nc 1.10()

NAME
       nc - Swiss army knife of network tools

SYNOPSIS
       nc [ -vnlputrgsi ] [host] [port|port list|port-range]

DESCRIPTION
       nc is a network/security tool that can act as a TCP or UDP client or
       server, as well as a port scanning tool for both protocols. If executed
       without arguments, nc reads a line from the standard input for
       arguments, a feature useful when used in scripts. A by-product is that
       the arguments will not appear in a ps listing.

       The most common use of nc is as a simple network client. Many TCP/IP
       servers expect ASCII command sequences, and simply typing "nc hostname
       port" provides a TCP connection to port on hostname, somewhat like
       telnet but much simpler. Adding -v makes diagnostic output more
       verbose, and it can be added multiple times. Adding -w 3 tells nc to
       wait no more than three seconds for the connection to open. The wait
       time also applies after the standard input is closed.

       nc uses TCP by default, but will use the UDP protocol if -u is
       specified.

       nc can also work as a server when started with -l -p port (remember
       'l' for listen). If your host is multihomed, -s ip-address will bind
       the server to that interface.

       nc will scan if started with the -z switch, and provided with a list of
       port numbers or a range of ports (20-515). Adding -r will randomize the
       scan (instead of scanning ports in sequence).

       The -g option permits the creation of source-routed packets, for adding
       up to 8 loose source routes (routers along the path to a destination
       otherwise unreachable).

OPTIONS
       -v     Verbose output; use more than once for more output.

       -u     Use UDP instead of TCP protocol.

       -w N   Wait N seconds for a connection, a return UDP packet, or before
              exiting after standard input closes and no more packets are
              received.

       -l     Listen for connections on the local system; if not used with -p,
              a random port will be assigned (and reported if -v is used).

       -p     Used with -l, designates port to listen to.

       -g host|ip-address
              Add loose source route.
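The following is an added example, not part of netcat or of this man page: a small Python stand-in for "nc -z -w N host port-list" that shows how nc's port arguments are expanded (including the dash rule from BUGS: a token with a dash is always a numeric range, never a service name) and what a TCP connect scan actually observes, using a throwaway listener on loopback so it runs offline. The function names parse_ports(), connect_scan(), start_listener() and unused_port(), and the sample port specs, are this example's own assumptions and do not come from nc's source.

```python
"""Added example (not netcat's code): how "nc -z -w N" port arguments
and TCP connect scanning behave, demonstrated against loopback.

All function names and sample values here are hypothetical choices of
this example, not identifiers from the nc 1.10 sources.
"""
import socket
from typing import Dict, List, Tuple


def parse_ports(args: List[str]) -> List[int]:
    """Expand nc-style port arguments ("20-250", "80", "http") into ints.

    Mirrors the rule from the BUGS section: a token containing a dash is
    always treated as a numeric range, so a service name with a dash can
    never be looked up by name.
    """
    ports: List[int] = []
    for tok in args:
        if "-" in tok:
            lo, hi = tok.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        elif tok.isdigit():
            ports.append(int(tok))
        else:
            ports.append(socket.getservbyname(tok, "tcp"))
    return ports


def connect_scan(host: str, ports: List[int], timeout: float) -> Dict[int, str]:
    """TCP connect scan: a completed three-way handshake means "open".

    `timeout` plays the role of nc -w: give up on a port after that many
    seconds instead of hanging on a port that never answers.
    """
    results: Dict[int, str] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"      # RST came back: nothing listening
        except OSError:
            results[port] = "filtered"    # no answer within -w seconds
    return results


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind a throwaway TCP listener (like "nc -l") on an ephemeral port so
    the scan has something real to find. The caller closes the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def unused_port(host: str = "127.0.0.1") -> int:
    """Pick an ephemeral port nothing is listening on, so the scan has a
    guaranteed "closed" result to show."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed demo: one open port (our own listener), one closed port.
    srv, p_open = start_listener()
    p_closed = unused_port()
    spec = [str(p_open), str(p_closed)]
    print(connect_scan("127.0.0.1", parse_ports(spec), timeout=1.0))
    srv.close()
```

A connect scan like this, or nc -z itself, is the quickest way to audit which of a host's own ports really accept connections after a firewall change; the "filtered" outcome is exactly the case the -w timeout exists for.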
              Any half-decent firewall should block this.

       -r     Randomize port list during scanning.

       -n     Accept numeric IP addresses only; disables the forward and
              reverse name and address lookup for the host enabled with -v.

       -z     Scan target; target name should be followed by a port list or
              port range.

       -e command
              Not compiled in by default; works both with -l and when acting
              as a client, executes a command when a connection (or packet)
              is received (requires compilation with -DGAPING_SECURITY_HOLE);
              note that many Linux distros and most Windows versions include
              this useful and insecure feature.

       -o file
              Sends a hex dump of what it receives to file.

       -s name|ip-address
              Interface to listen on if the system has more than one.

       -i number
              Add a delay (interval) between sending packets.

       -t     If compiled with -DTELNET, handle telnet negotiation by always
              answering in the negative (WONT or DONT).

EXAMPLES
       nc www.raptor.com 80
              connects to port 80, typically HTTP, on system www.raptor.com.

       echo QUIT | nc -v -w 5 -o results target 20-250 500-600 5990-7000
              sends the string "QUIT" followed by a RETURN to the ports listed
              on system target, waiting five seconds for each connection, and
              stores hexdump output in results. Similar to what SATAN does
              during a scan (except for the hexdump).

       nc -l -p 80
              starts nc in listen mode on port 80. This is useful for seeing
              what your friendly Web browser is sending to Web servers (you
              may be surprised).

       tar cf - . | gzip -c | nc receiver 53
              creates a tar archive of the current directory, compresses it,
              and sends it to port 53 (usually DNS) on system receiver.

       nc -l -p 53 | gunzip -c | tar xf -
              on system receiver listens for the connection (this is started
              first), uncompresses it, and turns it back into a file
              hierarchy. Note that DNS can not be running on receiver for this
              to work. Useful for copying data through Firewall-1 and some
              other firewalls.
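The following is an added example, not part of netcat or of this man page: a Python stand-in for the "nc -l -p PORT -o FILE" listener and the "nc host PORT" client from the examples above, run against each other on loopback so you can see what the listener captures and how a -o style hex dump exposes exactly what a client sent. The function names bind_listener(), capture_one(), send_once(), exchange() and hexdump() are this example's own, the offset/hex/ASCII layout is a plain dump and not nc's exact -o format, and the HTTP request bytes are constructed for illustration.

```python
"""Added example (not netcat's code): a loopback listener with an idle
timeout (the -w behaviour) and a client, plus a hex dump of what arrived
(the idea behind -o). Names and the dump layout are this example's own.
"""
import socket
import threading


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex / printable-ASCII dump, one line per `width` bytes.
    (Constructed layout; nc's -o file format is not reproduced here.)"""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  {text}")
    return "\n".join(lines)


def bind_listener(host: str, port: int) -> socket.socket:
    """Like "nc -l -p port": bind and listen; port 0 means pick one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def capture_one(srv: socket.socket, idle_timeout: float) -> bytes:
    """Accept one connection and read until the peer closes or nothing
    arrives for `idle_timeout` seconds (the role of nc -w on a listener)."""
    conn, _ = srv.accept()
    buf = bytearray()
    with conn:
        conn.settimeout(idle_timeout)
        while True:
            try:
                chunk = conn.recv(4096)
            except socket.timeout:
                break            # peer went quiet: give up like -w does
            if not chunk:
                break            # peer closed: normal end of stream
            buf += chunk
    return bytes(buf)


def send_once(host: str, port: int, payload: bytes, connect_timeout: float) -> None:
    """Like "nc host port" fed from a pipe: connect, send everything, close."""
    with socket.create_connection((host, port), timeout=connect_timeout) as c:
        c.sendall(payload)


def exchange(payload: bytes, idle_timeout: float = 1.0) -> bytes:
    """Run listener and client against each other on loopback and return
    the bytes the listener captured."""
    srv = bind_listener("127.0.0.1", 0)
    port = srv.getsockname()[1]
    got = {}
    t = threading.Thread(target=lambda: got.setdefault("data", capture_one(srv, idle_timeout)))
    t.start()
    send_once("127.0.0.1", port, payload, connect_timeout=2.0)
    t.join(10)
    srv.close()
    return got.get("data", b"")


if __name__ == "__main__":
    # Constructed request, standing in for what a browser would send to "nc -l -p 80".
    request = b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n"
    print(hexdump(exchange(request)))
```

Reading the captured bytes through a dump rather than printing them raw is the point of -o: line endings, stray control characters and non-printable bytes in a client's traffic become visible instead of being swallowed by the terminal.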
BUGS
       nc can accept port names unless they contain a dash; if the dash is
       present, a numeric port range is assumed.

       nc uses TCP connection scanning, and implements UDP scanning by waiting
       for errors from the socket.

       On RedHat and Fedora Core versions running 2.6.6 kernels and later, you
       must use execstack -s nc or nc will segfault.

AUTHOR
       _hobbit

       Man page: Rik Farrow

       Note: A better man page than this was written for OpenBSD, and also
       appears in Linux distros. Try man nc.

OFFICIAL DISTRIBUTION
       ftp.avian.org/src/hacks/nc110.tgz