Skip to main content

Netcat is a versatile utility for redirecting IO into a network stream.

# To start a listener on the specified TCP port and send a file into it:
nc -l -p <port> < <filename>

# To connect to a target listener on the specified port and receive a file from it:
nc <host> <port> > <received_filename>

# To scan the open TCP ports of a specified host:
nc -v -z -w <timeout_in_seconds> <host> <start_port>-<end_port>

# To start a listener on the specified TCP port and provide your local shell access to the connected party (this is dangerous and can be abused):
nc -l -p <port> -e <shell_executable>

# To connect to a target listener and provide your local shell access to the remote party (this is dangerous and can be abused):
nc <host> <port> -e <shell_executable>

# To act as a proxy and forward data from a local TCP port to the given remote host:
nc -l -p <local_port> | nc <host> <remote_port>

# To send an HTTP GET request:
echo -e "GET / HTTP/1.1\nHost: <host>\n\n" | nc <host> 80

# ---

##
# Transfer Files With Netcat
##

# You can also use netcat to transfer your files. Suppose we have a file named
# test.txt on machine A and we wan to transfer its content on machine B.
# The machine B will listen for a connection.
#
# Run the following command on `machine B` in order to wait and get the
# `test.txt` file.
nc -l -p 123 > test.txt
# Then run the following command on `machine A`.
cat test.txt | nc localhost 123


# To perform a banner grab with netcat run the following command.
nc -v 127.0.0.1 22

##
# Disable Reading from STDIN in Netcat
##

# Server:
$ nc -l 2389
# Client:
$ nc -d localhost 2389

###
# Force Netcat Server to Stay Up
###

# Server:
$ nc -k -l 2389

# Client:
$ nc localhost 2389

##
# Configure Netcat `Client` to Stay Up after EOF
##

# `-q` = number of seconds to wait before terminating
$ nc -q 5 localhost 2389

##
# Use Netcat with UDP Protocol
##

# `-u` UDP flag.
# `-4` indicates IPv4

# Server:
$ nc -4 -u -l 2389

# Client:
$ nc -4 -u localhost 2389

##
# How To Use Netcat as a Simple Web Server
##

# Server:
$ netcat -l 8888 < index.html
# open browser: http://server_IP:8888

# We can have netcat serve the page indefinitely by wrapping the last command in
# an infinite loop, like this:
$ while true; do nc -l 8888 < index.html; done
# We can stop the loop by typing CTRL-C on the server.



##
# Establish a connection and get some data over HTTP
##
$ nc example.com 80
  GET / HTTP/1.0


  # <HTML>
  # <!-- site's code here -->
  # </HTML>


# Open a raw connection to port 25 (like telnet)
nc mail.server.net 25


# Setting up a one-shot webserver on port 8080 to present the content of a file
{ echo -ne "HTTP/1.0 200 OK\r\nContent-Length: $(wc -c <some.file)\r\n\r\n"; cat some.file; } | nc -l 8080


# Checking if UDP ports (-u) 80-90 are open on 192.168.0.1 using zero mode I/O (-z)
nc -vzu 192.168.0.1 80-90


# Test if UDP port is open: simple UDP server and client (-4 force IPv4)
nc -ul -4 7000         # <-- On the listening host
nc -u -4 servname 7000 # <-- On the sending host

# Pipe via UDP (-u) with a wait time (-w) of 1 second to 'loggerhost' on port 514
echo '<0>message' | nc -w 1 -u loggerhost 514


##
# Port scanning
#   "-n" parameter here prevents DNS lookup
#   "-z" makes nc not receive any data from the server
#   "-w 1" makes the connection timeout after 1 second of inactivity
##
nc -v -n -z -w 1 192.168.1.2 1-1000


##
# Proxying
##

# Both ports and hosts can be redirected (Port 12345 represents the request)
nc -l 12345 | nc www.google.com 80

# This starts a nc server on port 12345 and all the connections get redirected
# to google.com:80. If a web browser makes a request to nc, the request
# will be sent to google but the response will not be sent to
# the web browser. That is because pipes are undirectional.
#
# This can be worked around with a named pipe to redirect the input and output.
mkfifo backpipe
nc -l 12345 0<backpipe | nc www.google.com 80 1>backpipe
# The "-c" option may also be used with the 'ncat' implementation
nc -l 12345 -c 'nc www.google.com 80'

##
# Making any process a network server
##

# `netcat` can listen on a port and pipe the input it receives to that process.
# The `-e` option spawns the executable with its input and output redirected
# via network socket.
#
# For example, it is possible to expose a bourne shell process to remote
# computers. To do so, on a computer A with IP 192.168.1.2, run this command:
nc -l -p 1234 -e /bin/sh
# Then, from any other computer on the same network, one could run this nc command:
nc 192.168.1.2 1234
ls -las
# And the output one would see might be like this:
#  total 4288
#  4 drwxr-xr-x 15 imsovain users 4096 2009-02-17 07:47 .
#  4 drwxr-xr-x 4 imsovain users 4096 2009-01-18 21:22 ..
#  8 -rw------- 1 imsovain users 8192 2009-02-16 19:30 .bash_history
#  4 -rw-r--r-- 1 imsovain users 220 2009-01-18 21:04 .bash_logout
#  ...

##
# Stream A Video With Netcat
##

# This is very useful when you want to watch a long video or movie from your
# server (another machine in your network) but you don't have time to copy it.
# Make sure you have mplayer installed in the machine that you want to watch the
# video. Ubuntu geeks and users can install mplayer with the following command.
sudo apt-get install mplayer

# In the server side (the machine where your video is stored) run the following
# command. It is very similar to the file transfer with netcat, but here we do
# not copy the file in our local machine, we play it with mplayer.
cat video_name.avi | nc -l 13

# Run the following command in the client side and everything should be ok. You
# will easily understand if this technique worked because a video will start to
# play.
nc server_ip_address 13 | mplayer -vo x11 -cache 3000

##
# Directory transfer
# http://mylinuxbook.com/linux-netcat-command/
##

# Server
$ tar -cvf – dir_name | nc -l 1567

# Client
$ nc -n 172.31.100.7 1567 | tar -xvf -

## Conserve bandwidth by compressing the archive

# Server
$ tar -cvf – dir_name| bzip2 -z | nc -l 1567

# Client
$ nc -n 172.31.100.7 1567 | bzip2 -d |tar -xvf -

##
# Encrypt your data when sending over the network
# http://mylinuxbook.com/linux-netcat-command/
##

# Server
$ nc localhost 1567 | mcrypt –flush –bare -F -q -d -m ecb > file.txt

# Client
$ mcrypt –flush –bare -F -q -m ecb < file.txt | nc -l 1567


##
# Stream a video
# http://mylinuxbook.com/linux-netcat-command/
##

# Server
$ cat video.avi | nc -l 1567

# Client
$ nc 172.31.100.7 1567 | mplayer -vo x11 -cache 3000 -


###
# Opening a shell
# http://mylinuxbook.com/linux-netcat-command/
##

# We have used remote Shell using the telnet and ssh but what if they are not
# installed and we do not have the permission to install them, then we can
# create remote shell using netcat also.

# If your netcat support `-c` and `-e` option (traditional netcat)

# Server
$nc -l 1567 -e /bin/bash -i

# Client
$ nc 172.31.100.7 1567

# Here we have created a netcat server and indicated it to run /bin/bash command
# when connection is successful.
#
# If netcat doesn't support `-c` or `-e` options(openbsd netcat) we can still
# crate remote shell.
#
# Server
$ mkfifo /tmp/tmp_fifo
$ cat /tmp/tmp_fifo | /bin/sh -i 2>&1 | nc -l 1567 > /tmp/tmp_fifo
#
# Here we have created a fifo. Then we have piped the content of this fifo file
# using pipe command to a shell `2>&1` is used to redirect stderr to same file
# where stdout is redirected which is piped to netcat server running at port
# `1567`. Now here again we have redirected the output of netcat to fifo file.
#
# Explanation:
#
# - The input received from network is written to fifo file.
# - The fifo file is read by cat command and it content is sent to sh command.
# - Sh command processes the received input and write it back to netcat.
# - Netcat send the output over the network to client.
#
# All this is possible because pipe causes the command to run in parallel. The
# fifo file is used instead of regular file because the fifo causes the read to
# wait while if it was an ordinary file the cat command would have ended as soon
# as started reading an empty file.
#
# At client is just as simple as conecting to server
#
# Client
$ nc -n 172.31.100.7 1567
# 
# And you will get a shell prompt at the client.