the specified file as a Lua script after a connection has been
279 established, using a built-in interpreter. Both the script's
280 standard input and the standard output are redirected to the
281 connection data streams.
282 All exec options add the following variables to the child's
284 environment:
285 NCAT_REMOTE_ADDR, NCAT_REMOTE_PORT
287 The IP address and port number of the remote host. In connect mode,
288 it's the target's address; in listen mode, it's the client's
289 address.
290 NCAT_LOCAL_ADDR, NCAT_LOCAL_PORT
292 The IP address and port number of the local end of the connection.
293 NCAT_PROTO
295 The protocol in use: one of TCP, UDP, and SCTP.
296
298 --allow host[,host,...] (Allow connections)
299 The list of hosts specified will be the only hosts allowed to
300 connect to the Ncat process. All other connection attempts will be
301 disconnected. In case of a conflict between --allow and --deny,
302 --allow takes precedence. Host specifications follow the same
303 syntax used by Nmap.
304 --allowfile file (Allow connections from file)
306 This has the same functionality as --allow, except that the allowed
307 hosts are provided in a new-line delimited allow file, rather than
308 directly on the command line.
309 --deny host[,host,...] (Deny connections)
311 Issue Ncat with a list of hosts that will not be allowed to connect
312 to the listening Ncat process. Specified hosts will have their
313 session silently terminated if they try to connect. In case of a
314 conflict between --allow and --deny, --allow takes precedence. Host
315 specifications follow the same syntax used by Nmap.
316 --denyfile file (Deny connections from file)
318 This is the same functionality as --deny, except that excluded
319 hosts are provided in a new-line delimited deny file, rather than
320 directly on the command line.
321
323 These options accept a time parameter. This is specified in seconds by
324 default, though you can append ms, s, m, or h to the value to specify
325 milliseconds, seconds, minutes, or hours.
326 -d time, --delay time (Specify line delay)
328 Set the delay interval for lines sent. This effectively limits the
329 number of lines that Ncat will send in the specified period. This
330 may be useful for low-bandwidth sites, or have other uses such as
331 coping with annoying iptables --limit options.
332 -i time, --idle-timeout time (Specify idle timeout)
334 Set a fixed timeout for idle connections. If the idle timeout is
335 reached, the connection is terminated.
336 -w time, --wait time (Specify connect timeout)
338 Set a fixed timeout for connection attempts.
339
341 -o file, --output file (Save session data)
342 Dump session data to a file
343 -x file, --hex-dump file (Save session data in hex)
345 Dump session data in hex to a file.
346 --append-output (Append output)
348 Issue Ncat with --append-ouput along with -o and/or -x and it will
349 append the resulted output rather than truncating the specified
350 output files.
351 -v, --verbose (Be verbose)
353 Issue Ncat with -v and it will be verbose and display all kinds of
354 useful connection based information. Use more than once (-vv,
355 -vvv...) for greater verbosity.
356
358 -C, --crlf (Use CRLF as EOL)
359 This option tells Ncat to convert LF line endings to CRLF when
360 taking input from standard input. This is useful for talking to
361 some stringent servers directly from a terminal in one of the many
362 common plain-text protocols that use CRLF for end-of-line.
363 -h, --help (Help screen)
365 Displays a short help screen with common options and parameters,
366 and then exits.
367 --recv-only (Only receive data)
369 If this option is passed, Ncat will only receive data and will not
370 try to send anything.
371 --send-only (Only send data)
373 If this option is passed, then Ncat will only send data and will
374 ignore anything received. This option also causes Ncat to close the
375 network connection and terminate after EOF is received on standard
376 input.
377 --no-shutdown (Do not shutdown into half-duplex mode)
379 If this option is passed, Ncat will not invoke shutdown on a socket
380 aftering seeing EOF on stdin. This is provided for
381 backward-compatibility with OpenBSD netcat, which exhibits this
382 behavior when executed with its '-d' option.
383 -t, --telnet (Answer Telnet negotiations)
385 Handle DO/DONT WILL/WONT Telnet negotiations. This makes it
386 possible to script Telnet sessions with Ncat.
387 --version (Display version)
389 Displays the Ncat version number and exits.
390
392 The -U option (same as --unixsock) causes Ncat to use Unix domain
393 sockets rather than network sockets. Unix domain sockets exist as an
394 entry in the filesystem. You must give the name of a socket to connect
395 to or to listen on. For example, to make a connection,
396 ncat -U ~/unixsock
398 To listen on a socket:
400 ncat -l -U ~/unixsock
402 Listen mode will create the socket if it doesn't exist. The socket will
404 continue to exist after the program ends.
405 Both stream and datagram domain sockets are supported. Use -U on its
407 own for stream sockets, or combine it with --udp for datagram sockets.
408 Datagram sockets require a source socket to connect from. By default, a
409 source socket with a random filename will be created as needed, and
410 deleted when the program ends. Use the --source with a path to use a
411 source socket with a specific name.
412
414 Connect to example.org on TCP port 8080.
415 ncat example.org 8080
416 Listen for connections on TCP port 8080.
418 ncat -l 8080
419 Redirect TCP port 8080 on the local machine to host on port 80.
421 ncat --sh-exec "ncat example.org 80" -l 8080 --keep-open
422 Bind to TCP port 8081 and attach /bin/bash for the world to access
424 freely.
425 ncat --exec "/bin/bash" -l 8081 --keep-open
426 Bind a shell to TCP port 8081, limit access to hosts on a local
428 network, and limit the maximum number of simultaneous connections to 3.
429 ncat --exec "/bin/bash" --max-conns 3 --allow 192.168.0.0/24 -l
430 8081 --keep-open
431 Connect to smtphost:25 through a SOCKS4 server on port 1080.
433 ncat --proxy socks4host --proxy-type socks4 --proxy-auth joe
434 smtphost 25
435 Connect to smtphost:25 through a SOCKS5 server on port 1080.
437 ncat --proxy socks5host --proxy-type socks5 --proxy-auth joe:secret
438 smtphost 25
439 Create an HTTP proxy server on localhost port 8888.
441 ncat -l --proxy-type http localhost 8888
442 Send a file over TCP port 9899 from host2 (client) to host1 (server).
444 HOST1$ ncat -l 9899 > outputfile
445 HOST2$ ncat HOST1 9899 < inputfile
447 Transfer in the other direction, turning Ncat into a “one file” server.
449 HOST1$ ncat -l 9899 < inputfile
450 HOST2$ ncat HOST1 9899 > outputfile
452
454 The exit code reflects whether a connection was made and completed
455 successfully. 0 means there was no error. 1 means there was a network
456 error of some kind, for example “Connection refused” or “Connection
457 reset”. 2 is reserved for all other errors, like an invalid option or a
458 nonexistent file.
459
461 Like its authors, Ncat isn't perfect. But you can help make it better
462 by sending bug reports or even writing patches. If Ncat doesn't behave
463 the way you expect, first upgrade to the latest version available from
464 https://nmap.org. If the problem persists, do some research to
465 determine whether it has already been discovered and addressed. Try
466 Googling the error message or browsing the nmap-dev archives at
467 http://seclists.org/.
468 Read this full manual page as well. If nothing comes of this, mail a
470 bug report to <dev@nmap.org>. Please include everything you have
471 learned about the problem, as well as what version of Ncat you are
472 running and what operating system version it is running on. Problem
473 reports and Ncat usage questions sent to dev@nmap.org are far more
474 likely to be answered than those sent to Fyodor directly.
475 Code patches to fix bugs are even better than bug reports. Basic
477 instructions for creating patch files with your changes are available
478 at https://svn.nmap.org/nmap/HACKING. Patches may be sent to nmap-dev
479 (recommended) or to Fyodor directly.
480
482 · Chris Gibson <chris@linuxops.net>
483 · Kris Katterjohn <katterjohn@gmail.com>
485 · Mixter <mixter@gmail.com>
487 · Fyodor <fyodor@nmap.org> (http://insecure.org)
489 The original Netcat was written by *Hobbit* <hobbit@avian.org>. While
491 Ncat isn't built on any code from the “traditional” Netcat (or any
492 other implementation), Ncat is most definitely based on Netcat in
493 spirit and functionality.
494
496 Ncat Copyright and Licensing
497 Ncat is (C) 2005–2012 Insecure.Com LLC. It is distributed as free and
498 open source software under the same license terms as our Nmap software.
499 Precise terms and further details are available from
500 https://nmap.org/man/man-legal.html.
501 Creative Commons License for this Ncat Guide
503 This Ncat Reference Guide is (C) 2005–2012 Insecure.Com LLC. It is
504 hereby placed under version 3.0 of the Creative Commons Attribution
505 License[1]. This allows you redistribute and modify the work as you
506 desire, as long as you credit the original source. Alternatively, you
507 may choose to treat this document as falling under the same license as
508 Ncap itself (discussed previously).
509 Source Code Availability and Community Contributions
511 Source is provided to this software because we believe users have a
512 right to know exactly what a program is going to do before they run it.
513 This also allows you to audit the software for security holes (none
514 have been found so far).
515 Source code also allows you to port Nmap (which includes Ncat) to new
517 platforms, fix bugs, and add new features. You are highly encouraged to
518 send your changes to <dev@nmap.org> for possible incorporation into the
519 main distribution. By sending these changes to Fyodor or one of the
520 Insecure.Org development mailing lists, it is assumed that you are
521 offering the Nmap Project (Insecure.Com LLC) the unlimited,
522 non-exclusive right to reuse, modify, and relicense the code. Nmap will
523 always be available open source, but this is important because the
524 inability to relicense code has caused devastating problems for other
525 Free Software projects (such as KDE and NASM). We also occasionally
526 relicense the code to third parties as discussed in the Nmap man page.
527 If you wish to specify special license conditions of your
528 contributions, just say so when you send them.
529 No Warranty
531 This program is distributed in the hope that it will be useful, but
532 WITHOUT ANY WARRANTY; without even the implied warranty of
533 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
534 General Public License v2.0 for more details at
535 http://www.gnu.org/licenses/gpl-2.0.html, or in the COPYING file
536 included with Nmap.
537 Inappropriate Usage
539 Ncat should never be installed with special privileges (e.g. suid
540 root). That would open up a major security vulnerability as other
541 users on the system (or attackers) could use it for privilege
542 escalation.
543 Third-Party Software
545 This product includes software developed by the Apache Software
546 Foundation[2]. A modified version of the Libpcap portable packet
547 capture library[3] is distributed along with Ncat. The Windows version
548 of Ncat utilized the Libpcap-derived Npcap library[4] instead. Certain
549 raw networking functions use the Libdnet[5] networking library, which
550 was written by Dug Song. A modified version is distributed with Ncat.
551 Ncat can optionally link with the OpenSSL cryptography toolkit[6] for
552 SSL version detection support. All of the third-party software
553 described in this paragraph is freely redistributable under BSD-style
554 software licenses.
555
557 1. Creative Commons Attribution License
558 http://creativecommons.org/licenses/by/3.0/
559 2. Apache Software Foundation
561 http://www.apache.org
562 3. Libpcap portable packet capture library
564 http://www.tcpdump.org
565 4. Npcap library
567 http://www.npcap.org
568 5. Libdnet
570 http://libdnet.sourceforge.net
571 6. OpenSSL cryptography toolkit
573 http://www.openssl.org
574Ncat 03/15/2018 NCAT(1)