Advanced Guide to
Linux Networking and Security

Netcat

The information on this page does not map to a specific certification objective.

Netcat is a simple program that reads and writes data across TCP or UDP network connections. It's included with many Linux distributions and a version is available for Windows. You can invoke the program with either the netcat command or the nc command.

In addition to reading this page, it may be useful to read the original author's README file so you can understand the author's motivation for writing the program.

Versions

There are two versions of netcat. The original was written by Avian Research in 1995. A later version was rewritten by Giovanni Giacobbi for the GNU netcat project. When installed, either version can be run with either the netcat or nc commands.

If you're running the original version, you'll see this when you use the -h command line option:

#nc -h
[v1.10]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [-options] [hostname] [port]
options:
        -c shell commands       as `-e'; use /bin/sh to exec [dangerous!!]
        -e filename             program to exec after connect [dangerous!!]
        -b                      allow broadcasts
        -g gateway              source-routing hop point[s], up to 8
        -G num                  source-routing pointer: 4, 8, 12, ...
        -h                      this cruft
        -i secs                 delay interval for lines sent, ports scanned
        -l                      listen mode, for inbound connects
        -n                      numeric-only IP addresses, no DNS
        -o file                 hex dump of traffic
        -p port                 local port number
        -r                      randomize local and remote ports
        -q secs                 quit after EOF on stdin and delay of secs
        -s addr                 local source address
        -t                      answer TELNET negotiation
        -u                      UDP mode
        -v                      verbose [use twice to be more verbose]
        -w secs                 timeout for connects and final net reads
        -z                      zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').

If you're running the GNU version, you'll see this when you use the -h command line option:

#nc -h
GNU netcat 0.7.1, a rewrite of the famous networking tool.
Basic usages:
connect to somewhere:  nc [options] hostname port [port] ...
listen for inbound:    nc -l -p port [options] [hostname] [port] ...
tunnel to somewhere:   nc -L hostname:port -p port [options]

Mandatory arguments to long options are mandatory for short options too.
Options:
  -c, --close                close connection on EOF from stdin
  -e, --exec=PROGRAM         program to exec after connect
  -g, --gateway=LIST         source-routing hop point[s], up to 8
  -G, --pointer=NUM          source-routing pointer: 4, 8, 12, ...
  -h, --help                 display this help and exit
  -i, --interval=SECS        delay interval for lines sent, ports scanned
  -l, --listen               listen mode, for inbound connects
  -L, --tunnel=ADDRESS:PORT  forward local port to remote address
  -n, --dont-resolve         numeric-only IP addresses, no DNS
  -o, --output=FILE          output hexdump traffic to FILE (implies -x)
  -p, --local-port=NUM       local port number
  -r, --randomize            randomize local and remote ports
  -s, --source=ADDRESS       local source address (ip or hostname)
  -t, --tcp                  TCP mode (default)
  -T, --telnet               answer using TELNET negotiation
  -u, --udp                  UDP mode
  -v, --verbose              verbose (use twice to be more verbose)
  -V, --version              output version information and exit
  -x, --hexdump              hexdump incoming and outgoing traffic
  -w, --wait=SECS            timeout for connects and final net reads
  -z, --zero                 zero-I/O mode (used for scanning)

Remote port number can also be specified as range.  Example: '1-1024'

The GNU version also has a -V command line option:

#nc -V
netcat (The GNU Netcat) 0.7.1
Copyright (C) 2002 - 2003  Giovanni Giacobbi

This program comes with NO WARRANTY, to the extent permitted by law.
You may redistribute copies of this program under the terms of
the GNU General Public License.
For more information about these matters, see the file named COPYING.

Original idea and design by Avian Research,
Written by Giovanni Giacobbi.

There's a variant of the original netcat, called Cryptcat, that's been modified to add encryption.

Getting It

The original version of netcat is available in source form. A Windows binary version is available.

The GNU version is available from the Sourceforge project page. There is no Windows version yet.

Cryptcat is available from http://farm9.org/Cryptcat/.

Telnet

The book showed you how to use the telnet program to communicate with Web and Email servers. You can do the same with netcat using this syntax:

nc host port

where host is the IP address or DNS name of a host to connect to and port is the TCP port number to connect to. By default, netcat uses TCP. Unlike telnet, netcat doesn't print anything to the screen when a connection is made unless you use the -v command line option. Here's an example of connecting to a Web server:

nc -v www.alcpress.com 80
DNS fwd/rev mismatch: www.alcpress.com != igor.alcpress.com
www.alcpress.com [69.30.87.202] 80 (http) open

A TCP connection now exists between your computer and the Web server. Now, use the keyboard to send data to the Web server. In the following example, the first two lines (the HEAD request line and the host header, followed by an empty line to end the request) are what was typed on the keyboard; the remainder of the text was sent by the Web server:

HEAD / HTTP/1.1
host:www.alcpress.com

HTTP/1.1 200 OK
Date: Thu, 15 Sep 2005 21:30:10 GMT
Server: Apache/1.3.28 (Unix)
Cache-Control: max-age=86400
Expires: Fri, 16 Sep 2005 21:30:10 GMT
Last-Modified: Sat, 12 Jun 2004 10:43:25 GMT
ETag: "6ced7-ab3-40cade4d"
Accept-Ranges: bytes
Content-Length: 2739
Content-Type: text/html

To exit the telnet program you had to press the Ctrl-] keys and then type exit. To exit Netcat, just press Ctrl-C.

UDP Connections

Using telnet for communicating with other hosts can only be done with TCP. Telnet doesn't speak UDP. Netcat does when you specify the -u command line option. Here's an example of connecting to an RFC 867 time server using UDP. Note that the IP address or DNS name of the other host is specified first and the port number is specified second, just like most telnet programs. After the connection is made you'll probably need to press the Enter key to get the time server to send you the current time.

nc -u igor.alcpress.com 13

Thu Sep 15 14:41:57 2005

Since UDP is not a connection-oriented protocol, the connection will remain "open" until you terminate the program by pressing Ctrl-C.

Listening for Connections

You can instruct netcat to listen for TCP or UDP connections by using the -l (that's a lower case L) command line option. A common use for this is moving files between computers. Assume that there are two computers, A and B, and you want to move a file from A to B. The shell redirections, not which side listens, decide the direction of the copy. On computer A, you run this command, which sends the contents of testfile to whoever connects to port 1234:

nc -l -p 1234 < testfile

On computer B, you run this command, where IP is computer A's IP address, to receive the data and write it to testfile:

nc IP 1234 > testfile
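The two commands above, re-implemented as an added Python example (not code from the book or from netcat) so the mechanics are visible: the listening side streams the file and closes, the connecting side reads until end-of-file, and a SHA-256 digest compared on both sides stands in for the integrity check that netcat itself does not provide. The sample payload and the localhost port are constructed for the example.

```python
import hashlib
import socket
import threading

# Constructed sample payload standing in for "testfile" on computer A.
SAMPLE = b"line one of testfile\nline two of testfile\n" * 50

def serve_file(srv, data):
    """Computer A's side, `nc -l -p 1234 < testfile`: accept one inbound
    connection, stream the file to it, then close. Nothing authenticates
    the client; the first host to connect receives the file."""
    conn, _peer = srv.accept()
    with conn:
        conn.sendall(data)
    # Closing the connection is what lets the receiver see end-of-file;
    # netcat's -q option arranges the same after EOF on stdin.
    srv.close()

def fetch_file(host, port):
    """Computer B's side, `nc IP 1234 > testfile`: connect, read until the
    sender closes, and return the received bytes."""
    chunks = []
    with socket.create_connection((host, port), timeout=5) as sock:
        while True:
            buf = sock.recv(4096)
            if not buf:  # empty read means the sender closed
                break
            chunks.append(buf)
    return b"".join(chunks)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def transfer_and_verify(data, host="127.0.0.1"):
    """Run both sides on localhost, then compare digests. Netcat has no
    integrity check of its own, so a hash computed on each side is how
    you confirm the copy arrived intact."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    sender = threading.Thread(target=serve_file, args=(srv, data))
    sender.start()
    received = fetch_file(host, port)
    sender.join()
    return sha256_hex(data) == sha256_hex(received), received
```

Because the listener hands the file to whoever connects first, bind it only for as long as the transfer takes and compare the digests out of band before trusting the copy.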

Windows Remote Command Prompt

If you have netcat installed on Windows, go to the directory that netcat is installed in and enter this command:

nc -l -p1000 -d -e cmd.exe -L

This tells netcat to execute the cmd.exe program when a connection is made. Anyone who connects to the Windows computer's port 1000 will see a command (DOS) prompt. When you disconnect from the Windows computer, the -L option will restart Netcat with the same command line, thus allowing another host to connect.

This is still under construction.
