Ncat always operates in one of two basic modes:
connect mode and listen mode.
In connect mode, Ncat initiates a connection (or sends UDP data) to a service that is
listening somewhere. For those familiar with socket programming,
connect mode is like using the
In listen mode, Ncat waits for an incoming connection (or data receipt), like using the
You can think of connect mode as “client” mode and listen
mode as “server” mode.
To use Ncat in connect mode, run
<host> may be a hostname or IP
<port> is a port number. Listen mode is the
same, with the addition of the
--listen option (or
ncat --listen [
ncat -l [
In listen mode,
<host> controls the address
on which Ncat listens; if you omit it, Ncat will bind to all local interfaces (INADDR_ANY). If the port number is omitted, Ncat uses its
Typically only privileged
users may bind to a port number lower than
A listening TCP server normally accepts only one connection and will
exit after the client disconnects. Combined with the
option, Ncat accepts multiple concurrent connections up
to the connection limit. With
-k for short), the server receives everything sent by
any of its clients, and anything the server sends is sent to all of
them. A UDP server will communicate with only one client (the first
one to send it data), because in UDP there is no list of
By default, Ncat uses TCP and IPv4. The option
enables UDP instead,
enables IPv6. See the section called “Protocols” for more details.
The rest of this guide documents all the Ncat options through
descriptions and examples. For a quick summary of options at any time,
or man ncat.
A good way to start learning about Ncat (and network protocols in
general) is to connect to a network service and talk with it. In
this case we use Ncat to manually retrieve a web page from an HTTP
server, just as web browsers do in the background when you visit a
shows a (truncated) sample session. Try it yourself!
Text in bold is what you type; everything else is what comes
back. The blank line after the
GET line is
required—just hit enter twice.
Example 1. Ncat as a web browser
ncat -C scanme.nmap.org 80
GET / HTTP/1.0
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2009 15:31:40 GMT
Server: Apache/2.2.2 (Fedora)
Last-Modified: Mon, 19 May 2008 04:49:49 GMT
Content-Type: text/html; charset=UTF-8
<title>Go ahead and ScanMe!</title>
Here we have instructed Ncat to connect to the host scanme.nmap.org
on port 80, the port for HTTP. The
-C option turns
on CRLF replacement,
which replaces any line endings you type with CRLF. CRLF line
endings are required by many protocols, including HTTP, though many servers will accept a plain newline (LF) character.
GET / HTTP/1.0 requests the root document of
the server; we are retrieving the same document named by the URL
http://scanme.nmap.org:80/. The web server responds with a status code
(HTTP/1.1 200 OK), followed by the
HTTP header and the text of the web page. If you try this with other
web servers, note that many of them are actually virtual hosts and you
will need to send the
Host header field. See
RFC 2616 for
more information about HTTP.
So much for using Ncat as a web browser. What about a web server?
That's possible too; it just takes a bit of preparation. The first
step is to create the document to serve. Create a text file called
hello.http with these contents:
HTTP/1.0 200 OK
Now run the command
ncat -l localhost 8080 < hello.http. This
instructs Ncat to listen on the local port 8080 and read
hello.http on its input. Ncat is now primed to
send the contents of the file as soon as it receives a connection.
Now open a web browser and type in the address
shows a sample of what will appear.
Figure 1. Web page served by Ncat
In the terminal where you ran Ncat, you will see everything the web
browser sent to request the page. You should see a
line like the one you sent in
the connect mode example. This shows that Ncat by default both sends
If you try to refresh the page, it won't work. That's because Ncat
ran out of input; it won't re-send what has already been sent. For
more information on making a server that continually responds to
requests, see the examples in
the section called “Emulating Diagnostic Services”.
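The two sessions above (the connect-mode GET and the one-shot listener fed from hello.http) can be modelled with plain sockets on the loopback interface. This is an added example, not code from the Ncat project; the function names and the HELLO_HTTP body are assumptions made for illustration, and the listener binds to 127.0.0.1 rather than all interfaces so nothing is exposed off-host.

```python
import socket
import threading

# Constructed stand-in for hello.http (the body text is an assumption).
HELLO_HTTP = b"HTTP/1.0 200 OK\r\n\r\n<h1>Hello from a one-shot listener</h1>\n"

def crlf(typed: str) -> bytes:
    """Mimic -C: every line ending the user typed becomes CRLF."""
    return "\r\n".join(typed.splitlines() + [""]).encode("ascii")

def recv_all(sock) -> bytes:
    """Read until the peer closes its sending side."""
    return b"".join(iter(lambda: sock.recv(4096), b""))

def listen_once(host: str = "127.0.0.1"):
    """Listen mode: bind, accept exactly one client, send the file, then exit."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))  # loopback only; port 0 lets the OS pick a free port
    srv.listen(1)
    seen = []  # what the client sent, as the listener's terminal would show it

    def serve():
        conn, _ = srv.accept()
        with conn, srv:  # closing srv too: no second connection is possible
            conn.sendall(HELLO_HTTP)
            conn.shutdown(socket.SHUT_WR)  # input is exhausted, nothing to re-send
            seen.append(recv_all(conn))

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv.getsockname()[1], t, seen

def connect_and_get(host: str, port: int, typed: str) -> bytes:
    """Connect mode: open the connection, send the typed request, read the reply."""
    with socket.create_connection((host, port), timeout=5) as c:
        c.sendall(crlf(typed))
        c.shutdown(socket.SHUT_WR)
        return recv_all(c)

if __name__ == "__main__":
    port, t, seen = listen_once()
    print(connect_and_get("127.0.0.1", port, "GET / HTTP/1.0\n\n").decode())
    t.join(5)
    print("listener saw:", seen[0])
```

A second call to connect_and_get on the same port fails with a connection error, which is the socket-level view of why refreshing the browser does not work.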