
Learning to use netcat – The TCP/IP swiss army knife January 18, 2011

Posted by Tournas Dimitrios in Linux admin tools.

nc, short for Netcat, is a very useful tool available on all POSIX OSes that allows one to transfer data across the network via TCP/UDP with ease. The principle is simple: there is a server mode and a client mode. You run netcat as a server listening on a particular port on the machine that sends the data, and you run netcat as a client connecting to that port on the server machine. The basic syntax of netcat is as follows:
nc -l  portnumber
… where the -l option stands for “listen”. The client connects to the server machine as follows:
nc   ip_address   portnumber
In what ways can you put it to use? For one:

  • You can transfer files by this method between remote machines.
  • You can serve a file on a particular port on a machine and multiple remote machines can connect to that port and access the file.
  • Create a partition image and send it to the remote machine on the fly.
  • Compress critical files on the server machine and then have them pulled by a remote machine.
  • And you can do all this securely using a combination of netcat and SSH.
  • It can be used as a port scanner too by use of the -z option.

Nc has endless possibilities; for example, I often use it as a port scanner to verify that my iptables rules are well configured, or to transfer files very quickly between boxes on my local network. This article will demonstrate some practical uses of nc. Newcomers must understand that this tool can be used for good and bad purposes, so beware of it.

Let's see some practical examples.

On my box (CentOS 5.x) it was already installed, but it is good practice to verify that with rpm -q nc. The latest version at the time of writing this article is “1.84 rel 10”.

Don’t confuse Netcat (nc) with ncat; the latter was written for the Nmap Project. While ncat is similar to netcat (nc) in spirit, they don’t share any source code. Instead, ncat makes use of Nmap’s well-optimized and tested libraries. Ncat has SSL support, proxy connections, connection brokering and more. But Ncat omits port-scanner functionality, because it relies on nmap.

To make things more complicated, I have to remember that there are two versions of netcat. The original was written by Avian Research in 1995; a later version was rewritten by Giovanni Giacobbi for the GNU netcat project. The official repository (base) for CentOS 5.x provides the original version, but this version is not compiled with the -e option.
The -e option gives nc the capability to execute a program (like /bin/bash) after a connection is established. The ncat from the Nmap project has the -e option enabled, so I have downloaded both RPMs to my Linux box. The -e option is very dangerous: it can be used to export a bash shell as a background process to another computer (even a Windows box).

Practical examples with nc
nc -z ip_address 1-1024
List the open ports on the specified IP.
Note:

  • A port range must be specified.
  • Only one IP can be scanned at a time, so nmap is a better tool for complex scanning techniques.
  • By default TCP ports are scanned; use -u to scan UDP.
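
The firewall check mentioned earlier (scanning a host to confirm that the iptables rules expose only what they should) can be scripted. The following is an added example, not part of the original post; it assumes the OpenBSD-style `nc -z -v` output format, and the host 192.0.2.10, the allowlist and the sample scan lines are constructed.

```shell
#!/bin/sh
# Added example: compare nc -z -v results with the ports the firewall is
# meant to expose. Assumes OpenBSD-style output lines such as
#   Connection to 192.0.2.10 22 port [tcp/ssh] succeeded!
# Other netcat variants word this differently.

# Print the open ports found on stdin, one per line.
open_ports() {
    awk '/^Connection to / && /succeeded!$/ { print $4 }' | sort -n | uniq
}

# unexpected_open_ports "22 80 443" < scan_output
# Open ports that are NOT in the allowlist: holes in the rule set.
unexpected_open_ports() {
    open_ports | while read -r port; do
        case " $1 " in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# missing_ports "22 80 443" < scan_output
# Allowlisted ports that did not answer: services the rules block by mistake.
missing_ports() {
    found=" $(open_ports | tr '\n' ' ')"
    for port in $1; do
        case "$found" in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Live use against a host you administer (hypothetical wrapper):
#   audit_host 192.0.2.10 1-1024 "22 80 443"
audit_host() {
    nc -z -v "$1" "$2" 2>&1 | unexpected_open_ports "$3"
}

# Constructed sample scan output for an offline run.
sample_scan() {
    cat <<'EOF'
Connection to 192.0.2.10 22 port [tcp/ssh] succeeded!
nc: connect to 192.0.2.10 port 23 (tcp) failed: Connection refused
Connection to 192.0.2.10 80 port [tcp/http] succeeded!
Connection to 192.0.2.10 3306 port [tcp/mysql] succeeded!
EOF
}
```

Running `sample_scan | unexpected_open_ports "22 80 443"` reports the MySQL port that the rule set was supposed to hide, and `missing_ports` reports the HTTPS port that never answered.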

nc -l 5555
  • Open a listening socket on localhost on port 5555.
  • On the other end, connect to the server with the following:
    nc ip_address 5555

The simplest example of its usage is to create a server-client chat system. Although this is a very primitive way to chat, it shows how netcat works.

Note: By default the connection is established over TCP; -u must be specified if the connection needs to be established over UDP.

echo "hello from server1" | nc -l 5555
On the other end, connect to server1:
nc ip_address 5555
The message will be echoed to the client and the connection will be closed automatically.

cat backup.iso | nc -l 5555
On the other end, connect to the server:
nc ip_address 5555 > backup.iso
The file will be transferred behind the scenes and the socket connection will close automatically.

Note: As you may have noticed, netcat does not show any info about the progress of the data transfer. This is inconvenient when dealing with large files. In such cases, a pipe-monitoring utility like pv can be used to show a progress indicator. For example, the following shows the total amount of data that has been transferred in real-time on the server side:

nc ip_address 5555 | pv -b > backup.iso

dd if=/dev/hda1 | gzip -9 | nc -l 5555
On the other end, connect to the server:
nc ip_address 5555 > myimage.img.gz

This will copy a compressed image of the partition to the client.

tar -czf - /tmp/ | nc -l 5555
On the other end:
nc ip_address 5555 | pv -b > copied.tar.gz

Note the dash in the tar options instead of a filename. This is because tar’s output needs to be passed to netcat.

# at the server side
$ netcat -l 4000 -e /bin/sh 


# at the client side
$ nc ip_address 4000

# now start typing the commands to be executed at the remote computer.

Remote Terminal Session

This opens a remote terminal session without the need to run a network service like telnet or ssh. The data in the example is sent in clear text over the network. If you plan to use this kind of communication to build ad hoc network connections, please consider using cryptcat instead of netcat, or pipe the data through a chain of encrypting/decrypting tools like openssl. Additionally, there is no need to perform a login: every command is executed in the context of the user/process that started Netcat on the server side.
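
Because such a listener hands a shell to anyone who connects, it is worth checking hosts for netcat processes started with a program-execution option. The following is an added example, not part of the original post; the function names and the sample process lines are constructed, and a match is a lead to review rather than proof (in some OpenBSD builds -c selects TLS instead).

```shell
#!/bin/sh
# Added example: flag netcat-family processes started with a
# program-execution option. A hit is a lead to review, not proof:
# in some OpenBSD builds -c selects TLS rather than running a command.

# find_exec_listeners < lines of "pid user command args..."
# (the layout produced by: ps -eo pid=,user=,args=)
# Prints "pid user" for each nc/ncat/netcat process whose arguments
# include -e or -c (also bundled, e.g. -le), --exec or --sh-exec.
find_exec_listeners() {
    awk '
    {
        # Reduce /usr/bin/ncat to ncat so full paths are matched too.
        n = split($3, path, "/")
        prog = path[n]
        if (prog != "nc" && prog != "ncat" && prog != "netcat") next
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^--(sh-)?exec/ || $i ~ /^-[A-Za-z]*[ec]$/) {
                print $1, $2
                next
            }
        }
    }'
}

# Live use on the local host (hypothetical wrapper name).
scan_local_processes() {
    ps -eo pid=,user=,args= | find_exec_listeners
}

# Constructed sample process list for an offline run.
sample_ps() {
    cat <<'EOF'
  812 root  /usr/sbin/sshd -D
 1433 alice nc -l 5555
 2291 bob   netcat -l 4000 -e /bin/sh
 2307 carol /usr/bin/ncat -lk 4444 --sh-exec /usr/local/bin/handler
 2350 dave  grep -e nc /var/log/messages
EOF
}
```

On the sample list only the two listeners with an execution option are reported; the plain `nc -l 5555` chat listener and the unrelated `grep -e` are ignored.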

Resources :

  • Socat, netcat’s “twin brother”


1. Mitch - July 25, 2012

The netcat with options -c -e -t is for the netcat traditional written by the Hobbit, which latest version is 1.10:

Those options won’t work on the newer netcat:
