nc Command in Linux



The nc (netcat) command is often referred to as the "Swiss Army knife" of networking tools due to its versatility and wide range of applications.

  • nc can establish TCP connections to other systems, allowing you to communicate with them. It can also send UDP packets to other systems, which is useful for certain types of network communication.
  • nc can listen on arbitrary TCP and UDP ports, making it useful for setting up servers or services on specific ports. Besides that, nc can scan for open ports on a target system, helping you identify which services are running.
  • Unlike telnet, nc is more script-friendly. This means you can easily use nc in shell scripts to automate network tasks.

In addition, nc separates error messages onto standard error (stderr) instead of standard output (stdout). This makes it easier to handle errors in scripts, as you can redirect and process error messages separately from regular output.


Here is a comprehensive guide to the options available with the nc command −

Syntax of nc Command

The following is the general syntax for the nc command −

nc [options] [hostname] [port]

Where −

  • Hostname − The hostname can be either a numerical IP address (e.g., 192.168.1.1) or a symbolic hostname (e.g., example.com). If the -n option is used, nc will not perform DNS resolution, meaning it will only accept numerical IP addresses. If the -l option is given, nc will listen on the local host, and you don't need to specify a hostname.
  • Port − The port can be a single integer (e.g., 80) or a range of ports (e.g., 20-30). In general, you need to specify a destination port unless you are using the -U option. If the -U option is given, you need to specify a Unix domain socket instead of a port.

nc Command Options

The following are different options that provide a wide range of functionalities for the nc command −

  • -4 − Forces nc to use IPv4 addresses only.
  • -6 − Forces nc to use IPv6 addresses only.
  • -D − Enables debugging on the socket.
  • -d − Do not attempt to read from stdin.
  • -h − Prints out nc help.
  • -i interval − Specifies a delay time interval between lines of text sent and received. Also causes a delay time between connections to multiple ports.
  • -k − Forces nc to stay listening for another connection after its current connection is completed. It is an error to use this option without the -l option.
  • -l − Used to specify that nc should listen for an incoming connection rather than initiate a connection to a remote host. It is an error to use this option in conjunction with the -p, -s, or -z options. Additionally, any timeouts specified with the -w option are ignored.
  • -n − Do not do any DNS or service lookups on any specified addresses, hostnames, or ports.
  • -p source_port − Specifies the source port nc should use, subject to privilege restrictions and availability. It is an error to use this option in conjunction with the -l option.
  • -r − Specifies that source and/or destination ports should be chosen randomly instead of sequentially within a range or in the order that the system assigns them.
  • -S − Enables the RFC 2385 TCP MD5 signature option.
  • -s source_ip_address − Specifies the IP of the interface which is used to send the packets. It is an error to use this option in conjunction with the -l option.
  • -T ToS − Specifies IP Type of Service (ToS) for the connection. Valid values are the tokens "lowdelay", "throughput", "reliability", or an 8-bit hexadecimal value preceded by "0x".
  • -t − Causes nc to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests. This makes it possible to use nc to script telnet sessions.
  • -U − Specifies to use Unix Domain Sockets.
  • -u − Use UDP instead of the default option of TCP.
  • -v − Have nc give more verbose output.
  • -w timeout − If a connection and stdin are idle for more than timeout seconds, then the connection is silently closed. The -w flag has no effect on the -l option, i.e., nc will listen forever for a connection, with or without the -w flag. The default is no timeout.
  • -X proxy_version − Requests that nc should use the specified protocol when talking to the proxy server. Supported protocols are "4" (SOCKS v.4), "5" (SOCKS v.5), and "connect" (HTTPS proxy). If the protocol is not specified, SOCKS version 5 is used.
  • -x proxy_address[:port] − Requests that nc should connect to hostname using a proxy at proxy_address and port. If port is not specified, the well-known port for the proxy protocol is used (1080 for SOCKS, 3128 for HTTPS).
  • -z − Specifies that nc should just scan for listening daemons, without sending any data to them. It is an error to use this option in conjunction with the -l option.

Examples of nc Command in Linux

The following are some practical examples, which demonstrate the versatility and power of the nc command for various networking tasks −

Listening on a Port

To listen on port 22 for incoming connections, you can use the following command −

sudo nc -l 22

Upon running this command, the terminal will just hang, waiting for someone to connect. If you connect to it from another machine, the connection will be accepted, and anything sent will be visible on both ends.


Connecting to a Listening Port

To connect to a listening port, you can simply use the following command −

sudo nc 127.0.0.1 22

This command connects to the machine at IP address 127.0.0.1 (localhost) on port 22.


Receiving Data

To receive data using nc, you can use the following syntax −

sudo nc -l 22 > filename.txt

This command listens on port 22 and saves any incoming data to filename.txt.


Sending Data

On the sending end (a different machine or terminal), use a command like echo "Hello, World!" | nc <destination_ip> 22 to send data to that port. For example, to send to a listener on the same machine −

echo "Hello, Netcat!" | nc localhost 22

Retrieving a Web Page

To retrieve a webpage, you can use the following command −

printf 'GET / HTTP/1.0\r\n\r\n' | nc Tutorialspoint.com 80

This command sends an HTTP GET request to Tutorialspoint.com on port 80.


Sending an Email

To send an email using the SMTP protocol with nc, you can use the following syntax −

nc localhost 25 << EOF
HELO Tutorialspoint.com
MAIL FROM: <jameskiarie455@gmail.com>
RCPT TO: <asiagoneville@gmail.com>
DATA
Hello, this is a test email.
.
QUIT
EOF

This command initiates an SMTP session to the mail server running on localhost, sends the email, and then closes the connection.


Scanning for Open Ports

To scan for open ports on a remote host using nc, you can use the following command −

sudo nc -zv Tutorialspoint.com 20-80

This command scans ports 20 to 80 on Tutorialspoint.com and reports which ports are open.
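The script below is an added example, not part of the original page: it turns the scan into a check for a host you administer, listing ports that are open but not on an approved list. It assumes the netcat-openbsd -v message format shown in the constructed SAMPLE_SCAN, and the function names and the address 192.0.2.10 are illustrative. Because nc writes its -v messages to stderr, audit_host redirects them with 2>&1 before parsing:

```sh
#!/bin/sh
# Added example: flag listeners that are open but not on an approved list.
# Assumption: netcat-openbsd style -v messages, as in SAMPLE_SCAN below.

# Constructed sample of `nc -zv 192.0.2.10 20-25 2>&1` output (not a real scan).
SAMPLE_SCAN='nc: connect to 192.0.2.10 port 20 (tcp) failed: Connection refused
nc: connect to 192.0.2.10 port 21 (tcp) failed: Connection refused
Connection to 192.0.2.10 22 port [tcp/ssh] succeeded!
Connection to 192.0.2.10 23 port [tcp/telnet] succeeded!
nc: connect to 192.0.2.10 port 24 (tcp) failed: Connection refused
Connection to 192.0.2.10 25 port [tcp/smtp] succeeded!'

# open_ports: read nc -zv output on stdin, print each open port once.
open_ports() {
    awk '$1 == "Connection" && $5 == "port" && $NF == "succeeded!" { print $4 }' |
        sort -nu
}

# unexpected_ports ALLOWED...: print open ports missing from the allow-list.
unexpected_ports() {
    allowed=" $* "
    open_ports | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;                  # approved listener
            *) printf '%s\n' "$port" ;;      # open but not approved
        esac
    done
}

# audit_host HOST RANGE ALLOWED...: scan, then filter against the allow-list.
# -v output goes to stderr, so 2>&1 is required for the pipe to see it.
audit_host() {
    host=$1; range=$2; shift 2
    nc -zv -w 2 "$host" "$range" 2>&1 | unexpected_ports "$@"
}

# Demo on the constructed sample: 22 and 25 are approved, 23 is not.
printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports 22 25
```

Against a real host the call would look like audit_host 192.0.2.10 20-80 22 25, where the trailing numbers are the approved ports.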


Retrieving Server Banners

If you want to retrieve server banners, you can connect to services like HTTP (port 80), SMTP (port 25), FTP (port 21), etc., and send commands that will trigger a response, typically the banner or welcome message.

To retrieve a banner from an HTTP server, you can simply run −

echo -ne "HEAD / HTTP/1.0\r\nHost: Tutorialspoint.com\r\n\r\n" | nc Tutorialspoint.com 80

This command sends an HTTP HEAD request (which asks for the headers of the web page, not the full content) to the server on port 80. The response will typically include the HTTP headers, which may include a server banner.
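The following added example, which is not from the original page, shows the same request used as a hardening check on a server you run: it extracts the Server and X-Powered-By headers and reports those that reveal a version number. The response in SAMPLE_RESPONSE is constructed, and the function names are illustrative:

```sh
#!/bin/sh
# Added example: report banner headers that disclose software versions.

# Constructed sample of a HEAD response (CRLF line endings, as on the wire).
SAMPLE_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\nserver: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n')

# banner_headers: read a raw HTTP response on stdin and print the headers
# that identify server software, as "name: value" with the name lowercased.
banner_headers() {
    tr -d '\r' | awk '
        /^$/ { exit }                        # blank line ends the header block
        {
            i = index($0, ":")
            if (i == 0) next                 # status line has no header name
            name = tolower(substr($0, 1, i - 1))   # header names are case-insensitive
            value = substr($0, i + 1)
            sub(/^[ \t]+/, "", value)
            if (name == "server" || name == "x-powered-by")
                print name ": " value
        }'
}

# version_leaks: print banner headers containing a version such as 2.4.41.
# Exit status is 0 if at least one is found, 1 if the banners are clean.
version_leaks() {
    banner_headers | grep -E '[0-9]+\.[0-9]+'
}

# check_host HOST: send the HEAD request from the page and inspect the reply.
check_host() {
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" |
        nc -w 5 "$1" 80 | version_leaks
}

# Demo on the constructed sample: both headers carry a version.
printf '%s\n' "$SAMPLE_RESPONSE" | version_leaks
```

On Apache, setting ServerTokens Prod reduces the Server header to the product name, and PHP's expose_php = Off removes X-Powered-By, after which version_leaks prints nothing.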


Open a TCP Connection

To open a TCP connection, you can use the following command −

sudo nc -p 31337 -w 5 Tutorialspoint.com 42

This command opens a TCP connection to Tutorialspoint.com on port 42, using port 31337 as the source port and a timeout of 5 seconds.


Open a UDP Connection

To open a UDP connection using nc, you can simply run −

sudo nc -u Tutorialspoint.com 53

This command opens a UDP connection to Tutorialspoint.com port 53.


Specify Local IP Address

To specify a local IP address when using nc to open a connection, you can use the "-s" option −

sudo nc -s 192.168.43.95 Tutorialspoint.com 42

This command opens a TCP connection to the specified hostname on port 42, using 192.168.43.95 as the local IP address.


Create and Listen on a Unix Domain Socket

To create and listen on a Unix domain socket using nc, you can use the following command −

sudo nc -lU /var/tmp/dsocket

This command creates and listens on a Unix domain socket at /var/tmp/dsocket. Initially, you won't see any output because nc is just waiting for incoming data on the socket. When a program sends data to this socket, you should see that data printed on your terminal.


Conclusion

By using the various options provided by nc, such as specifying timeouts, using IPv4/IPv6, or connecting via a proxy, you can tailor the tool to fit a wide variety of network troubleshooting, security, and communication scenarios.

Whether you are setting up a quick test server, performing network diagnostics, or exploring communication protocols, nc proves to be an indispensable utility for network administrators and system engineers.
