User Commands nc(1)
NAME
nc - arbitrary TCP and UDP connections and listens
SYNOPSIS
nc -h
nc [-46dnrtuvz] [-i interval] [-P proxyusername] [-p port]
[-s sourceipaddress] [-T ToS] [-w timeout]
[-X proxyprotocol] [-x proxyaddress[:port]
hostname portlist
nc -l [-46Ddnrtuvz] [-i interval] [-T ToS] [hostname] port
nc -l [-46Ddnrtuvz] [-i interval] [-T ToS] -p port
nc -U [-Ddtvz] [-i interval] [-w timeout] path
nc -Ul [-46Ddktv] [-i interval] path
DESCRIPTION
The nc (or netcat) utility is used for a variety of tasks
associated with TCP or UDP. nc can open TCP connections,
send UDP packets, listen on arbitrary TCP and UDP ports,
perform port scanning, and deal with both IPv4 and IPv6.
Unlike telnet(1), nc scripts nicely, and separates error
messages onto standard error instead of sending them to
standard output.
The nc command is often used for the following tasks:
o simple TCP proxies
o shell-script based HTP clients and servers
o network daemon testing
o a SOCKS or HTP ProxyCommand for ssh(1)
OPTIONS
The following options are supported:
-4
Force nc to use IPv4 addresses only.
SunOS 5.11 Last change: 5 Jan 2009 1
User Commands nc(1)
-6
Force nc to use IPv6 addresses only.
-D
Enable debugging on the socket.
-d
Do not attempt to read from stdin.
-h
Print nc help.
-i interval
Specify a delay time of interval between lines of text
sent and received. This option also causes a delay time
between connections to multiple ports.
-k
Force nc to listen for another connection after its
current connection is closed.
It is an error to use this option without the -l option.
-l
Listen for an incoming connection rather than initiate a
connection to a remote host.
It is an error to use this option in conjunction with
the -s or -z options. Additionally, any timeout speci-
fied with the -w option is ignored.
-n
Do not do any naming or service lookups on any
addresses, hostnames, or ports.
Use of this option means that hostname and port argu-
ments are restricted to numeric values.
SunOS 5.11 Last change: 5 Jan 2009 2
User Commands nc(1)
If used with -v option all addresses and ports are
printed in numeric form, in addition to the restriction
imposed on the arguments. This option does not have any
effect when used in conjunction with the -U option.
-P proxyusername
Specify a username (proxyusername) to present to a
proxy server that requires authentication. If
proxyusername is not specified, authentication is not
attempted. Proxy authentication is only supported for
HTP CONECT proxies at present.
It is an error to use this option in conjunction with
the -l option.
-p port
When used without -l option, specify the source port nc
should use, subject to privilege restrictions and avai-
lability. When used with the -l option, set the listen
port.
This option can be used with -l option only provided
global port argument is not specified.
-r
Choose source or destination ports randomly instead of
sequentially within a range or in the order that the
system assigns them.
It is an error to use this option in conjunction with
the -l option.
-s sourceipaddress
Specify the IP of the interface which is used to send
the packets.
It is an error to use this option in conjunction with
the -l option.
-T ToS
Specify IP Type of Service (ToS) for the connection.
Valid values are the tokens: lowdelay, throughput,
SunOS 5.11 Last change: 5 Jan 2009 3
User Commands nc(1)
reliability, or an 8-bit hexadecimal value preceded by
0x.
-t
Cause nc to send RFC 854 DON'T and WON'T responses to
RFC 854 DO and WIL requests. This makes it possible to
use nc to script telnet sessions.
-U
Specify the use of Unix Domain Sockets. If you specify
this option without -l, nc, it becomes AFUNIX client.
If you specify this option with the -l option, a AFUNIX
server is created.
Use of this option requires that a single argument of a
valid Unix domain path has to be provided to nc, not a
host name or port.
-u
Use UDP instead of the default option of TCP.
-v
Specify verbose output.
-w timeout
Silently close the connection if a connection and stdin
are idle for more than timeout seconds.
This option has no effect on the -l option, that is, nc
listens forever for a connection, with or without the -w
flag. The default is no timeout.
-X proxyprotocol
Use the specified protocol when talking to the proxy
server. Supported protocols are 4 (SOCKS v.4), 5 (SOCKS
v.5) and connect (HTP proxy). If the protocol is not
specified, SOCKS v. 5 is used.
It is an error to use this option in conjunction with
the -l option.
SunOS 5.11 Last change: 5 Jan 2009 4
User Commands nc(1)
-x proxyaddress[:port]
Request connection to hostname using a proxy at
proxyaddress and port. If port is not specified, the
well-known port for the proxy protocol is used (1080 for
SOCKS, 3128 for HTP).
It is an error to use this option in conjunction with
the -l option.
-z
Scan for listening daemons, without sending any data to
them.
It is an error to use this option in conjunction with
the -l option.
OPERANDS
The following operands are supported:
hostname Specify host name.
hostname can be a numerical IP address or a
symbolic hostname (unless the -n option is
specified).
In general, hostname must be specified, unless
the -l option is given or -U is used (in which
case the argument is a path). If hostname argu-
ment is specified with -l option then port
argument must be given as well and nc tries to
bind to that address and port. If hostname
argument is not specified with -l option then
nc tries to listen on a wildcard socket for
given port.
path Specify pathname.
port Specify port.
portlist
portlist can be specified as single integers,
ranges or combinations of both. Specify ranges
in the form of nn-mm. The portlist must have
at least one member, but can have multiple
ports/ranges separated by commas.
In general, a destination port must be
SunOS 5.11 Last change: 5 Jan 2009 5
User Commands nc(1)
specified, unless the -U option is given, in
which case a Unix Domain Socket path must be
specified instead of hostname.
USAGE
Client/Server Model
It is quite simple to build a very basic client/server model
using nc. On one console, start nc listening on a specific
port for a connection. For example, the command:
$ nc -l 1234
listens on port 1234 for a connection. On a second console
(or a second machine), connect to the machine and port to
which nc is listening:
$ nc 127.0.0.1 1234
There should now be a connection between the ports. Anything
typed at the second console is concatenated to the first,
and vice-versa. After the connection has been set up, nc
does not really care which side is being used as a server
and which side is being used as a client. The connection can
be terminated using an EOF (Ctrl/d).
Data Transfer
The example in the previous section can be expanded to build
a basic data transfer model. Any information input into one
end of the connection is output to the other end, and input
and output can be easily captured in order to emulate file
transfer.
Start by using nc to listen on a specific port, with output
captured into a file:
$ nc -l 1234 > filename.out
Using a second machine, connect to the listening nc process,
feeding it the file which is to be transferred:
$ nc host.example.com 1234 < filename.in
SunOS 5.11 Last change: 5 Jan 2009 6
User Commands nc(1)
After the file has been transferred, the connection closes
automatically.
Talking to Servers
It is sometimes useful to talk to servers by hand rather
than through a user interface. It can aid in troubleshoot-
ing, when it might be necessary to verify what data a server
is sending in response to commands issued by the client.
For example, to retrieve the home page of a web site:
0 nc host.example.com 80
$ echo -n "GET / HTP/1.0
This also displays the headers sent by the web server. They
can be filtered, if necessary, by using a tool such as
sed(1).
More complicated examples can be built up when the user
knows the format of requests required by the server. As
another example, an email can be submitted to an SMTP server
using:
$ nc localhost 25 << EOF
HELO host.example.com
MAIL FROM: > /etc/services
wwwredir 8080/tcp # W redirect
EOF
# cat << EOF > /tmp/wwwredir.conf
wwwredir stream tcp nowait nobody /usr/bin/nc /usr/bin/nc -w 3 realwww 80
EOF
# inetconv -i /tmp/wwwredir.conf
wwwredir -> /var/svc/manifest/network/wwwredir-tcp.xml
Importing wwwredir-tcp.xml ...Done
# inetadm -l wwwredir/tcp
SCOPE NAME=VALUE
name="wwwredir"
endpointtype="stream"
proto="tcp"
isrpc=FALSE
wait=FALSE
exec="/usr/bin/nc -w 3 realwww 80"
arg0="/usr/bin/nc"
user="nobody"
default bindaddr=""
default bindfailmax=-1
default bindfailinterval=-1
default maxconrate=-1
default maxcopies=-1
SunOS 5.11 Last change: 5 Jan 2009 8
User Commands nc(1)
default conrateoffline=-1
default failratecnt=40
default failrateinterval=60
default inheritenv=TRUE
default tcptrace=TRUE
default tcpwrappers=FALSE
Privileges
To bind to a privileged port number nc needs to be granted
the netprivaddr privilege. If Solaris Trusted Extensions
are configured and the port nc should listen on is config-
ured as a multi-level port nc also needs the netbindmlp
privilege.
Privileges can be assigned to the user or role directly, by
specifying them in the account's default privilege set in
userattr(4). However, this means that any application that
this user or role starts have these additional privileges.
To only grant the privileges(5) when nc is invoked, the
recommended approach is to create and assign an rbac(5)
rights profile. See EXAMPLES for additional information.
EXAMPLES
Example 1 Using nc
Open a TCP connection to port 42 of host.example.com, using
port 3141 as the source port, with a timeout of 5 seconds:
$ nc -p 3141 -w 5 host.example.com 42
Open a UDP connection to port 53 of host.example.com:
$ nc -u host.example.com 53
Open a TCP connection to port 42 of host.example.com using
10.1.2.3 as the IP for the local end of the connection:
$ nc -s 10.1.2.3 host.example.com 42
SunOS 5.11 Last change: 5 Jan 2009 9
User Commands nc(1)
Use a list of ports and port ranges for a port scan on vari-
ous ports:
$ nc -z host.example.com 21-25,53,80,110-120,443
Create and listen on a Unix Domain Socket:
$ nc -lU /var/tmp/dsocket
Create and listen on a UDP socket with associated port 8888:
$ nc -u -l -p 8888
which is the same as:
$ nc -u -l 8888
Create and listen on a TCP socket with associated port 2222
and bind to address 127.0.0.1 only:
$ nc -l 127.0.0.1 2222
Connect to port 42 of host.example.com using an HTP proxy
at 10.2.3.4, port 8080. This example could also be used by
ssh(1). See the ProxyCommand directive in sshconfig(4) for
more information.
$ nc -x10.2.3.4:8080 -Xconnect host.example.com 42
SunOS 5.11 Last change: 5 Jan 2009 10
User Commands nc(1)
The same example again, this time enabling proxy authentica-
tion with username ruser if the proxy requires it:
$ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42
To run nc with the smallest possible set of privileges as a
user or role that has additional privileges (such as the
default root account) it can be invoked using ppriv(1) as
well. For example, limiting it to only run with the
privilege to bind to a privileged port:
$ ppriv -e -sA=basic,!filelinkany,!procexec,!procfork,\
!procinfo,!procsession,netprivaddr nc -l 42
To allow a user or role to use only nc with the netprivaddr
privilege, a rights profile needs to be created:
/etc/security/execattr
Netcat privileged:solaris:cmd:::/usr/bin/nc:privs=netprivaddr
/etc/security/profattr
Netcat privileged:::Allow nc to bind to privileged ports:help=None.html
Assigning this rights profile using userattr(4) permits the
user or role to run nc allowing it to listen on any port. To
permit a user or role to use nc only to listen on specific
ports a wrapper script should be specified in the rights
profiles:
/etc/security/execattr
Netcat restricted:solaris:cmd:::/usr/bin/nc-restricted:privs=netprivaddr
/etc/security/profattr
Netcat restricted:::Allow nc to bind to privileged ports:help=None.html
SunOS 5.11 Last change: 5 Jan 2009 11
User Commands nc(1)
and write a shell script that restricts the permissible
options, for example, one that permits one to bind only on
ports between 42 and 64 (non-inclusive):
/usr/bin/nc-restricted:
#!/bin/sh
[ $# -eq 1 ] && [ $1 -gt 42 -a $1 -lt 64 ] && /usr/bin/nc -l -p "$1"
This grants the extra privileges when the user or role
invokes nc using the wrapper script from a profile shell.
See pfsh(1), pfksh(1), pfcsh(1), and pfexec(1).
Invoking nc directly does not run it with the additional
privileges, and neither does invoking the script without
using pfexec or a profile shell.
ATRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
ATRIBUTE TYPE ATRIBUTE VALUE
Availability SUNWnetcat
Interface Stability See below.
The package name is Committed. The command line syntax is
Committed for the -4, -6, -l, -n, -p ,-u, and -w options and
their arguments (if any). The name and port list arguments
are Committed. The port range syntax is Uncommitted. The
interface stability level for all other command line options
and their arguments is Uncommitted.
SEE ALSO
cat(1), pfcsh(1), pfexec(1), pfksh(1), pfsh(1), ppriv(1),
sed(1), ssh(1), telnet(1), inetadm(1M), inetconv(1M),
inetd(1M), sshconfig(4), userattr(4), attributes(5),
privileges(5), rbac(5)
SunOS 5.11 Last change: 5 Jan 2009 12
User Commands nc(1)
AUTHORS
The original implementation of nc was written by Hobbit,
hobbit@avian.org.
nc was rewritten with IPv6 support by Eric Jackson,
ericj@monkey.org.
NOTES
UDP port scans always succeeds, that is, reports the port as
open, rendering the -uz combination of flags relatively use-
less.
SunOS 5.11 Last change: 5 Jan 2009 13
|
