1.\" $NetBSD: nc.1,v 1.3 2017/02/06 16:08:56 wiz Exp $ 2.\" $OpenBSD: nc.1,v 1.81 2017/01/26 22:59:55 jmc Exp $ 3.\" 4.\" Copyright (c) 1996 David Sacerdote 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 3. The name of the author may not be used to endorse or promote products 16.\" derived from this software without specific prior written permission 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28.\" 29.Dd February 2, 2017 30.Dt NC 1 31.Os 32.Sh NAME 33.Nm nc 34.Nd arbitrary TCP and UDP connections and listens 35.Sh SYNOPSIS 36.Nm nc 37.Op Fl 46cDdFhklNnrStUuvz 38.Op Fl C Ar certfile 39.Op Fl e Ar name 40.Op Fl H Ar hash 41.Op Fl I Ar length 42.Op Fl i Ar interval 43.Op Fl K Ar keyfile 44.Op Fl M Ar ttl 45.Op Fl m Ar minttl 46.Op Fl O Ar length 47.Op Fl o Ar staplefile 48.Op Fl P Ar proxy_username 49.Op Fl p Ar source_port 50.Op Fl R Ar CAfile 51.Op Fl s Ar source 52.Op Fl T Ar keyword 53.\" .Op Fl V Ar rtable 54.Op Fl w Ar timeout 55.Op Fl X Ar proxy_protocol 56.Op Fl x Ar proxy_address Ns Op : Ns Ar port 57.Op Ar destination 58.Op Ar port 59.Sh DESCRIPTION 60The 61.Nm 62(or 63.Nm netcat ) 64utility is used for just about anything under the sun involving TCP, 65UDP, or 66.Ux Ns -domain 67sockets. 68It can open TCP connections, send UDP packets, listen on arbitrary 69TCP and UDP ports, do port scanning, and deal with both IPv4 and 70IPv6. 71Unlike 72.Xr telnet 1 , 73.Nm 74scripts nicely, and separates error messages onto standard error instead 75of sending them to standard output, as 76.Xr telnet 1 77does with some. 78.Pp 79Common uses include: 80.Pp 81.Bl -bullet -offset indent -compact 82.It 83simple TCP proxies 84.It 85shell-script based HTTP clients and servers 86.It 87network daemon testing 88.It 89a SOCKS or HTTP ProxyCommand for 90.Xr ssh 1 91.It 92and much, much more 93.El 94.Pp 95The options are as follows: 96.Bl -tag -width Ds 97.It Fl 4 98Forces 99.Nm 100to use IPv4 addresses only. 101.It Fl 6 102Forces 103.Nm 104to use IPv6 addresses only. 105.It Fl C Ar certfile 106Specifies the filename from which the public key part of the TLS 107certificate is loaded, in PEM format. 108May only be used with TLS. 109.It Fl c 110If using a TCP socket to connect or listen, use TLS. 111Illegal if not using TCP sockets. 112.It Fl D 113Enable debugging on the socket. 114.It Fl d 115Do not attempt to read from stdin. 116.It Fl e Ar name 117Specify the name that must be present in the peer certificate when using TLS. 118Illegal if not using TLS. 119.It Fl F 120Pass the first connected socket using 121.Xr sendmsg 2 122to stdout and exit. 123This is useful in conjunction with 124.Fl X 125to have 126.Nm 127perform connection setup with a proxy but then leave the rest of the 128connection to another program (e.g.\& 129.Xr ssh 1 130using the 131.Xr ssh_config 5 132.Cm ProxyUseFdpass 133option). 134.It Fl H Ar hash 135Specifies the required hash string of the peer certificate when using TLS. 136The string format required is that used by 137.Xr tls_peer_cert_hash 3 . 138Illegal if not using TLS, and may not be used with -T noverify. 139.It Fl h 140Prints out 141.Nm 142help. 143.It Fl I Ar length 144Specifies the size of the TCP receive buffer. 145.It Fl i Ar interval 146Specifies a delay time interval between lines of text sent and received. 147Also causes a delay time between connections to multiple ports. 148.It Fl K Ar keyfile 149Specifies the filename from which the private key 150is loaded in PEM format. 151May only be used with TLS. 152.It Fl k 153Forces 154.Nm 155to stay listening for another connection after its current connection 156is completed. 157It is an error to use this option without the 158.Fl l 159option. 160When used together with the 161.Fl u 162option, the server socket is not connected and it can receive UDP datagrams from 163multiple hosts. 164.It Fl l 165Used to specify that 166.Nm 167should listen for an incoming connection rather than initiate a 168connection to a remote host. 169It is an error to use this option in conjunction with the 170.Fl p , 171.Fl s , 172or 173.Fl z 174options. 175Additionally, any timeouts specified with the 176.Fl w 177option are ignored. 178.It Fl M Ar ttl 179Set the TTL / hop limit of outgoing packets. 180.It Fl m Ar minttl 181Ask the kernel to drop incoming packets whose TTL / hop limit is under 182.Ar minttl . 183.It Fl N 184.Xr shutdown 2 185the network socket after EOF on the input. 186Some servers require this to finish their work. 187.It Fl n 188Do not do any DNS or service lookups on any specified addresses, 189hostnames or ports. 190.It Fl O Ar length 191Specifies the size of the TCP send buffer. 192.It Fl o Ar staplefile 193Specifies the filename from which to load data to be stapled 194during the TLS handshake. 195The file is expected to contain an OCSP response from an OCSP server in 196DER format. 197May only be used with TLS and when a certificate is being used. 198.It Fl P Ar proxy_username 199Specifies a username to present to a proxy server that requires authentication. 200If no username is specified then authentication will not be attempted. 201Proxy authentication is only supported for HTTP CONNECT proxies at present. 202.It Fl p Ar source_port 203Specifies the source port 204.Nm 205should use, subject to privilege restrictions and availability. 206It is an error to use this option in conjunction with the 207.Fl l 208option. 209.It Fl R Ar CAfile 210Specifies the filename from which the root CA bundle for certificate 211verification is loaded, in PEM format. 212Illegal if not using TLS. 213The default is 214.Pa /etc/ssl/cert.pem . 215.It Fl r 216Specifies that source and/or destination ports should be chosen randomly 217instead of sequentially within a range or in the order that the system 218assigns them. 219.It Fl S 220Enables the RFC 2385 TCP MD5 signature option. 221.It Fl s Ar source 222Specifies the IP of the interface which is used to send the packets. 223For 224.Ux Ns -domain 225datagram sockets, specifies the local temporary socket file 226to create and use so that datagrams can be received. 227It is an error to use this option in conjunction with the 228.Fl l 229option. 230.It Fl T Ar keyword 231Change IPv4 TOS value or TLS options. 232For TLS options 233.Ar keyword 234may be one of 235.Ar tlsall ; 236which allows the use of all supported TLS protocols and ciphers, 237.Ar noverify ; 238which disables certificate verification; 239.Ar noname , 240which disables certificate name checking; 241.Ar clientcert , 242which requires a client certificate on incoming connections; or 243.Ar muststaple , 244which requires the peer to provide a valid stapled OCSP response 245with the handshake. 246It is illegal to specify TLS options if not using TLS. 247.Pp 248For IPv4 TOS value 249.Ar keyword 250may be one of 251.Ar critical , 252.Ar inetcontrol , 253.Ar lowdelay , 254.Ar netcontrol , 255.Ar throughput , 256.Ar reliability , 257or one of the DiffServ Code Points: 258.Ar ef , 259.Ar af11 ... af43 , 260.Ar cs0 ... cs7 ; 261or a number in either hex or decimal. 262.It Fl t 263Causes 264.Nm 265to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests. 266This makes it possible to use 267.Nm 268to script telnet sessions. 269.It Fl U 270Specifies to use 271.Ux Ns -domain 272sockets. 273.It Fl u 274Use UDP instead of the default option of TCP. 275For 276.Ux Ns -domain 277sockets, use a datagram socket instead of a stream socket. 278If a 279.Ux Ns -domain 280socket is used, a temporary receiving socket is created in 281.Pa /tmp 282unless the 283.Fl s 284flag is given. 285.\" .It Fl V Ar rtable 286.\" Set the routing table to be used. 287.It Fl v 288Have 289.Nm 290give more verbose output. 291.It Fl w Ar timeout 292Connections which cannot be established or are idle timeout after 293.Ar timeout 294seconds. 295The 296.Fl w 297flag has no effect on the 298.Fl l 299option, i.e.\& 300.Nm 301will listen forever for a connection, with or without the 302.Fl w 303flag. 304The default is no timeout. 305.It Fl X Ar proxy_protocol 306Requests that 307.Nm 308should use the specified protocol when talking to the proxy server. 309Supported protocols are 310.Dq 4 311(SOCKS v.4), 312.Dq 5 313(SOCKS v.5) 314and 315.Dq connect 316(HTTPS proxy). 317If the protocol is not specified, SOCKS version 5 is used. 318.It Fl x Ar proxy_address Ns Op : Ns Ar port 319Requests that 320.Nm 321should connect to 322.Ar destination 323using a proxy at 324.Ar proxy_address 325and 326.Ar port . 327If 328.Ar port 329is not specified, the well-known port for the proxy protocol is used (1080 330for SOCKS, 3128 for HTTPS). 331.It Fl z 332Specifies that 333.Nm 334should just scan for listening daemons, without sending any data to them. 335It is an error to use this option in conjunction with the 336.Fl l 337option. 338.El 339.Pp 340.Ar destination 341can be a numerical IP address or a symbolic hostname 342(unless the 343.Fl n 344option is given). 345In general, a destination must be specified, 346unless the 347.Fl l 348option is given 349(in which case the local host is used). 350For 351.Ux Ns -domain 352sockets, a destination is required and is the socket path to connect to 353(or listen on if the 354.Fl l 355option is given). 356.Pp 357.Ar port 358can be a specified as a numeric port number, or as a service name. 359Ports may be specified in a range of the form nn-mm. 360In general, 361a destination port must be specified, 362unless the 363.Fl U 364option is given. 365.Sh CLIENT/SERVER MODEL 366It is quite simple to build a very basic client/server model using 367.Nm . 368On one console, start 369.Nm 370listening on a specific port for a connection. 371For example: 372.Pp 373.Dl $ nc -l 1234 374.Pp 375.Nm 376is now listening on port 1234 for a connection. 377On a second console 378.Pq or a second machine , 379connect to the machine and port being listened on: 380.Pp 381.Dl $ nc 127.0.0.1 1234 382.Pp 383There should now be a connection between the ports. 384Anything typed at the second console will be concatenated to the first, 385and vice-versa. 386After the connection has been set up, 387.Nm 388does not really care which side is being used as a 389.Sq server 390and which side is being used as a 391.Sq client . 392The connection may be terminated using an 393.Dv EOF 394.Pq Sq ^D . 395.Sh DATA TRANSFER 396The example in the previous section can be expanded to build a 397basic data transfer model. 398Any information input into one end of the connection will be output 399to the other end, and input and output can be easily captured in order to 400emulate file transfer. 401.Pp 402Start by using 403.Nm 404to listen on a specific port, with output captured into a file: 405.Pp 406.Dl $ nc -l 1234 \*(Gt filename.out 407.Pp 408Using a second machine, connect to the listening 409.Nm 410process, feeding it the file which is to be transferred: 411.Pp 412.Dl $ nc -N host.example.com 1234 \*(Lt filename.in 413.Pp 414After the file has been transferred, the connection will close automatically. 415.Sh TALKING TO SERVERS 416It is sometimes useful to talk to servers 417.Dq by hand 418rather than through a user interface. 419It can aid in troubleshooting, 420when it might be necessary to verify what data a server is sending 421in response to commands issued by the client. 422For example, to retrieve the home page of a web site: 423.Bd -literal -offset indent 424$ printf "GET / HTTP/1.0\er\en\er\en" | nc host.example.com 80 425.Ed 426.Pp 427Note that this also displays the headers sent by the web server. 428They can be filtered, using a tool such as 429.Xr sed 1 , 430if necessary. 431.Pp 432More complicated examples can be built up when the user knows the format 433of requests required by the server. 434As another example, an email may be submitted to an SMTP server using: 435.Bd -literal -offset indent 436$ nc localhost 25 \*(Lt\*(Lt EOF 437HELO host.example.com 438MAIL FROM:\*(Ltuser@host.example.com\*(Gt 439RCPT TO:\*(Ltuser2@host.example.com\*(Gt 440DATA 441Body of email. 442\&. 443QUIT 444EOF 445.Ed 446.Sh PORT SCANNING 447It may be useful to know which ports are open and running services on 448a target machine. 449The 450.Fl z 451flag can be used to tell 452.Nm 453to report open ports, 454rather than initiate a connection. 455For example: 456.Bd -literal -offset indent 457$ nc -z host.example.com 20-30 458Connection to host.example.com 22 port [tcp/ssh] succeeded! 459Connection to host.example.com 25 port [tcp/smtp] succeeded! 460.Ed 461.Pp 462The port range was specified to limit the search to ports 20 \- 30. 463.Pp 464Alternatively, it might be useful to know which server software 465is running, and which versions. 466This information is often contained within the greeting banners. 467In order to retrieve these, it is necessary to first make a connection, 468and then break the connection when the banner has been retrieved. 469This can be accomplished by specifying a small timeout with the 470.Fl w 471flag, or perhaps by issuing a 472.Qq Dv QUIT 473command to the server: 474.Bd -literal -offset indent 475$ echo "QUIT" | nc host.example.com 20-30 476SSH-1.99-OpenSSH_3.6.1p2 477Protocol mismatch. 478220 host.example.com IMS SMTP Receiver Version 0.84 Ready 479.Ed 480.Sh EXAMPLES 481Open a TCP connection to port 42 of host.example.com, using port 31337 as 482the source port, with a timeout of 5 seconds: 483.Pp 484.Dl $ nc -p 31337 -w 5 host.example.com 42 485.Pp 486Open a TCP connection to port 443 of www.google.ca, and negotiate TLS. 487Check for a different name in the certificate for validation. 488.Pp 489.Dl $ nc -v -c -e adsf.au.doubleclick.net www.google.ca 443 490.Pp 491Open a UDP connection to port 53 of host.example.com: 492.Pp 493.Dl $ nc -u host.example.com 53 494.Pp 495Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as the 496IP for the local end of the connection: 497.Pp 498.Dl $ nc -s 10.1.2.3 host.example.com 42 499.Pp 500Create and listen on a 501.Ux Ns -domain 502stream socket: 503.Pp 504.Dl $ nc -lU /var/tmp/dsocket 505.Pp 506Connect to port 42 of host.example.com via an HTTP proxy at 10.2.3.4, 507port 8080. 508This example could also be used by 509.Xr ssh 1 ; 510see the 511.Cm ProxyCommand 512directive in 513.Xr ssh_config 5 514for more information. 515.Pp 516.Dl $ nc -x10.2.3.4:8080 -Xconnect host.example.com 42 517.Pp 518The same example again, this time enabling proxy authentication with username 519.Dq ruser 520if the proxy requires it: 521.Pp 522.Dl $ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42 523.Sh SEE ALSO 524.Xr cat 1 , 525.Xr ssh 1 526.Sh AUTHORS 527Original implementation by *Hobbit* 528.Aq Mt hobbit@avian.org . 529.br 530Rewritten with IPv6 support by 531.An Eric Jackson Aq Mt ericj@monkey.org . 532.Sh CAVEATS 533UDP port scans using the 534.Fl uz 535combination of flags will always report success irrespective of 536the target machine's state. 537However, 538in conjunction with a traffic sniffer either on the target machine 539or an intermediary device, 540the 541.Fl uz 542combination could be useful for communications diagnostics. 543Note that the amount of UDP traffic generated may be limited either 544due to hardware resources and/or configuration settings. 545