Netcat (nc) Command Tutorial

Netcat is a computer network tool used to create, connect network connections. Netcat also abbreviated as nc. Netcat tool supports TCP and UDP protocols. Even it is not complicated it is a very powerful tool used by system administrators, network administrators, and security professionals. The netcat tool is cross-platform which is supported and provided platforms like Linux, macOS, Windows, BSD, etc.

Install Netcat/nc

Netcat comes as preinstalled with most of the Linux distributions. But sometimes you may need to install netcat if it is uninstalled or does not install by default.

Install Ubuntu, Debian, Mint, Kali:

sudo apt install netcat

Install Fedora,CentOS,RHEL:

sudo yum install netcat

Display Help Information

Netcat command is executed as nc . The help information about the Netcat tool can be displayed by using the -h option.

nc -h

The help output contains options and their descriptions.

OpenBSD netcat (Debian patchlevel 1.217-2ubuntu1)
 usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
       [-m minttl] [-O length] [-P proxy_username] [-p source_port]
       [-q seconds] [-s sourceaddr] [-T keyword] [-V rtable] [-W recvlimit]
       [-w timeout] [-X proxy_protocol] [-x proxy_address[:port]]
       [destination] [port]
     Command Summary:
         -4      Use IPv4
         -6      Use IPv6
         -b      Allow broadcast
         -C      Send CRLF as line-ending
         -D      Enable the debug socket option
         -d      Detach from stdin
         -F      Pass socket fd
         -h      This help text
         -I length   TCP receive buffer length
         -i interval Delay interval for lines sent, ports scanned
         -k      Keep inbound sockets open for multiple connects
         -l      Listen mode, for inbound connects
         -M ttl      Outgoing TTL / Hop Limit
         -m minttl   Minimum incoming TTL / Hop Limit
         -N      Shutdown the network socket after EOF on stdin
         -n      Suppress name/port resolutions
         -O length   TCP send buffer length
         -P proxyuser    Username for proxy authentication
         -p port     Specify local port for remote connects
         -q secs     quit after EOF on stdin and delay of secs
         -r      Randomize remote ports
         -S      Enable the TCP MD5 signature option
         -s sourceaddr   Local source address
         -T keyword  TOS value
         -t      Answer TELNET negotiation
         -U      Use UNIX domain socket
         -u      UDP mode
         -V rtable   Specify alternate routing table
         -v      Verbose
         -W recvlimit    Terminate after receiving a number of packets
         -w timeout  Timeout for connects and final net reads
         -X proto    Proxy protocol: "4", "5" (SOCKS) or "connect"
         -x addr[:port]  Specify proxy address and port
         -Z      DCCP mode
         -z      Zero-I/O mode [used for scanning]
     Port numbers can be individual or ranges: lo-hi [inclusive]

Alternatively the Linux and BSD systems provides the manual page of the netcat tool with the following command. The manual page provides more detailed information and description about the nc command.

man nc

Netcat/nc Command Syntax

The netcat tool or nc command has very simple syntax. As a network based tool it is mainly used with host and port information.

nc OPTIONS HOST PORT
  • OPTIONS is used to provide different options. This is optional.
  • HOST is used to specify the IP address. Generally used to connect remote system. This is optional.
  • PORT is used to specify the local or remote port. This is required.
See also  How To Change Directory In Linux?

Scan TCP Ports

One of the most interesting and popular feature of the netcat command is network or port scanning. But as you expect netcat do not provides similar experience to the nmap. netcat command simply scans single host which is specified with its IP address and the port range we want to scan. In the following example we will scan the remote host 192.168.252.134 .

nc -z -v 192.168.253.134 20-800

This port scan create a lot of output where the result of the every port is printed to the terminal like below.

...
nc: connect to 192.168.253.134 port 73 (tcp) failed: Connection refused
nc: connect to 192.168.253.134 port 74 (tcp) failed: Connection refused
nc: connect to 192.168.253.134 port 75 (tcp) failed: Connection refused
nc: connect to 192.168.253.134 port 76 (tcp) failed: Connection refused
nc: connect to 192.168.253.134 port 77 (tcp) failed: Connection refused
nc: connect to 192.168.253.134 port 78 (tcp) failed: Connection refused
nc: connect to 192.168.253.134 port 79 (tcp) failed: Connection refused
Connection to 192.168.253.134 80 port [tcp/http] succeeded!
nc: connect to 192.168.253.134 port 81 (tcp) failed: Connection refused
nc: connect to 192.168.253.134 port 82 (tcp) failed: Connection refused
nc: connect to 192.168.253.134 port 83 (tcp) failed: Connection refused
nc: connect to 192.168.253.134 port 84 (tcp) failed: Connection refused
nc: connect to 192.168.253.134 port 85 (tcp) failed: Connection refused
nc: connect to 192.168.253.134 port 86 (tcp) failed: Connection refused
nc: connect to 192.168.253.134 port 87 (tcp) failed: Connection refused
...

By default the netcat tool prints all port results wheter they are open or closed. We can make output more readable by only printing the opne ports. Only open ports can be listed by using the grep command. We will filter only lines those contains “succeeded” which means port is open.

nc -z -v 192.168.253.134 20-800 2>&1 | grep succeeded

Only open ports are listed like below as we can see there is only 2 ports which are open.

Connection to 192.168.253.134 22 port [tcp/ssh] succeeded!
Connection to 192.168.253.134 80 port [tcp/http] succeeded!

Scan UDP Ports

Even not popular as TCP the netcat can be used to scan UDP ports similar fashion to the TCP scan. In order to scan UDP ports the -u option is provided to the nc command. Other options are the same with the TCP scan where the hostname and port range is provided. In the following example we will scan the 192.168.253.134 for UDP port range 100-200.

nc -z -u -v 192.168.253.134 100-200

Send Data/Text To Remote Host

As a simple tool netcat can be used for simple operations like sending some data to the remote system. Also some text can be send to the remote system specified port. In the following example we will send the data or message “HELO” to the remote port number 25 which is SMTP port by default.

echo "HELO" | nc 192.168.10.10 25

Send File To Remote Host

Another useful feature of the netcat tool is the ability to send file into the remote system via network. Simply the provided file is transferred into the remote host like a simple binary copy and paste. As there is two parts the remote system should listed a port in order to accept data from the local host. With the following command the remote system starts listening port number 3333 and write all incoming data into the myfile.

nc -l 3333  myfile

Now the remote system is listening for port 3333. In the local system we will read the file we want to transfer and transmit it with the nc command to the remote system. The remote system IP address is 192.168.1.10 . We will redirect the local file named myfile into the nc command like below.

nc 192.168.1.10 3333 < myfile

Create Chat Server

Interestingly the nc command can be used to create chat server where multiple users can connect and send messages. The methodology used to create chat server is the same with file transfer. In this case simple text is transferred between local and remote systems. First we will create a listening port which will be 4444 in this case.

nc -l 4444

On the other side we will connect to the chat server by providing its IP address and port number which is 4444.

nc 192.168.253.134 4444
Create Chat Server

Make HTTP Request

The nc command can be used to make HTTP Requests to the remote web server. Even there are more useful tools nc provides basic usage about making HTTP Requests. The HTTP Request text is redirected into the nc command where the nc command uses the specified remote web server IP address/Hostname and port number.

printf "GET / HTTP/1.1" | nc google.com 80

Alternatively the multiple lines for the HTTP Request can be expressed by using the “\r\n” end of line.

printf "GET / HTTP/1.1\r\nHost:google.com\r\n\r\n" | nc google.com 80

Leave a Comment