Netcat: The TCP/IP Swiss army knife

Posted by Steve on Thu 16 Dec 2004 at 11:28

Of all the networking tools I'm familiar with, I use four more than any other: ping, traceroute, nmap, and netcat. The first two utilities are standard on many operating systems. nmap is a port scanner which makes it simple to identify the services running on a machine. Netcat? That's a general-purpose tool described by its author as a TCP/IP Swiss army knife.

The utility of netcat comes from its extreme simplicity: it does one simple job very well. Its main job is to open a network pipe. You connect to a host, everything you give netcat on standard input is sent to that host, and whatever the host sends back is written to standard output.

It's almost the same as a telnet client, but much more scriptable, and unlike telnet it does no option negotiation, so the bytes you send arrive exactly as you sent them.

For example we can connect to a webserver using netcat and send a command to it - getting the result piped back to us.

skx@lappy:~$ echo -e "HEAD / HTTP/1.0\n" | nc www.foo.com 80
Date: Wed, 15 Dec 2004 23:05:36 GMT
Server: Apache/1.3.29 (Unix) PHP/4.3.8
X-Powered-By: PHP/4.3.8
X-Accelerated-By: PHPA/1.3.3r2
Location: http://0.0.0.0/
Connection: close
Content-Type: text/html

Here we used the echo command to supply the request on netcat's standard input; instead we could type it manually:

nc www.foo.com 80
HEAD / HTTP/1.0
[ret]            (the empty line ends the request)
HTTP/1.1 302 Found
Date: Wed, 15 Dec 2004 23:06:41 GMT
Server: Apache/1.3.29 (Unix) PHP/4.3.8
X-Powered-By: PHP/4.3.8
X-Accelerated-By: PHPA/1.3.3r2
Location: http://0.0.0.0/
Connection: close
Content-Type: text/html
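The request above as a script rather than typed input. This is an added example, not code from the article: it builds the HEAD request with proper CRLF line endings (printf rather than echo -e, which is not portable across shells), sends it through nc with a timeout, and pulls the status code and Server header out of the raw response. The host name, the -w timeout value and the sample response embedded for offline use are assumptions; the sample is constructed from the headers shown above.

```shell
#!/bin/sh
# Added example, not from the article: scripting the HEAD request above.
# Host/port values and the embedded sample response are illustrative.

# Write a correct HTTP/1.0 HEAD request: CRLF line endings, blank line at the end.
build_head_request() {          # build_head_request HOST [PATH]
    printf 'HEAD %s HTTP/1.0\r\nHost: %s\r\n\r\n' "${2:-/}" "$1"
}

# Send the request with nc; -w 5 bounds the connect and the final read, so an
# unresponsive host cannot hang the script (netcat-traditional flag).
probe() {                       # probe HOST PORT [PATH]
    build_head_request "$1" "$3" | nc -w 5 "$1" "$2"
}

# Status code from a raw response: first line "HTTP/x.y NNN Reason".
# Prints nothing if the first line is not a status line.
status_code() {
    tr -d '\r' | awk 'NR == 1 && $1 ~ /^HTTP\// { print $2; exit }'
}

# Value of the Server header (case-insensitive name, first occurrence).
server_header() {
    tr -d '\r' | awk 'tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Constructed sample response, modelled on the headers shown in the article,
# so the parsers can be exercised without a network.
SAMPLE_RESPONSE=$(printf 'HTTP/1.1 302 Found\r\nServer: Apache/1.3.29 (Unix) PHP/4.3.8\r\nLocation: http://0.0.0.0/\r\n\r\n')

# Typical use against real hosts (assumed host name):
#   for h in www.foo.com; do
#       r=$(probe "$h" 80)
#       printf '%s %s %s\n' "$h" "$(printf '%s\n' "$r" | status_code)" "$(printf '%s\n' "$r" | server_header)"
#   done
```

Run it in a loop over a host list and you have a banner-grab report in three columns; the parsers are separate functions so the same script can be pointed at a saved capture instead of a live host.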

As well as opening a pipe to a remote machine, sending our input to it and showing us what comes back, we can use netcat in the reverse direction.

In this case we tell it to listen to a port - and send some text back to anybody who connects to us:

skx@lappy:~$ nc -l  -p 2000 -e /usr/bin/uptime

The command line flags used here are -l for listen, -p 2000 to listen on port 2000, and -e /usr/bin/uptime to execute the uptime command, with its standard input and output attached to the connection, when a client connects. Two caveats: -e is only present in netcat builds that enable it (Debian's netcat-traditional does; the OpenBSD-derived nc has no -e), and whatever you hand to -e is run for any client that can reach the port, with no authentication at all, so keep listeners like this on trusted networks or behind a firewall.

From another terminal on the same machine (or from a different machine, with lappy's address in place of localhost) you can test this by connecting to port 2000 and reading the output:

skx@lappy:~$ telnet localhost 2000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
 00:07:50 up  3:03,  4 users,  load average: 0.08, 0.11, 0.20
Connection closed by foreign host.

There we see that we've been sent the output of the uptime command, after which the netcat process has exited: netcat-traditional serves one connection per invocation, so a listener that should stay up has to be restarted, for example from a shell loop.

We can write very simple servers that do simple jobs, or forward traffic between machines, using this principle.

For example, if you wished to redirect traffic from port 24 on one machine to port 22 on another, you could insert a line like this in your /etc/inetd.conf file:

24		stream 	tcp	nowait	nobody	/usr/sbin/tcpd /bin/nc 192.168.1.1 22

(Don't forget to restart inetd by executing /etc/init.d/inetd restart).

Now when you connect to your server on port 24 the connection is forwarded to the SSH port (22) on the remote machine 192.168.1.1.
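The relay above runs through tcpd, so host-based access control is available, but with empty /etc/hosts.allow and /etc/hosts.deny files tcpd admits every client. As an added example (not from the article), here is the relay line again together with the two wrapper files that restrict it to one subnet; tcpd looks the daemon up by the basename of the program it wraps, so the entries are keyed on nc. The subnet is an assumption. Note also that sshd on 192.168.1.1 will log every relayed session as coming from the relay host, not from the original client, so any per-client controls have to live here, at the relay.

```text
# /etc/inetd.conf  (relay line from the article)
24	stream	tcp	nowait	nobody	/usr/sbin/tcpd	/bin/nc 192.168.1.1 22

# /etc/hosts.allow  (assumed subnet; the daemon name is the basename of /bin/nc)
nc: 192.168.1.0/255.255.255.0

# /etc/hosts.deny  (everything not explicitly allowed above)
nc: ALL
```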

This is just one example of the kind of job netcat can be setup to handle, for more inspiration read the manpage by running "man netcat".

There's also a good page online with a few samples of fun things to do with netcat here:

 

 


Posted by Anonymous (205.201.xx.xx) on Thu 21 Apr 2005 at 22:30
Nice little tutorial. I've known about netcat for a while now, but never really got around to learning what it can do. Thanks.

One comment: why not just use PRE tags instead of putting your code samples in a TEXTAREA? I find the TEXTAREA really annoying to try to read.


Posted by Steve (82.41.xx.xx) on Thu 21 Apr 2005 at 22:41

Ironically, the code is in a pre area; the formatting is designed to make it stand out and to make it easier to copy and paste.

True, a textarea would work well for that too, but I tend to get distracted by the scroll bars, and to be honest it hadn't occurred to me.

Steve
-- Steve.org.uk


Posted by bdf (134.184.xx.xx) on Thu 5 Jan 2006 at 12:10
nc's main mode of operation is to connect stdin or stdout to a network port. This can be really neat to set up a shell pipe that sends data from one host to another.

For example, instead of doing "srccmd | destcmd" locally, on the receiver side, you do:
nc -l -p 2000 -q 0 | destcmd
After which, on the sender side, you invoke:
srccmd | nc -q 0 otherhost 2000
This will send the data from srccmd across the network to destcmd. (The option -q 0, in case you were wondering, instructs nc to quit when the data stream is complete.)

If you transfer large amounts of data (e.g. backup), it can be useful to compress the data that passes over the network. This can be done almost transparently by inserting gzip as a filter on both sides, like this:
nc -l -p 2000 -q 0 | gzip -d | destcmd
srccmd | gzip | nc -q 0 otherhost 2000
Note that you can accomplish something similar with ssh:
srccmd | ssh user@otherhost destcmd
Using ssh is of course more secure because of authentication and encryption, but nc can be handy if you're looking for a simple solution with very little overhead.

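The pipe over nc described in the comment above carries no integrity check: a stream cut short by a dropped connection, or altered in transit, arrives at destcmd looking like a finished one. As an added example (not bdf's code and not part of netcat), here is the same srccmd | gzip | nc pattern with a SHA-256 computed over the bytes as they leave the sender and verified on the receiver before the data is used. The transport is passed in as a command so the same functions work with a plain pipe, with nc, or with ssh; the nc flags are netcat-traditional's, and the host, port and file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the comment above or from netcat: the
# "srccmd | gzip | nc" transfer with an end-to-end SHA-256 check, since nc
# itself gives no integrity guarantee. Host, port and file names are
# illustrative; nc flags are those of netcat-traditional.

# Copy stdin to the transport command given as arguments and report, on
# stderr, the SHA-256 of the bytes that went through. A FIFO feeds the digest
# in parallel, so nothing is buffered on disk and the stream stays a stream.
#   tar cf - -C /srv/data . | gzip | digest_and_forward nc -q 0 otherhost 2000
digest_and_forward() {
    dir=$(mktemp -d) || return 1
    mkfifo "$dir/fifo" || { rm -rf "$dir"; return 1; }
    sha256sum < "$dir/fifo" | cut -d' ' -f1 > "$dir/sum" &
    tee "$dir/fifo" | "$@"
    wait                                   # digest is complete once tee closes the FIFO
    cat "$dir/sum" >&2
    rm -rf "$dir"
}

# Receiver: store the stream, compare it against the digest the sender reported
# (carried out of band, e.g. in the ssh session used to start the listener), and
# refuse to hand the data on if it differs.
#   nc -l -p 2000 -q 0 | receive_checked backup.tgz <digest>
#   tar xzf backup.tgz -C /restore
receive_checked() {
    cat > "$1" || return 1
    actual=$(sha256sum < "$1" | cut -d' ' -f1)
    if [ "$actual" != "$2" ]; then
        printf 'digest mismatch for %s: expected %s, got %s\n' "$1" "$2" "$actual" >&2
        return 1
    fi
    printf 'ok %s\n' "$1"
}
```

The digest is only as trustworthy as the channel it travels on, which is why it goes out of band rather than appended to the nc stream; anyone who can tamper with the stream could tamper with a trailing checksum too. This closes the gap for accidental truncation and corruption, while the authentication and confidentiality bdf mentions still need ssh.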


Posted by Anonymous (218.20.xx.xx) on Sat 7 Mar 2009 at 07:17
http://admon.org/planet/netcat-tcpip-swiss-army-knife
I just found another version of using netcat, this one gives more examples.

