It is great fun to interact with text-based network protocols with
nothing more than Ncat and a keyboard. Here's a short example
showing how to send email by talking to an SMTP server. SMTP is
but you don't need to know much about the protocol to send a simple
message. The service's assigned port number is 25, and we use
-C because it requires CRLF line endings.
contains a transcript of a session.
Example 8. Ncat as mail client
ncat -C mail.example.com 25
220 mail.example.com ESMTP
250 mail.example.com Hello client.example.com
354 Enter message, ending with "." on a line by itself
Subject: Greetings from Ncat
Hello. This short message is being sent by Ncat.
221 mail.example.com closing connection
To make this example work for you, change
mail.example.com to your SMTP server and
client.example.com to your domain
name. Naturally you'll want to change the email addresses and
message too. It will likely only work when using your normal mail
server with your real email address, or when using the recipient's
mail server (look up the MX record for the domain name in their
Obviously this technique can be used for more than just sending
mail. Ncat is a great interactive debugging tool for any text-based
protocol. Such debugging is sometimes done with the
telnet command, because it provides something
like a raw text stream. Ncat offers a few advantages over
telnet, though. Ncat doesn't print anything
except what is sent by the remote host. Telnet isn't suitable for
arbitrary binary data because it reserves some bytes as control
characters. The telnet command quits when its
input runs out, so you may not see what the other end sends. And
finally, telnet doesn't do UDP.
Turn Ncat into a simple web server
Continuing the example from the section called “A Listen Mode Example”, we can
create a simple HTTP server that serves the
index.html file using the following command:
ncat -lk -p 8080 --sh-exec "echo -e 'HTTP/1.1 200 OK\r\n'; cat index.html"
Or, if you're a Windows user:
ncat -lk -p 8080 --sh-exec "echo HTTP/1.1 200 OK& echo(&type index.html"
This will start the HTTP server, serving the
file from your current working directory. To try it out, visit
your web browser. You can also skip
:8080 from the
URL if you specified
-p 80 instead of
-p 8080 in the command above. Note that it will send
this file regardless of the entered URL - to change the file being sent,
you need to change the Ncat command or use the httpd.lua script (see
Since Ncat v6.40, it is possible to use --lua-exec feature to run a Lua
script turning Ncat into a web server. In order to do that, need the
httpd.lua script which is bundled with the Ncat source in the
ncat/scripts/ directory. With the httpd.lua script in
your working directory, run Ncat in listening mode:
ncat --lua-exec httpd.lua --listen 8080 --keep-open
This will spawn a HTTP server on TCP port 8080. Unlike the previous
example though, the httpd.lua script works without modification on all
POSIX-compatible systems and also on Windows. Moreover, you can specify
in the URL any other file from the current directory or one of its
subdirectories and it will be sent to the user, unlike the
The Ncat HTTP server examples shown above are very simple and may be not
as powerful as complete HTTP servers, such as Apache HTTPD. It is not
advised to use them in production environments (such as public website
hosting). It might be useful, though, if you need to quickly spawn a HTTP
server to copy some files or for educational purposes.
Ncat is designed to work within a pipeline, so naturally the output
of one instance of Ncat can be fed into the input of another. Here
is one way to send a log file from host1 to host3 by way of host2:
ncat -l > log.txt
ncat -l | ncat host3
ncat --send-only host2 < log.txt
A possible problem with this technique is that it is one-way: host1 can
send to host3 but there is no way for host3 to send anything back to
host1. In this case it doesn't matter, but it can be done with a
small change. Consider this:
ncat -l > log.txt
ncat -l --sh-exec "ncat host3"
ncat --send-only host2 < log.txt
The Ncat listening on host2, upon receiving a connection, creates a
new Ncat to speak to host3 and connects the inputs and outputs of
the programs running on host1 and host3 together. The same trick can
be used on the local host too. This example forwards the local port
8080 to the web server on example.org:
ncat -l localhost 8080 --sh-exec "ncat example.org 80"
Suppose you need to connect to an
IMAP server that
requires SSL, but your mail reader doesn't support SSL. Ncat can act
as the encrypted bridge to connect the client and server. You will
connect the mail client to a local port and Ncat will forward the
traffic, encrypted, to the server. Here's how to connect IMAP (port
143) on the local host to
IMAP over SSL (port 993)
ncat -l localhost 143 --sh-exec "ncat --ssl imap.example.com 993"
Once this is in place, instruct the mail client to connect to the
IMAP server on localhost.
This trick works for protocols that pass traffic strictly between
two hosts. It doesn't work well for
because HTTP is usually aware of hostnames and often involves
Use SSH Through an Ncat Tunnel
With Ncat and OpenSSH
you can SSH to a host behind a NAT
router without having to forward ports on the router. The router
must have Ncat installed. Here is how to SSH to
ssh -o ProxyCommand="ssh -q
<router> ncat %h %p"
ProxyCommand option of ssh
tells how to open the SSH connection to
. It does this
by opening another SSH session to
connecting it to
If your SSH server administrator did not disable tunneling (which is
enabled in most default configurations), you can use the proxy server
built into SSH. Use the following command to spawn a proxy server on
TCP port 8080 of your local machine that tunnels the traffic through
the SSH connection:
Now you can make connections inside the network using Ncat's proxy client
capabilities. For example, to connect to host with IP address
192.168.1.123 that is behind the router, you can use the following
command if you spawned the tunnel:
ncat --proxy localhost:8080 --proxy-type socks4 192.168.1.123
Watch What Nmap's Version Detection is Doing
Ncat can show you at a low level what's going on when Nmap
version-scans a service. We'll make a service that only listens and
instruct Nmap to use every version probe in the book. Set up Ncat to
listen and record a hex dump log. The
option will make Ncat keep listening and accepting more connections
after the first one is finished, contrary to the normal listen mode
behavior of quitting when the first connection ends. Some version
probes are binary so redirect standard output to
to avoid writing them to the screen.
ncat -l --keep-open 5200 --hex-dump vscan.log > /dev/null
Now scan the open port you made:
nmap -d -sV --version-all localhost -p 5200
An except of the hex dump is shown in
Example 9. Hex dump of Nmap version detection
 0D 0A 0D 0A ....
 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A GET / HT TP/1.0..
 0D 0A ..
 4F 50 54 49 4F 4E 53 20 2F 20 48 54 54 50 2F 31 OPTIONS / HTTP/1
 2E 30 0D 0A 0D 0A .0....
 4F 50 54 49 4F 4E 53 20 2F 20 52 54 53 50 2F 31 OPTIONS / RTSP/1
 2E 30 0D 0A 0D 0A .0....
 80 00 00 28 72 FE 1D 13 00 00 00 00 00 00 00 02 ...(r... ........
 00 01 86 A0 00 01 97 7C 00 00 00 00 00 00 00 00 .......| ........
 00 00 00 00 00 00 00 00 00 00 00 00 ........ ....
 00 1E 00 06 01 00 00 01 00 00 00 00 00 00 07 76 ........ .......v
 65 72 73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03 ersion.b ind.....
 00 0C 00 00 10 00 00 00 00 00 00 00 00 00 ........ ......
 45 48 4C 4F 0D 0A EHLO..
 48 45 4C 50 0D 0A HELP..
At the beginning, Nmap would have sent its
which isn't shown in the log file because the NULL probe doesn't
send anything. At the top of
the log is the GenericLines probe
0D 0A 0D 0A, or
\r\n\r\n). After that is our old
friend the HTTP GET
request. Then come all the other probes in the
file. In this excerpt are shown probes designed to get a response
from RPC, DNS, and SMTP.