Netcat (nc)

Netcat, commonly invoked as nc, does one thing: it connects your terminal to a network socket. Type something, it goes out. Something comes back, you see it.

That's the entire concept. And it's enough to debug any protocol ever invented.

What Netcat Actually Does

Netcat establishes TCP or UDP connections between two points. As a client, it connects to services. As a server, it listens for incoming connections. Once connected, it passes data back and forth—stdin becomes network output, network input becomes stdout.

This simplicity enables everything:

• Testing whether ports are open
• Debugging protocols by typing commands directly
• Transferring files between systems
• Creating simple chat servers
• Port scanning
• Banner grabbing to identify services
• Serving simple web pages for testing

Basic Syntax

Client mode (connect to a host):

nc hostname port

Server mode (listen for connections):

nc -l port

That's it.

Testing Port Connectivity

The most common use—is this port open?

nc -zv example.com 80

Flags:

• -z: Zero-I/O mode, just check connectivity without sending data
• -v: Verbose, show what's happening

Open port:

Connection to example.com 80 port [tcp/http] succeeded!

Closed port:

nc: connect to example.com port 81 (tcp) failed: Connection refused

Filtered port (firewall blocking):

nc: connect to example.com port 81 (tcp) failed: Connection timed out

Multiple ports:

nc -zv example.com 80 443 22 25

Port range:

nc -zv example.com 20-25

Talking to Protocols Directly

This is where netcat becomes genuinely strange and powerful. You can type protocol commands and watch servers respond. You're not using an HTTP client—you ARE the HTTP client.

HTTP:

nc example.com 80

Then type:

GET / HTTP/1.1
Host: example.com

(Press Enter twice after Host line)

You'll see the raw HTTP response—headers, body, everything. No browser abstraction. Just the protocol.

SMTP:

nc mail.example.com 25

Then:

EHLO test.com
MAIL FROM: <test@example.com>
RCPT TO: <recipient@example.com>
QUIT

You're literally having a conversation with the mail server. Every email client does exactly this, just with more automation.

Banner grabbing:

echo "" | nc -v example.com 22

Many services announce their version upon connection. SSH servers, FTP servers, mail servers—they often tell you exactly what software they're running before you even authenticate.

File Transfer

When you don't have SCP configured and just need to move a file:

Receiver (start first):

nc -l 9999 > received-file.txt

Sender:

nc receiving-host 9999 < file-to-send.txt

File transfers. Both sides close when done.

Transfer a directory (pipe through tar):

Receiver:

nc -l 9999 | tar xzf -

Sender:

tar czf - /path/to/directory | nc receiving-host 9999

With progress (using pv):

# Sender
pv file.iso | nc receiving-host 9999

# Receiver
nc -l 9999 > file.iso

Simple Servers

Minimal web server:

while true; do
  { echo -ne "HTTP/1.1 200 OK\r\nContent-Length: $(wc -c <index.html)\r\n\r\n"; cat index.html; } | nc -l 8080
done

Serves index.html to any browser hitting port 8080. Not production-ready. Perfect for testing.

Chat:

Server:

nc -l 9999

Client:

nc server-address 9999

Whatever either side types appears on the other. Ctrl+C to exit.

Echo server:

nc -l 9999 -e /bin/cat

The -e flag executes a program, connecting its stdin/stdout to the network socket.

Warning: -e can execute any program, including shells. Many netcat versions disable this flag by default for good reason.

UDP Mode

Add -u for UDP:

# Test UDP port (like DNS on port 53)
nc -zvu 8.8.8.8 53

# Send UDP data
echo "test" | nc -u remote-host 9999

# Listen for UDP
nc -u -l 9999

UDP testing is trickier—it's connectionless, so you might not get clear feedback about whether data arrived.

Port Scanning

For serious scanning, use nmap. For quick checks:

# Scan range
nc -zv example.com 1-1000

# Specific ports
nc -zv example.com 22 80 443 3306 5432

# With timeout (don't wait long for unresponsive ports)
nc -zv -w 2 example.com 1-100

Useful Options

Practical Examples

Test firewall rules:

# On internal server
nc -l 9999

# From external host
nc server-ip 9999

Connects? Firewall allows it. Doesn't? Blocked.

Quick backup:

# Destination
nc -l 9999 | gzip -d > backup.tar

# Source
tar cf - /data | gzip | nc destination-host 9999

Service monitoring script:

#!/bin/bash
if nc -z -w5 example.com 80; then
  echo "Service is up"
else
  echo "Service is down"
fi

Check multiple services:

#!/bin/bash
SERVICES="example.com:80 example.com:443 db.example.com:3306"

for service in $SERVICES; do
  HOST=$(echo $service | cut -d: -f1)
  PORT=$(echo $service | cut -d: -f2)
  
  if nc -z -w3 $HOST $PORT 2>/dev/null; then
    echo "✓ $service"
  else
    echo "✗ $service"
  fi
done

Security

No authentication: Anyone who can reach your netcat listener can connect.

No encryption: Everything transfers in cleartext. Don't send passwords.

The -e flag is dangerous: It can spawn shells. Never use it on untrusted networks.

Port scanning may be prohibited: Check your network's acceptable use policy before scanning anything you don't own.

Netcat Variants

Several versions exist:

• Traditional netcat: Original, basic features
• OpenBSD netcat: Security-focused, disables dangerous features like -e
• Ncat (from nmap): Adds SSL support and access control
• GNU netcat: Different option syntax

Check your version:

nc -h

For SSL connections, use ncat:

ncat --ssl example.com 443

Troubleshooting