Netcat Field Guide

The following excerpt from the Linux man pages introduces netcat (nc) well:

The nc (or netcat) utility is used for just about anything under the sun involving TCP or UDP. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6.

Although it may sound simple, netcat can be a surprisingly versatile and powerful tool - it is often referred to as the 'Swiss Army Knife' of TCP/IP.

You should only use netcat to communicate with computers that you have permission to access.

Netcat Implementations

There are several different implementations of netcat. Here we will focus on the default implementation available with most Linux distributions. It is typically available as nc so we will use that command throughout.

There are various implementations available for Windows and also Ncat, which is integrated into Nmap.

If you get stuck using netcat, you can always use man nc (on a Unix system) or nc --help to get help.

Netcat as a client

At it's most simple, we can use netcat as a client to connect to a server for sending and receiving data. By default, netcat uses TCP as a transport protocol.

Netcat doesn't care what application protocol a server uses and will display the raw data. This capability makes it great at 'banner grabbing'.

Banner grabbing is a simple technique of connecting to network services to retrieve any 'banner' which is displayed. Thisinformation can help identify information about the service such as what type of service it is (e.g. SSH or HTTP) and what version of that service is running.

To do this, we need to supply is an IP address (or domain name) and a port number.

Basic use of the netcat command is as follows:

nc <IP ADDRESS> <PORT>

Example 1 - SSH

$ nc -v 192.168.1.123 22
Connection to 192.168.1.123 22 port [tcp/*] succeeded!
SSH-2.0-OpenSSH

Here we've used the -v option for verbose which means netcat tells us when the connection has succeeded.

We can then see the SSH banner (SSH runs on port 22) which includes some information about which version of SSH is running.

Example 2 - HTTP

When connecting to an HTTP service, the server will be expecting a request from the client in the first instance. Therefore, to get a response using netcat, we have to manually type in our HTTP request (and press enter) to send it to the server.

$ nc -v example.com 80
Connection to example.com 80 port [tcp/http] succeeded!
GET / HTTP/1.1          # Entered by user
Host: example.com       # Entered by user

HTTP/1.1 200 OK
# some details removed for brevity
Cache-Control: max-age=604800
Content-Type: text/html; charset=UTF-8
X-Cache: HIT
Content-Length: 1256

<!doctype html>
<html>
<head>
    <title>Example Domain</title>
    # head content removed for brevity
</head>

<body>
<div>
    <h1>Example Domain</h1>
    <p>This domain is for use in illustrative examples in documents. You may use
    this domain in literature without prior coordination or asking for permission.</p>
    <p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>

First, we connect with netcat (nc -v example.com 80) and establish a connection with the server. Once the connection has succeeded, we manually enter a basic request into the client:

GET / HTTP/1.1
Host: example.com

Which the server sees as valid and therefore returns an appropriate response (HTTP/1.1 200 OK) including the full body of the page.

Netcat as a server/listener

We can also use netcat as a server which will listen for inbound connections by adding the -l flag to our command.

By default, the listener will listen on all available IP addresses (IPv4 and IPv6). Otherwise, you can specify which IP address to listen on.

Example 4 - Listener and Client

We start the listener as follows:

nc -l 2468

Then on the same machine, we can use a netcat client to connect and start exchanging messages:

nc 127.0.0.1 2468

Because both client and server are on the same machine, we have used the localhost address (127.0.0.1). To connect over a network, from a remote machine, we would need to use the IP address assigned to an interface on the listening computer.

Using UDP

As mentioned above, netcat uses TCP by default. We can use the -u option to use UDP as the transport protocol for our connection.

Example 5 - UDP Server

The following command line creates a netcat UDP listener.

nc -ul 10000

Example 6 - UDP Client

The following command line will communicate with a local UDP server on port 10000 (such as the netcat listener in Example 5).

nc localhost -u 10000

Using IPv6

Modern implementations of nc will use IPv6 (and IPv4) by default. You can see below that when running on localhost, netcat listens on both the IPv6 and IPv4 address for localhost.

$ nc -v -l 2468 # here we're running the Nmap implementation, 'Ncat'
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::2468
Ncat: Listening on 0.0.0.0:2468

However, you can explicitly force the use of IPv6 (or IPv4) if required. For IPv6, use the -6 option and for IPv4, use the -4 option.

Example 7 - IPv6 with netcat

IPv6 Listener

We force the listener to use IPv6 and enter 'hello world'.

$ nc -l6 2468
hello world

IPv6 Client

Now if we try to connect to the IPv4 address for localhost (127.0.0.1), it will fail. Connecting to the IPv6 address for localhost (::1) will succeed though.

$ nc 127.0.0.1 2468
Ncat: Connection refused.
$ nc ::1 2468
hello world

Transferring files with netcat

On Unix systems, we can use built-in functionality to combined with netcat to transfer files. We can use cat with a pipe (|), or redirection (with <), to send the file and then use redirection to write the data to a file at the receiver. We can send the file from the client or the listener.

Example 8 - Transfering Data to the Client

Here we will use cat with a pipe (|) to pass the data to a netcat listener. We then use redirection with the client to write the received data to a file.

Server / Listener

cat data.txt | nc -vl 2468

Client

nc localhost 2468 > client_received.txt

Example 9 - Transfering Data from the Client

Here we start by setting up the listener to redirect any output to a file. Then we run the client and use redirection to read in the input that we want to send. The client will connect, send the data and then disconnect.

Server / Listener

nc -l 2468 > listener_received.txt
nc localhost 2468 < data.txt

Check open ports with netcat

There are many tools which can be used to look for open ports, with Nmap being an effective option. However, netcat can also achieve this with the -z option which will test for open ports (or 'listening daemons') without sending any data. This option only works over TCP so shouldn't be used with the -u option.

Example - Port Scanning

The example below will scan for open ports between 1 and 1000 on localhost. We could use an IP address or domain instead of localhost. We use -v for verbose so that netcat displays information about whether the connection has succeeded or failed for each port.

nc -zv localhost 1-1000

Questions

Question 1

What is the default transport protocol used by netcat?

Question 2

What is banner grabbing?

Question 3

Which option can be used with netcat to check for open ports without sending any data?

  1. -x

  2. -p

  3. -z

  4. -u

References

nc(1) - Linux man page

die.net Linux man pages

Prerequisite Skills

lesson

TCP: The Transmission Control Protocol

Most Internet applications use TCP for the transport layer (layer 4 in the OSI model). It is a connection-oriented protocol which provides…

lesson

UDP: User Datagram Protocol

UDP (User Datagram Protocol) is a simple transport layer protocol defined in RFC 768. It is designed to run on top of IP and is assigned…

lesson

The Linux Terminal and Shell

Terminal, shell, bash and other terminology are often used interchangeably, some definitions of the technical differences are given below…