Hacker News new | comments | ask | show | jobs | submit login
Cool stuff you can do with netcat (wikipedia.org)
126 points by ma2rten on Nov 5, 2010 | hide | past | web | favorite | 39 comments

Poor man's skype:


    arecord -f cd -c 2 | lame -b128 - - | netcat -u your-ip 6881 | mpg123 -

   arecord -f cd -c 2 | lame -b128 - - | netcat -u -l 6881 | mpg123 -

I used to do this with a friend in the days when modems tied up phone lines. You have to pass a much lower number to lame's -b option, though.

If you love nc, also check out socat (http://www.dest-unreach.org/socat/)

Or ncat (http://nmap.org/ncat/). My personal favorite useless example is the persistent webserver:

    ncat -lkp 8080 --sh-exec 'echo -ne "HTTP/1.0 200 OK\r\n\r\nThe date is "; date;'

Don't forget easy ssh host hopping.

ssh -oProxyCommand="ssh host1 nc host2 22" host2

Interesting. Thanks for the tip! I'd never heard of ssh host hopping, but have been doing 2-3 sequential ssh logins for years. I always wondered if this was possible somehow! I found this nice tutorial that explains your tip in detail:


This made all the time I've spent on HN in the past week worthwhile! :)

At $EMPLOYER, I have a script that takes a description of the network topology, converts it to a sequence of Host stanzas and writes them to ~/.ssh/config. The source file is simple enough that the sysad team can keep it up-to-date when they change the network configuration, and most people just have to run the 'update' script occasionally to have Super SSH Powers. It's quite popular.

Don't suppose you'd be willing to post this uber-script somewhere?

Unfortunately it's not really self-contained enough to post; the most complicated thing in it is basically a copy/paste of the "Dijkstra's Algorithm" sample-code on Wikipedia, though.

I used nc to do just this for years until I switched companies and found that many of the hosts didn't have nc installed.

To get around that I just added the following to my bashrc

alias remote_host="ssh -t bastion ssh -t host1 ssh host2"

Thanks for the tip, it inspired me to do the following:

user@host3# ssh-keygen -t rsa -f ~/.ssh/id_rsa_hopping

user@host3# echo command=\"nc host2 22\" `cat ~/.ssh/id_rsa_hopping.pub` | ssh user@host1 "cat >> ~/.ssh/authorized_keys"

user@host3# scp ~/.ssh/id_rsa_hopping* user@host4:~/.ssh/

The point of all of this being that host4 should be able to do anything on host2, but only be able to use host1 as a hop:

user@host4# ssh -oProxyCommand="ssh -i ~/.ssh/id_rsa_hopping host1" host2

Anyone want to give a few examples of cool things they actually do with netcat?

I use it for:

- creating quick and dirty proxies (nc > fifo > nc). (edit: you can also bridge udp->tcp this way, which makes proxying UDP through an ssh tunnel possible)

- making simple GET requests (printf "GET / HTTP/1.0\r\nHost: www\r\n\r\n" | nc host 80, or save the full request and pipe that to netcat)

- checking if a port is open (nc -p 8080 host, tends to be quicker than nmap and less to type)

- dumb file transfers ('nc -l port > file' on one machine, 'file | nc host2 port') on another (or using tar for directories). Usually I use ssh/scp, but sometimes that nc trick works just fine..

I use netcat to simulate a network connectivity failures.

For instance, if server:port 1000 is the normal host and port my application would connect to, I set up a forward from port 2000:

    nc -L server:1000 2000
then run my application to connect to localhost:2000

    my_application --server=localhost --port=2000
Now my application is connected to localhost:2000, which is forwarded to server:1000 through netcat. To simulate a network connectivity failure I just kill netcat.

A few days ago I was wondering if the link between two remote hosts was 100Mbps or 1Gbps, and didn't have root access to run ethtool (sidenote: is there an easier way for an unprivileged user to determine this?), so out came netcat and dd:

  host1$ dd if=/dev/zero | nc host2 5432

  host2$ nc -l 5432 > /dev/null
Let it run for a moment and then ctrl-C'd host1; the stats dd printed on exit gave a pretty clear answer to my question.

For an easier way, consider ifconfig. You can run it as non-root, you know - you just won't be able to change anything.

I spent a few summers at the National Institutes of Health building a DICOM (Digital Imaging and Communications in Medicine) suite for the storage and retrieval of Nuclear Medicine and CT images. It consisted of a client and a server and was built completely in IDL. It used Netcat both to listen/respond on the server side and to issue queries and retrieve (meta)data on the client side.

Like others in this thread, I too received a few bureaucratic slaps on the wrist for doing unauthorized port-scanning during the development process (we were trying to find a set of suitable unused ports for the package). Apparently it was worth the trouble, though--it was nearly 10 years ago that I built the package, and the software's still in use!

This is pretty much the fastest way I've found to clone a disk over a network. To clone from one host's /dev/sda to another host's /dev/sda in Linux, try this.

On the target host, run the following:

nc -l 31337 | bzip2 -d | dd bs=16M of=/dev/sda

On the host you're copying from, do this:

dd bs=16M if=/dev/sda | bzip2 -c |nc dest.host.com 31337

Bear in mind that this isn't secure (everything goes over the wire in clear and there's no auth) and that for best results you should only do this from a live cd (if you're dd'ing from or to the live drive you've mounted there's a high risk that you'll change the filesystem mid-copy, depending on source FS used, this could corrupt the destination).

As a method of obscuring the data slightly (although really it doesn't add much), I sometimes like to add "conv=swab" to the dd. But for the CPU that's being spent on the bzip2, you could do it slightly more easily with a single command on one machine:

    dd bs=16M if=/dev/sda | ssh dest.host.com 'bzip2 -d >/dev/sda'
Of course, that presupposes a running sshd on dest.host.com. You could secure it from being observed (although not from being interfered with) under Linux using loopback devices:

    ## On the destination machine:
    LOD=`losetup -f`
    losetup -e aes $LOD /dev/sda
    # You'll be prompted for a password for the encryption.
    nc -l 31337 | bzip2 -d | dd bs=16M of=$LOD

    ## On the source machine:
    LOD=`losetup -f`
    losetup -e aes $LOD /dev/sda
    # You'll be prompted for a password; use the same one.
    dd bs=16M if=$LOD | bzip2 -c |nc dest.host.com 31337
Most people just use encrypted loopback devices for things like disk encryption, but losetup (like netcat) has so many other fun potential applications.

(Edited twice due to formatting sadness.)

That second one's really interesting. I've tried the SSH route and while it works (and works well) it really knocks up the time to send an image over the wire.

We've used this for forensic imaging in the past and have relied upon digital signatures as integrity checks. It's not great I know, but it's the best way to get disk images from a big server onto a NAS (when you can't plug the NAS into the server).

The second one is way more fun, using the real device as the plaintext and the loopback as the cyphered version.

Have you tried using the -C (compression) option to ssh instead of the bzip2 pipe? I don't often have occasion to do this sort of thing, so if you've tried that already, it would be interesting to know relative timing. pbzip2 ( compression.ca/pbzip2/ ) might be helpful sometimes, but I don't suspect that it's carried on most live CDs (unless you guys are rolling your own) and the CPU probably isn't the bottleneck anyway.

9P2000 has recently made it into the Linux kernel and it gets way better throughput than NFS, but (and I'm not too familiar with NAS hardware or software, so I may be saying something foolish) I don't suspect it's a supported protocol on those things. Either way, I also don't suspect that adding the overhead of an FS protocol could be helpful in cases where netcat would do, but it's a nice tool to have in the box.

I haven't tried -C on SSH, but I'll make a note to try it next time I get the chance. We use QNAP NAS so we're more or less stuck to specific kernel versions, but the userland is fairly complete (as you have basically got a ton of disk space for userland apps!)

Poor man's remote command execution (when compiled with -DGAPING_SECURITY_HOLE):

nc -l -p 80 -e /bin/sh

And then just telnet or netcat to that port and you get yourself a shell.

1. Schlepping files between computers.

computer A:

    nc -l $ARBITRARY_PORT | tar vzxf -
computer B:

    tar vzcf - files_or_directories | nc computer_a $ARBITRARY_PORT
2. Testing socket servers:

    cat canned_request | nc server 80
There are probably other things, but I don't think, "Oh, this is a good use for netcat", I just do it. It's almost as handy as awk.

> Schlepping files between computers.

What about using rsync instead ?

nc is simple and I know its syntax. rsync is more powerful, but I need to look up its options half the time.

"rsync source host:destination" just works, no need for options :)

I use it to poll our memcached servers w/o first jumping into telnet.

echo "STATS" | nc localhost 11211

STATS can be replaced w/ other memcached-accepted arguments

Shutting down redis (from default init.d script):

    echo -n "Sending SHUTDOWN\r\n" | nc localhost $REDISPORT &

I actually got in trouble trying to use netcat for something quite legitimate in my former job at RandomBigCorp... Oops.

Please elaborate?

At my current place of employment, "hacking tools" are banned. On that list is netcat. It is installed on every unix desktop and server, and I use it daily. I have decided to just not point out the stupidity of this -- they might do something that's even more stupid as a response.

I always wondered about screwball policies like that. It just seems so incredibly short-sighted to not use the best tools for the job.

"If you want me to defend you from the bad people on the net, then don't send me to a gun fight with only a knife."

I've always found that it's better to ask for forgiveness than permission in a large bureaucratic technically simplified corporation, otherwise I'd get nothing done. Ask, and they say "no".

It's always wise to exercise discretion: http://db.tidbits.com/article/8886

Yes, that Randall Schwartz.

It's too bad you can't expunge lawyers' fees. Yikes.

And no blame, but it's probably a good idea to say, "We're scanning for weak passwords" first. The sysadmin at the library I used to work at ran password crackers occasionally, and sent out an e-mail once saying that he suddenly knew a lot of staffs' boyfriends names. It's a delicate issue.

Yeah that is ridiculous. It's misleading for potential netcat users. And by banning it there can be no discussion about how to actually use it safely and responsibly.

"hacking tools" are banned.

If you are asked about it. The best way is to respond that you use it as a a diagnostic tool or analysis tool.

As for arguing it's not a hacking tool - A person could take something as innocent as VBScript for Office and write viruses with it. Nothing you can do about your tools ability to be abused.

The whole thing plays out like banning sharp knives for chefs' safety. It's a useless, infuriating gesture, but it probably looked good for someone on paper. Politics is an ugly beast.

This is exactly why I got in trouble... It's a stupid policy but there it is not worth fighting the bureaucracy. Also I was using it in a test environment.

If you add the live_console gem to a rails app, you can use netcat to run IRB against the live application. You can change the app's state from a console, like flushing a cache or even making a patch, without having to restart the app.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact