In this blog post, I'll focus on the basics of netcat. More advanced options and scenarios will follow in separate posts at some point.

Netcat is available on almost any Linux host and is easy to use. It is an excellent tool for troubleshooting network issues or gathering information and a great addition to any tool portfolio.

Basics of netcat

Netcat and nc can be used interchangeably. I've decided to use nc for this blog post. On RHEL, it is often called ncat and part of the nmap packet.

The basic syntax is:

nc [ options ] host port

nc 10.20.10.7 22

Netcat uses TCP by default, which would be a simple TCP connection comparable to telnet.

You can close the connection with CTRL + d or c.

Get some help:

nc --help

man nc

Don't resolve hostnames:

-n

Get more verbose output:

-v

Use a specific internet protocol:

-4 # IPv4 only

-6 # IPv6 only

Use UDP instead of TCP:

-u

I don't focus on UDP in this post, but I might add more related content in the future

Interfaces & source port #

Sometimes it is necessary to specify an interface since hosts often enough have multiple. You can choose the source/interface IP on both sides with the -s flag and the source port on the client with the -p flag.

Example as a client:

nc -p 10101 -s 10.20.10.8 10.20.10.7 9999

-p 10101 # use the source port 10101

-s 10.20.10.8 # use the source IP to connect to the server

10.20.10.7 # IP of the server

9999 # destination port of the server

Destination Ports #

You can choose multiple destination ports for most Netcat functions on the client side.

Range of ports:

1-90

Multiple ports:

80 443

separated by a space

Examples of service names:

http

ssh

smtp

Combination:

ssh 2222 10022-10080

Simple port scan

There are better options like nmap, but it is often enough all you need.

Example:

nc -v -z example.com 20-23

-z # scan instead of initiating a connection

-v # get a more verbose output

Output

nc -vz 10.20.10.8 20-23
nc: connect to 10.20.10.8 port 20 (tcp) failed: Connection refused
nc: connect to 10.20.10.8 port 21 (tcp) failed: Connection refused
Connection to 10.20.10.8 22 port [tcp/ssh] succeeded!
nc: connect to 10.20.10.8 port 23 (tcp) failed: Connection refused

Side note: The results are being sent to standard error, and not standard out. If you want to filter the results with grep, you need to redirect standard error to standard out with 2>&1 like in the following example:

nc -vz 10.20.10.8 20-23 2>&1 | grep succeeded
Connection to 10.20.10.8 22 port [tcp/ssh] succeeded!

More information about the running service #

You can get more information about the running service with the following command:

Information about the SSH Service

kuser@pleasejustwork: echo "QUIT" | nc 10.20.10.8 22
SSH-2.0-OpenSSH_8.0

Information about the Web server

kuser@pleasejustwork: echo "QUIT" | nc ittavern.com 443
HTTP/1.1 400 Bad Request
Server: nginx
Date: Sun, 23 Jul 2023 09:18:01 GMT
Content-Type: text/html
Content-Length: 150
Connection: close

<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx</center>
</body>
</html>

Simple chat via netcat

Two Netcat instances can connect to each other in a server-client relationship to let you transfer text and files in both directions. Which host is the server, and which is the client only relevant for the initial connection?

You can use the -l flag to let Netcat listen on a specific port like this:

Server:

nc -l 9999

Client:

nc 10.20.10.7 9999

Side note: Netcat will listen to all interfaces by default. To limit it to a single one, use the -s flag with the desired IP as a parameter. You'll need to add the -p flag in front of the port, or it will run in a syntax error as a side note within the side note.

There won't be any notifications on either side, but after successfully connecting to the server, you can send messages to each host. You can close the connection with CTRL + d or c.

When the connection is closed, the server will stop listening by default. You can use -k to keep the server listening. There can be only one active TCP connection per server and port.

Side note: Non-root users are by default limited to ports above 1023 for security reasons, and all communication is unencrypted by default!

File Transfer

With Netcat, we are not limited to chat messages and can use it to transfer files in both directions. Just as a reminder: the transfer will be unencrypted by default!

Server / receiver:

nc -l 9999 > random-config.txt

Client / sender:

nc -N 10.20.10.8 9999 < random-config.txt

-N # shuts down the network socket after the transfer

In this example, we would transfer the file random-config.txt from the sender to the receiver in the current directory. The files don't need to have the same name.

Conclusion

Netcat is one of my most used tools for my day-to-day work as it is easy to use and installed on almost any Linux host. I've provided you with the basics of Netcat, so you can add it to your portfolio of tools.

In the future, I plan to provide you with more advanced Netcat functions like a simple web server, bandwidth check, TCP proxy, encryption, and reverse shell.

---