Summary of NC command in Linux


Netcat, known as “Swiss Army Knife” in network tools, has windows and Linux versions. Because it is short and compact (1.84 version is only 25K, old version or reduced version or even smaller) and practical function, it is designed as a simple and reliable network tool, which can transmit read and write data through TCP or UDP protocol. At the same time, it is also a network application debug analyzer, because it can create various types of network connections as needed.

1、 Version

Usually, the Linux distribution comes with netcat (NC for short). Even in the rescue mode CD, busybox provides a simple version of NC tool. However, the use of parameters is slightly different in different versions.

Official address of netcat:

Citation[ [email protected] ~]# cat /etc/asianux-release

Asianux release 2.0 (Trinity SP2)
[[email protected] ~]# cat /etc/redflag-release
Red Flag DC Server release 5.0 (Trinity SP2)
[[email protected] ~]# type -a nc
nc is /usr/bin/nc
[[email protected] ~]# rpm -q nc

It is suggested to use man NC before using it. Here, the version 1.10 on red flag DC Server 5.0 is briefly described.
Suppose two server information:


2、 Common use

1. Copying files remotely
Copy the file from Server1 to server2. You need to activate monitoring with NC on server2, and then run the following on server2:

Citation[ [email protected] tmp]# nc -lp 1234 > install.log

Run on Server1:

Citation[ [email protected] ~]# ll install.log
-R-69r root install.log
[[email protected] ~]# nc -w 1 1234 < install.log

2. Clone hard disk or partition

The operation is the same as the copy above, just need to get the data of hard disk or partition by DD, and then transfer it.

The operation of cloning hard disk or partition should not be carried out on the system that has been mounted. Therefore, you need to use the installation CD to boot and enter rescue mode (or knoppix)

After starting the system, perform similar monitoring actions on server2

# nc -l -p 1234 | dd of=/dev/sda

The task of cloning SDA hard disk from Server1 to server2 can be completed by executing the transfer on Server1

# dd if=/dev/sda | nc 1234

The premise of completing the above work is to implement the rescue mode of CD-ROM, support the network card on the server, and configure IP correctly.

3. Port scan
Can execute:

Reference ා NC – V – W 1 – Z 1-1000
hatest2 [] 22 (ssh) open

4. Save web page

# while true; do nc -l -p 80 -q 1 < somepage.html; done

5. Simulate HTTP headers

Citation[ [email protected] ~]# nc Eighty

GET / HTTP/1.1
User-Agent: my-browser

HTTP/1.1 200 OK
Date: Tue, 16 Dec 2008 07:23:24 GMT
Server: Apache/2.2.6 (Unix) DAV/2 mod_mono/1.2.1 mod_python/3.2.8 Python/2.4.3 mod_perl/2.0.2 Perl/v5.8.8
Set-Cookie: PHPSESSID=bbadorbvie1gn037iih6lrdg50; path=/
Expires: 0
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Set-Cookie: oWn_sid=xRutAY; expires=Tue, 23-Dec-2008 07:23:24 GMT; path=/
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html

After the NC command, enter the red part of the content, and then press enter twice to get the HTTP headers content from the other party.

6. Chat
NC can also be used as a simple chat tool under characters. Similarly, it is necessary to start monitoring on server2

[[email protected] tmp]# nc -lp 1234

Transfer on Server1:

[[email protected] ~]# nc 1234

In this way, the two sides can communicate with each other. Use Ctrl + D to exit normally.

7. Transfer directory

Copy the contents of nginx-0.6.34 directory from Server1 to server2. You need to activate monitoring with NC on server2, and then run the following on server2:

Citation[ [email protected] tmp]# nc -l 1234 |tar xzvf –

Run on Server1:

Citation[ [email protected] ~]# ll -d nginx-0.6.34

drwxr-xr-x 8 1000 1000 4096 12-23 17:25 nginx-0.6.34
[[email protected] ~]# tar czvf – nginx-0.6.34|nc 1234

8. Parameter introduction

This is only a brief description of version 1.10. For detailed parameter usage, please refer to man:

Reference wants to connect somewhere: NC [- options] host name port [S] [ports]

Binding port waiting for connection: NC – L – P port [- options] [hostname] [port]


-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, …
-H help information
-I secs delay interval
-L listening mode for inbound connections
-N specifies a numeric IP address, cannot use hostname
-O file records hexadecimal transmission
-P port local port number
-R arbitrarily specify local and remote ports
-S addr local source address
-U UDP mode
-V detailed output — use two – V to get more detailed content
-Time of W secs timeout

-Z turn off the I / O — when used for scanning, the port number can be specified as a range or in the lo hi form.

9. Introduction to version 1.84 parameters1. nc [-46DdhklnrStUuvzC] [-i interval] [-p source_port]

2.    [-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_protocol] [-x

3.    proxy_address[:port]] [hostname] [port[s]]  

1. – 4 mandatory use of IPv4

2. – 6 mandatory use of IPv6

3. – D allows socket communication to return debug information

4. – D is not allowed to read from standard input

5. – H display NC help document

6. -i interval 

7. Specify the content delay between each line, send and receive, and delay the connection between multiple ports

8. – K when a connection ends, forces the NC to listen to the other connection. Must be used with – L

9. – L is used to listen for incoming data links and cannot be used with – P – Z – S. -The timeout for the w parameter is also ignored

10. – N does not perform any address, host name, port, or DNS query

11. – P specifies the source port used by NC, which is restricted by permissions and cannot be used together with – L

12. – R specifies the source port and destination port used by NC, and cannot use those ports originally specified by the system

13. – s allows TCP MD5 signature option in RFC 2385

14. -s source_ip_address 

15. Specify the IP address of the interface to be used for the contract, and cannot be used with – L

16. -T ToS

17. Specify the type of IP service (TOS) of the link

18. – C wrap

19. – t enables NC to interact with telnet

20. – u using UNIX domain socket

21. – U uses UDP instead of the default TCP option

22. – V output detailed report

23. -w timeout

24. If a link has no operation for a period of time, it will be automatically disconnected, and there is no timeout by default

25. -X proxy_version

26. Specify the protocol used by NC when using proxy. The optional protocols are socksv4, Socks5 and HTTPS. Default Socks5

27. -x proxy_address[:port]

28. Specify the proxy address and port used by the NC. Default settings: 1080 (socks), 3128 (HTTPS)

29. – Z listens only and does not send any packets

3、 Version differences

The NC version provided by the system will be different if it is not used, and the parameter usage method provided by the system is also slightly different.
For example, the version on the red flag asianux 3.0 SP1 Rescue CD is available with only a few parameters:

Reference ා NC – H

BusyBox v1.2.0 (2008.04.14-01:35+0000) multi-call binary
Usage: nc [OPTIONS] [IP] [port]
Netcat opens a pipe to IP:port

         -l               listen mode, for inbound connects
         -p PORT         local port number
         -i SECS         delay interval for lines sent
         -e PROG         program to exec after connect (dangerous!)
         -w SECS         timeout for connects and final net reads

However, the NC version provided in the asianux 3.0 SP1 system is 1.84, which cannot be executed according to the above parameter usage

Citation[ [email protected] ~]# rpm -q nc

[[email protected] ~]# nc -lp 1234
usage: nc [-46DdhklnrStUuvzC] [-i interval] [-p source_port]
           [-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_version]
           [-x proxy_address[:port]] [hostname] [port[s]]

Looking at the man document, it can be seen that in this version, – l cannot be used with – s, – P, – Z. the – W parameter will also be ignored. Therefore, the correct usage is as follows:

[[email protected] tmp]# nc -l 1234

4、 Used in scripts

Each time NC starts monitoring, the server will exit at the same time when the client connection is completed and exits. Therefore, if you need to use NC for data transmission, you need to use loops in the script. To achieve more functions with NC, refer to the reference script provided by its rpm

Reference ා RPM – QD NC