Lines Matching refs:and

4 Netcat is a simple Unix utility which reads and writes data	 ====v====
7 be used directly or easily driven by other programs and		  / ___ \    /
9 debugging and exploration tool, since it can create almost	(((-----)))-'
10 any kind of connection you would need and has several		 /
17 and anything that comes back across the connection is sent to your standard
20 which shut everything down and exit after an end-of-file on the standard input.
23 on arbitrary ports and then doing the same reading and writing.  With minor
25 mode -- it still shovels data back and forth until there isn't any more left.
31 "U" implies, gives less reliable data transmission than TCP connections and
36 Valid question, and here are some reasons.  Telnet has the "standard input
40 binary data, because certain characters are interpreted as telnet options and
43 religiously separated from its *output* and will never modify any of the real
46 doesn't have any of these limitations, is much smaller and faster than telnet,
47 and has many other advantages.
59 	Hex dump of transmitted and received data
65 circumstances, please notify me and tell me how you think it should behave.
67 will probably fix that.  It provides a basic and easily-modified template for
68 writing other network applications, and I certainly encourage people to make
69 custom mods and send in any improvements they make to it.  This is the second
70 release; the overall differences from 1.00 are relatively minor and have mostly
71 to do with portability and bugfixes.  Many people provided greatly appreciated
72 fixes and comments on the 1.00 release.  Continued feedback from the Internet
79 responsibility for how anyone uses it.  If netcat makes you rich somehow and
82 questions, and patches to hobbit@avian.org.
88 matches yours, and do "make <systype>".  The executable "nc" should appear.
90 sections for generic.h and Makefile to support another platform, please follow
91 the given format and mail back the diffs.
95 edit the Makefile.  See the following discussions for what they are and do.
97 If you want to link against the resolver library on SunOS [recommended] and
109 Where to begin?  Netcat is at the same time so simple and versatile, it's like
111 go over the basics; you should also read the usage examples and notes later on
115 from standard input, and breaks it up into arguments internally.  This can be
120 will only accept numeric IP addresses and do no DNS lookups for anything.  If
121 -n is not given and -v is turned on, netcat will do a full forward and reverse
122 name and address lookup for the host, and warn you about the all-too-common
126 address and also connect there.  Netcat will just tell you all about it, saving
132 A port argument is required for outbound connections, and can be numeric or a
134 are valid.  Special syntax and/or more than one port argument cause different
146 some error happens, whereupon it describes the error and exits with a nonzero
148 unless you only asked for a single TCP port and it was refused.
153 more for good measure, and then closes and exits.  There are a lot of network
154 services now that accept a small amount of input and return a large amount of
155 output, such as Gopher and Web servers, which is the main reason netcat was
166 UDP server on the other end, and often you just can't tell.  Most UDP protocols
167 use timeouts and retries to do their thing and in many cases won't bother
168 answering at all, so you should specify a timeout and hope for the best.  You
174 "to the net", and contain the total count per direction, and hex and ascii
178 Netcat can bind to any local port, subject to privilege restrictions and ports
182 specific local port, and "-s ip-addr" or "-s name" to have that be your source
188 Listen mode will cause netcat to wait for an inbound connection, and then the
189 same data transfer happens.  Thus, you can do "nc -l -p 1234 < filename" and
193 assign one and tell you what it is if -v is turned on.  If you specify a target
194 host and optional port in listen mode, netcat will accept an inbound connection
195 only from that host and if you specify one, only from that foreign source port.
197 address and port it came from, and since listening on "any" applies to several
200 inbound connection and print them out in hex.
213 This allows it to connect to a telnetd and get past the initial negotiation
216 have to understand why you might need this and turn on the #define yourself.
219 efficiently as possible, using large 8K reads and writes.  Standard input is
222 large batches, but netcat then tries to find where line breaks exist and sends
229 accepts its commands with options first, then the target host, and everything
239 try connecting to every port between 20 and 30 [inclusive] at the target, and
240 will likely inform you about an FTP server, telnet server, and mailer along the
241 way.  The -z switch prevents sending any data to a TCP connection and very
242 limited probe data to a UDP connection, and is thus useful as a fast scanning
250 that range and reports open ports as it finds them.  [If you want them listed
254 You can exert fairly fine control over your scan by judicious use of -r and
264 connection, and the -G argument positions the "hop pointer" within the list.
265 If your network allows source-routed traffic in and out, you can test
268 clearly documented and the command syntax is somewhat clumsy.  Netcat's
272 terminal input modes, and does no end-of-line conversion.  Standard input from
274 can freely suspend out of an interactive connection and resume.  ^C or whatever
275 your interrupt character is will make netcat close the network connection and
282 sockets and/or nit/bpf/dlpi may appear at some point.  Such things are clearly
284 includes a tool to construct and send raw packets with any contents you want.
291 expect scripts is an easy and flexible way to do fairly complex tasks,
300 Web browser, which simply asks for the relevant parts of a URL and pipes
302 with telnet, and had to use calculated sleep times and other stupidity to
304 page, and since it transfers all the data unmodified, I can even pull down
305 binary image files and display them elsewhere later.  Some folks may find the
306 idea of a shell-script web browser silly and strange, but it starts up and
307 gets me my info a hell of a lot faster than a GUI browser and doesn't hide
308 any contents of links and forms and such.  This is included, as scripts/web,
312 For example, it is easier to type "nc host 25", talk to someone's mailer, and
315 connect to well-known services and collect greetings, or at least scan for open
322 r-services, X, IRC, and maybe a few you didn't expect.  Sending in QUIT and
324 error from each service, which usually indicates what it is and what version.
326 collect host information, and indeed some of the ideas herein were taken from
328 subnet space and just let it run, you will not only see all the services,
333 Netcat can be used as a simple data transfer agent, and it doesn't really
334 matter which end is the listener and which end is the client -- input at one
336 at the receiving side with no timeout specified, and then give the sending side
338 and after data stops flowing the client will time out, shut down, and take the
340 this should be completely reliable, and you can always increase the timeout.  A
345 and then on the other side
354 up listeners and backup handlers [which can be restricted to specific addresses
355 and ports between each other] and pipe "dump" or "tar" on one machine to "dd
358 easily log and reject connect attempts from third parties, and then retry.
361 any network applications yet except a TCP stack and a web browser.  Point the
363 something like http://unixbox:4444/foo, and have a listener on the Unix side
370 run under "inetd".  A script or program will have its input and output hooked
377 first and fall back to the ones bound to "any".  This allows for a one-off
379 inetd.conf.  Running with -v turned on and collecting a connection log from
382 Netcat as well can make an outbound connection and then run a program or script
383 on the originating end, with input and output connected to the same network
386 The possibilities are many and varied here; if such things are intended as
393 traffic through your firewall out to other places like web servers and mail
395 inetd and tcp_wrappers, perhaps thusly:
399 and you have a simple and effective "application relay" with access control
400 and logging.  Note use of the wait time as a "safety" in case realwww isn't
409 on one side and then hitting it with
413 from another host will saturate your wires with A's and B's.  The "very
414 verbose" switch usage will tell you how many of each were sent and received
417 stress-test kernels and network interfaces.  Firing random binary data into
429 to a local port, and have it run a script which in turn runs another netcat
430 to the real service and captures the hex dump to a log file.  This sets up a
431 transparent relay between your local port and wherever the real service is.
439 [where ^@ is a null, and root/joe could be any other local/remote username
445 trying to create that separate standard-error socket and still gives you an
447 things like this can be really useful sometimes, because rsh and rlogin
448 generally want a host *name* as an argument and won't accept IP addresses.  If
454 Make a UDP connection to port 514 and type in "<0>message", which should
455 correspond to "kern.emerg" and cause syslogd to scream into every file it has
456 open [and possibly all over users' terminals].  You can tame this down by
457 using a different number and use netcat inside routine scripts to send syslog
463 bind to a port normally protected against outside access and make a connection
465 your chosen port from the "outside" and should be blocked.  TCP may get through
475 playing around with source ports and addresses and watching the wires with a
479 access.  X is stupid enough to listen for connections on "any" and never tell
481 you have all your various X windows up and running you can use netcat to bind
482 just to your ethernet address and listen to port 6000.  Any new connections
483 from outside the machine will hit netcat instead your X server, and you get a
487 possible to authorize your X terminal only for its boot server, and run a relay
490 way you rig it causes another one to run and listen on 6000 soon afterward, or
498 which causes netcat to accept and then close any inbound connection to your
499 workstation's normal ethernet address, and another copy is immediately run by
502 X server on display ":1" or port 6001, and netcat can still function as a probe
507 of your choosing, and then just point to the port with a URL in your homepage.
510 the raw browser query as input it won't look like a typical CGI script, and
512 to write a netcat-based script as a wrapper that reads a query and sets up
514 netcat and scripts to handle Web stuff are almost endless.  Again, see the
532 dynamic filtering, and with -i you'll wait longer but avoid loading down the
541 and 400x...  Similar bypassing may be possible for UDP [and maybe TCP too] if a
546 sent in and feed your own back out.  At the very least you can log a hex dump
547 of someone else's session.  If you are root, you can certainly use -s and -e to
554 some platforms [yppasswdd, anyone?].  Kerberos tickets, X cookies, and IRC
557 SOCKS servers run on 1080.  Do "netstat -a" and get creative.
561 problem.  Named from recent BIND releases, and NTP, are two that come to mind.
567 servers and versions of "inetd" floating around that specifically bind as well,
573 something, and you can access-control it against other people by specifying a
574 client host and port.  Experience with this truly demonstrates how fragile the
575 barrier between being "logged in" or not really is, and is further expressed by
577 *outbound* connection and then run a shell; a small wrapper script can
578 periodically try connecting to a known place and port, you can later listen
579 there until the inbound connection arrives, and there's your shell.  Running
582 connections and may not be quite as subtle as you wanted.  Packets may also be
585 you ^C out of netcat or do a reboot on your side, and you only need to remember
587 connection creates the connected socket and starts the program immediately.  On
590 effect that only your client-side IP address and [chosen?] source port will
596 	arrange to block ICMP or UDP return traffic between it and your real
601 are simply the strings that get null-terminated and passed over an "rcmd"-style
606 the password is right, or "Permission denied."  Plug in a dictionary and go to
607 town.  If you're attacking rsh/rlogin, remember to be root and bind to a port
608 between 512 and 1023 on your end, and pipe in "rservice joe joe pwd" and such.
611 connection.  Use "nc -t" in place of telnet, and daemons that try to ask for
612 things like USER and TERM environment variables will get no useful answers, as
614 try to collect this stuff and then plug the USER variable into "login" so that
620 support for alias addresses?  Ifconfig one to be any address you like, and bind
626 there still blindly believe what they receive via RIP and other routing
627 protocols.  Although most UDP echo and chargen servers check if an incoming
643 wrappers and several other packages], which happens after the 3-way handshake
644 is completed.  If you send some data and observe the "send-q" side of "netstat"
647 the hop list and sticks it in the Received: header!
649 SYN bombing [sometimes called "hosing"] can disable many TCP servers, and if
653 than the default and the half-open timeout smaller can help, and indeed some
655 handle normal traffic.  Taking out mailers and web servers is sociopathic, but
669 A discussion of various caveats, subtleties, and the design of the innards.
672 and then some data to transfer.  Netcat is now smart enough to pick out the
673 first line and build the argument list, and send any remaining data across the
676 scenes does a large read() from standard input, perhaps 4096 bytes or so, and
679 uses raw read() everywhere and does the right thing whether reading from files,
689 advantages -- the read/write select loop is simplified, and ICMP errors can in
695 and/or my understanding of it is entirely complete here, so experiment...
701 delay equal to the round-trip time between you and the target.  Note that if
702 you have a -w timeout and -i timeout set, BOTH take effect and you wait twice
708 the ICMP error is delivered to the "connected socket" and the second write
711 the ICMP is not delivered, and netcat starts reporting that *all* the ports are
713 socket" concept, and netcat in its current form will not work for UDP at all.]
714 If -z is specified and only one UDP port is probed, netcat's exit status
718 returns, in which case everything will time out and return "open".  This all
723 -z generates will cause it to occasionally drop packets and indicate false
724 "opens".  A more "correct" way to do this is collect and analyze the ICMP
728 average and dynamically set its own response timeouts along with decoding any
734 other end and send that as standard input.  Netcat will read up to 8K of the
735 file and send the same data to every UDP port given.  Note that you must use a
744 workarounds.  First, compile with -DTELNET and use -t if you just want to get
745 past the option negotiation and talk to something on a telnet port.  You will
756 and then do
761 and your telnet should connect transparently through the exec'ed netcat to
767 if invoked with no address or port arguments, and sometimes it is unable to
772 in the makefile for SOCKS.  On the flip side, binding to localhost and sending
777 doesn't support source-routing, but they claim that it and many other network
787 the case, but most newer kernels seem to wait the full timeout and *then* pass
804 and all the other addresses in the list are shifted up to fill the hole.  Thus
806 *gateway*, and the options list now contains hop2, ..., destination.  During
809 some really bizarre return paths, and send your traffic fairly directly to the
812 reset the pointer anyway, and tries to send the packet [with options containing
818 desire and fruitless search for a tool resembling it and having the same
819 features.  After reading some other network code and realizing just how many
821 on the basics and the rest fell together pretty quickly.  Some port-scanning
822 ideas were taken from Venema/Farmer's SATAN tool kit, and Pluvius' "pscan"
824 dope out socket options and source-route handling; additional help was obtained
826 well-known code from "rsh" and Richard Stevens' "sock" program [which itself is
831 line as input allows greater versatility and is much less prone to cause
834 credited in generic.h and the Makefile.  Lauren Burka inspired the ascii art
836 the hex-dump code, and mudge@l0pht.com originally experimented with and
838 from a need to quietly bypass a firewall installation.  Other suggestions and
840 hours per day and a discussion of feature creep near the end of this document.
843 and solid, but it *will* get you there.  While the coding style is fairly
845 characters, dammit] and put in plenty of comments as to why certain things
854 once and not having to re-declare all my functions in a billion different
858 type and arguments and won't complain.  No function prototyping -- not even the
859 __P(()) crock -- is used, since it is more portable and a file of this size is
862 Loops and if-clauses are made as small and non-nested as possible, and the ends
865 Large structures and buffers are all malloc()ed up on the fly, slightly larger
866 than the size asked for and zeroed out.  This reduces the chances of damage
873 asked for which will be nonzero, and fd zero is simply left kicking around
875 always zero and "netfd" is always positive.  This may seem silly, but it was a
880 The catch-all message and error handlers are implemented with an ample list of
882 like deliberate obfuscation in the first place, and using it would also
888 gnarlier and more confusing than other parts.  This is NOT MY FAULT.  The
889 sockaddr and hostent abstractions are an abortion that forces the coder to
892 HINF structure, containing names, ascii-format IP addresses, and binary IP
893 addresses.  I fill this structure exactly once per host argument, and squirrel
894 everything safely away and handy for whatever wants to reference it later.
898 This makes everything very lock-step, relying on the network and filesystem
905 dump line is built into a single buffer and atomically written out using the
907 using writev() and eliminating all sprintf()s, but it seems to fly right along
908 as is.  If both exec-a-prog mode and a hexdump file is asked for, the hexdump
914 argv list and handle multiple ports, random mode, and exit status.  Efforts
919 the commercial vendors would have likely packaged it setuid root and with
921 will aid people in finding and fixing the no-brainer holes of this sort that
927 things which are truly relevant to making network connections and the everyday
932 mucks with the data stream, and is left as an optional piece.  Many people have
933 asked for example "how 'bout adding encryption?" and my response is that such
940 and the numerous companion programs and scripts to go with it as duct tape.
941 Duct tape of course has a light side and a dark side and binds the universe
942 together, and if I wrap enough of it around what I'm trying to accomplish,