[termux-packages] / packages / netcat / nc.1

.\"     $OpenBSD: nc.1,v 1.60 2012/02/07 12:11:43 lum Exp $
.\"
.\" Copyright (c) 1996 David Sacerdote
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: February 7 2012 $
.Dt NC 1
.Os
.Sh NAME
.Nm nc
.Nd arbitrary TCP and UDP connections and listens
.Sh SYNOPSIS
.Nm nc
.Bk -words
.Op Fl 46bCDdhklnrStUuvZz
.Op Fl I Ar length
.Op Fl i Ar interval
.Op Fl O Ar length
.Op Fl P Ar proxy_username
.Op Fl p Ar source_port
.Op Fl q Ar seconds
.Op Fl s Ar source
.Op Fl T Ar toskeyword
.Op Fl V Ar rtable
.Op Fl w Ar timeout
.Op Fl X Ar proxy_protocol
.Oo Xo
.Fl x Ar proxy_address Ns Oo : Ns
.Ar port Oc
.Xc Oc
.Op Ar destination
.Op Ar port
.Ek
.Sh DESCRIPTION
The
.Nm
(or
.Nm netcat )
utility is used for just about anything under the sun involving TCP,
UDP, or
.Ux Ns -domain
sockets.
It can open TCP connections, send UDP packets, listen on arbitrary
TCP and UDP ports, do port scanning, and deal with both IPv4 and
IPv6.
Unlike
.Xr telnet 1 ,
.Nm
scripts nicely, and separates error messages onto standard error instead
of sending them to standard output, as
.Xr telnet 1
does with some.
.Pp
Common uses include:
.Pp
.Bl -bullet -offset indent -compact
.It
simple TCP proxies
.It
shell-script based HTTP clients and servers
.It
network daemon testing
.It
a SOCKS or HTTP ProxyCommand for
.Xr ssh 1
.It
and much, much more
.El
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
Forces
.Nm
to use IPv4 addresses only.
.It Fl 6
Forces
.Nm
to use IPv6 addresses only.
.It Fl b
Allow broadcast.
.It Fl C
Send CRLF as line-ending.
.It Fl D
Enable debugging on the socket.
.It Fl d
Do not attempt to read from stdin.
.It Fl h
Prints out
.Nm
help.
.It Fl I Ar length
Specifies the size of the TCP receive buffer.
.It Fl i Ar interval
Specifies a delay time interval between lines of text sent and received.
Also causes a delay time between connections to multiple ports.
.It Fl k
Forces
.Nm
to stay listening for another connection after its current connection
is completed.
It is an error to use this option without the
.Fl l
option.
.It Fl l
Used to specify that
.Nm
should listen for an incoming connection rather than initiate a
connection to a remote host.
It is an error to use this option in conjunction with the
.Fl p ,
.Fl s ,
or
.Fl z
options.
Additionally, any timeouts specified with the
.Fl w
option are ignored.
.It Fl n
Do not do any DNS or service lookups on any specified addresses,
hostnames or ports.
.It Fl O Ar length
Specifies the size of the TCP send buffer.
.It Fl P Ar proxy_username
Specifies a username to present to a proxy server that requires authentication.
If no username is specified then authentication will not be attempted.
Proxy authentication is only supported for HTTP CONNECT proxies at present.
.It Fl p Ar source_port
Specifies the source port
.Nm
should use, subject to privilege restrictions and availability.
.It Fl q Ar seconds
after EOF on stdin, wait the specified number of seconds and then quit. If
.Ar seconds
is negative, wait forever.
.It Fl r
Specifies that source and/or destination ports should be chosen randomly
instead of sequentially within a range or in the order that the system
assigns them.
.It Fl S
Enables the RFC 2385 TCP MD5 signature option.
.It Fl s Ar source
Specifies the IP of the interface which is used to send the packets.
For
.Ux Ns -domain
datagram sockets, specifies the local temporary socket file
to create and use so that datagrams can be received.
It is an error to use this option in conjunction with the
.Fl l
option.
.It Fl T Ar toskeyword
Change IPv4 TOS value.
.Ar toskeyword
may be one of
.Ar critical ,
.Ar inetcontrol ,
.Ar lowcost ,
.Ar lowdelay ,
.Ar netcontrol ,
.Ar throughput ,
.Ar reliability ,
or one of the DiffServ Code Points:
.Ar ef ,
.Ar af11 ... af43 ,
.Ar cs0 ... cs7 ;
or a number in either hex or decimal.
.It Fl t
Causes
.Nm
to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests.
This makes it possible to use
.Nm
to script telnet sessions.
.It Fl U
Specifies to use
.Ux Ns -domain
sockets.
.It Fl u
Use UDP instead of the default option of TCP.
For
.Ux Ns -domain
sockets, use a datagram socket instead of a stream socket.
If a
.Ux Ns -domain
socket is used, a temporary receiving socket is created in
.Pa /tmp
unless the
.Fl s
flag is given.
.It Fl V Ar rtable
Set the routing table to be used.
The default is 0.
.It Fl v
Have
.Nm
give more verbose output.
.It Fl w Ar timeout
Connections which cannot be established or are idle timeout after
.Ar timeout
seconds.
The
.Fl w
flag has no effect on the
.Fl l
option, i.e.\&
.Nm
will listen forever for a connection, with or without the
.Fl w
flag.
The default is no timeout.
.It Fl X Ar proxy_protocol
Requests that
.Nm
should use the specified protocol when talking to the proxy server.
Supported protocols are
.Dq 4
(SOCKS v.4),
.Dq 5
(SOCKS v.5)
and
.Dq connect
(HTTPS proxy).
If the protocol is not specified, SOCKS version 5 is used.
.It Xo
.Fl x Ar proxy_address Ns Oo : Ns
.Ar port Oc
.Xc
Requests that
.Nm
should connect to
.Ar destination
using a proxy at
.Ar proxy_address
and
.Ar port .
If
.Ar port
is not specified, the well-known port for the proxy protocol is used (1080
for SOCKS, 3128 for HTTPS).
.It Fl Z
DCCP mode.
.It Fl z
Specifies that
.Nm
should just scan for listening daemons, without sending any data to them.
It is an error to use this option in conjunction with the
.Fl l
option.
.El
.Pp
.Ar destination
can be a numerical IP address or a symbolic hostname
(unless the
.Fl n
option is given).
In general, a destination must be specified,
unless the
.Fl l
option is given
(in which case the local host is used).
For
.Ux Ns -domain
sockets, a destination is required and is the socket path to connect to
(or listen on if the
.Fl l
option is given).
.Pp
.Ar port
can be a single integer or a range of ports.
Ranges are in the form nn-mm.
In general,
a destination port must be specified,
unless the
.Fl U
option is given.
.Sh CLIENT/SERVER MODEL
It is quite simple to build a very basic client/server model using
.Nm .
On one console, start
.Nm
listening on a specific port for a connection.
For example:
.Pp
.Dl $ nc -l 1234
.Pp
.Nm
is now listening on port 1234 for a connection.
On a second console
.Pq or a second machine ,
connect to the machine and port being listened on:
.Pp
.Dl $ nc 127.0.0.1 1234
.Pp
There should now be a connection between the ports.
Anything typed at the second console will be concatenated to the first,
and vice-versa.
After the connection has been set up,
.Nm
does not really care which side is being used as a
.Sq server
and which side is being used as a
.Sq client .
The connection may be terminated using an
.Dv EOF
.Pq Sq ^D .
.Pp
There is no
.Fl c
or
.Fl e
option in this netcat, but you still can execute a command after connection
being established by redirecting file descriptors. Be cautious here because
opening a port and let anyone connected execute arbitrary command on your
site is DANGEROUS. If you really need to do this, here is an example:
.Pp
On
.Sq server
side:
.Pp
.Dl $ rm -f /tmp/f; mkfifo /tmp/f
.Dl $ cat /tmp/f | /bin/sh -i 2>&1 | nc -l 127.0.0.1 1234 > /tmp/f
.Pp
On
.Sq client
side:
.Pp
.Dl $ nc host.example.com 1234
.Dl $ (shell prompt from host.example.com)
.Pp
By doing this, you create a fifo at /tmp/f and make nc listen at port 1234
of address 127.0.0.1 on
.Sq server
side, when a
.Sq client
establishes a connection successfully to that port, /bin/sh gets executed
on
.Sq server
side and the shell prompt is given to
.Sq client
side.
.Pp
When connection is terminated,
.Nm
quits as well. Use
.Fl k
if you want it keep listening, but if the command quits this option won't
restart it or keep
.Nm
running. Also don't forget to remove the file descriptor once you don't need
it anymore:
.Pp
.Dl $ rm -f /tmp/f
.Pp
.Sh DATA TRANSFER
The example in the previous section can be expanded to build a
basic data transfer model.
Any information input into one end of the connection will be output
to the other end, and input and output can be easily captured in order to
emulate file transfer.
.Pp
Start by using
.Nm
to listen on a specific port, with output captured into a file:
.Pp
.Dl $ nc -l 1234 \*(Gt filename.out
.Pp
Using a second machine, connect to the listening
.Nm
process, feeding it the file which is to be transferred:
.Pp
.Dl $ nc host.example.com 1234 \*(Lt filename.in
.Pp
After the file has been transferred, the connection will close automatically.
.Sh TALKING TO SERVERS
It is sometimes useful to talk to servers
.Dq by hand
rather than through a user interface.
It can aid in troubleshooting,
when it might be necessary to verify what data a server is sending
in response to commands issued by the client.
For example, to retrieve the home page of a web site:
.Bd -literal -offset indent
$ printf "GET / HTTP/1.0\er\en\er\en" | nc host.example.com 80
.Ed
.Pp
Note that this also displays the headers sent by the web server.
They can be filtered, using a tool such as
.Xr sed 1 ,
if necessary.
.Pp
More complicated examples can be built up when the user knows the format
of requests required by the server.
As another example, an email may be submitted to an SMTP server using:
.Bd -literal -offset indent
$ nc [\-C] localhost 25 \*(Lt\*(Lt EOF
HELO host.example.com
MAIL FROM:\*(Ltuser@host.example.com\*(Gt
RCPT TO:\*(Ltuser2@host.example.com\*(Gt
DATA
Body of email.
\&.
QUIT
EOF
.Ed
.Sh PORT SCANNING
It may be useful to know which ports are open and running services on
a target machine.
The
.Fl z
flag can be used to tell
.Nm
to report open ports,
rather than initiate a connection. Usually it's useful to turn on verbose
output to stderr by use this option in conjunction with
.Fl v
option.
.Pp
For example:
.Bd -literal -offset indent
$ nc \-zv host.example.com 20-30
Connection to host.example.com 22 port [tcp/ssh] succeeded!
Connection to host.example.com 25 port [tcp/smtp] succeeded!
.Ed
.Pp
The port range was specified to limit the search to ports 20 \- 30, and is
scanned by increasing order.
.Pp
You can also specify a list of ports to scan, for example:
.Bd -literal -offset indent
$ nc \-zv host.example.com 80 20 22
nc: connect to host.example.com 80 (tcp) failed: Connection refused
nc: connect to host.example.com 20 (tcp) failed: Connection refused
Connection to host.example.com port [tcp/ssh] succeeded!
.Ed
.Pp
The ports are scanned by the order you given.
.Pp
Alternatively, it might be useful to know which server software
is running, and which versions.
This information is often contained within the greeting banners.
In order to retrieve these, it is necessary to first make a connection,
and then break the connection when the banner has been retrieved.
This can be accomplished by specifying a small timeout with the
.Fl w
flag, or perhaps by issuing a
.Qq Dv QUIT
command to the server:
.Bd -literal -offset indent
$ echo "QUIT" | nc host.example.com 20-30
SSH-1.99-OpenSSH_3.6.1p2
Protocol mismatch.
220 host.example.com IMS SMTP Receiver Version 0.84 Ready
.Ed
.Sh EXAMPLES
Open a TCP connection to port 42 of host.example.com, using port 31337 as
the source port, with a timeout of 5 seconds:
.Pp
.Dl $ nc -p 31337 -w 5 host.example.com 42
.Pp
Open a UDP connection to port 53 of host.example.com:
.Pp
.Dl $ nc -u host.example.com 53
.Pp
Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as the
IP for the local end of the connection:
.Pp
.Dl $ nc -s 10.1.2.3 host.example.com 42
.Pp
Create and listen on a
.Ux Ns -domain
stream socket:
.Pp
.Dl $ nc -lU /var/tmp/dsocket
.Pp
Connect to port 42 of host.example.com via an HTTP proxy at 10.2.3.4,
port 8080.
This example could also be used by
.Xr ssh 1 ;
see the
.Cm ProxyCommand
directive in
.Xr ssh_config 5
for more information.
.Pp
.Dl $ nc -x10.2.3.4:8080 -Xconnect host.example.com 42
.Pp
The same example again, this time enabling proxy authentication with username
.Dq ruser
if the proxy requires it:
.Pp
.Dl $ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42
.Sh SEE ALSO
.Xr cat 1 ,
.Xr ssh 1
.Sh AUTHORS
Original implementation by *Hobbit*
.Aq hobbit@avian.org .
.br
Rewritten with IPv6 support by
.An Eric Jackson Aq ericj@monkey.org .
.br
Modified for Debian port by Aron Xu
.Aq aron@debian.org .
.Sh CAVEATS
UDP port scans using the
.Fl uz
combination of flags will always report success irrespective of
the target machine's state.
However,
in conjunction with a traffic sniffer either on the target machine
or an intermediary device,
the
.Fl uz
combination could be useful for communications diagnostics.
Note that the amount of UDP traffic generated may be limited either
due to hardware resources and/or configuration settings.
Commit	Line	Data
9d57b270 FF	1	.\" $OpenBSD: nc.1,v 1.60 2012/02/07 12:11:43 lum Exp $
	2	.\"
	3	.\" Copyright (c) 1996 David Sacerdote
	4	.\" All rights reserved.
	5	.\"
	6	.\" Redistribution and use in source and binary forms, with or without
	7	.\" modification, are permitted provided that the following conditions
	8	.\" are met:
	9	.\" 1. Redistributions of source code must retain the above copyright
	10	.\" notice, this list of conditions and the following disclaimer.
	11	.\" 2. Redistributions in binary form must reproduce the above copyright
	12	.\" notice, this list of conditions and the following disclaimer in the
	13	.\" documentation and/or other materials provided with the distribution.
	14	.\" 3. The name of the author may not be used to endorse or promote products
	15	.\" derived from this software without specific prior written permission
	16	.\"
	17	.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	18	.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	19	.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	20	.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	21	.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	22	.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	23	.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	24	.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	25	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	26	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	27	.\"
	28	.Dd $Mdocdate: February 7 2012 $
	29	.Dt NC 1
	30	.Os
	31	.Sh NAME
	32	.Nm nc
	33	.Nd arbitrary TCP and UDP connections and listens
	34	.Sh SYNOPSIS
	35	.Nm nc
	36	.Bk -words
	37	.Op Fl 46bCDdhklnrStUuvZz
	38	.Op Fl I Ar length
	39	.Op Fl i Ar interval
	40	.Op Fl O Ar length
	41	.Op Fl P Ar proxy_username
	42	.Op Fl p Ar source_port
	43	.Op Fl q Ar seconds
	44	.Op Fl s Ar source
	45	.Op Fl T Ar toskeyword
	46	.Op Fl V Ar rtable
	47	.Op Fl w Ar timeout
	48	.Op Fl X Ar proxy_protocol
	49	.Oo Xo
	50	.Fl x Ar proxy_address Ns Oo : Ns
	51	.Ar port Oc
	52	.Xc Oc
	53	.Op Ar destination
	54	.Op Ar port
	55	.Ek
	56	.Sh DESCRIPTION
	57	The
	58	.Nm
	59	(or
	60	.Nm netcat )
	61	utility is used for just about anything under the sun involving TCP,
	62	UDP, or
	63	.Ux Ns -domain
	64	sockets.
65	It can open TCP connections, send UDP packets, listen on arbitrary
66	TCP and UDP ports, do port scanning, and deal with both IPv4 and
67	IPv6.
68	Unlike
69	.Xr telnet 1 ,
70	.Nm
71	scripts nicely, and separates error messages onto standard error instead
72	of sending them to standard output, as
73	.Xr telnet 1
74	does with some.
75	.Pp
76	Common uses include:
77	.Pp
78	.Bl -bullet -offset indent -compact
79	.It
80	simple TCP proxies
81	.It
82	shell-script based HTTP clients and servers
83	.It
84	network daemon testing
85	.It
86	a SOCKS or HTTP ProxyCommand for
87	.Xr ssh 1
88	.It
89	and much, much more
90	.El
91	.Pp
92	The options are as follows:
93	.Bl -tag -width Ds
94	.It Fl 4
95	Forces
96	.Nm
97	to use IPv4 addresses only.
98	.It Fl 6
99	Forces
100	.Nm
101	to use IPv6 addresses only.
102	.It Fl b
103	Allow broadcast.
104	.It Fl C
105	Send CRLF as line-ending.
106	.It Fl D
107	Enable debugging on the socket.
108	.It Fl d
109	Do not attempt to read from stdin.
110	.It Fl h
111	Prints out
112	.Nm
113	help.
114	.It Fl I Ar length
115	Specifies the size of the TCP receive buffer.
116	.It Fl i Ar interval
117	Specifies a delay time interval between lines of text sent and received.
118	Also causes a delay time between connections to multiple ports.
119	.It Fl k
120	Forces
121	.Nm
122	to stay listening for another connection after its current connection
123	is completed.
124	It is an error to use this option without the
125	.Fl l
126	option.
127	.It Fl l
128	Used to specify that
129	.Nm
130	should listen for an incoming connection rather than initiate a
131	connection to a remote host.
132	It is an error to use this option in conjunction with the
133	.Fl p ,
134	.Fl s ,
135	or
136	.Fl z
137	options.
138	Additionally, any timeouts specified with the
139	.Fl w
140	option are ignored.
141	.It Fl n
142	Do not do any DNS or service lookups on any specified addresses,
143	hostnames or ports.
144	.It Fl O Ar length
145	Specifies the size of the TCP send buffer.
146	.It Fl P Ar proxy_username
147	Specifies a username to present to a proxy server that requires authentication.
148	If no username is specified then authentication will not be attempted.
149	Proxy authentication is only supported for HTTP CONNECT proxies at present.
150	.It Fl p Ar source_port
151	Specifies the source port
152	.Nm
153	should use, subject to privilege restrictions and availability.
154	.It Fl q Ar seconds
155	after EOF on stdin, wait the specified number of seconds and then quit. If
156	.Ar seconds
157	is negative, wait forever.
158	.It Fl r
159	Specifies that source and/or destination ports should be chosen randomly
160	instead of sequentially within a range or in the order that the system
161	assigns them.
162	.It Fl S
163	Enables the RFC 2385 TCP MD5 signature option.
164	.It Fl s Ar source
165	Specifies the IP of the interface which is used to send the packets.
166	For
167	.Ux Ns -domain
168	datagram sockets, specifies the local temporary socket file
169	to create and use so that datagrams can be received.
170	It is an error to use this option in conjunction with the
171	.Fl l
172	option.
173	.It Fl T Ar toskeyword
174	Change IPv4 TOS value.
175	.Ar toskeyword
176	may be one of
177	.Ar critical ,
178	.Ar inetcontrol ,
179	.Ar lowcost ,
180	.Ar lowdelay ,
181	.Ar netcontrol ,
182	.Ar throughput ,
183	.Ar reliability ,
184	or one of the DiffServ Code Points:
185	.Ar ef ,
186	.Ar af11 ... af43 ,
187	.Ar cs0 ... cs7 ;
188	or a number in either hex or decimal.
189	.It Fl t
190	Causes
191	.Nm
192	to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests.
193	This makes it possible to use
194	.Nm
195	to script telnet sessions.
196	.It Fl U
197	Specifies to use
198	.Ux Ns -domain
199	sockets.
200	.It Fl u
201	Use UDP instead of the default option of TCP.
202	For
203	.Ux Ns -domain
204	sockets, use a datagram socket instead of a stream socket.
205	If a
206	.Ux Ns -domain
207	socket is used, a temporary receiving socket is created in
208	.Pa /tmp
209	unless the
210	.Fl s
211	flag is given.
212	.It Fl V Ar rtable
213	Set the routing table to be used.
214	The default is 0.
215	.It Fl v
216	Have
217	.Nm
218	give more verbose output.
219	.It Fl w Ar timeout
220	Connections which cannot be established or are idle timeout after
221	.Ar timeout
222	seconds.
223	The
224	.Fl w
225	flag has no effect on the
226	.Fl l
227	option, i.e.\&
228	.Nm
229	will listen forever for a connection, with or without the
230	.Fl w
231	flag.
232	The default is no timeout.
233	.It Fl X Ar proxy_protocol
234	Requests that
235	.Nm
236	should use the specified protocol when talking to the proxy server.
237	Supported protocols are
238	.Dq 4
239	(SOCKS v.4),
240	.Dq 5
241	(SOCKS v.5)
242	and
243	.Dq connect
244	(HTTPS proxy).
245	If the protocol is not specified, SOCKS version 5 is used.
246	.It Xo
247	.Fl x Ar proxy_address Ns Oo : Ns
248	.Ar port Oc
249	.Xc
250	Requests that
251	.Nm
252	should connect to
253	.Ar destination
254	using a proxy at
255	.Ar proxy_address
256	and
257	.Ar port .
258	If
259	.Ar port
260	is not specified, the well-known port for the proxy protocol is used (1080
261	for SOCKS, 3128 for HTTPS).
262	.It Fl Z
263	DCCP mode.
264	.It Fl z
265	Specifies that
266	.Nm
267	should just scan for listening daemons, without sending any data to them.
268	It is an error to use this option in conjunction with the
269	.Fl l
270	option.
271	.El
272	.Pp
273	.Ar destination
274	can be a numerical IP address or a symbolic hostname
275	(unless the
276	.Fl n
277	option is given).
278	In general, a destination must be specified,
279	unless the
280	.Fl l
281	option is given
282	(in which case the local host is used).
283	For
284	.Ux Ns -domain
285	sockets, a destination is required and is the socket path to connect to
286	(or listen on if the
287	.Fl l
288	option is given).
289	.Pp
290	.Ar port
291	can be a single integer or a range of ports.
292	Ranges are in the form nn-mm.
293	In general,
294	a destination port must be specified,
295	unless the
296	.Fl U
297	option is given.
298	.Sh CLIENT/SERVER MODEL
299	It is quite simple to build a very basic client/server model using
300	.Nm .
301	On one console, start
302	.Nm
303	listening on a specific port for a connection.
304	For example:
305	.Pp
306	.Dl $ nc -l 1234
307	.Pp
308	.Nm
309	is now listening on port 1234 for a connection.
310	On a second console
311	.Pq or a second machine ,
312	connect to the machine and port being listened on:
313	.Pp
314	.Dl $ nc 127.0.0.1 1234
315	.Pp
316	There should now be a connection between the ports.
317	Anything typed at the second console will be concatenated to the first,
318	and vice-versa.
319	After the connection has been set up,
320	.Nm
321	does not really care which side is being used as a
322	.Sq server
323	and which side is being used as a
324	.Sq client .
325	The connection may be terminated using an
326	.Dv EOF
327	.Pq Sq ^D .
328	.Pp
329	There is no
330	.Fl c
331	or
332	.Fl e
333	option in this netcat, but you still can execute a command after connection
334	being established by redirecting file descriptors. Be cautious here because
335	opening a port and let anyone connected execute arbitrary command on your
336	site is DANGEROUS. If you really need to do this, here is an example:
337	.Pp
338	On
339	.Sq server
340	side:
341	.Pp
342	.Dl $ rm -f /tmp/f; mkfifo /tmp/f
343	.Dl $ cat /tmp/f \| /bin/sh -i 2>&1 \| nc -l 127.0.0.1 1234 > /tmp/f
344	.Pp
345	On
346	.Sq client
347	side:
348	.Pp
349	.Dl $ nc host.example.com 1234
350	.Dl $ (shell prompt from host.example.com)
351	.Pp
352	By doing this, you create a fifo at /tmp/f and make nc listen at port 1234
353	of address 127.0.0.1 on
354	.Sq server
355	side, when a
356	.Sq client
357	establishes a connection successfully to that port, /bin/sh gets executed
358	on
359	.Sq server
360	side and the shell prompt is given to
361	.Sq client
362	side.
363	.Pp
364	When connection is terminated,
365	.Nm
366	quits as well. Use
367	.Fl k
368	if you want it keep listening, but if the command quits this option won't
369	restart it or keep
370	.Nm
371	running. Also don't forget to remove the file descriptor once you don't need
372	it anymore:
373	.Pp
374	.Dl $ rm -f /tmp/f
375	.Pp
376	.Sh DATA TRANSFER
377	The example in the previous section can be expanded to build a
378	basic data transfer model.
379	Any information input into one end of the connection will be output
380	to the other end, and input and output can be easily captured in order to
381	emulate file transfer.
382	.Pp
383	Start by using
384	.Nm
385	to listen on a specific port, with output captured into a file:
386	.Pp
387	.Dl $ nc -l 1234 \*(Gt filename.out
388	.Pp
389	Using a second machine, connect to the listening
390	.Nm
391	process, feeding it the file which is to be transferred:
392	.Pp
393	.Dl $ nc host.example.com 1234 \*(Lt filename.in
394	.Pp
395	After the file has been transferred, the connection will close automatically.
396	.Sh TALKING TO SERVERS
397	It is sometimes useful to talk to servers
398	.Dq by hand
399	rather than through a user interface.
400	It can aid in troubleshooting,
401	when it might be necessary to verify what data a server is sending
402	in response to commands issued by the client.
403	For example, to retrieve the home page of a web site:
404	.Bd -literal -offset indent
405	$ printf "GET / HTTP/1.0\er\en\er\en" \| nc host.example.com 80
406	.Ed
407	.Pp
408	Note that this also displays the headers sent by the web server.
409	They can be filtered, using a tool such as
410	.Xr sed 1 ,
411	if necessary.
412	.Pp
413	More complicated examples can be built up when the user knows the format
414	of requests required by the server.
415	As another example, an email may be submitted to an SMTP server using:
416	.Bd -literal -offset indent
417	$ nc [\-C] localhost 25 \(Lt\(Lt EOF
418	HELO host.example.com
419	MAIL FROM:\(Ltuser@host.example.com\(Gt
420	RCPT TO:\(Ltuser2@host.example.com\(Gt
421	DATA
422	Body of email.
423	\&.
424	QUIT
425	EOF
426	.Ed
427	.Sh PORT SCANNING
428	It may be useful to know which ports are open and running services on
429	a target machine.
430	The
431	.Fl z
432	flag can be used to tell
433	.Nm
434	to report open ports,
435	rather than initiate a connection. Usually it's useful to turn on verbose
436	output to stderr by use this option in conjunction with
437	.Fl v
438	option.
439	.Pp
440	For example:
441	.Bd -literal -offset indent
442	$ nc \-zv host.example.com 20-30
443	Connection to host.example.com 22 port [tcp/ssh] succeeded!
444	Connection to host.example.com 25 port [tcp/smtp] succeeded!
445	.Ed
446	.Pp
447	The port range was specified to limit the search to ports 20 \- 30, and is
448	scanned by increasing order.
449	.Pp
450	You can also specify a list of ports to scan, for example:
451	.Bd -literal -offset indent
452	$ nc \-zv host.example.com 80 20 22
453	nc: connect to host.example.com 80 (tcp) failed: Connection refused
454	nc: connect to host.example.com 20 (tcp) failed: Connection refused
455	Connection to host.example.com port [tcp/ssh] succeeded!
456	.Ed
457	.Pp
458	The ports are scanned by the order you given.
459	.Pp
460	Alternatively, it might be useful to know which server software
461	is running, and which versions.
462	This information is often contained within the greeting banners.
463	In order to retrieve these, it is necessary to first make a connection,
464	and then break the connection when the banner has been retrieved.
465	This can be accomplished by specifying a small timeout with the
466	.Fl w
467	flag, or perhaps by issuing a
468	.Qq Dv QUIT
469	command to the server:
470	.Bd -literal -offset indent
471	$ echo "QUIT" \| nc host.example.com 20-30
472	SSH-1.99-OpenSSH_3.6.1p2
473	Protocol mismatch.
474	220 host.example.com IMS SMTP Receiver Version 0.84 Ready
475	.Ed
476	.Sh EXAMPLES
477	Open a TCP connection to port 42 of host.example.com, using port 31337 as
478	the source port, with a timeout of 5 seconds:
479	.Pp
480	.Dl $ nc -p 31337 -w 5 host.example.com 42
481	.Pp
482	Open a UDP connection to port 53 of host.example.com:
483	.Pp
484	.Dl $ nc -u host.example.com 53
485	.Pp
486	Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as the
487	IP for the local end of the connection:
488	.Pp
489	.Dl $ nc -s 10.1.2.3 host.example.com 42
490	.Pp
491	Create and listen on a
492	.Ux Ns -domain
493	stream socket:
494	.Pp
495	.Dl $ nc -lU /var/tmp/dsocket
496	.Pp
497	Connect to port 42 of host.example.com via an HTTP proxy at 10.2.3.4,
498	port 8080.
499	This example could also be used by
500	.Xr ssh 1 ;
501	see the
502	.Cm ProxyCommand
503	directive in
504	.Xr ssh_config 5
505	for more information.
506	.Pp
507	.Dl $ nc -x10.2.3.4:8080 -Xconnect host.example.com 42
508	.Pp
509	The same example again, this time enabling proxy authentication with username
510	.Dq ruser
511	if the proxy requires it:
512	.Pp
513	.Dl $ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42
514	.Sh SEE ALSO
515	.Xr cat 1 ,
516	.Xr ssh 1
517	.Sh AUTHORS
518	Original implementation by Hobbit
519	.Aq hobbit@avian.org .
520	.br
521	Rewritten with IPv6 support by
522	.An Eric Jackson Aq ericj@monkey.org .
523	.br
524	Modified for Debian port by Aron Xu
525	.Aq aron@debian.org .
526	.Sh CAVEATS
527	UDP port scans using the
528	.Fl uz
529	combination of flags will always report success irrespective of
530	the target machine's state.
531	However,
532	in conjunction with a traffic sniffer either on the target machine
533	or an intermediary device,
534	the
535	.Fl uz
536	combination could be useful for communications diagnostics.
537	Note that the amount of UDP traffic generated may be limited either
538	due to hardware resources and/or configuration settings.