Traditionally called the “Swiss Army knife” for reading, writing and redirecting traffic across network connections, Ncat is used in a variety of different ways, including controlling and debugging network connections. It is an improved replacement for netcat and is included when downloading Nmap.
Although for some use cases it can act as a drop-in replacement for netcat, it is different in several important areas in that it offers:
- Security and authentication via TLS
- Support for IPv6
- Connection brokering
- Proxy connections
Here are some of its use cases:
- Act as a TCP client or server for HTTP, FTP and other TCP/IP connections. This enables fine control over what a client sends to a server, and it also allows investigation into what a client is doing.
- Set up secure channels using TLS.
- Redirect or proxy TCP and UDP (among others) connections to other hosts.
- Acts as a network
Since Ncat is a pipeline tool that reads from
stdin and writes to
stdout, it can be used in any manner of of I/O redirection with which you’re accustomed. None of the streams are altered unless given the the
-C flag (adds
Ncat either operates in connect mode (client) or listen mode (server). Let’s take a look at some use cases.
One of the simplest uses is to connect to a TCP server, like Telnet:
$ ncat -C benjamintoll.com 80 > HTTP / GET/1.0 > >
$ ncat -C --ssl theowlsnestfarm.com 443 > HTTP / GET/1.0 > >
Here is Ncat listening as a server:
$ ncat -l localhost 10003 < <(echo -e "HTTP/1.0 200 OK\n\n<h1>hello world</h1>")
Or, in a loop:
$ while true; do ncat -l localhost 10003 < <(echo -e "HTTP/1.0 200 OK\n\n<h1>hello world</h1>"); done
Simply point a browser to
localhost:10003 (or curl)
Note that, in the previous example, Ncat is expecting a file descriptor to be redirected to
stdin, so you could replace the process substitution here with a regular file.
The following would also do the same as the previous listening Ncat example:
$ echo -e "HTTP/1.0 200 OK\n\n<h1>hello world</h1>" | ncat -l localhost 10003
$ cat | ncat -l localhost 10003 > HTTP/1.0 200 OK > > <h1>hello world</h1> >
Note that there are also many examples of using TLS with both server and client certificates in the Ncat guide.
Ncat also supports access control. You can whitelist and blacklist by host (
--deny, respectively) or by lists in a file (
--denyfile). Ncat supports the following syntax:
- IPv4 and IPv6 addresses
- IPv4 octet ranges
- CIDR netmasks
$ ncat -l --allow 2001:db8::7d $ ncat -l --deny google.com $ ncat -l --allow 192.168.0.0/24 $ ncat -l --allowfile trusted_hosts.txt
You can also limit the number of connections:
$ ncat -l --max-conns 3
Naturally, this is not secure and shouldn’t be replied upon in any significant way, but I think it’s good enough for a quick file transfer or chat session or the like.
Ncat allows a server to respond with the results of a command executed by means of:
- Directly executing a binary
- Passing a command string to be interpreted by a shell
- Invoking a Lua script
For example, the following commands will do the same thing, i.e., list the contents of the directory of the Ncat “server”. Open two terminals and execute the following command in the first terminal, which will then wait for a client connection:
$ ncat -le "/bin/ls -al" $ ncat -l --sh-exec "ls -al"
Then, in the other terminal, make the client request:
$ ncat localhost
Although I don’t use it very frequently, it does come in handy.
I usually prefer
scp over Ncat when transferring a single file, except in one instance - archive files. I find it preferable to use Ncat because doing the operation as a stream means that I don’t have to create a temporary archive file.
For example, the following will stream a bzip2 archive from
chomsky$ ncat -l 1972 | tar xjv trout$ tar cjv keygen.c Makefile | ncat --send-only chomsky 1972
As you can see, the listening Ncat on
chomsky receives the stream and pipes it to
tar, thereby “untarring” it without further intervention from me. As an added bonus, the
--send-only flag will automatically close the connection as soon as the transfer is complete.
Using a Broker
chomsky$ ncat -l --broker nero$ ncat chomsky > outputfile trout$ ncat --send-only chomsky < inputfile
Simple two user chat:
germanicus$ ncat -kl --max-conns 1 nero$ ncat germanicus
Note that without the access control flag other clients can connect to the listening Ncat process but that that will only establish its own channel with the “server”. In other words, none of the other clients will “hear” the conversation. Use it or don’t :)
If multi-user chat is desired, simply start Ncat in listening mode with the
$ ncat -l --broker
A multi-user chat with designated usernames can be used with the
--chat option. For example, all messages all prefaced with
n is the client connection’s file descriptor (this cannot be changed). This will automatically enable connection brokering.
$ ncat -l --chat
Anything received on one channel is broadcast out to all the other channels, but note that the server doesn’t receive any client messages.
Incidentally, I wrote a simple chat program that does the same, and it does allow the connecting client to choose a unique username.