- Netcat listening on port 567/TCP:
nc -l 567
- Connecting to that port from another machine:
nc 1.2.3.4 567
- To pipe a text file to the listener:
cat infile | nc 1.2.3.4 567 -q 10
- To have the listener save a received text file:
nc -l -p 567 > textfile.in
- File transfer:
nc -l -p <port> < file.txt # send
nc <ip> <port> > file.txt # receive
# or
nc -l -p <port> > file.txt # receive
nc <ip> <port> < file.txt # send
- To transfer a directory, first at the receiving end set up:
nc -l -p 678 | tar xvfpz -
- Then send the directory:
tar zcfp - /path/to/directory | nc -w 3 1.2.3.4 678
- To send a message to your syslog server (the <0> means emerg):
echo '<0>message' | nc -w 1 -u syslogger 514
- Setting up a remote shell listener:
nc -v -e '/bin/bash' -l -p 1234 -t
or
nc -l -p 1234 -e "c:\windows\system32\cmd.exe"
Then telnet to port 1234 from elsewhere to get the shell.
- Using netcat to make an HTTP request:
echo -e "GET http://www.google.com HTTP/1.0\n\n" | nc -w 5 www.google.com 80
- Making a one-page webserver; this will feed homepage.txt to all comers:
cat homepage.txt | nc -v -l -p 80
- Port scan:
nc -v -v <site|ip> <port_range:1-1000>
- Make a single-use network proxy:
nc -l -p 4444 -c "nc example.com 4444"
- Simple Netcat chat with added user name:
mawk -W interactive '$0="USER1: "$0' | nc -l -p [port] [USER1_IP] # Server
mawk -W interactive '$0="USER2: "$0' | nc [USER1_IP] [port] # Client
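A defender-side check for the remote shell listener item above, as an added example that is not part of the original page: it classifies one process command line and flags nc started with -l together with -e or -c. The function name nc_classify, its output labels and the sample lines are constructed for illustration; only short options are parsed, and the set of value-taking options is an assumption taken from this page.

```shell
#!/bin/sh
# Added example: classify one netcat command line by its listen/exec flags.
# Assumption: value-taking short options are -p -i -s -T -w -X -x (option list
# on this page) plus -e -c -q (used in its examples); other builds may differ.
nc_classify() {
    set -f; set -- $1; set +f       # naive word split, quoting not interpreted
    case "${1##*/}" in
        nc|netcat) ;;
        *) echo "not-nc"; return 0 ;;
    esac
    shift
    listen=0; runs_prog=0
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case "$arg" in
            --*) continue ;;        # long options are out of scope here
            -?*) cluster=${arg#-} ;;
            *)   continue ;;        # host, port or other operand
        esac
        while [ -n "$cluster" ]; do # walk bundled flags such as -nlvp
            rest=${cluster#?}
            flag=${cluster%"$rest"}
            cluster=$rest
            case "$flag" in
                l)   listen=1 ;;
                e|c) runs_prog=1 ;;
            esac
            case "$flag" in
                p|i|s|T|w|X|x|q|e|c)
                    # value = rest of this word, otherwise the next word
                    if [ -z "$cluster" ] && [ $# -gt 0 ]; then shift; fi
                    cluster= ;;
            esac
        done
    done
    if [ "$listen$runs_prog" = 11 ]; then echo "exec-listener"
    elif [ "$runs_prog" = 1 ]; then echo "exec"
    elif [ "$listen" = 1 ]; then echo "listener"
    else echo "client"; fi
}

# Constructed sample process lines, as `ps -eo args` might show them
while IFS= read -r line; do
    printf '%-14s %s\n' "$(nc_classify "$line")" "$line"
done <<'EOF'
nc -v -e /bin/bash -l -p 1234 -t
/usr/bin/nc -nlvp 567
nc -Tlowdelay -w 5 www.example.com 80
rsync -a -e ssh /srv backup.example:/srv
EOF
```

The -Tlowdelay line shows why option values must be consumed: scanning the raw text for the letters l and e would misreport it as an exec listener.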
Netcat Options
The following options are supported.
-p source_port
Specifies the source port nc should use, subject to privilege restrictions and availability.
-l
Used to specify that nc should listen for an incoming connection rather than initiate a connection to a remote host.
-k
Force nc to listen for another connection after its current connection is closed. It is an error to use this option without the -l option. It is an error to use this option in conjunction with the -e option.
-i interval
Specify a delay time of interval between lines of text sent and received. The interval is specified in seconds, with possible fractions. This option also causes a delay time between connections to multiple ports, and therefore also affects port scan mode.
-n
Do not do any naming or service lookups on any addresses, hostnames, or ports. Use of this option means that hostname and port arguments are restricted to numeric values. If used with the -v option, all addresses and ports are printed in numeric form, in addition to the restriction imposed on the arguments. This option does not have any effect when used in conjunction with the -U option.
-4
Forces nc to use IPv4 only.
-6
Forces nc to use IPv6 only.
-r
Specifies that source and/or destination ports should be chosen randomly instead of sequentially within a range or in the order that the system assigns them.
-S
Enables the RFC 2385 TCP MD5 signature option.
-s source_ip
Specifies the IP of the interface which is used to send the packets. It is an error to use this option in conjunction with the -l option.
-T ToS
Specifies IP Type of Service (ToS) for the connection. Valid values are the tokens "lowdelay", "throughput", "reliability", or an 8-bit hexadecimal value preceded by "0x".
-u
Use UDP instead of the default TCP.
-v
Have nc produce more verbose output.
-w timeout
If a connection and stdin are idle for more than timeout seconds, then the connection is silently closed. The -w flag has no effect on the -l option, i.e. nc will listen forever for a connection, with or without the -w flag. The default is no timeout.
-X proxy_version
Requests that nc should use the specified protocol when talking to the proxy server. Supported protocols are "4" (SOCKS v.4), "5" (SOCKS v.5) and "connect" (HTTPS proxy). If the protocol is not specified, SOCKS version 5 is used.
-x proxy_host:port
Requests that nc should connect to hostname using a proxy at proxy_host and port. If port is not specified, the well-known port for the proxy protocol is used (1080 for SOCKS, 3128 for HTTPS).
-z
Specifies that nc should just scan for listening daemons, without sending any data to them. It is an error to use this option in conjunction with the -l option.