Ncat can execute an external command after establishing a connection. The command's standard input, output, and error streams are redirected to use Ncat's network connection. Anything received over the connection is given to the command's stdin, and anything the command writes is sent back out over the connection. This makes almost any terminal application accessible over a network (with some caveats).

The --exec option (alias -e) takes the full pathname of a command to execute, along with its arguments. The command is executed directly; Ncat does not interpret the given string beyond splitting the command and its arguments. Example 3 shows an example of usage.

The --sh-exec (-c) works the same way as --exec, except that it executes the command by passing it to /bin/sh -c on Unix or cmd.exe /C on Windows. You don't have to use the full pathname of the command if the command is in the PATH. Additionally you have access to shell facilities such as pipelines and environment variable expansion. Example 4 shows a command run with --sh-exec. This server, when connected to, sends back the name of its working directory.

The exec options can be used in connect mode and listen mode. In listen mode, Ncat accepts one connection, runs the command, and then quits, just like listen mode without exec. But when listen mode is combined with --keep-open, Ncat will accept multiple connections, forking off a new handler for each. This works even in UDP mode; the usual limit of only one client doesn't apply. The server will keep running until you press ctrl+C or otherwise terminate it externally. In this way Ncat can work much like inetd. Many examples of the use of --exec and --sh-exec in listen mode are found in the section called “Emulating Diagnostic Services”.

Any program that takes input and produces output can be executed by Ncat, but not all programs are suited for interaction. The reason is that many programs buffer their input and output, so if they receive some bytes, they many not process those bytes and write output until their input buffer is full, or the output may be deferred until the output buffer is full. If another program sends a few bytes and then waits for a response, it may hang indefinitely. Buffers are flushed when input or output ends, so even those programs that don't work interactively will work when run on an entire file at a time.

Be careful when using the --exec and --sh-exec options. It can be dangerous to connect a new application to a network, especially one that wasn't written with potentially hostile input in mind. Any local vulnerabilities in an application may become remote vulnerabilities when you execute it through Ncat.