1.\" Copyright (c) 1996 David Sacerdote All rights reserved. 2.\" Redistribution and use in source and binary forms, with or without 3.\" modification, are permitted provided that the following conditions are 4.\" met: 1. Redistributions of source code must retain the above copyright 5.\" notice, this list of conditions and the following disclaimer. 6.\" 7.\" 2. Redistributions in binary form must reproduce the above copyright 8.\" notice, this list of conditions and the following disclaimer in the 9.\" documentation and/or other materials provided with the distribution. 3. 10.\" The name of the author may not be used to endorse or promote products 11.\" derived from this 12.\" 13.\" software without specific prior written permission THIS SOFTWARE IS 14.\" PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 15.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 16.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN 17.\" NO EVENT SHALL THE AUTHOR 18.\" 19.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 22.\" BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23.\" WHETHER IN CONTRACT, 24.\" 25.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27.\" POSSIBILITY OF SUCH DAMAGE. 28.\" 29.\" Portions Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved. 30.\" Copyright 2024 Oxide Computer Company 31.\" 32.Dd April 15, 2024 33.Dt NC 1 34.Os 35.Sh NAME 36.Nm nc 37.Nd arbitrary TCP and UDP connections and listens 38.Sh SYNOPSIS 39.Nm 40.Fl h 41.Nm 42.Op Fl 46dnrStuvz 43.Op Fl i Ar interval 44.Op Fl P Ar proxy_username 45.Op Fl p Ar port 46.Op Fl s Ar source_ip_address 47.Op Fl T Ar ToS 48.Op Fl w Ar timeout 49.Op Fl X Ar proxy_protocol 50.Op Fl x Ar proxy_address Ns Op &: Ar port 51.Ar hostname 52.Ar port_list 53.Nm 54.Fl l 55.Op Fl 46DdnrStuvz 56.Op Fl i Ar interval 57.Op Fl T Ar ToS 58.Op Ar hostname 59.Ar port 60.Nm 61.Fl l 62.Op Fl 46DdnrStuvz 63.Op Fl i Ar interval 64.Op Fl T Ar ToS 65.Fl p Ar port 66.Nm 67.Fl U 68.Op Fl Ddtvz 69.Op Fl i Ar interval 70.Op Fl w Ar timeout 71.Fl p Ar path 72.Nm 73.Fl Ul 74.Op Fl 46Ddktv 75.Op Fl i Ar interval 76.Ar path 77.Sh DESCRIPTION 78The 79.Nm 80.Po 81or 82.Nm netcat 83.Pc 84utility is used for a variety of tasks associated with TCP or UDP. 85.Nm 86can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP 87ports, perform port scanning, and deal with both IPv4 and IPv6. 88Unlike 89.Xr telnet 1 , 90.Nm 91scripts nicely, and separates error messages onto standard error instead of 92sending them to standard output. 93.Pp 94The 95.Nm 96command is often used for the following tasks: 97.Bl -bullet -width Ds 98.It 99simple TCP proxies 100.It 101shell-script based HTTP clients and servers 102.It 103network daemon testing 104.It 105a SOCKS or HTTP ProxyCommand for 106.Xr ssh 1 107.El 108.Sh OPTIONS 109The following options are supported: 110.Bl -tag -width Ds 111.It Fl 4 112Force 113.Nm 114to use IPv4 addresses only. 115.It Fl 6 116Force 117.Nm 118to use IPv6 addresses only. 119.It Fl D 120Enable debugging on the socket. 121.It Fl d 122Do not attempt to read from 123.Dv stdin . 124.It Fl h 125Print 126.Nm 127help. 128.It Fl i Ar interval 129Specify a delay time of 130.Ar interval 131between lines of text sent and received. 132This option also causes a delay time between connections to multiple ports. 133.It Fl k 134Force 135.Nm 136to listen for another connection after its current connection is closed. 137.Pp 138It is an error to use this option without the 139.Fl l 140option. 141.It Fl l 142Listen for an incoming connection rather than initiate a connection to a remote 143host. 144.Pp 145It is an error to use this option in conjunction with the 146.Fl s 147or 148.Fl z 149options. 150Additionally, any 151.Ar timeout 152specified with the 153.Fl w 154option is ignored. 155.It Fl n 156Do not do any naming or service lookups on any addresses, hostnames, or ports. 157.Pp 158Use of this option means that 159.Ar hostname 160and 161.Ar port 162arguments are restricted to numeric values. 163.Pp 164If used with 165.Fl v 166option all addresses and ports are printed in numeric form, in addition to the 167restriction imposed on the arguments. 168This option does not have any effect when used in conjunction with the 169.Fl U 170option. 171.It Fl P Ar proxy_username 172Specify a username 173.Po 174.Ar proxy_username 175.Pc 176to present to a proxy server that requires authentication. 177If 178.Ar proxy_username 179is not specified, authentication is not attempted. 180Proxy authentication is only supported for HTTP CONNECT proxies at present. 181.Pp 182It is an error to use this option in conjunction with the 183.Fl l 184option. 185.It Fl p Ar port 186When used without 187.Fl l 188option, specify the source port 189.Nm 190should use, subject to privilege restrictions and availability. 191When used with the 192.Fl l 193option, set the listen port. 194.Pp 195This option can be used with 196.Fl l 197option only provided global port argument is not specified. 198.It Fl r 199Choose source or destination ports randomly instead of sequentially within a 200range or in the order that the system assigns them. 201.Pp 202It is an error to use this option in conjunction with the 203.Fl l 204option. 205.It Fl S 206Enables the 207.%T RFC 2385 208TCP MD5 signature option. 209.Pp 210In order for packets to be sent or received in conjunction with this option, a 211security association that matches the traffic must also be created using 212.Xr tcpkey 8 . 213.It Fl s Ar source_ip_address 214Specify the IP of the interface which is used to send the packets. 215.Pp 216It is an error to use this option in conjunction with the 217.Fl l 218option. 219.It Fl T Ar ToS 220Specify IP Type of Service 221.Pq ToS 222for the connection. 223Valid values are the tokens: 224.Cm lowdelay , 225.Cm throughput , 226.Cm reliability , 227or an 8-bit hexadecimal value preceded by 0x. 228.It Fl t 229Cause 230.Nm 231to send 232.%T RFC 854 233.Dq DON'T 234and 235.Dq WON'T 236responses to 237.%T RFC 854 238.Dq DO 239and 240.Dq WILL 241requests. 242This makes it possible to use 243.Nm 244to script telnet sessions. 245.It Fl U 246Specify the use of Unix Domain Sockets. 247If you specify this option without 248.Fl l , 249it becomes an 250.Dv AF_UNIX 251client. 252If you specify this option with the 253.Fl l 254option, a 255.Dv AF_UNIX 256server is created. 257.Pp 258Use of this option requires that a single argument of a valid Unix domain path 259has to be provided to 260.Nm , 261not a host name or port. 262.It Fl u 263Use UDP instead of the default option of TCP. 264.It Fl v 265Specify verbose output. 266.It Fl w Ar timeout 267Silently close the connection if a connection and 268.Dv stdin 269are idle for more than 270.Ar timeout 271seconds. 272.Pp 273This option has no effect on the 274.Fl l 275option, that is, 276.Nm 277listens forever for a connection, with or without the 278.Fl w 279flag. 280The default is no timeout. 281.It Fl X Ar proxy_protocol 282Use the specified protocol when talking to the proxy server. 283Supported protocols are 4 284.Pq SOCKS v.4 , 2855 286.Pq SOCKS v.5 287and connect 288.Pq HTTP proxy . 289If the protocol is not specified, SOCKS v.5 is used. 290.Pp 291It is an error to use this option in conjunction with the 292.Fl l 293option. 294.It Fl x Ar proxy_address Ns Op &: Ar port 295Request connection to 296.Ar hostname 297using a proxy at 298.Ar proxy_address 299and 300.Ar port . 301If 302.Ar port 303is not specified, the well-known port for the proxy protocol is used 304.Pq 1080 for SOCKS, 3128 for HTTP . 305.Pp 306It is an error to use this option in conjunction with the 307.Fl l 308option. 309.It Fl z 310Scan for listening daemons, without sending any data to them. 311.Pp 312It is an error to use this option in conjunction with the 313.Fl l 314option. 315.El 316.Sh OPERANDS 317The following operands are supported: 318.Bl -tag -width Ds 319.It Ar hostname 320Specify host name. 321.Pp 322.Ar hostname 323can be a numerical IP address or a symbolic hostname 324.Po 325unless the 326.Fl n 327option is specified 328.Pc . 329.Pp 330In general, 331.Ar hostname 332must be specified, unless the 333.Fl l 334option is given or 335.Fl U 336is used 337.Pq in which case the argument is a path . 338If 339.Ar hostname 340argument is specified with 341.Fl l 342option then 343.Ar port 344argument must be given as well and 345.Nm 346tries to bind to that address and port. 347If 348.Ar hostname 349argument is not specified with 350.Fl l 351option then 352.Nm 353tries to listen on a wildcard socket for given 354.Ar port . 355.It Ar path 356Specify pathname. 357.It Ar port | port_list 358Specify port. 359.Pp 360.Ar port_list 361can be specified as single integers, ranges or combinations of both. 362Specify ranges in the form of nn-mm. 363The 364.Ar port_list 365must have at least one member, but can have multiple ports/ranges separated by 366commas. 367.Pp 368In general, a destination port must be specified, unless the 369.Fl U 370option is given, in which case a Unix Domain Socket path must be specified 371instead of 372.Ar hostname . 373.El 374.Sh USAGE 375.Ss Client/Server Model 376It is quite simple to build a very basic client/server model using 377.Nm . 378On one console, start 379.Nm 380listening on a specific port for a connection. 381For example, the command: 382.Pp 383.Dl $ nc -l 1234 384.Pp 385listens on port 1234 for a connection. 386On a second console 387.Pq or a second machine , 388connect to the machine and port to which 389.Nm 390is listening: 391.Pp 392.Dl $ nc 127.0.0.1 1234 393.Pp 394There should now be a connection between the ports. 395Anything typed at the second console is concatenated to the first, and 396vice-versa. 397After the connection has been set up, 398.Nm 399does not really care which side is being used as a server and which side is 400being used as a client. 401The connection can be terminated using an EOF 402.Pq Ctrl/d . 403.Ss Data Transfer 404The example in the previous section can be expanded to build a basic data 405transfer model. 406Any information input into one end of the connection is output to the other 407end, and input and output can be easily captured in order to emulate file 408transfer. 409.Pp 410Start by using 411.Nm 412to listen on a specific port, with output captured into a file: 413.Pp 414.Dl $ nc -l 1234 > filename.out 415.Pp 416Using a second machine, connect to the listening 417.Nm 418process, feeding it the file which is to be transferred: 419.Pp 420.Dl $ nc host.example.com 1234 < filename.in 421.Pp 422After the file has been transferred, the connection closes automatically. 423.Ss Talking to Servers 424It is sometimes useful to talk to servers by hand rather than through a user 425interface. 426It can aid in troubleshooting, when it might be necessary to verify what data a 427server is sending in response to commands issued by the client. 428.Pp 429For example, to retrieve the home page of a web site: 430.Pp 431.Dl $ echo -n \&"GET / HTTP/1.0\er\en\er\en\&" | nc host.example.com 80 432.Pp 433This also displays the headers sent by the web server. 434They can be filtered, if necessary, by using a tool such as 435.Xr sed 1 . 436.Pp 437More complicated examples can be built up when the user knows the format of 438requests required by the server. 439As another example, an email can be submitted to an SMTP server using: 440.Bd -literal -offset indent 441$ nc localhost 25 << EOF 442HELO host.example.com 443MAIL FROM: <user@host.example.com> 444RCPT TO: <user2@host.example.com> 445DATA 446Body of email. 447\&. 448QUIT 449EOF 450.Ed 451.Ss Port Scanning 452It can be useful to know which ports are open and running services on a target 453machine. 454The 455.Fl z 456flag can be used to tell 457.Nm 458to report open ports, rather than to initiate a connection. 459.Pp 460In this example: 461.Bd -literal -offset indent 462$ nc -z host.example.com 20-30 463Connection to host.example.com 22 port [tcp/ssh] succeeded! 464Connection to host.example.com 25 port [tcp/smtp] succeeded! 465.Ed 466.Pp 467The port range was specified to limit the search to ports 20 - 30. 468.Pp 469Alternatively, it might be useful to know which server software is running, and 470which versions. 471This information is often contained within the greeting banners. 472In order to retrieve these, it is necessary to first make a connection, and 473then break the connection when the banner has been retrieved. 474This can be accomplished by specifying a small timeout with the 475.Fl w 476flag, or perhaps by issuing a QUIT command to the server: 477.Bd -literal -offset indent 478$ echo "QUIT" | nc host.example.com 20-30 479SSH-2.0-Sun_SSH_1.1 480Protocol mismatch. 481220 host.example.com IMS SMTP Receiver Version 0.84 Ready 482.Ed 483.Ss inetd Capabilities 484One of the possible uses is to create simple services by using 485.Xr inetd 8 . 486.Pp 487The following example creates a redirect from TCP port 8080 to port 80 on host 488realwww: 489.Bd -literal -offset indent 490# cat << EOF >> /etc/services 491wwwredir 8080/tcp # WWW redirect EOF 492# cat << EOF > /tmp/wwwredir.conf 493wwwredir stream tcp nowait nobody /usr/bin/nc /usr/bin/nc -w 3 realwww 80 494EOF 495# inetconv -i /tmp/wwwredir.conf 496wwwredir -> /var/svc/manifest/network/wwwredir-tcp.xml 497Importing wwwredir-tcp.xml ...Done 498# inetadm -l wwwredir/tcp 499SCOPE NAME=VALUE 500name="wwwredir" 501endpoint_type="stream" 502proto="tcp" 503isrpc=FALSE 504wait=FALSE 505exec="/usr/bin/nc -w 3 realwww 80" 506arg0="/usr/bin/nc" 507user="nobody" 508default bind_addr="" 509default bind_fail_max=-1 510default bind_fail_interval=-1 511default max_con_rate=-1 512default max_copies=-1 513default con_rate_offline=-1 514default failrate_cnt=40 515default failrate_interval=60 516default inherit_env=TRUE 517default tcp_trace=TRUE 518default tcp_wrappers=FALSE 519.Ed 520.Ss Privileges 521To bind to a privileged port number 522.Nm 523needs to be granted the 524.Sy net_privaddr 525privilege. 526If Trusted Extensions are configured and the port 527.Nm 528should listen on is configured as a multi-level port 529.Nm 530also needs the 531.Sy net_bindmlp 532privilege. 533.Pp 534Privileges can be assigned to the user or role directly, by specifying them in 535the account's default privilege set in 536.Xr user_attr 5 . 537However, this means that any application that this user or role starts have 538these additional privileges. 539To only grant the 540.Xr privileges 7 541when 542.Nm 543is invoked, the recommended approach is to create and assign an 544.Xr rbac 7 545rights profile. 546See 547.Sx EXAMPLES 548for additional information. 549.Sh EXAMPLES 550Open a TCP connection to port 42 of host.example.com, using port 3141 as the 551source port, with a timeout of 5 seconds: 552.Pp 553.Dl $ nc -p 3141 -w 5 host.example.com 42 554.Pp 555Open a UDP connection to port 53 of host.example.com: 556.Pp 557.Dl $ nc -u host.example.com 53 558.Pp 559Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as the IP 560for the local end of the connection: 561.Pp 562.Dl $ nc -s 10.1.2.3 host.example.com 42 563.Pp 564Use a list of ports and port ranges for a port scan on various ports: 565.Pp 566.Dl $ nc -z host.example.com 21-25,53,80,110-120,443 567.Pp 568Create and listen on a Unix Domain Socket: 569.Pp 570.Dl $ nc -lU /var/tmp/dsocket 571.Pp 572Create and listen on a UDP socket with associated port 8888: 573.Pp 574.Dl $ nc -u -l -p 8888 575.Pp 576which is the same as: 577.Pp 578.Dl $ nc -u -l 8888 579.Pp 580Create and listen on a TCP socket with associated port 2222 and bind to address 581127.0.0.1 only: 582.Pp 583.Dl $ nc -l 127.0.0.1 2222 584.Pp 585Connect to port 42 of host.example.com using an HTTP proxy at 10.2.3.4, port 5868080. 587This example could also be used by 588.Xr ssh 1 . 589See the 590.Cm ProxyCommand 591directive in 592.Xr ssh_config 5 593for more information. 594.Pp 595.Dl $ nc -x10.2.3.4:8080 -Xconnect host.example.com 42 596.Pp 597The same example again, this time enabling proxy authentication with username 598ruser if the proxy requires it: 599.Pp 600.Dl $ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42 601.Pp 602To run 603.Nm 604with the smallest possible set of privileges as a user or role that has 605additional privileges 606.Pq such as the default root account 607it can be invoked using 608.Xr ppriv 1 609as well. 610For example, limiting it to only run with the privilege to bind to a privileged 611port: 612.Bd -literal -offset indent 613$ ppriv -e -sA=basic,!file_link_any,!proc_exec,!proc_fork,\e 614 !proc_info,!proc_session,net_privaddr nc -l 42 615.Ed 616.Pp 617To allow a user or role to use only 618.Nm 619with the 620.Sy net_privaddr 621privilege, a rights profile needs to be created: 622.Pp 623.Pa /etc/security/exec_attr: 624.Dl Netcat privileged:solaris:cmd:::/usr/bin/nc:privs=net_privaddr 625.Pa /etc/security/prof_attr 626.Dl Netcat privileged:::Allow nc to bind to privileged ports:help=None.html 627.Pp 628Assigning this rights profile using 629.Xr user_attr 5 630permits the user or role to run 631.Nm 632allowing it to listen on any port. 633To permit a user or role to use 634.Nm 635only to listen on specific ports a wrapper script should be specified in the 636rights profiles: 637.Pp 638.Pa /etc/security/exec_attr 639.Dl Netcat restricted:solaris:cmd:::/usr/bin/nc-restricted:privs=net_privaddr 640.Pa /etc/security/prof_attr 641.Dl Netcat restricted:::Allow nc to bind to privileged ports:help=None.html 642.Pp 643and write a shell script that restricts the permissible options, for example, 644one that permits one to bind only on ports between 42 and 64 non-inclusive: 645.Bd -literal -offset indent 646#!/bin/ksh 647 648(( $# == 1 )) || exit 1 649(( $1 > 42 && $1 < 64 )) || exit 1 650exec /usr/bin/nc -l -p "$1" 651.Ed 652.Pp 653This grants the extra privileges when the user or role invokes 654.Nm 655using the wrapper script from a profile shell. 656See 657.Xr pfsh 1 , 658.Xr pfksh 1 , 659.Xr pfcsh 1 , 660and 661.Xr pfexec 1 . 662.Pp 663Invoking 664.Nm 665directly does not run it with the additional privileges, and neither does 666invoking the script without using 667.Sy pfexec 668or a profile shell. 669.Sh INTERFACE STABILITY 670The command line syntax is 671.Sy Committed 672for the 673.Fl 4 , 674.Fl 6 , 675.Fl l , 676.Fl n , 677.Fl p , 678.Fl u , 679and 680.Fl w 681options and their arguments 682.Pq if any . 683The 684.Ar name 685and 686.Ar port 687list arguments are 688.Sy Committed . 689The port range syntax is 690.Sy Uncommitted . 691The interface stability level for all other command line options and their 692arguments is 693.Sy Uncommitted. 694.Sh SEE ALSO 695.Xr cat 1 , 696.Xr pfcsh 1 , 697.Xr pfexec 1 , 698.Xr pfksh 1 , 699.Xr pfsh 1 , 700.Xr ppriv 1 , 701.Xr sed 1 , 702.Xr ssh 1 , 703.Xr telnet 1 , 704.Xr ssh_config 5 , 705.Xr user_attr 5 , 706.Xr attributes 7 , 707.Xr privileges 7 , 708.Xr rbac 7 , 709.Xr inetadm 8 , 710.Xr inetconv 8 , 711.Xr inetd 8 , 712.Xr tcpkey 8 713.Sh AUTHORS 714The original implementation of 715.Nm 716was written by 717.An Hobbit Aq Mt hobbit@avian.org 718.Pp 719.Nm 720was rewritten with IPv6 support by 721.An -nosplit 722.An Eric Jackson Aq Mt ericj@monkey.org 723.Sh NOTES 724UDP port scans always succeed, that is, report the port as open, rendering the 725.Fl uz 726combination of flags relatively useless. 727