Jan 082010


In the simplest terms, netcat is a utility that reads and writes data across the network. The netcat utility, or just nc, works on the same principle as the cat utility, but over the network. This can be very useful in a number of situations, such as testing remote services, or for use in scripts, or just to copy files over the network. According to one source, you can even clone a hard drive over the network using netcat and dd.

As you probably know already, you can write to a file or read from a file on your local machine using the cat utility. By running cat filename > filename2 , you can write the contents of a file to another file. By using cat > filename , you can write directly to a file from standard input.

The netcat utility works on the same principle as the cat utility, but over the network. This can be very useful in a number of situations, such as testing remote services, or for use in scripts, or just to copy files over the network. According to one source, you can even clone a hard drive over the network using netcat and dd.

Most *nix-type operating systems should already have a package for netcat. The most popular version of netcat is available from the SecurityFocus Web site. This is the version that ships with most Linux distros, and the most recent release seems to have been in 1996, so it should be current even if you’re running an older version of Linux. There is also a version called GNU Netcat in the works, though I believe it lacks some of the functionality of the original. There are even versions of netcat available for Windows.

The syntax for netcat is pretty simple: netcat hostname port will connect you to a server on the port specified, and allow you to send input to whatever service answers on that port. For example, if you use netcat mailserver.mydomain.com 25, you’ll connect to the SMTP daemon running on mailserver.mydomain.com — assuming one is running, of course.

You can then send input to that host, and you’ll see any response from the host. This is perfect for testing services like SMTP, IMAP, POP3, and HTTP interactively. You can do this with Telnet, but (as many readers pointed out) there can be problems with using Telnet. Telnet can interfere with some tests by sending additional data, the Telnet client can’t be set up to listen for incoming connections, and Telnet doesn’t easily lend itself to use in a script. Telnet is also limited in that it has support only for TCP and not UDP.

Using netcat

The netcat utility can also be used to transmit a file over the network, much as cat can be used to write the contents of a file to another file locally. Note that there are other methods that are usually more efficient, but there are occasions when netcat might come in handy.

To transmit a file, you use netcat on the host that’s receiving the file and the host that’s sending the file. On the receiving host, run
netcat -l -p 1234 > filename
The -l option tells netcat to listen, and the -p option tells netcat the port number to listen on. You can replace the port number (1234) with any port number you’d like, though you need to run as root to bind to ports below 1024.

To send the file, run

cat filename | netcat hostname 1234 -q 10

This sends the file to netcat, which then sends the data to the host you specify, on port 1234. The -q option tells netcat to quit 10 seconds after the end of the file (EOF).

You can also use netcat to copy the output of a command to a remote server. For instance, if you want to do a quick and dirty backup to another host, you can pipe the output of the tar command on your local server to a remote server. On the remote machine, run
netcat -l -p 1234 > filename.tgz
This will tell netcat to listen on port 1234, and to output the data it receives to a file called filename.tgz.

On the local server, run
tar -zcf – file | netcat -w 10 hostname 1234
This will run the tar command against the file specified on the command line. This will work with a directory as well; just replace file with the name of the directory. The “-” after the tar options tells tar to send its output to standard out, rather than to a file. The pipe symbol redirects the output from tar to netcat, which copies it to the host specified on the command line. The -w option tells netcat to wait for 10 seconds after it has copied the data, and then close the connection.

If you want to glean a little more information about what’s going on with netcat, the -v option makes netcat more verbose. If you use -v with netcat in listening mode, it will tell you when a connection is made, and from where, like this:

$ netcat -l -p 3333 -v > filename.tgz
listening on [any] 3333 ...
connect to [] from dhoffryn [] 57450

If that’s not enough information for you, turn on extra verbosity with -vv:

netcat -l -p 3333 -vv > filename.tgz
listening on [any] 3333 ...
connect to [] from dhoffryn [] 57451
sent 0, rcvd 133120

This has the added bonus of showing how much data was sent and received. This works either way, so you can turn on verbosity when using netcat to send data or act as a client for remote services, and netcat will show the host and port it’s connecting to, and how much data has been sent or received.

Another option that may come in handy is the -c option, which tells netcat to execute a command with /bin/sh after it connects — sending the output to the other side of the connection. This can be used on either side of the connection. To send data from a command to a remote host, you could use netcat -c ‘/bin/command’ hostname port . When netcat connects to the service on the remote host, it will attempt to send the output of /bin/command. If you use

netcat -l -p 1234 -c '/bin/comman

Further Uses

The simplest example of its usage is to create a server-client chat system. Although this is a very primitive way to chat, it shows how netcat works. In the following examples it is assumed that the machine that creates the listening socket (server) has the IP address. So, create the chat server on this machine and set it to listen to 3333 TCP port:

$ nc -l 3333

On the other end, connect to the server with the following:

$ nc 3333

In this case, the keyboard acts as the stdin. Anything you type in the server machine’s terminal is transfered to the client machine and vice-versa.

Transfering Files

In the very same way it can be used to transfer files between two computers. You can create a server that serves the file with the following:

cat backup.iso | nc -l 3333

Receive backup.iso on the client machine with the following:

nc 3333 > backup.iso

As you may have noticed, netcat does not show any info about the progress of the data transfer. This is inconvenient when dealing with large files. In such cases, a pipe-monitoring utility like pv can be used to show a progress indicator. For example, the following shows the total amount of data that has been transfered in real-time on the server side:

cat backup.iso | pv -b | nc -l 3333

Of course, the same can be implemented on the client side by piping netcat’s output through pv:

nc 3333 | pv -b > backup.iso

Other Examples

Netcat is extremely useful for creating a partition image and sending it to a remote machine on-the-fly:

dd if=/dev/hdb5 | gzip -9 | nc -l 3333

On the remote machine, connect to the server and receive the partition image with the following command:

nc 3333 | pv -b > myhdb5partition.img.gz

This might not be as classy as the partition backups using partimage, but it is efficient.

Another useful thing is to compress the critical files on the server machine with tar and have them pulled by a remote machine:

tar -czf - /etc/ | nc -l 3333

As you can see, there is a dash in the tar options instead of a filename. This is because tar’s output needs to be passed to netcat.

On the remote machine, the backup is pulled in the same way as before:

nc 3333 | pv -b > mybackup.tar.gz


It is obvious that using netcat in the way described above, the data travels in the clear across the network. This is acceptable in case of a local network, but, in case of transfers across the internet, then it would be a wise choice to do it through an SSH tunnel.

Using an SSH tunnel has two advantages:

1. The data is transfered inside an encrypted tunnel, so it is well-protected.
2. You do not need to keep any open ports in the firewall configuration of the machine that will act as the server, as the connections will take place through SSH.

You pipe the file to a listening socket on the server machine in the same way as before. It is assumed that an SSH server runs on this machine too.

cat backup.iso | nc -l 3333

On the client machine connect to the listening socket through an SSH tunnel:

ssh -f -L 23333: [email protected] sleep 10; \nc 23333 | pv -b > backup.iso

This way of creating and using the SSH tunnel has the advantage that the tunnel is automagically closed after file transfer finishes. For more information and explanation about it please read my article about auto-closing SSH tunnels.
Telnet-like Usage

Netcat can be used in order to talk to servers like telnet does. For example, in order to get the definition of the word “server” from the “WordNet” database at the dict.org dictionary server, I’d do:

$ nc dict.org 2628
220 ..............some WELCOME.....
DEFINE wn server
150 1 definitions retrieved
151 "server" wn "WordNet (r) 2.0"
n 1: a person whose occupation is to serve at table (as in a
restaurant) [syn: {waiter}]
2: (court games) the player who serves to start a point
3: (computer science) a computer that provides client stations
with access to files and printers as shared resources to a
computer network [syn: {host}]
4: utensil used in serving food or drink
250 ok [d/m/c = 1/0/18; 0.000r 0.000u 0.000s]
221 bye [d/m/c = 0/0/0; 16.000r 0.000u 0.000s]

Works as a Port Scanner too

A useful command line flag is -z. When it is used, netcat does not initiate a connection to the server, but just informs about the open port it has found. Also, instead of a single port, it can accept a port-range to scan. For example:

$ nc -z 80-90
Connection to 80 port [tcp/http] succeeded!

In this example, netcat scanned the 80-90 range of ports and reported that port 80 is open on the remote machine.

The man page contains some more interesting examples, so take the time to read it.

 Posted by at 8:13 pm