Netcat is a simple but useful tool used for TCP, UDP, Unix-domain sockets. Netcat can listen or connect specified sockets easily. Netcat is a platform-independent command supported by Linux, Unix, Windows, BSD, macOS, etc. Common use cases for Netcat are;
- Simple TCP proxy
- Shell script-based HTTP clients and Servers
- Network daemon testing
- A SOCKS or HTTP ProxyCommand for ssh
netcat Command Syntax
We will use the following syntax for `nc` command.
netcat OPTIONS DESTINATION PORT
OPTIONSused to set some special behavior like timeout, help, jumbo frame, etc.
DESTINATIONis used to specify remote system IP or Hostname.
PORTis the remote system port number.
If we will use
netcat as server the following syntax is valid.
nc OPTIONS PORT
- OPTIONS used to set some special behavior like timeout, help, jumbo
- PORT is the port number the server will listen
netcat Command Help
nc or netcat command has a lot of different options. Help and information about these options can get or printed with the
-h option like below.
$ nc -h
We can see that
netcat command provides a lot of different options.
Port Scan with netcat Command
Penetration testers generally use port scan techniques for information gathering. Nmap is one of the most popular tools to find open ports. Netcat can provide port scan functionality. The advantage of
netcat is simplicity and no library dependency. Single
netcat binary is enough for port scan and can be used for all operating systems like Windows, Linux, Unix, MacOS, BSD.
We will use
-z options for a port scan like below. In this example, we will scan IP address
192.168.122.1 which can be also a domain name like
poftut.com . The port range is specified as
$ nc -z -v 192.168.122.1 1-30
The screenshot shows detailed output only port 22 is open as we can see. Make the IP scan faster with the
-n option. This will disable the DNS resolutions about the target IP address.
$ nc -z -v 192.168.122.1 1-30
Verbose Scan with netcat Command
In the previous example, we have scanned our host in a silent mode. Silent mode is the default mode which means only open ports will be printed to the console. There is an option
-v that will produce more detailed information. The verbose mode can be also used for banner grabbing purposes. In the following example, we will scan the port range from 1 to 1000.
$ nc -z -v -n 192.168.122.1 1-1000
Start Netcat TCP Server
Another useful feature of
netcat is acting as a TCP server. Netcat can listen to the specified TCP port. But as a security measure in Linux systems only privileged users can listen to ports between 1-1024 . In this example, we will listen to TCP ports 30. To give required privileges we use
$ sudo nc -l -p 30
In the example screenshot, we see that a client is connected to our server and provided text like
test . This client tool can be telnet or
netcat too. If we do not provide the
sudo command to get root privileges we will get an error like
Connect Netcat TCP Server
In the previous example, we have examined the TCP server. Netcat also provides client capabilities. To use
netcat as a client we should provide hostname or IP address and the port information. There is no special option for this.
$ nc localhost 30
In this example, we have connected to the localhost ssh port number 22. SSH server sends us some text about it and waiting for the response.
Send Files Trough Netcat
Another useful feature of the
netcat is file transfer. As we see previous examples
netcat can transfer text easily with server-client architecture. There is no limit on transfer data. This data can be a normal program or a movie. But keep in mind the transfer time will change according to data size. In order to transfer we need to set up a server which is the destination. And in the server configuration, we will redirect the incoming data into a filename
$ netcat -l -p 4444 > myfile.txt
Now we can send the file from the client. We will read file
thefile.txt in the client-side by redirecting to the netcat file like below.
$ nc 192.168.122.239 4444 < thefile.txt
After the transfer is completed both server and client-side netcat instances will be closed.
Simple Web Server With Netcat Command
Netcat has another interesting feature for simple usage. Netcat can be used as a simple web server. Actually, web servers are very simple if there are no special configuration requirements. Web servers only send HTML pages over HTTP protocol. Netcat can also send HTML code with redirection.
$ nc -l 4444 < index.html
In the client-side, we will use Google Chrome to navigate IP address
192.168.122.239 with port number
Prevent DNS Lookup
While using DNS lookup can be disabled with the option
-n this will make operations faster.
$ netcat -n google.com 80
Continue Listening After Client Has Disconnected
netcat will stop listening on the specified port and IP address after a client has ended its connection. This means
netcat works as server listener. We can provide the
-k option which will continue listening given port and IP address even the remote client ends its connection.
$ nc -k -l 4444
Specify Timeout For netcat Connection
After establishing a connection to the remote
netcat server we transfer some data. If there is no transfer for during the specified time which is called
timeout we can drop or close the connection. We will use
-w option with the timeout value we want to set. In this example, we will set a timeout value as
$ nc -w 120 192.168.1.10 8888
Use IPv4 Only with netcat Command
netcat is a tool that supports both IPv4 and IPv6 and in some cases, we may want to only enable the IPv4 protocol. This is especially useful for listening to a specific port. We will use
-4 as an option to enable only IPv4.
$ nc -k -4 -l 4444
Use IPv6 Only with netcat Command
On the other side, we can also enable only IPv6.This is a very rare case but may be useful in some rare situations. We can enable only IPv6 with the
-6 option like below.
$ nc -k -6 -l 4444
Banner Grabbing with netcat Command
netcat or nc can be used to grab banners of different ports like SSH, HTTP, HTTPS, VNC, FTP etc. Netcat will initiate a connection to the remote system specified port and print returned response as text to the console with the
$ nc 220.127.116.11 443
Then we will issue the following HTTP command in order to make a request to the remote HTTP server. The server will respond to this with the information or banner of itself.
GET / HTTP 2.0