nc(1) 맨 페이지 - 윈디하나의 솔라나라




     nc, netcat - arbitrary TCP and UDP connections and listens

     nc -h

     nc [-46dnrtuvz] [-i interval] [-P proxy_username] [-p port]
        [-s source_ip_address] [-T dspc] [-w timeout]
        [-X proxy_protocol] [-x proxy_address[:port]][-L timeout]
        [-e program] [-b bufsize] [-q timeout] [-m bytes]
        [-I bufsize][-O bufsize] [-S sla-prop] hostname port_list

     nc -l [-46DdEFnrtuvzZ] [-i interval] [-T dspc] [-e program]
        [-b bufsize] [-q timeout] [-R address/port[/proto]] [-m bytes]
        [-L timeout] [-I bufsize] [-O bufsize] [-S sla-prop] [hostname] port

     nc -l [-46DEFdnrtuvzZ] [-i interval] [-T dspc] [-e program]
        [-b bufsize] [-q timeout] [-R address/port[/proto]] [-m bytes]
        [-L timeout] [-I bufsize] [-O bufsize]
        [-S sla-prop] -p port [hostname]

     nc -U [-Ddtvz] [-i interval] [-w timeout] [-e program]
        [-b bufsize] [-q timeout] [-m bytes] path

     nc -Ul [-46DdktvZ] [-i interval]  [-e program] [-b bufsize]
        [-q timeout] [-R address/port[/proto]] [-m bytes] path

     The nc (or netcat) utility is used for a  variety  of  tasks
     associated  with  TCP  or  UDP. nc can open TCP connections,
     send UDP packets, listen on arbitrary  TCP  and  UDP  ports,
     perform  port  scanning,  and  deal with both IPv4 and IPv6.
     Unlike telnet(1), nc scripts  nicely,  and  separates  error
     messages  onto  standard  error  instead  of sending them to
     standard output.

     The nc command is often used for the following tasks:

         o    simple TCP proxies

         o    shell-script based HTTP clients and servers

         o    network daemon testing

         o    a SOCKS or HTTP ProxyCommand for ssh(1)

     The nc command can also be run as netcat, using the  identi-
     cal options.

     The following options are supported:

         Force nc to use IPv4 addresses only.

         Force nc to use IPv6 addresses only.

     -b bufsize
         Specify buffer size for read operations.

         The default value is 1024 bytes.

         Enable debugging on the socket.

         Do not attempt to read from stdin.

         Use exclusive bind for listening TCP or UDP socket.

         It is an error to use this option without the -l option.

         This option does not have any effect when used  in  con-
         junction with the -U option.

     -e program
         Execute external program after accepting a connection or
         making      connection.     Before     the     execution
         stdin,stdout,stderr  is  redirected   to   the   network
         descriptor. Only one port can be used with this option.

         It is an error to use this option in  conjunction   with
         the -R, -k, or -i options.

         Do not close network socket for writing after seeing EOF
         on stdin.

         Print nc help.

     -I bufsize
         Set receive (input) socket buffer size.

         This option does not have any effect when used  in  con-
         junction with the -U option.

     -i interval
         Specify a delay time of interval between lines  of  text
         sent and received.

         The interval is  specified  in  seconds,  with  possible

         This option also causes a delay time between connections
         to  multiple ports, and therefore also affects port scan

         Force nc to listen  for  another  connection  after  its
         current connection is closed.

         It is an error to use this option without the -l option.

         It is an error to use this option  in  conjunction  with
         the -e option.

     -L timeout
         Linger on close - wait for messages  to  be  sent  after
         network  descriptor is closed up to specified timeout in

         Listen for an incoming connection rather than initiate a
         connection to a remote host.

         It is an error to use this option  in  conjunction  with
         the -s or -z options.

         If the -l option is used with a wildcard socket  (no  IP
         address  or  hostname  specified) and without the -4 /-6
         options, it accepts both IPv4 and IPv6 connections.

     -m byte_count
         Quit after receiving at  least  byte_count  bytes.  When
         used  with -l option byte_count is compared to number of
         bytes received from the client.

         byte_count must be greater than 0 and less than INT_MAX.

     -N file
         Specifies file with pattern for UDP port  scanning.  The
         contents of this file are used as payload for each emit-
         ted UDP packet.

         It is an error to use this option without the -u and  -z

         Do  not  do  any  naming  or  service  lookups  on   any
         addresses, hostnames, or ports.

         Use of this option means that hostname  and  port  argu-
         ments are restricted to numeric values.

         If used with -v  option  all  addresses  and  ports  are
         printed  in numeric form, in addition to the restriction
         imposed on the arguments. This option does not have  any
         effect when used in conjunction with the -U option.

     -O bufsize
         Set send (output) socket buffer size.

         This option does not have any effect when used  in  con-
         junction with the -U option.

     -P proxy_username
         Specify a username  (proxy_username)  to  present  to  a
         proxy    server   that   requires   authentication.   If
         proxy_username is not specified, authentication  is  not
         attempted.  Proxy  authentication  is only supported for
         HTTP CONNECT proxies at present.

         It is an error to use this option  in  conjunction  with
         the -l option.

     -p port
         When used without -l option, specify the source port  nc
         should  use, subject to privilege restrictions and avai-
         lability. When used with the -l option, set  the  listen

         This option can be used with  -l  option  only  provided
         global port argument is not specified.

     -q timeout
         After receiving EOF on stdin, wait for specified  number
         of seconds and quit.

     -R addr/port[/proto]
         Perform port redirection to given host and port.

         After the connection has been accepted, nc  connects  to
         the  remote  host/port  and  passes all data between the
         client and the remote host. The proto (protocol) part of
         the  redirect specification can be either tcp or udp. If
         the proto is not specified,  redirector  uses  the  same
         protocol as the server.

         It is an error to use this option  in  conjunction  with
         the -z option.

         Choose destination ports  randomly  instead  of  sequen-
         tially    within    all    ports    specified   by   the

         It is an error to use this option  in  conjunction  with
         the -l option.

     -s source_ip_address
         Specify the IP of the interface which is  used  to  send
         the packets.

         It is an error to use this option  in  conjunction  with
         the -l option.

     -S sla-prop
         Specify properties of  the  MAC  flow  created  for  the
         socket.  sla-prop  is supplied as a comma-separated list
         of `name=value' of properties.

         Currently supported property names are maxbw,  priority,
         and inherit.

         maxbw and priority come from the properties  defined  in
         flowadm(1M) and denote maximum bandwidth and priority of
         the flow. Allowed values  for  maxbw  are  integer  plus
         optional  suffix,  which  defaults to Mega. priority can
         take values from `high', `medium' and `low'.

         At least one of maxbw and priority need to be  specified
         for flow creation.

         inherit can take values from `on' and `off' with default
         value  of  `off'.  By  default,  an  accepted/new socket
         (returned from accept(3C)) does not inherit the  proper-
         ties of the listener socket. When it is set to `on', the
         new socket will inherit the properties of  the  listener
         socket.  This  is useful with -l option when the proper-
         ties need to be enforced on the new socket.

         This option  requires  SYS_FLOW_CONFIG  privilege.  This
         option  also  requires the IP address or the hostname to
         be specified.

     -T dscp
         Specify Differentiated Services Code Point for the  con-

         For IPv4 this specifies the IP Type of Service (ToS)  IP
         header  field  and the valid values for the argument are
         the string tokens: lowdelay, throughput, reliability, or
         an 8-bit hexadecimal value preceded  by 0x.

         For IPv6 (Traffic Class) only hexadecimal value  can  be

         Cause nc to send RFC 854 DON'T and  WON'T  responses  to
         RFC  854 DO and WILL requests. This makes it possible to
         use nc to script telnet sessions.

         Specify the use of Unix Domain Sockets. If  you  specify
         this  option  without -l, nc, it becomes AF_UNIX client.
         If you specify this option with the -l option, a AF_UNIX
         server is created.

         Use of this option requires that a single argument of  a
         valid  Unix  domain path has to be provided to nc, not a
         host name or port.

         Use UDP instead of the default option of TCP.

         Specify verbose output.

     -w timeout
         Silently close the connection if a connection and  stdin
         are idle for more than timeout seconds.

         The default is no timeout.

         This option has no effect on the  connection  establish-
         ment          phase in client mode or waiting for a con-
         nection in server mode.

     -X proxy_protocol
         Use the specified protocol when  talking  to  the  proxy
         server.  Supported protocols are 4 (SOCKS v.4), 5 (SOCKS
         v.5) and connect (HTTP proxy). If the  protocol  is  not
         specified, SOCKS v. 5 is used.

         It is an error to use this option  in  conjunction  with
         the -l option.

     -x proxy_address[:port]
         Request  connection  to  hostname  using  a   proxy   at
         proxy_address  and  port.  If port is not specified, the
         well-known port for the proxy protocol is used (1080 for
         SOCKS, 3128 for HTTP).

         It is an error to use this option  in  conjunction  with
         the -l option.

         This option does not work with numeric representation of
         IPv6 addresses.

         In listening mode bind  to  address/port  in  all  zones
         using the SO_ALLZONES socket option.

         This option requires SYS_NET_CONFIG privilege.

         Perform port scan. For TCP ports (default), connect scan
         (full  3-way  handshake) is tried with no data sent. For
         UDP (-u) empty UDP  packets  are  sent  by  default.  To
         specify UDP payload the -N option can be used.

         The UDP scan mode is estimative, it considers a port  to
         be  open  if it does not receive negative response (ICMP
         Destination Port Unreachable message). For this mode the
         timeout  set  with the -w option is used to wait for the
         ICMP messages or data from  remote  node.  With  -v  any
         received data is dumped as hexadecimal bytes to stderr.

         As most of the operating systems  employ  rate  limiting
         for  sending ICMP messages in reaction to input packets,
         it is necessary to use -i when performing UDP scan  oth-
         erwise the results is not reliable.

         It is an error to use this option  in  conjunction  with
         the -l option.

     The following operands are supported:

                  Specify host name.

                  hostname can be a numerical  IP  address  or  a
                  symbolic  hostname  (unless  the  -n  option is

                  In general, hostname must be specified,  unless
                  the  -l option is given or -U is used (in which
                  case the argument is a path). If hostname argu-
                  ment  is  specified  with  -l  option then port
                  argument must be given as well and nc tries  to
                  bind  to  that  address  and  port. If hostname
                  argument is not specified with -l  option  then
                  nc  tries  to  listen  on a wildcard socket for
                  given port.

                  Specify pathname.

                  Specify port.

                  port_list can be specified as single  integers,
                  ranges  or combinations of both. Specify ranges
                  in the form of nn-mm. The port_list  must  have
                  at  least  one  member,  but  can have multiple
                  ports/ranges separated by commas.

                  In general, a destination port must  be  speci-
                  fied,  unless  the -U option is given, in which
                  case a Unix Domain Socket path must  be  speci-
                  fied instead of hostname.

                  It is an error to use list of ports  containing
                  more  than  one port in conjunction with the -e

  Client/Server Model
     It is quite simple to build a very basic client/server model
     using  nc.  On one console, start nc listening on a specific
     port for a connection. For example, the command:

       $ nc -l 1234

     listens on port 1234 for a connection. On a  second  console
     (or  a  second  machine), connect to the machine and port to
     which nc is listening:

       $ nc 1234

     There should now be a connection between the ports. Anything
     typed  at  the  second console is concatenated to the first,
     and vice-versa. After the connection has  been  set  up,  nc
     does  not  really  care which side is being used as a server
     and which side is being used as a client. The connection can
     be terminated using an EOF (Ctrl/d).

  Data Transfer
     The example in the previous section can be expanded to build
     a  basic data transfer model. Any information input into one
     end of the connection is output to the other end, and  input
     and  output  can be easily captured in order to emulate file

     Start by using nc to listen on a specific port, with  output
     captured into a file:

       $ nc -l 1234 > filename.out

     Using a second machine, connect to the listening nc process,
     feeding it the file which is to be transferred:

       $ nc 1234 <

     After the file has been transferred, the  connection  closes

  Talking to Servers
     It is sometimes useful to talk to  servers  by  hand  rather
     than  through  a user interface. It can aid in troubleshoot-
     ing, when it might be necessary to verify what data a server
     is sending in response to commands issued by the client.

     For example, to retrieve the home page of a web site:

       $ echo -n "GET / HTTP/1.0\r\n\r\n" | nc 80

     This also displays the headers sent by the web server.  They
     can  be  filtered,  if  necessary,  by  using a tool such as

     More complicated examples can be  built  up  when  the  user
     knows  the  format  of  requests  required by the server. As
     another example, an email can be submitted to an SMTP server

       $ nc localhost 25 << EOF
       MAIL FROM: <
       RCTP TO: <

       Body of email.

  Port Scanning
     It can be useful to know which ports are  open  and  running
     services  on  a  target  machine. The -z flag can be used to
     tell nc to report open ports, rather than to initiate a con-

     In this example:

       $ nc -z 20-30
       Connection to 22 port [tcp/ssh] succeeded!
       Connection to 25 port [tcp/smtp] succeeded!

     The port range was specified to limit the search to ports 20
     - 30.

     Alternatively, it might  be  useful  to  know  which  server
     software is running, and which versions. This information is
     often contained within the greeting  banners.  In  order  to
     retrieve  these, it is necessary to first make a connection,
     and then break the  connection  when  the  banner  has  been
     retrieved.  This  can  be accomplished by specifying a small
     timeout with the -w flag, or perhaps by issuing a QUIT  com-
     mand to the server:

       $ echo "QUIT" | nc 20-30
       Protocol mismatch.
       220 IMS SMTP Receiver Version 0.84 Ready

  inetd Capabilities
     One of the possible uses is to  create  simple  services  by
     using inetd(1M).

     The following example creates a redirect from TCP port  8080
     to port 80 on host realwww:

       # cat << EOF >> /etc/services
       wwwredir    8080/tcp    # WWW redirect
       # cat << EOF > /tmp/wwwredir.conf
       wwwredir stream tcp nowait nobody /usr/bin/nc /usr/bin/nc -w 3 realwww 80
       # inetconv -i /tmp/wwwredir.conf
       wwwredir -> /var/svc/manifest/network/wwwredir-tcp.xml
       Importing wwwredir-tcp.xml ...Done
       # inetadm -l wwwredir/tcp
       exec="/usr/bin/nc -w 3 realwww 80"
       default  bind_addr=""
       default  bind_fail_max=-1
       default  bind_fail_interval=-1
       default  max_con_rate=-1
       default  max_copies=-1
       default  con_rate_offline=-1
       default  failrate_cnt=40
       default  failrate_interval=60
       default  inherit_env=TRUE
       default  tcp_trace=TRUE
       default  tcp_wrappers=FALSE

     To bind to a privileged port number nc needs to  be  granted
     the  net_privaddr  privilege.  If Solaris Trusted Extensions
     are configured and the port nc should listen on  is  config-
     ured  as  a  multi-level  port nc also needs the net_bindmlp

     Privileges can be assigned to the user or role directly,  by
     specifying  them  in  the account's default privilege set in
     user_attr(4). However, this means that any application  that
     this  user  or role starts have these additional privileges.
     To only grant the privileges(5)  when  nc  is  invoked,  the
     recommended  approach  is  to  create  and assign an rbac(5)
     rights profile. See EXAMPLES for additional information.

     Example 1 Using nc

     Open a TCP connection to port 42 of,  using
     port 3141 as the source port, with a timeout of 5 seconds:

       $ nc -p 3141 -w 5 42

     Open a TCP connection to port 7777 of, set-
     ting a maximum bandwidth of 50Mbps on the socket:

       $ nc -M maxbw=50M 7777

     Open a UDP connection to port 53 of

       $ nc -u 53

     Open a TCP connection to port 42 of  using as the IP for the local end of the connection:

       $ nc -s 42

     Use a list of ports and port ranges for a port scan on vari-
     ous ports:

       $ nc -z 21-25,53,80,110-120,443

     Create and listen on a Unix Domain Socket:

       $ nc -lU /var/tmp/dsocket

     Create and listen on a UDP socket with associated port 8888:

       $ nc -u -l -p 8888

     which is the same as:

       $ nc -u -l 8888

     Create and listen on a TCP socket with associated port  2222
     and bind to address only:

       $ nc -l 2222

     Create and listen on a TCP socket with associated port  2222
     and  create a high priority MAC flow on the listener and the
     connected sockets:

       $ nc -l -M priority=high,inherit=on 2222

     Connect to TCP port, send some data and terminate  the  con-
     nection with TCP RST segment (instead of classic TCP closing
     handshake) by setting the linger option and timeout to 0:

       $ echo "foo" | nc -L 0 22

     Perform port redirection to port 22 on host
     from local port 4545:

       $ nc -R -l 4545

     After that, it should be possible to run ssh(1)  client  and
     connect  to  using  host
     running the above command:

       $ ssh -oStrictHostKeyChecking=no -p 4545

     It is also possible to let nc listen on TCP port and convert
     the TCP data stream to UDP (or vice versa):

       $ nc -R -l 4666

     Connect to port 42 of using an  HTTP  proxy
     at,  port 8080. This example could also be used by
     ssh(1). See the ProxyCommand directive in ssh_config(4)  for
     more information.

       $ nc -x10.2.3.4:8080 -Xconnect 42

     The same example again, this time enabling proxy authentica-
     tion with username ruser if the proxy requires it:

       $ nc -x10.2.3.4:8080 -Xconnect -Pruser 42

     Basic UDP port scan can be efficiently done like this:

       $ nc -z -w 3 -u -i 0.5 11-100

     Between each 2 ports it pauses for 0.5 second (thus  evading
     ICMP  message  rate  limiting) and waits up to 3 seconds for
     reply. If no reply comes then the port might be open.

     To run nc with the smallest possible set of privileges as  a
     user  or  role  that  has additional privileges (such as the
     default root account) it can be invoked  using  ppriv(1)  as
     well.  For  example,  limiting  it  to  only  run  with  the
     privilege to bind to a privileged port:

       $ ppriv -e -sA=basic,!file_link_any,!proc_exec,!proc_fork,\
       !proc_info,!proc_session,net_privaddr nc -l 42

     To allow a user or role to use only nc with the net_privaddr
     privilege, a rights profile needs to be created:

       Netcat privileged:solaris:cmd:::/usr/bin/nc:privs=net_privaddr

       Netcat privileged:::Allow nc to bind to privileged ports:help=None.html

     Assigning this rights profile using user_attr(4) permits the
     user or role to run nc allowing it to listen on any port. To
     permit a user or role to use nc only to listen  on  specific
     ports  a  wrapper  script  should be specified in the rights

       Netcat restricted:solaris:cmd:::/usr/bin/nc-restricted:privs=net_privaddr

       Netcat restricted:::Allow nc to bind to privileged ports:help=None.html

     and write a shell  script  that  restricts  the  permissible
     options,  for  example, one that permits one to bind only on
     ports between 42 and 64 (non-inclusive):


       [ $# -eq 1 ] && [ $1 -gt 42 -a $1 -lt 64 ] && /usr/bin/nc -l -p "$1"

     This grants the extra  privileges  when  the  user  or  role
     invokes  nc  using  the wrapper script from a profile shell.
     See pfsh(1), pfksh(1), pfcsh(1), and pfexec(1).

     Invoking nc directly does not run  it  with  the  additional
     privileges,  and  neither  does  invoking the script without
     using pfexec or a profile shell.

     See attributes(5) for descriptions of the  following  attri-

     tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i)  ATTRI-
     BUTE  TYPEATTRIBUTE  VALUE  _  Availabilitynetwork/netcat  _
     Interface StabilitySee below.

     The package name is Committed. The command  line  syntax  is
     Committed for the -4, -6, -l, -n, -p, -u, and -w options and
     their arguments (if any). The name and port  list  arguments
     are  Committed.  The  port  range syntax is Uncommitted. The
     interface stability level for all other command line options
     and their arguments is Uncommitted.

See Also
     cat(1), pfcsh(1), pfexec(1),  pfksh(1),  pfsh(1),  ppriv(1),
     sed(1),   ssh(1),   telnet(1),   inetadm(1M),  inetconv(1M),
     inetd(1M),   ssh_config(4),   user_attr(4),   attributes(5),
     privileges(5), rbac(5)

     The original implementation of nc  was  written  by  Hobbit,

     nc  was  rewritten  with  IPv6  support  by  Eric   Jackson,

     If an instance of nc  is  listening  on  a  wildcard  socket
     (regardless  of  address  family  specification) it is still
     possible to bind another nc process to concrete  IP  address
     and  accept  connections  to this address. For example, with
     the following process running:

       $ nc -4 -l 5656

     it is possible  to  run  another  nc  process  listening  on
     specific IP address and the same port:

       $ nc -4 -l 5656

     TCP connection to  address  and  port  5656  is
     accepted  by the latter process, all TCP connections to port
     5656 and different addresses is accepted by the former  pro-

     Also, it is possible to steal IPv4 connections from  a  pro-
     cess  which  listens  on  a wildcard socket (without address
     family specification) by binding to IPv4 wildcard socket. To
     suppress this and the behavior described above the -E option
     could be used.
맨 페이지 내용의 저작권은 맨 페이지 작성자에게 있습니다.