Netcat Field Guide
The following excerpt from the Linux man pages introduces netcat (
The nc (or netcat) utility is used for just about anything under the sun involving TCP or UDP. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6.
Although it may sound simple, netcat can be a surprisingly versatile and powerful tool - it is often referred to as the 'Swiss Army Knife' of TCP/IP.
You should only use netcat to communicate with computers that you have permission to access.
There are several different implementations of netcat. Here we will focus on the
default implementation available with most Linux distributions. It is typically
nc so we will use that command throughout.
There are various implementations available for Windows and also Ncat, which is integrated into Nmap.
If you get stuck using netcat, you can always use
man nc (on a Unix system) or
nc --help to get help.
Netcat as a client
At it's most simple, we can use netcat as a client to connect to a server for sending and receiving data. By default, netcat uses TCP as a transport protocol.
Netcat doesn't care what application protocol a server uses and will display the raw data. This capability makes it great at 'banner grabbing'.
Banner grabbing is a simple technique of connecting to network services to retrieve any 'banner' which is displayed. Thisinformation can help identify information about the service such as what type of service it is (e.g. SSH or HTTP) and what version of that service is running.
To do this, we need to supply is an IP address (or domain name) and a port number.
Basic use of the netcat command is as follows:
nc <IP ADDRESS> <PORT>
Example 1 - SSH
$ nc -v 192.168.1.123 22 Connection to 192.168.1.123 22 port [tcp/*] succeeded! SSH-2.0-OpenSSH
Here we've used the
-v option for verbose which means netcat tells us when the
connection has succeeded.
We can then see the SSH banner (SSH runs on port 22) which includes some information about which version of SSH is running.
Example 2 - HTTP
When connecting to an HTTP service, the server will be expecting a request from the
client in the first instance. Therefore, to get a response using netcat, we have
to manually type in our HTTP request (and press
enter) to send it to the server.
$ nc -v example.com 80 Connection to example.com 80 port [tcp/http] succeeded! GET / HTTP/1.1 # Entered by user Host: example.com # Entered by user HTTP/1.1 200 OK # some details removed for brevity Cache-Control: max-age=604800 Content-Type: text/html; charset=UTF-8 X-Cache: HIT Content-Length: 1256 <!doctype html> <html> <head> <title>Example Domain</title> # head content removed for brevity </head> <body> <div> <h1>Example Domain</h1> <p>This domain is for use in illustrative examples in documents. You may use this domain in literature without prior coordination or asking for permission.</p> <p><a href="https://www.iana.org/domains/example">More information...</a></p> </div> </body> </html>
First, we connect with netcat (
nc -v example.com 80) and establish a connection
with the server. Once the connection has succeeded, we manually enter a basic request
into the client:
GET / HTTP/1.1 Host: example.com
Which the server sees as valid and therefore returns an appropriate response
HTTP/1.1 200 OK) including the full body of the page.
Netcat as a server/listener
We can also use netcat as a server which will listen for inbound connections by
-l flag to our command.
By default, the listener will listen on all available IP addresses (IPv4 and IPv6). Otherwise, you can specify which IP address to listen on.
Example 4 - Listener and Client
We start the listener as follows:
nc -l 2468
Then on the same machine, we can use a netcat client to connect and start exchanging messages:
nc 127.0.0.1 2468
Because both client and server are on the same machine, we have used the localhost address (127.0.0.1). To connect over a network, from a remote machine, we would need to use the IP address assigned to an interface on the listening computer.
As mentioned above, netcat uses TCP by default. We can use the
-u option to use
UDP as the transport protocol for our connection.
Example 5 - UDP Server
The following command line creates a netcat UDP listener.
nc -ul 10000
Example 6 - UDP Client
The following command line will communicate with a local UDP server on port 10000 (such as the netcat listener in Example 5).
nc localhost -u 10000
Modern implementations of
nc will use IPv6 (and IPv4) by default. You can see
below that when running on localhost, netcat listens on both the IPv6 and IPv4
address for localhost.
$ nc -v -l 2468 # here we're running the Nmap implementation, 'Ncat' Ncat: Version 7.50 ( https://nmap.org/ncat ) Ncat: Listening on :::2468 Ncat: Listening on 0.0.0.0:2468
However, you can explicitly force the use of IPv6 (or IPv4) if required. For IPv6,
-6 option and for IPv4, use the
Example 7 - IPv6 with netcat
We force the listener to use IPv6 and enter 'hello world'.
$ nc -l6 2468 hello world
Now if we try to connect to the IPv4 address for localhost (
127.0.0.1), it will
fail. Connecting to the IPv6 address for localhost (
::1) will succeed though.
$ nc 127.0.0.1 2468 Ncat: Connection refused. $ nc ::1 2468 hello world
Transferring files with netcat
On Unix systems, we can use built-in functionality to combined with netcat to transfer
files. We can use
cat with a pipe (
|), or redirection (with
<), to send the
file and then use redirection to write the data to a file at the receiver. We can
send the file from the client or the listener.
Example 8 - Transfering Data to the Client
Here we will use
cat with a pipe (
|) to pass the data to a netcat listener.
We then use redirection with the client to write the received data to a file.
Server / Listener
cat data.txt | nc -vl 2468
nc localhost 2468 > client_received.txt
Example 9 - Transfering Data from the Client
Here we start by setting up the listener to redirect any output to a file. Then we run the client and use redirection to read in the input that we want to send. The client will connect, send the data and then disconnect.
Server / Listener
nc -l 2468 > listener_received.txt
nc localhost 2468 < data.txt
Check open ports with netcat
There are many tools which can be used to look for open ports, with Nmap being an
effective option. However, netcat can also achieve this with the
-z option which
will test for open ports (or 'listening daemons') without sending any data. This
option only works over TCP so shouldn't be used with the
Example - Port Scanning
The example below will scan for open ports between 1 and 1000 on localhost. We could
use an IP address or domain instead of localhost. We use
-v for verbose so that
netcat displays information about whether the connection has succeeded or failed
for each port.
nc -zv localhost 1-1000
What is the default transport protocol used by netcat?
What is banner grabbing?
Which option can be used with netcat to check for open ports without sending any data?