netcat (nc)
Port testing, banner grabbing, file transfers, and ad-hoc network relays.
Port Testing
Test if a TCP port is open — zero I/O mode, verbose output, the quickest connectivity check
nc -zv 10.50.1.20 443
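Scan a range of ports — check which ports are open, lightweight alternative to nmap for quick checks (the grep matches nc.openbsd's "succeeded" wording; nc.traditional reports "open" instead, and ncat accepts only a single port)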
nc -zv 10.50.1.20 1-1024 2>&1 | grep succeeded
Test with a timeout — give up after 3 seconds, prevents hanging on filtered ports
nc -zv -w 3 10.50.1.20 8443
Test UDP port reachability — UDP is connectionless so "open" means no ICMP unreachable came back; a firewall that silently drops the packet looks the same as an open port
nc -zuv -w 3 10.50.1.50 53
Test multiple specific ports — check ISE admin and RADIUS ports in sequence
for p in 443 1812 1813 8443 8444; do nc -zv -w 2 10.50.1.20 $p 2>&1; done
Banner Grabbing
Grab a service banner — connect and read whatever the service sends on connect
nc -v -w 3 10.50.1.10 22
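Send an HTTP request by hand — raw HTTP without curl, useful for debugging headers (plain nc cannot negotiate TLS, so target the cleartext port; for an HTTPS port pipe the same request into ncat --ssl)
printf 'HEAD / HTTP/1.1\r\nHost: 10.50.1.20\r\nConnection: close\r\n\r\n' | nc 10.50.1.20 80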
SMTP banner check — verify the mail server responds and identify the MTA
nc -v -w 5 mail.example.com 25
Listeners
Start a TCP listener on a port — waits for one connection, prints received data to stdout
nc -l -p 4444
Start a listener that stays open after disconnect — keeps listening for new connections (ncat/nmap version)
ncat -l -k -p 4444
Listen and log to a file — capture everything received to a file for later analysis
nc -l -p 4444 > /tmp/received.log
File Transfer
Send a file — receiver listens, sender connects and pipes the file
# Receiver (run first):
nc -l -p 4444 > received-file.tar.gz
# Sender:
nc 10.50.1.100 4444 < file-to-send.tar.gz
Transfer a directory — tar on the fly, no intermediate file on either side
# Receiver:
nc -l -p 4444 | tar xzf -
# Sender:
tar czf - /var/log | nc 10.50.1.100 4444
Transfer with progress — pv shows bytes transferred and speed
# Sender with progress:
pv file.iso | nc 10.50.1.100 4444
Relay and Proxy
Simple TCP relay — forward local port 8080 to a remote host:port using a named pipe
mkfifo /tmp/backpipe
nc -l -p 8080 < /tmp/backpipe | nc 10.50.1.20 443 > /tmp/backpipe
Port forwarding with ncat — cleaner syntax, built-in relay support
ncat -l -p 8080 --sh-exec "ncat 10.50.1.20 443"
Chat and Debugging
Two-way chat between hosts — simple bidirectional text channel for testing
# Host A (listener):
nc -l -p 4444
# Host B (connector):
nc 10.50.1.100 4444
# Now type on either side — text appears on the other
Send a test string to a syslog server — verify UDP syslog reception
echo '<14>Test syslog message from netcat' | nc -u -w 1 10.50.1.90 514
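Open a raw UDP channel to a DNS server — nc only forwards whatever arrives on stdin to port 53, so a real query needs the binary DNS message supplied by hand (use dig for real DNS work)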
nc -u -w 3 10.50.1.50 53
Bash Built-in Alternative
/dev/tcp as a netcat alternative — no external tool needed, works in bash (not zsh)
bash -c 'echo > /dev/tcp/10.50.1.20/443 && echo "Port open" || echo "Port closed"' 2>/dev/null
/dev/tcp for HTTP request — fetch a page without curl or nc
bash -c 'exec 3<>/dev/tcp/10.50.1.20/80; printf "GET / HTTP/1.1\r\nHost: 10.50.1.20\r\nConnection: close\r\n\r\n" >&3; cat <&3; exec 3>&-'
Port check in a script with timeout — portable connectivity test
timeout 3 bash -c '</dev/tcp/10.50.1.20/443' 2>/dev/null && echo "OPEN" || echo "CLOSED"
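The one-liner above prints CLOSED both when the port actively refuses the connection and when the probe times out, which hides the difference between a stopped service and a firewall drop. The following added example (not part of the original cheat sheet; `classify_rc` and `check_port` are hypothetical helper names, and GNU coreutils `timeout` is assumed) separates the two cases:

```shell
# Added example: classify a TCP port as open / closed / filtered via bash /dev/tcp.
# classify_rc and check_port are hypothetical helper names, not part of any tool.

# Map the exit status of `timeout N bash -c ': </dev/tcp/HOST/PORT'` to a state.
classify_rc() {
  case "$1" in
    0)   echo open ;;      # connect() completed
    124) echo filtered ;;  # GNU timeout killed the attempt: no SYN-ACK and no RST
    *)   echo closed ;;    # immediate failure: RST, unreachable, or name lookup error
  esac
}

# check_port HOST PORT [TIMEOUT_SECONDS]
check_port() {
  host=$1 port=$2 secs=${3:-3}
  # Reject anything that is not a 1-5 digit number before it reaches the /dev/tcp path.
  case "$port" in
    ''|*[!0-9]*|??????*) echo invalid; return 2 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then echo invalid; return 2; fi
  # Host and port travel as positional parameters, never spliced into the -c string.
  rc=0
  timeout "$secs" bash -c ': <"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null || rc=$?
  classify_rc "$rc"
}

# Run as a script: ./portcheck.sh 10.50.1.20 443 1812 8443
if [ "$#" -ge 2 ]; then
  target=$1; shift
  for p in "$@"; do
    printf '%s:%s %s\n' "$target" "$p" "$(check_port "$target" "$p" 2)"
  done
fi
```

A "filtered" result on a port that should be reachable points at a firewall or ACL between the two hosts; "closed" means the path works but nothing is listening, or the host could not be reached at all.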
Netcat Variants
Which netcat do you have — behavior differs between implementations
# ncat (nmap project): Most features, --ssl, --sh-exec, -k keep-open
# nc.openbsd: -X proxy support, common on Debian/Ubuntu
# nc.traditional: Original, fewest features
# Check which one: readlink -f $(which nc)
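ncat with TLS — connect to an HTTPS port; ncat completes the TLS handshake and you then type the application protocol (for example HTTP) inside the encrypted session. The server certificate is not verified unless --ssl-verify is given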
ncat --ssl -v 10.50.1.20 443
ncat listener with TLS — encrypted listener for secure file transfer
ncat --ssl -l -p 4444 --ssl-cert /tmp/cert.pem --ssl-key /tmp/key.pem