1nc(1) User Commands nc(1)
2
6 nc - arbitrary TCP and UDP connections and listens
7
9 nc -h
10 nc [-46dnrtuvz] [-i interval] [-P proxy_username] [-p port]
13 [-s source_ip_address] [-T ToS] [-w timeout]
14 [-X proxy_protocol] [-x proxy_address[:port]]
15 hostname port_list
16 nc -l [-46Ddnrtuvz] [-i interval] [-T ToS] [hostname] port
19 nc -l [-46Ddnrtuvz] [-i interval] [-T ToS] -p port
22 nc -U [-Ddtvz] [-i interval] [-w timeout] path
25 nc -Ul [-46Ddktv] [-i interval] path
28
31 The nc (or netcat) utility is used for a variety of tasks associated
32 with TCP or UDP. nc can open TCP connections, send UDP packets, listen
33 on arbitrary TCP and UDP ports, perform port scanning, and deal with
34 both IPv4 and IPv6. Unlike telnet(1), nc scripts nicely, and separates
35 error messages onto standard error instead of sending them to standard
36 output.
37 The nc command is often used for the following tasks:
40 o simple TCP proxies
42 o shell-script based HTTP clients and servers
44 o network daemon testing
46 o a SOCKS or HTTP ProxyCommand for ssh(1)
48
50 The following options are supported:
51 -4
53 Force nc to use IPv4 addresses only.
55 -6
58 Force nc to use IPv6 addresses only.
60 -D
63 Enable debugging on the socket.
65 -d
68 Do not attempt to read from stdin.
70 -h
73 Print nc help.
75 -i interval
78 Specify a delay time of interval between lines of text sent and
80 received. This option also causes a delay time between connections
81 to multiple ports.
82 -k
85 Force nc to listen for another connection after its current connec‐
87 tion is closed.
88 It is an error to use this option without the -l option.
90 -l
93 Listen for an incoming connection rather than initiate a connection
95 to a remote host.
96 It is an error to use this option in conjunction with the -s or -z
98 options. Additionally, any timeout specified with the -w option is
99 ignored.
100 -n
103 Do not do any naming or service lookups on any addresses, host‐
105 names, or ports.
106 Use of this option means that hostname and port arguments are
108 restricted to numeric values.
109 If used with -v option all addresses and ports are printed in
111 numeric form, in addition to the restriction imposed on the argu‐
112 ments. This option does not have any effect when used in conjunc‐
113 tion with the -U option.
114 -P proxy_username
117 Specify a username (proxy_username) to present to a proxy server
119 that requires authentication. If proxy_username is not specified,
120 authentication is not attempted. Proxy authentication is only sup‐
121 ported for HTTP CONNECT proxies at present.
122 It is an error to use this option in conjunction with the -l
124 option.
125 -p port
128 When used without -l option, specify the source port nc should use,
130 subject to privilege restrictions and availability. When used with
131 the -l option, set the listen port.
132 This option can be used with -l option only provided global port
134 argument is not specified.
135 -r
138 Choose source or destination ports randomly instead of sequentially
140 within a range or in the order that the system assigns them.
141 It is an error to use this option in conjunction with the -l
143 option.
144 -s source_ip_address
147 Specify the IP of the interface which is used to send the packets.
149 It is an error to use this option in conjunction with the -l
151 option.
152 -T ToS
155 Specify IP Type of Service (ToS) for the connection. Valid values
157 are the tokens: lowdelay, throughput, reliability, or an 8-bit
158 hexadecimal value preceded by 0x.
159 -t
162 Cause nc to send RFC 854 DON'T and WON'T responses to RFC 854 DO
164 and WILL requests. This makes it possible to use nc to script tel‐
165 net sessions.
166 -U
169 Specify the use of Unix Domain Sockets. If you specify this option
171 without -l, nc, it becomes AF_UNIX client. If you specify this
172 option with the -l option, a AF_UNIX server is created.
173 Use of this option requires that a single argument of a valid Unix
175 domain path has to be provided to nc, not a host name or port.
176 -u
179 Use UDP instead of the default option of TCP.
181 -v
184 Specify verbose output.
186 -w timeout
189 Silently close the connection if a connection and stdin are idle
191 for more than timeout seconds.
192 This option has no effect on the -l option, that is, nc listens
194 forever for a connection, with or without the -w flag. The default
195 is no timeout.
196 -X proxy_protocol
199 Use the specified protocol when talking to the proxy server. Sup‐
201 ported protocols are 4 (SOCKS v.4), 5 (SOCKS v.5) and connect (HTTP
202 proxy). If the protocol is not specified, SOCKS v. 5 is used.
203 It is an error to use this option in conjunction with the -l
205 option.
206 -x proxy_address[:port]
209 Request connection to hostname using a proxy at proxy_address and
211 port. If port is not specified, the well-known port for the proxy
212 protocol is used (1080 for SOCKS, 3128 for HTTP).
213 It is an error to use this option in conjunction with the -l
215 option.
216 -z
219 Scan for listening daemons, without sending any data to them.
221 It is an error to use this option in conjunction with the -l
223 option.
224
227 The following operands are supported:
228 hostname Specify host name.
230 hostname can be a numerical IP address or a symbolic host‐
232 name (unless the -n option is specified).
233 In general, hostname must be specified, unless the -l
235 option is given or -U is used (in which case the argument
236 is a path). If hostname argument is specified with -l
237 option then port argument must be given as well and nc
238 tries to bind to that address and port. If hostname argu‐
239 ment is not specified with -l option then nc tries to lis‐
240 ten on a wildcard socket for given port.
241 path Specify pathname.
244 port Specify port.
247 port_list
248 port_list can be specified as single integers, ranges or
249 combinations of both. Specify ranges in the form of nn-mm.
250 The port_list must have at least one member, but can have
251 multiple ports/ranges separated by commas.
252 In general, a destination port must be specified, unless
254 the -U option is given, in which case a Unix Domain Socket
255 path must be specified instead of hostname.
256
259 Client/Server Model
260 It is quite simple to build a very basic client/server model using nc.
261 On one console, start nc listening on a specific port for a connection.
262 For example, the command:
263 $ nc -l 1234
265 listens on port 1234 for a connection. On a second console (or a second
270 machine), connect to the machine and port to which nc is listening:
271 $ nc 127.0.0.1 1234
273 There should now be a connection between the ports. Anything typed at
278 the second console is concatenated to the first, and vice-versa. After
279 the connection has been set up, nc does not really care which side is
280 being used as a server and which side is being used as a client. The
281 connection can be terminated using an EOF (Ctrl/d).
282 Data Transfer
284 The example in the previous section can be expanded to build a basic
285 data transfer model. Any information input into one end of the connec‐
286 tion is output to the other end, and input and output can be easily
287 captured in order to emulate file transfer.
288 Start by using nc to listen on a specific port, with output captured
291 into a file:
292 $ nc -l 1234 > filename.out
294 Using a second machine, connect to the listening nc process, feeding it
299 the file which is to be transferred:
300 $ nc host.example.com 1234 < filename.in
302 After the file has been transferred, the connection closes automati‐
307 cally.
308 Talking to Servers
310 It is sometimes useful to talk to servers by hand rather than through a
311 user interface. It can aid in troubleshooting, when it might be neces‐
312 sary to verify what data a server is sending in response to commands
313 issued by the client.
314 For example, to retrieve the home page of a web site:
317 $ echo -n "GET / HTTP/1.0\r\n\r\n" | nc host.example.com 80
319 This also displays the headers sent by the web server. They can be fil‐
324 tered, if necessary, by using a tool such as sed(1).
325 More complicated examples can be built up when the user knows the for‐
328 mat of requests required by the server. As another example, an email
329 can be submitted to an SMTP server using:
330 $ nc localhost 25 << EOF
332 HELO host.example.com
333 MAIL FROM: <user@host.example.com
334 RCTP TO: <user2@host.example.com
335 DATA
336 Body of email.
337 .
338 QUIT
339 EOF
340 Port Scanning
344 It can be useful to know which ports are open and running services on a
345 target machine. The -z flag can be used to tell nc to report open
346 ports, rather than to initiate a connection.
347 In this example:
350 $ nc -z host.example.com 20-30
352 Connection to host.example.com 22 port [tcp/ssh] succeeded!
353 Connection to host.example.com 25 port [tcp/smtp] succeeded!
354 The port range was specified to limit the search to ports 20 - 30.
359 Alternatively, it might be useful to know which server software is run‐
362 ning, and which versions. This information is often contained within
363 the greeting banners. In order to retrieve these, it is necessary to
364 first make a connection, and then break the connection when the banner
365 has been retrieved. This can be accomplished by specifying a small
366 timeout with the -w flag, or perhaps by issuing a QUIT command to the
367 server:
368 $ echo "QUIT" | nc host.example.com 20-30
370 SSH-2.0-Sun_SSH_1.1
371 Protocol mismatch.
372 220 host.example.com IMS SMTP Receiver Version 0.84 Ready
373 inetd Capabilities
377 One of the possible uses is to create simple services by using
378 inetd(1M).
379 The following example creates a redirect from TCP port 8080 to port 80
382 on host realwww:
383 # cat << EOF >> /etc/services
385 wwwredir 8080/tcp # WWW redirect
386 EOF
387 # cat << EOF > /tmp/wwwredir.conf
388 wwwredir stream tcp nowait nobody /usr/bin/nc /usr/bin/nc -w 3 realwww 80
389 EOF
390 # inetconv -i /tmp/wwwredir.conf
391 wwwredir -> /var/svc/manifest/network/wwwredir-tcp.xml
392 Importing wwwredir-tcp.xml ...Done
393 # inetadm -l wwwredir/tcp
394 SCOPE NAME=VALUE
395 name="wwwredir"
396 endpoint_type="stream"
397 proto="tcp"
398 isrpc=FALSE
399 wait=FALSE
400 exec="/usr/bin/nc -w 3 realwww 80"
401 arg0="/usr/bin/nc"
402 user="nobody"
403 default bind_addr=""
404 default bind_fail_max=-1
405 default bind_fail_interval=-1
406 default max_con_rate=-1
407 default max_copies=-1
408 default con_rate_offline=-1
409 default failrate_cnt=40
410 default failrate_interval=60
411 default inherit_env=TRUE
412 default tcp_trace=TRUE
413 default tcp_wrappers=FALSE
414 Privileges
418 To bind to a privileged port number nc needs to be granted the net_pri‐
419 vaddr privilege. If Solaris Trusted Extensions are configured and the
420 port nc should listen on is configured as a multi-level port nc also
421 needs the net_bindmlp privilege.
422 Privileges can be assigned to the user or role directly, by specifying
425 them in the account's default privilege set in user_attr(4). However,
426 this means that any application that this user or role starts have
427 these additional privileges. To only grant the privileges(5) when nc is
428 invoked, the recommended approach is to create and assign an rbac(5)
429 rights profile. See EXAMPLES for additional information.
430
432 Example 1 Using nc
433 Open a TCP connection to port 42 of host.example.com, using port 3141
436 as the source port, with a timeout of 5 seconds:
437 $ nc -p 3141 -w 5 host.example.com 42
440 Open a UDP connection to port 53 of host.example.com:
445 $ nc -u host.example.com 53
448 Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as
453 the IP for the local end of the connection:
454 $ nc -s 10.1.2.3 host.example.com 42
457 Use a list of ports and port ranges for a port scan on various ports:
462 $ nc -z host.example.com 21-25,53,80,110-120,443
465 Create and listen on a Unix Domain Socket:
470 $ nc -lU /var/tmp/dsocket
473 Create and listen on a UDP socket with associated port 8888:
478 $ nc -u -l -p 8888
481 which is the same as:
486 $ nc -u -l 8888
489 Create and listen on a TCP socket with associated port 2222 and bind to
494 address 127.0.0.1 only:
495 $ nc -l 127.0.0.1 2222
498 Connect to port 42 of host.example.com using an HTTP proxy at 10.2.3.4,
503 port 8080. This example could also be used by ssh(1). See the Proxy‐
504 Command directive in ssh_config(4) for more information.
505 $ nc -x10.2.3.4:8080 -Xconnect host.example.com 42
508 The same example again, this time enabling proxy authentication with
513 username ruser if the proxy requires it:
514 $ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42
517 To run nc with the smallest possible set of privileges as a user or
522 role that has additional privileges (such as the default root account)
523 it can be invoked using ppriv(1) as well. For example, limiting it to
524 only run with the privilege to bind to a privileged port:
525 $ ppriv -e -sA=basic,!file_link_any,!proc_exec,!proc_fork,\
528 !proc_info,!proc_session,net_privaddr nc -l 42
529 To allow a user or role to use only nc with the net_privaddr privilege,
534 a rights profile needs to be created:
535 /etc/security/exec_attr
538 Netcat privileged:solaris:cmd:::/usr/bin/nc:privs=net_privaddr
539 /etc/security/prof_attr
541 Netcat privileged:::Allow nc to bind to privileged ports:help=None.html
542 Assigning this rights profile using user_attr(4) permits the user or
547 role to run nc allowing it to listen on any port. To permit a user or
548 role to use nc only to listen on specific ports a wrapper script should
549 be specified in the rights profiles:
550 /etc/security/exec_attr
553 Netcat restricted:solaris:cmd:::/usr/bin/nc-restricted:privs=net_privaddr
554 /etc/security/prof_attr
556 Netcat restricted:::Allow nc to bind to privileged ports:help=None.html
557 and write a shell script that restricts the permissible options, for
562 example, one that permits one to bind only on ports between 42 and 64
563 (non-inclusive):
564 /usr/bin/nc-restricted:
567 #!/bin/sh
569 [ $# -eq 1 ] && [ $1 -gt 42 -a $1 -lt 64 ] && /usr/bin/nc -l -p "$1"
570 This grants the extra privileges when the user or role invokes nc using
575 the wrapper script from a profile shell. See pfsh(1), pfksh(1),
576 pfcsh(1), and pfexec(1).
577 Invoking nc directly does not run it with the additional privileges,
581 and neither does invoking the script without using pfexec or a profile
582 shell.
583
586 See attributes(5) for descriptions of the following attributes:
587 ┌─────────────────────────────┬─────────────────────────────┐
592 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
593 ├─────────────────────────────┼─────────────────────────────┤
594 │Availability │SUNWnetcat │
595 ├─────────────────────────────┼─────────────────────────────┤
596 │Interface Stability │See below. │
597 └─────────────────────────────┴─────────────────────────────┘
598 The package name is Committed. The command line syntax is Committed for
601 the -4, -6, -l, -n, -p ,-u, and -w options and their arguments (if
602 any). The name and port list arguments are Committed. The port range
603 syntax is Uncommitted. The interface stability level for all other com‐
604 mand line options and their arguments is Uncommitted.
605
607 cat(1), pfcsh(1), pfexec(1), pfksh(1), pfsh(1), ppriv(1), sed(1),
608 ssh(1), telnet(1), inetadm(1M), inetconv(1M), inetd(1M), ssh_config(4),
609 user_attr(4), attributes(5), privileges(5), rbac(5)
610
612 The original implementation of nc was written by Hobbit, hob‐
613 bit@avian.org.
614 nc was rewritten with IPv6 support by Eric Jackson, ericj@monkey.org.
617
619 UDP port scans always succeeds, that is, reports the port as open, ren‐
620 dering the -uz combination of flags relatively useless.
621SunOS 5.11 Apr 9 2009 nc(1)