Netcat is a brilliant tool that embodies everything that is brilliant about Unix. I have been using Netcat for a long, long time but have finally decided to give it its own set of notes because I’m dealing with so many different variants and it’s getting hard to keep it all straight.
Variants
- net-analyzer/nc110-r9 - This seems to be the original by hobbit@avian.org. This is the one with the ASCII art cat. No -X feature. This is what is normally installed on normal Gentoo. Project page.
- nc.traditional - On Debian GNU/Linux 8 both nc and netcat link to same-name links in /etc/alternatives/. Those links both link to /bin/nc.traditional. On Debian the version (from -h) is [v1.10-41]. The man page is almost identical to nc110-r9's except the ASCII art is regrettably elided. This version has a -C for CRLF line endings and -T to set the TOS flag; otherwise the options are identical to nc110-r9.
- net-analyzer/gnu-netcat - This is an alternative GNU version currently at 0.7.1-r3 and hosted on this project page.
- BSD nc (Mac) - On a Mac with a Feb 2016 kernel, there is no netcat but there is a /usr/bin/nc. This one seems to be written by Eric Jackson and its man page is dated 2001-06-25. This one claims to support connections to HTTPS proxies. See -X and -x in the man page.
  usage: nc [-46AacCDdEFhklMnOortUuvz] [-K tc] [-b boundif] [-i interval] [-p source_port] [--apple-delegate-pid pid] [--apple-delegate-uuid uuid] [-s source_ip_address] [-w timeout] [-X proxy_version] [-x proxy_address[:port]] [hostname] [port[s]]
- BSD nc (CentOS 6) - On a CentOS 6.7 machine I have the BSD version, also claiming to support the -X. This one's man page is from 2006-08-22 (weird coincidence - exactly 10 years ago today). True to form, there is no netcat on this machine. Strangely for a much newer model, there are far fewer options. Too bad there's no --version.
  usage: nc [-46DdhklnrStUuvzC] [-i interval] [-p source_port] [-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_version] [-x proxy_address[:port]] [hostname] [port[s]]
- ncat - On a CentOS 7.2.1511 installation, I find that /usr/bin/nc links to /usr/bin/ncat. This seems to be an effort by the same people who created and maintain nmap. A very good sign is that it is described well in /usr/share/doc/nmap-ncat-6.40/README like so.
  Ncat is a reimplementation of the currently splintered and reasonably unmaintained Netcat family. Ncat will do pretty much everything that all the other Netcat's do, all in one place. Plus it has the added benefit of spanky new features and ongoing development. .... Ncat has support for HTTP "CONNECT" via an HTTP proxy server such as Squid.
Bandwidth Testing
Let’s say you want to check the ethernet cable for its ability to send a bunch of 1s and 0s at full speed. You can go to the receiving end and do something like this.
$ nc -l -p 4000 > /tmp/testwrite
Then go to the sender and do something like this.
$ nc -w0 192.168.1.64 4000 < /tmp/testwrite
Note that the -w0 will prevent it from waiting for more data to transmit after the command runs.
This is probably roughly the correct strategy for moving whole file systems using tar.
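The mechanism behind the two-ended test above, as an added Python illustration rather than the page's own nc commands: the receiving side counts bytes until it sees EOF, and the sending side half-closes the connection once its payload is exhausted, which is what -w0 buys you on the sending nc. The loopback host, the kernel-chosen port and the zero-filled payload are constructed assumptions for this example.

```python
import socket
import threading
import time

# Constructed illustration of the nc bandwidth test above (receiver sinks
# bytes to EOF, sender blasts filler then half-closes), not the page's code.

def receiver(listen_sock):
    """Accept one connection and count bytes until the peer closes (EOF)."""
    conn, _ = listen_sock.accept()
    total = 0
    with conn:
        while True:
            chunk = conn.recv(1 << 16)
            if not chunk:           # b'' means the sender half-closed: EOF
                break
            total += len(chunk)
    return total

def sender(host, port, nbytes, chunk=1 << 16):
    """Connect, push nbytes of filler, then half-close like `nc -w0` would."""
    payload = b"\x00" * chunk       # like /dev/zero: content is irrelevant
    sent = 0
    with socket.create_connection((host, port)) as s:
        while sent < nbytes:
            n = min(chunk, nbytes - sent)
            s.sendall(payload[:n])
            sent += n
        s.shutdown(socket.SHUT_WR)  # signal EOF so the receiver stops waiting
    return sent

def throughput_test(nbytes=16 << 20, host="127.0.0.1"):
    """Run both ends over loopback; return (bytes_received, MB_per_second)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as ls:
        ls.bind((host, 0))          # port 0: let the kernel pick a free port
        ls.listen(1)
        port = ls.getsockname()[1]
        result = {}
        t = threading.Thread(target=lambda: result.update(got=receiver(ls)))
        t.start()
        start = time.perf_counter()
        sender(host, port, nbytes)
        t.join()
        elapsed = time.perf_counter() - start
    return result["got"], result["got"] / 1e6 / max(elapsed, 1e-9)

if __name__ == "__main__":
    got, rate = throughput_test()
    print(f"received {got} bytes at {rate:.1f} MB/s")
```

Over loopback the number you get is bounded by the kernel and CPU rather than a cable, so point the sender at a real remote listener to measure the link itself.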
Browser User-Agent Checking
If you want to know what headers your web browser is merrily handing out to all and sundry, open a terminal and do this.
$ nc -l -p 8888
It will sit there waiting. Now go to a browser and put in this URL: http://localhost:8888/. You should see a dump like this.
GET / HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
This shows that the browser is requesting the top level document / with the GET instruction. But the complete and exact User-Agent string is now clear to see.
SSH Through HTTP Proxy
SSH has a fancy trick that allows connections to be run through an HTTP proxy using "nc". The canonical example of this is found here.
:->[usb64][~]$ man ssh_config | grep /usr/bin/nc
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
See my proxy forwarding notes.
Corkscrew
There may be other ways. Corkscrew is a tool that claims to be able to "tunnel TCP connections through HTTP proxies". Obtain Corkscrew with apt-get install corkscrew or from the project page.
ProxyCommand /usr/local/bin/corkscrew avproxy.example.com 3128 %h %p
Although its source code seems to be from 2001, it compiles fine. I didn’t get it to work, but it may be a fussy proxy. Worth keeping in mind.
Bash Instead
Bash can do many of the basic things netcat can do all by itself. It recognizes special pseudo-device paths in redirections that open arbitrary network sockets. The format for these is:
/dev/${protocol}/${host}/${port}
Here’s how to create a connect back shell on a remote system using nothing but Bash.