Do you want to test connectivity to your mail server on port 25? Do you want to make a quick port scan? Perhaps you want to open a local port on your server to listen for incoming connections. The topic of this article is about a command that can and will offer you all this functionality, and more. Welcome to netcat.
Do you have nc on your system?
Netcat, henceforth nc, is not shipped by default on every Linux installation. You can check by typing nc -h in your shell. If you see a few lines describing the command's arguments and switches, you're ready. If the command is not found, you'll have to install it. On a Red Hat variant (Red Hat, Fedora, CentOS, Oracle Linux, etc.) you'd issue sudo yum install nc (on current releases this pulls in the nmap-ncat package). On Ubuntu or Debian there is no package called nc; use sudo apt-get install netcat-openbsd (or netcat-traditional, whose options differ slightly). On another Linux variant or on a UNIX box, use the OS specific installation command. In all cases, you can download the source code from http://sourceforge.net/projects/nc110/files/latest/download?source=files and build it manually.
Before listing the examples, please note that nc sometimes differs in the options that it offers and the way it works from one system to another. For example, on some systems it’s enough to issue nc -l 8000 to let nc listen on port 8000, while on other systems you have to add -p before the port number. So please check the man page on your system if you encounter syntax errors.
Now let’s see what nc has to offer.
A general network client
The simplest use of nc is the one telnet is often put to: testing a connection by hand. Imagine you want to check whether a specific port on a system is open, and also whether the right service is bound to it. An SMTP server, for example, usually listens on port 25. To test SMTP connectivity to that port, use nc as follows:
$ nc smtp.gmail.com 25
220 smtp.gmail.com ESMTP h4sm13305463wjx.41 - gsmtp
The server sent its SMTP greeting, so the service is up and answering. Nice! From here you can type SMTP commands (EHLO, QUIT) and carry on the conversation interactively.
It’s your first day in the information security department. Your boss wants you to scan the new server for open ports. You try to use your department’s main security assessment tool, only to find that the support team has not installed it on your machine yet. Fortunately, nc is installed.
nc -v -z -w 1 newserver.com 1-1000
This command scans newserver.com for open TCP ports in the range 1 to 1000. Note the switches used:
-v provides more verbose output, so that each port is reported as open or refused
-w 1 sets the timeout to 1 second, that is, how long nc waits for the server to respond before giving up on a port
-z puts nc in zero-I/O mode: it only connects and reports, and sends no data. The port or port range is not an argument of -z; it is the last argument on the command line, after the host name.
Of course there are more specialized port scanners on Linux, nmap foremost among them, but it’s nice to have this feature in nc when nothing else is at hand.
A very temporary webserver
Let’s admit it: systems do fail. Webservers are no exception. Imagine you are in charge of the company’s webserver, which suddenly crashed. Your boss does not care as much about when the server will be back as about what users see when they try to reach the company’s homepage and get nothing but a connection error. You must find a way to let anyone visiting the homepage find a nice message saying that the site is under maintenance and to “please check back later”. Once again, nc to the rescue. You quickly design the HTML page (error.html) and use the following command to hand it to the next visitor:
nc -l 80 < error.html
Two caveats: binding port 80 requires root, and nc answers a single connection and then exits, so you need to wrap it in a loop to serve more than one visitor. Note also that the file is sent as is, without an HTTP status line or headers; browsers usually render it anyway, but a well-formed response would carry them.
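A more complete version of the maintenance page, added here as an example and not taken from the original article: http_response wraps the file in a proper HTTP response (503 Service Unavailable with a Retry-After header, so browsers and crawlers know the outage is temporary and do not index the page), and serve_maintenance loops so that every visitor is answered, not only the first. The function names and the Retry-After value are my choices; the nc -l PORT syntax is the one used in the article and may need -p on your system.

```shell
#!/bin/sh
# Added example: serve a static maintenance page with nc (not from the original article).

# http_response FILE
# Write a complete HTTP/1.0 response to stdout with FILE as the body.
# 503 tells clients the outage is temporary; Retry-After is advisory.
http_response() {
    file=$1
    length=$(wc -c < "$file" | tr -d ' ')          # body size in bytes, for Content-Length
    printf 'HTTP/1.0 503 Service Unavailable\r\n'
    printf 'Content-Type: text/html; charset=utf-8\r\n'
    printf 'Content-Length: %s\r\n' "$length"
    printf 'Retry-After: 600\r\n'                  # assumed value: ask clients to come back in 10 minutes
    printf 'Connection: close\r\n'
    printf '\r\n'
    cat "$file"
}

# serve_maintenance PORT FILE
# nc answers one connection and exits, so loop to serve every visitor in turn.
# The client's request is read and discarded (> /dev/null); every request gets the same answer.
# If nc itself fails (for example the port is already taken) the loop stops instead of spinning.
serve_maintenance() {
    port=$1; file=$2
    while :; do
        http_response "$file" | nc -l "$port" > /dev/null || break   # some nc builds need: nc -l -p "$port"
    done
}

# Usage (port 80 needs root; use a high port such as 8080 to try it as a normal user):
#   serve_maintenance 80 error.html
```

Content-Length and Connection: close let the browser know when the page is complete, which matters because some nc builds keep the connection open until the client hangs up.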
A proxy server
You can use nc to redirect requests to another host and relay the results, just like a minimalist proxy server. Consider this example:
mkfifo mypipe
nc -l 8080 0<mypipe | nc www.google.com 80 1>mypipe
The machine on which you type these commands acts as a relay to www.google.com. Imagine that you are behind a firewall (or a corporate proxy?) and have access to this machine but not to the Internet, while the machine itself does. In that case all you have to do is point your browser at port 8080 on the relay machine to reach google.com. Things are starting to get interesting! Keep in mind that this relays a single connection and then exits, and that anyone who can reach port 8080 can use it, so restrict who can connect before leaving it running.
Before leaving this example, notice the mkfifo command. It creates a named pipe (a FIFO) that both nc processes can open by path. A FIFO, like the ordinary pipe (|), carries data in one direction only, so the two are combined: | carries the user’s request from the listening nc to the nc connected to google, and the FIFO carries google’s response back to the listening nc, which passes it to the user. If I had used only nc -l 8080 | nc www.google.com 80, the proxy machine would connect to google when the user connects, but the response would never get back to the user. Hence the second, named pipe for the return direction.
Online disk cloning
The situation is as follows: you have an up and running Linux box hosting a complex application. Adjusting the application prerequisites and tuning the server took you and your team a lot of time and effort. Now the application team is requesting another brand new machine that will be hosting the same application. You have two options: either to install Linux from scratch on the new server and re-do all the work you did on the first server, or simply clone the existing one. Detaching the hard disk and attaching it to the second machine to start cloning (using dd) might be an option. But I have a better one, use nc.
In order for the following scenario to work, the destination disk must be at least as large as the source disk; if it is larger, the extra space stays unused until you grow the partitions or volumes afterwards.
Server 2 (destination):
- Boot the system with a live CD, or use the installation media and enter the rescue mode.
- Ensure that the machine has network access. Set up the IP address and gateway.
- Assuming that the disk you want cloned is /dev/sda, issue the following command:
nc -l 2222 | dd of=/dev/sda
The destination now waits for the source to connect.
Server 1 (source):
- Ensure that all applications are shut down and nobody is doing anything on the server. Enter rescue mode if you want to be completely sure no files are being changed while the disk is read.
- Assuming that the disk to be cloned is /dev/sda, issue the following command (nohup wraps the whole pipeline; applied to dd alone, nc would still be killed when your shell exits):
nohup sh -c 'dd if=/dev/sda | nc server2 2222' &
- Check the status of the clone by issuing ps -ef | grep 'dd if='. With GNU dd you can add status=progress to the dd command to see how many bytes have been copied so far. When the processes are gone, you have successfully cloned the disk to the other machine.
If the OS is installed on more than one disk (using volume manager), make sure you clone all the disks using the same procedure.
How did it happen?
First, you instructed the destination server to listen on port 2222 for incoming connections using nc, and redirected any data arriving on that connection to dd, with its output file (of) set to the disk. On the source server you ran dd with its input file (if) set to the disk to be cloned and piped its output to nc, which carried the data to the destination server on port 2222.
Despite the great power nc offers, it has one major flaw: data travels unencrypted and unauthenticated. Nothing checks who connects to port 2222, so whoever reaches it first writes to the destination disk, and nothing guards the stream against tampering or truncation in transit. If security is a concern, run the same dd commands over an SSH tunnel (or pipe dd straight into ssh) and compare a checksum of the source and destination afterwards.
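The cloning procedure above, with the integrity check the last paragraph calls for, as an added example that is not part of the original article. Each side hashes the stream with SHA-256 as it passes through, so the disk is read only once, and verify_clone compares the two digests afterwards; a truncated or tampered transfer shows up as a mismatch. The function names, the hash file paths and the port 2222 are assumptions; the nc commands themselves are the article’s.

```shell
#!/bin/sh
# Added example: clone a disk over nc and verify it with SHA-256 on both ends.
# Not from the original article; function names, hash file paths and port are assumptions.

# hashing_tee HASHFILE
# Copy stdin to stdout and leave the SHA-256 hex digest of everything that passed in HASHFILE.
# A FIFO feeds a second copy of the stream to sha256sum running in the background,
# so the data is hashed on the fly without a second pass over the disk.
hashing_tee() {
    hashfile=$1
    fifo=$(mktemp -u "${TMPDIR:-/tmp}/nchash.XXXXXX") && mkfifo "$fifo" || return 1
    sha256sum < "$fifo" | cut -d' ' -f1 > "$hashfile" &
    tee "$fifo"
    wait                      # let sha256sum finish reading the FIFO before returning
    rm -f "$fifo"
}

# send_disk DEVICE HASHFILE   (source side; pipe the output into nc, see usage below)
send_disk() {
    dd if="$1" bs=4M | hashing_tee "$2"
}

# receive_disk DEVICE HASHFILE   (destination side; fed from nc, see usage below)
receive_disk() {
    hashing_tee "$2" | dd of="$1" bs=4M
}

# verify_clone SRC_HASHFILE DST_HASHFILE
# Succeed only if both files hold the same, non-empty digest.
verify_clone() {
    src=$(cat "$1" 2>/dev/null); dst=$(cat "$2" 2>/dev/null)
    [ -n "$src" ] && [ "$src" = "$dst" ]
}

# Usage, following the article's order (destination first, then source):
#   server2:  nc -l 2222 | receive_disk /dev/sda /root/dst.sha256
#   server1:  send_disk /dev/sda /root/src.sha256 | nc server2 2222
# then copy one hash file to the other machine and run:
#   verify_clone src.sha256 dst.sha256 && echo "clone verified"
```

The check proves the bytes that left server1 are the bytes that landed on server2's disk; it does not make the transfer confidential, so it complements rather than replaces the SSH tunnel.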