by anil on May 26, 2009
Many of us use
telnet as a network debugging tool quite often. Just with its
port options we find it very useful. But, I’m sure that many would recall following situations where we find the
telnet client inadequate:
- To test a UDP service
- Want to send a pre-prepared set of request/responses to a server (to test a service)
- Specify a Gateway for the TCP or UDP connection (checking routing and firewalling)
- Receive and store dump of the traffic (network and application troubleshooting)
- Send a UDP broadcast over the subnet (Network and application testing)
- To set the ToS (type of service) flag in IP packet (to test QoS settings)
- To copy a file over network without any regular services running
- Do a port scan (without opening I/O)
- Mimic the request/response sequence of a service/client you want to test
There is a less-known tool called
nc–acronym for Netcat–which was ranked 4th in the latest Top 100 Network Security Tools 2006 conducted by
Insecure.org and always in the top 5 in previous years as well.
nc can perform all the above and more. As it is rightly assigned with the caption of “TCP/IP swiss army knife.” Here is a quick set of commands to use
nc for the use of a network administrator/troubleshooter.
Please note that Linux and BSD ports of
nc differs in behaviour and syntax. This post is mostly based on the Linux port. I have tried to mention the difference where ever possible.
- Test a TCP Service:
nc <hostname> <port number>
nc www.google.com 80
If you need to run a shell command after the TCP connection is established, use the “-c” option.
nc -c wwwclient www.google.com 80
There is an important behaviour you need to notice while using -c and -e (invokes a script) options: the called command is supposed to handle both input and output of
nc. This means that while passing an
echocommand, for example, with -c option, you cannot expect nc to print the response to standard out. For example, the following command writes nothing to standard out:
nc -c “echo GET / HTTP/1.0″ www.google.com 80
This is because nc pipes the HTTP response from www.google.com to
echo. The -e option has the same behaviour. In the BSD port of
ncthere is no
-coption available. And the
-ehas a very different meaning.
If you want to make a request to a server in two or more lines (as in the case of, say, HTTP protocol), write them down in a file and cat-pipe that file to NC. For example if you want to find the public IP address of your Internet gateway, create a text file http.txt with the following content:
GET /ip HTTP/1.0
Now issue this command:
cat http.txt|nc www.linuxense.com 80
In certain protocols, such as SMTP, it needs to wait for the server to make a response before nc sends the next request. In such situation the -i option comes handy; it waits for the specified number of seconds before it sends the next line.
Now try this SMTP transaction. Save the following in to a file named, say, smtp.txt
mail from: <me@myhost>
rcpt to: <you@yourhost>
Subject: test from Netcat
This is a test from Netcat
Now play out this transaction:
cat smtp.txt | nc -i 2 your_smtp_server 25
There is a
-noption that disables any DNS look up. This is useful if you are providing the IP address of the host and to explicitly say so to
-poption to specify a source port. It is even possible to specify a range of port as in
80-1024(both inclusive). If you omit the
-poption, it will use a random port.
- Emulate TCP Service
-lflag to instruct
ncto stay in listen mode. Use the following to bind
ncto port 8000:
nc -l 8000
ncquits when the remote connection closes. To make it stay listening for another connection, use
-k(found to work only in BSD port).
-poption to specify the port it is listening to is allowed in Linux. In the BSD port, this is illegal.
- Emulate a UDP Service
ncwill turn the protocol to UDP. Almost all options which are valid for TCP mode (default mode) are valid with this option too.
Emulate a DNS service:
nc -u -l -p 53(note that all parameters are similar to those in TCP mode. The option
-umakes all the difference).
-pis a required option in Linux where us in BSD it is not permitted.
Now, run a dig command at it:
dig @localhost www.linuxense.com
You will see a partially readable line being printed on the console and this is how a DNS query looks like. Capture this into a file:
nc -u -i -p 53 > dns-query.txt
And playback it at a functional DNS server and see the output:
cat dns-query.txt |nc -u mydnsserver 53
Specifying Source IP Address:
If you are on your gateway and you want to specify the source IP address of packets leaving the gateway, use the
-soption. For example:
nc -s 192.168.1.1 remotehost 80
- Run a Zero I/O Port Scan
See this example:
nc -z -v remotehost 80
ncin zero I/O scan mode.
-voption is to turn on the verbose mode.
It is also possible to specify a range of IP addresses as follows (both IP addresses are inclusive):
nc -zv remotehost 80-1024
- Set "Type of Service" (ToS) Flag
-xallows to set the IP ToS flag. Possible values are "Minimize-Delay", "Maximize-Throughput", Maximize-Reliability", "Minimize-Cost".
- Set Up a Service Gateway/Proxy
This is a quick and trivial service gateway you can try out in a few seconds. You device more sophisticated gateways with
nc. BSD port of
ncprovides built-in support for this functionality with
If you enjoy reading this post and liked
nc, please post here the
nc tricks and hacks you invent.
Learn IP Networking