Linux netcat - nc command examples

netcat - nc - Utility

The netcat utility or nc is often referred to as the Swiss Army Knife for working with TCP/IP networks. This tool is very popular amongst System Administrators and Network Administrators because of its wide range of capabilities. The netcat utility is used for almost anything under the sun involving TCP, UDP, or UNIX-domain sockets. Netcat can open TCP connections, send UDP packets of data, listen on arbitrary TCP and UDP ports, carry out port scanning, transfer data from one server to another. In the following examples I will be using a Linux Mint system and a CentOS system.

Installing netcat on Ubuntu/Mint

If you need to install netcat, you can use the following commands:


$ sudo ap update
$ sudo apt install netcat

Installing nmap-netcat on RHEL/CentOS Systems

On RHEL 8 and CentOS 8 systems, "netcat" has been replaced by a package called "nmap-ncat". To install this package, issue the following command:

dnf install nmap-ncat -y


# dnf install nmap-ncat -y

Examples of netcat utility

In the following examples we will take a quick look at some of the popular uses of netcat/nmap-ncat.

Checking for an Open Port

In this example we will use netcat to interrogate a port to see if it is open. We will use the netcat command in conjunction with the "-v" and "-n" flags. The "-v" flag specifies that we would like verbose output (more detailed). The "-n" option specifies that we do not wish to use DNS or service lookups on any addresses, hostnames or ports.

Example Command: nc -vn 192.168.122.75 22

In the above example we have specified the IP address of a CentOS 8 server followed by the port we wish to interrogate. In this example we are looking at port 22 (normally used for ssh).


$ nc -vn 192.168.122.75 22
Connection to 192.168.122.75 22 port [tcp/*] succeeded!
SSH-2.0-OpenSSH_8.0

As we can see from the output port 22 is open for connections. If we now check for a port which is closed, you will see the difference in the output from the command:


$ nc -vn 192.168.122.75 2000
nc: connect to 192.168.122.75 port 2000 (tcp) failed: Connection refused

netcat as a Port Scanner

Another popular use of the netcat command is to use it as a port scanner. In this example we will be using the flags "-w" and "-z" in addition to the "-v" and "-n" flags. The "-w" flag is used to specify a timeout limit. By default, netcat will listen forever, however, in this example we are going to use a more realistic value of "1" second. The "-z" flag specifies that netcat should scan for listening daemons without sending any data. We will also specify a range of ports to check. In this example we are only going to check ports 1 through to 30.

Example Command: nc -vnz -w 1 192.168.122.75 1-30


$ nc -vnz -w 1 192.168.122.75 1-30
nc: connect to 192.168.122.75 port 1 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 2 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 3 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 4 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 5 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 6 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 7 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 8 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 9 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 10 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 11 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 12 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 13 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 14 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 15 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 16 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 17 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 18 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 19 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 20 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 21 (tcp) failed: Connection refused
Connection to 192.168.122.75 22 port [tcp/*] succeeded!
nc: connect to 192.168.122.75 port 23 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 24 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 25 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 26 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 27 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 28 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 29 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 30 (tcp) failed: Connection refused

We can see from the above output that a connection to port 22 has succeeded.

You can also specify more than one port to scan.

Example Command: nc -vnz -w 1 192.168.122.75 20 21 22 23 24 25

In the above example, we are going to scan ports "20, 21, 22, 23, 24 and 25".


$ nc -vnz -w 1 192.168.122.75 20 21 22 23 24 25
nc: connect to 192.168.122.75 port 20 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 21 (tcp) failed: Connection refused
Connection to 192.168.122.75 22 port [tcp/*] succeeded!
nc: connect to 192.168.122.75 port 23 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 24 (tcp) failed: Connection refused
nc: connect to 192.168.122.75 port 25 (tcp) failed: Connection refused

Port Scanning UDP ports

In this example we are going to specify "UDP" ports to be scanned. To specify UDP we will use the "-u" flag. In the example below we are going to scan ports "60 through to 80".

Example Command: nc -vnzu -w 1 192.168.0.33 60-80


# nc -vnzu -w 1 192.168.0.33 60-80
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.0.33:60.
Ncat: Connection refused.

Having a Chat with Netcat

In this example we will use a Linux Mint 20 terminal and connect this to a remote terminal on a CentOS 8 Server.

On the Linux Mint system, we need to identify the IP address. This can be done by issuing the command: ip a s


john@mint01a:~$ ip a s 
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp5s0:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 04:92:26:d2:1d:65 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.33/24 brd 192.168.0.255 scope global dynamic noprefixroute enp5s0
       valid_lft 79682sec preferred_lft 79682sec
    inet6 fe80::8165:fa2a:fe2:94f5/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

From the above we can see that the IP address in use on interface "enp1s0" is "192.168.0.33".

This IP address is needed by the CentOS server. Now, on the Linux Mint system we issue the following command:

nc -lp 2468. Here we are instructing netcat to listen on port 2468.


john@mint01a:~$ nc -lp 2468

Now on the remote CentOS server we issue the following command:

nc 192.168.0.33 2468

Here we are telling our CentOS server to make a connection to our Linux Mint system on port 2468.

Now any text typed on one terminal will now appear on the other terminal screen. (Warning, this is not a secure way to chat!)

Linux Mint System


john@mint01a:~$ nc -lp 2468
Hello Remote CentOS Server

CentOS Server


[root@centos8a ~]# nc 192.168.0.33 2468
Hello Remote CentOS Server

For more information regarding netcat/nc command

As always a vast amount of information can be looked at via the man pages. To view more information regarding netcat/nc, issue the command: man nc

Basic Syntax of netcat/nc


usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
	  [-m minttl] [-O length] [-P proxy_username] [-p source_port]
	  [-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] [-w timeout]
	  [-X proxy_protocol] [-x proxy_address[:port]] 	  [destination] [port]
	Command Summary:
		-4		Use IPv4
		-6		Use IPv6
		-b		Allow broadcast
		-C		Send CRLF as line-ending
		-D		Enable the debug socket option
		-d		Detach from stdin
		-F		Pass socket fd
		-h		This help text
		-I length	TCP receive buffer length
		-i interval	Delay interval for lines sent, ports scanned
		-k		Keep inbound sockets open for multiple connects
		-l		Listen mode, for inbound connects
		-M ttl		Outgoing TTL / Hop Limit
		-m minttl	Minimum incoming TTL / Hop Limit
		-N		Shutdown the network socket after EOF on stdin
		-n		Suppress name/port resolutions
		-O length	TCP send buffer length
		-P proxyuser	Username for proxy authentication
		-p port		Specify local port for remote connects
		-q secs		quit after EOF on stdin and delay of secs
		-r		Randomize remote ports
		-S		Enable the TCP MD5 signature option
		-s source	Local source address
		-T keyword	TOS value
		-t		Answer TELNET negotiation
		-U		Use UNIX domain socket
		-u		UDP mode
		-V rtable	Specify alternate routing table
		-v		Verbose
		-W recvlimit	Terminate after receiving a number of packets
		-w timeout	Timeout for connects and final net reads
		-X proto	Proxy protocol: "4", "5" (SOCKS) or "connect"
		-x addr[:port]	Specify proxy address and port
		-Z		DCCP mode
		-z		Zero-I/O mode [used for scanning]
	Port numbers can be individual or ranges: lo-hi [inclusive]