Neat Tricks

Send Mail

It is great fun to interact with text-based network protocols with nothing more than Ncat and a keyboard. Here's a short example showing how to send email by talking to an SMTP server. SMTP is described in RFC 5321, but you don't need to know much about the protocol to send a simple message. The service's assigned port number is 25, and we use -C because it requires CRLF line endings. Example 8 contains a transcript of a session.

Example 8. Ncat as mail client
$ ncat -C 25
250 Hello
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
Subject: Greetings from Ncat

Hello. This short message is being sent by Ncat.
250 OK
221 closing connection

To make this example work for you, change to your SMTP server and to your domain name. Naturally you'll want to change the email addresses and message too. It will likely only work when using your normal mail server with your real email address, or when using the recipient's mail server (look up the MX record for the domain name in their email address).

Obviously this technique can be used for more than just sending mail. Ncat is a great interactive debugging tool for any text-based protocol. Such debugging is sometimes done with the telnet command, because it provides something like a raw text stream. Ncat offers a few advantages over telnet, though. Ncat doesn't print anything except what is sent by the remote host. Telnet isn't suitable for arbitrary binary data because it reserves some bytes as control characters. The telnet command quits when its input runs out, so you may not see what the other end sends. And finally, telnet doesn't do UDP.

Turn Ncat into a simple web server

Continuing the example from the section called “A Listen Mode Example”, we can create a simple HTTP server that serves the index.html file using the following command:

ncat -lk -p 8080 --sh-exec "echo -e 'HTTP/1.1 200 OK\r\n'; cat index.html"

Or, if you're a Windows user:

ncat -lk -p 8080 --sh-exec "echo HTTP/1.1 200 OK& echo(&type index.html"

This will start the HTTP server, serving the index.html file from your current working directory. To try it out, visit http://localhost:8080/ using your web browser. You can also skip :8080 from the URL if you specified -p 80 instead of -p 8080 in the command above. Note that it will send this file regardless of the entered URL - to change the file being sent, you need to change the Ncat command or use the httpd.lua script (see below).

Since Ncat v6.40, it is possible to use --lua-exec feature to run a Lua script turning Ncat into a web server. In order to do that, need the httpd.lua script which is bundled with the Ncat source in the ncat/scripts/ directory. With the httpd.lua script in your working directory, run Ncat in listening mode:

ncat --lua-exec httpd.lua --listen 8080 --keep-open

This will spawn a HTTP server on TCP port 8080. Unlike the previous example though, the httpd.lua script works without modification on all POSIX-compatible systems and also on Windows. Moreover, you can specify in the URL any other file from the current directory or one of its subdirectories and it will be sent to the user, unlike the --sh-exec example.


The Ncat HTTP server examples shown above are very simple and may be not as powerful as complete HTTP servers, such as Apache HTTPD. It is not advised to use them in production environments (such as public website hosting). It might be useful, though, if you need to quickly spawn a HTTP server to copy some files or for educational purposes.

Chain Ncats Together

Ncat is designed to work within a pipeline, so naturally the output of one instance of Ncat can be fed into the input of another. Here is one way to send a log file from host1 to host3 by way of host2:

host3$ ncat -l > log.txt
host2$ ncat -l | ncat host3
host1$ ncat --send-only host2 < log.txt

A possible problem with this technique is that it is one-way: host1 can send to host3 but there is no way for host3 to send anything back to host1. In this case it doesn't matter, but it can be done with a small change. Consider this:

host3$ ncat -l > log.txt
host2$ ncat -l --sh-exec "ncat host3"
host1$ ncat --send-only host2 < log.txt

The Ncat listening on host2, upon receiving a connection, creates a new Ncat to speak to host3 and connects the inputs and outputs of the programs running on host1 and host3 together. The same trick can be used on the local host too. This example forwards the local port 8080 to the web server on

ncat -l localhost 8080 --sh-exec "ncat 80"

Unwrap SSL

Suppose you need to connect to an IMAP server that requires SSL, but your mail reader doesn't support SSL. Ncat can act as the encrypted bridge to connect the client and server. You will connect the mail client to a local port and Ncat will forward the traffic, encrypted, to the server. Here's how to connect IMAP (port 143) on the local host to IMAP over SSL (port 993) on

ncat -l localhost 143 --sh-exec "ncat --ssl 993"

Once this is in place, instruct the mail client to connect to the IMAP server on localhost.

This trick works for protocols that pass traffic strictly between two hosts. It doesn't work well for HTTP because HTTP is usually aware of hostnames and often involves multiple hosts.

Use SSH Through an Ncat Tunnel

With Ncat and OpenSSH you can SSH to a host behind a NAT router without having to forward ports on the router. The router must have Ncat installed. Here is how to SSH to <host> through <router>:

ssh -o ProxyCommand="ssh -q <router> ncat %h %p" <host>

The ProxyCommand option of ssh tells how to open the SSH connection to <host>. It does this by opening another SSH session to <router> and connecting it to <host> with Ncat.

If your SSH server administrator did not disable tunneling (which is enabled in most default configurations), you can use the proxy server built into SSH. Use the following command to spawn a proxy server on TCP port 8080 of your local machine that tunnels the traffic through the SSH connection:

ssh router -D 8080

Now you can make connections inside the network using Ncat's proxy client capabilities. For example, to connect to host with IP address that is behind the router, you can use the following command if you spawned the tunnel:

ncat --proxy localhost:8080 --proxy-type socks4

Watch What Nmap's Version Detection is Doing

Ncat can show you at a low level what's going on when Nmap version-scans a service. We'll make a service that only listens and instruct Nmap to use every version probe in the book. Set up Ncat to listen and record a hex dump log. The --keep-open option will make Ncat keep listening and accepting more connections after the first one is finished, contrary to the normal listen mode behavior of quitting when the first connection ends. Some version probes are binary so redirect standard output to /dev/null to avoid writing them to the screen.

ncat -l --keep-open 5200 --hex-dump vscan.log > /dev/null

Now scan the open port you made:

nmap -d -sV --version-all localhost -p 5200

An except of the hex dump is shown in Example 9.

Example 9. Hex dump of Nmap version detection
[0000]   0D 0A 0D 0A                                         ....
[0000]   47 45 54 20 2F 20 48 54   54 50 2F 31 2E 30 0D 0A   GET / HT TP/1.0..
[0010]   0D 0A                                               ..
[0000]   4F 50 54 49 4F 4E 53 20   2F 20 48 54 54 50 2F 31   OPTIONS  / HTTP/1
[0010]   2E 30 0D 0A 0D 0A                                   .0....
[0000]   4F 50 54 49 4F 4E 53 20   2F 20 52 54 53 50 2F 31   OPTIONS  / RTSP/1
[0010]   2E 30 0D 0A 0D 0A                                   .0....
[0000]   80 00 00 28 72 FE 1D 13   00 00 00 00 00 00 00 02   ...(r... ........
[0010]   00 01 86 A0 00 01 97 7C   00 00 00 00 00 00 00 00   .......| ........
[0020]   00 00 00 00 00 00 00 00   00 00 00 00               ........ ....
[0000]   00 1E 00 06 01 00 00 01   00 00 00 00 00 00 07 76   ........ .......v
[0010]   65 72 73 69 6F 6E 04 62   69 6E 64 00 00 10 00 03   ersion.b ind.....
[0000]   00 0C 00 00 10 00 00 00   00 00 00 00 00 00         ........ ......
[0000]   45 48 4C 4F 0D 0A                                   EHLO..
[0000]   48 45 4C 50 0D 0A                                   HELP..

At the beginning, Nmap would have sent its NULL probe, which isn't shown in the log file because the NULL probe doesn't send anything. At the top of the log is the GenericLines probe (0D 0A 0D 0A, or \r\n\r\n). After that is our old friend the HTTP GET request. Then come all the other probes in the nmap-service-probes file. In this excerpt are shown probes designed to get a response from RPC, DNS, and SMTP.