netcat

The nc (or netcat) utility (supports IPv4 and IPv6) can be used for just about anything involving TCP, UDP, or UNIX-domain sockets. It can open TCP connections, send UDP pkts, listen on arbitrary TCP/UDP ports, do port scanning, etc. Note that several variants exist (OpenBSD netcat, the older GNU/traditional netcat, nmap's ncat) and their option sets differ; the options listed below are those of the OpenBSD version (netcat-openbsd on Debian-based systems).

Typical usage:

For example, start nc as a server listening on tcp/2020:

nc -l 2020

Then, on a second terminal (console, terminal window, another computer, etc) connect to that server like this:

nc 127.0.0.1 2020

Now, anything typed at the second console appears on the first, and vice versa. Once the connection is established, nc does not care which side was the "server". To terminate the connection, send EOF with CTRL+D.

Some other examples:

nc -p 32337 -w 5 host2.home.net 42

open a TCP connection to port 42 of the specified host using port 32337 as the source port, set timeout to 5 sec;

nc -zv host2.home.net 20-25 80

scan the specified host for open ports in the range 20..25 and also try port 80 (-z connects without sending data, -v reports each result);
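
A scripted version of the port check (-z with a -w timeout) plus a minimal banner grab, added here as an example; it is not part of the original page. It assumes the OpenBSD netcat variant, where -w is both the connect and the idle timeout, and the host name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Quick TCP reachability sweep with nc -z (connect only, no data sent).
# check_ports HOST PORT... prints one line per port and returns 0 when at
# least one port accepted the connection, 1 otherwise. -w 3 bounds each
# attempt, so a filtered port (no RST, no SYN/ACK) cannot stall the sweep.
check_ports() {
  host=$1; shift
  found=1
  for port in "$@"; do
    if nc -z -w 3 "$host" "$port" 2>/dev/null; then
      echo "$host:$port open"
      found=0
    else
      echo "$host:$port closed/filtered"
    fi
  done
  return $found
}

# Banner grab: connect, send nothing, print whatever the service says first.
# With OpenBSD nc, -w 3 is also the idle timeout, so a silent service
# returns after about 3 s instead of hanging.
banner() {
  nc -w 3 "$1" "$2" </dev/null 2>/dev/null | head -c 256
}

# Example (placeholder host): sweep the ports used on this page, then grab
# the SSH banner if tcp/22 answered.
#   check_ports host2.home.net 20 21 22 23 24 25 80 && banner host2.home.net 22
```

The exit code makes check_ports usable in scripts and cron jobs (e.g. alert when a port that should be closed starts answering); redirecting stderr hides the per-variant usage noise of nc.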

Options
-4 use IPv4 addresses only;
-6 use IPv6 addresses only;
-b allow broadcast;
-C send CR/LF as line-ending;
-D enable the debug socket option;
-d detach from stdin;
-F pass the first connected socket using sendmsg (2) to stdout and exit; cannot be used with -U;
-h help;
-I n the size of the TCP receive buffer;
-i t sleep interval (sec) between lines of text sent and received, or between connections to multiple ports;
-k keep inbound sockets open for multiple connects;
-l listen for incoming connection requests; this cannot be used together with -x or -z;

-M ttl

set the TTL/hop limit of outgoing pkts;

-m m ask kernel to drop incoming pkts whose TTL/hop limit is less than m;
-N shutdown (2) the network socket after EOF on stdin (some servers require this);
-n no DNS or service lookups, do not try to resolve addresses, hostnames or ports;
-O n the size of the TCP send buffer;

-P user

use this username for proxy authentication;

-p src_port

use this source port, subject to privilege restrictions and availability;

-q t quit after EOF on stdin and delay of t sec;
-r choose source and/or destination ports randomly;
-S enable the TCP MD5 signature option;

-s source

set the source address to send pkts from (useful on multi-homed hosts); together with -l it gives the address to listen on;

-T keyword

change the IPv4 TOS/IPv6 traffic class value; options: critical, inetcontrol, lowcost, lowdelay, netcontrol, throughput, reliability, ... or a hex/decimal number;

-t answer TELNET negotiation;
-U use UNIX domain socket;
-u use UDP instead of TCP;

-V rtable

set the routing table to be used;

-v verbose;
-W n terminate after receiving n packets from the network;
-w t timeout connections which cannot be established or are idle after t sec; it does not apply to the listening mode (-l); the default is no timeout;

-X proxy_proto

use this proxy protocol when talking to a proxy server; supported protocols: 4 (SOCKS v.4), 5 (SOCKS v.5) and connect (HTTPS proxy); default is SOCKS version 5;

-x addr[:port]

connect to dest using a proxy at addr and port; if port is not specified, the well-known port for the proxy protocol is used (1080 for SOCKS, 3128 for HTTPS); an IPv6 address can be specified unambiguously by enclosing addr in square brackets; a proxy cannot be used with any of the options -lsuU;

-Z DCCP mode (Datagram Congestion Control Protocol);
-z only scan for listening daemons, do not send any data;

netstat

Deprecated

shows network connections, routing tables, interface statistics, masqueraded connections and multicast membership. It belongs to the deprecated net-tools package; on current systems ss (sockets) and ip (routes, interfaces) from iproute2 give the same information. Note that the PID/Program name column is complete only for processes you own unless you prepend sudo.

netstat -A inet -l -n -p | more

show listening sockets for inet address family, do not resolve names, show related programs;

netstat -tulpn | more

show listening sockets for tcp and udp protocols, do not resolve names, show related programs;

watch netstat -tulpn

like prev but in real time (exit - Ctrl + c);

netstat -nlpA inet,inet6 | more

show listening sockets for inet and inet6 addr families, do not resolve names, show related programs;

netstat

show active sockets of all configured addr families;

netstat -r

display the kernel’s routing tables;

netstat -r -n

the same as previous, but do not resolve names;

netstat -i

display a table of all network interfaces;

netstat --interfaces=eth0

show info on interface eth0 only;

netstat -M

display a list of masqueraded connections;

netstat -s

display summary statistics for each protocol;

The type of info displayed is controlled by the first arg (by default a list of open sockets):

-g --groups

show multicast group membership;

-i --interfaces

show a table of all network interfaces;

-M --masquerade

show a list of masqueraded connections;

-r --route

show kernel's routing tables;

-s --statistics

show summary stats for each protocol;

Options

-h    --help    -V    --version    -v    --verbose

-A family --protocol=family

the address families (low level protocols) for which connections are to be shown; family is a comma separated list of keywords: inet and inet6 (includes raw, udp, tcp protocol sockets), unix, ipx, ax25, netrom, ddp;

-a --all

show both listening and non-listening sockets;

-C show routing info from the routing cache;

-c --continuous

show the selected info continuously;

-e --extend

show additional info (-ee - max details);

-F show routing info from the FIB (default);

-l --listening

show only listening sockets;

-n --numeric

show numerical addresses, do not try to determine symbolic host, port or user names;

--numeric-hosts

shows numerical host addresses (it does not affect the resolution of port or user names);

--numeric-ports

show numerical port numbers (it does not affect the resolution of host or user names);

--numeric-users

shows numerical user IDs (it does not affect the resolution of host or port names);

-o --timers

include info related to networking timers;

-p --program

show the PID and the name of the program to which each socket belongs

-W --wide

do not truncate IP addresses;

Output (inet connections)

Proto

the protocol used by the socket;

Recv-Q

the count of bytes not copied by the user prog connected to this socket;

Send-Q

the count of bytes not acknowledged by the remote host;

Local Address

addr/port of the local end of the socket;

Foreign Address

addr/port of the remote end of the socket;

State

state of the socket (usually blank for raw and udp):

ESTABLISHED socket has an established connection;
SYN_SENT socket is trying to establish a connection;
SYN_RECV a connection request has been received from the net;
FIN_WAIT1 socket is closed and the connection is shutting down;
FIN_WAIT2 connection is closed and the socket is waiting for a shutdown from the remote end;
TIME_WAIT socket is waiting after close to handle packets still in the network;
CLOSED socket is not used;
CLOSE_WAIT remote end has shut down, waiting for the socket to close;
LAST_ACK remote end has shut down and the socket is closed; waiting for acknowledgement;
LISTEN socket is listening for incoming connections;
CLOSING both sockets are shutting down, but not all data has been sent;
UNKNOWN the state of the socket is unknown;

User

username or UID of the socket owner;

PID/Program name

PID and the process name of the process that owns the socket;
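
The columns above are what a practitioner reads when deciding which services are exposed to the network. The following filter, added here as an example (not from the original page), reduces netstat -tulpn output to the listeners bound to something other than a loopback address; the netstat lines it is tested against are constructed, not captured from a real host.

```shell
#!/bin/sh
# Reduce "netstat -tulpn" (or -anp) output to the listeners that are
# reachable from the network, i.e. bound to a non-loopback address.
# Reads netstat output on stdin, prints "proto local_address pid/program".
exposed_listeners() {
  awk '
    $1 ~ /^(tcp|udp)6?$/ {
      proto = $1; local = $4
      # Local Address is addr:port; the port follows the last colon, so
      # this also handles IPv6 forms such as :::80 and ::1:631.
      n = split(local, a, ":"); port = a[n]
      addr = substr(local, 1, length(local) - length(port) - 1)
      # TCP lines carry a State column; UDP lines do not, so the
      # PID/Program column shifts one field to the left.
      if (proto ~ /^tcp/) { if ($6 != "LISTEN") next; prog = $7 } else { prog = $6 }
      if (addr ~ /^127\./ || addr == "::1" || addr == "::ffff:127.0.0.1") next
      print proto, local, prog
    }'
}

# Constructed sample in netstat -tulpn layout (not from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      634/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      901/apache2
udp        0      0 127.0.0.53:53           0.0.0.0:*                           510/systemd-resolve
udp        0      0 0.0.0.0:68              0.0.0.0:*                           498/dhclient
EOF
}

# Live use (root is needed for a complete PID/Program column):
#   sudo netstat -tulpn | exposed_listeners
```

On the sample this prints sshd on 0.0.0.0:22, apache2 on :::80 and dhclient on 0.0.0.0:68; cupsd and the stub resolver are dropped because they only listen on loopback. A "-" in the program column means the socket belongs to another user and netstat was not run as root.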

nice

modifies (adjusts) scheduling priority of a program.

nice -n 19 dd if=/dev/hda of=fc6.iso

run dd ... with lowered priority;

nice [options] [cmd [arg] ...]

If no command is given, ~ prints the current niceness. A larger number means a lower priority.

Options

--help    --version

-n adjust, --adjustment=adjust

add adjust to the niceness (10 if -n is omitted); the range is from -20 (highest priority) to 19 (lowest priority); only root may use a negative adjustment, i.e. raise priority;

nmap

is a network security scanner. It detects which hosts are up, which TCP/UDP ports are open, what services are available, etc. Note that ~ functionality is limited unless the user is root: the raw-socket scan types (SYN, FIN, Xmas, Null, ACK, UDP, idle) and OS detection need raw socket access, so an unprivileged user is limited to TCP connect scans.

nmap -sU -p 1-1024 srv2

launch UDP scan of port range 1..1024 against srv2;

nmap -p 25 mail.acme.com

check if mail.acme.com accepts SMTP connections (tcp/25); the default scan type is used (TCP SYN when run as root, TCP connect otherwise);

nmap -PN -p 22 192.168.2.14

check if host 192.168.2.14 accepts SSH connections (tcp/22); skip host discovery and treat the host as online (-PN, spelled -Pn in current nmap; needed when ping probes are filtered);

nmap -p '1-1024,1521' db.acme.net

scan first 1024 TCP ports on db.acme.net, and check if Oracle database is available (Oracle Net usually listens on tcp/1521);

nmap -v 192.168.0.4

scan the default port set on the specified host (the 1000 most common TCP ports in current nmap; old releases scanned 1..1024 plus the ports listed in nmap-services), and give verbose output;

nmap -sF -p 1-445 192.168.0.5

launch a stealth TCP FIN scan against a host 192.168.0.5; limit scan to the port range 1..445;

nmap -sP 192.168.0.0/24 -oN scan.log

find available hosts (up and running) in the net 192.168.0.0 (netmask is 24 bits) without port-scanning them (-sP is spelled -sn in current nmap), and save the results to a file named scan.log in normal text format;

nmap -sS -O ws54

try to find what OS is installed on ws54;

nmap -sX -p 22,53,110,143,4564 195.110.2.7-64

launch an Xmas tree scan (specified ports only) against a range of hosts (195.110.2.7..195.110.2.64); may be useless if the target system is Microsoft, Cisco, HP/UX;

nmap [scan_type] [options] host | network

Scan types
-sS stealth TCP SYN scan (default for root); we send a SYN pkt and wait for response; if we receive RST, it means this port is not listening; a SYN,ACK indicates that port is listening and we immediately send RST to break connection; the target host usually does not log this activity, but some firewalls do, if properly set;
-sT TCP connect scan (default for non-priv users); we try to connect to each interesting port; this activity can be easily detected and logged by the target host;

-sF, -sX, -sN

stealth FIN, Xmas Tree and Null scan modes; these are better hidden than a SYN scan; the basic idea is that closed ports must reply to such probe pkts with an RST, while open ports ignore them (RFC 793); the FIN scan uses a bare FIN pkt as the probe, Xmas Tree turns on FIN, URG and PUSH, and Null turns off all flags; current nmap reports a silent port as open|filtered, because a firewall dropping the probe looks exactly the same; some systems from Microsoft, Cisco, HP/UX, MVS, BSDI and IRIX do not obey RFC 793 and answer RST on every port, so these scans find no open ports there while a SYN scan does;

-sP ping scan (spelled -sn in current nmap); does not really scan, it just finds whether the specified hosts are up; by default, if the user is root, ~ sends in parallel an ICMP echo request and a TCP ACK to port 80 (current releases add a TCP SYN to port 443 and an ICMP timestamp request); non-privileged users send a TCP connect instead of ACK or SYN; note that this host discovery step runs before every scan type, whatever the number of targets, so hosts that do not answer it are silently skipped; use -P0/-Pn to scan them anyway;
-sV version detection; after tcp/udp ports are discovered by other scan methods, version detection talks to each open port to identify the service protocol, application name and version (not the OS; use -O for that);
-sU UDP scan; we send empty udp pkts to each port on the target (current nmap uses protocol-specific payloads for some well-known ports); an "ICMP port unreachable" reply means the port is closed, a UDP reply means it is open, and no reply at all is reported as open|filtered, because firewalls often drop both the probe and the ICMP error; also, many hosts rate-limit ICMP error msgs (Linux: one per second by default), which makes a udp scan of many closed ports very slow; in general, it is not easy to find which udp ports are really open;
-sO IP protocol scan (is used to find what IP protocols are supported on the target); we send raw IP pkts to each specified prot on a target host; if response is "ICMP protocol unreachable" msg, then prot is unavailable, otherwise we assume it is open; all problems related to ICMP (see above) can take place with this type of scan as well;

-sI <zombie_host[:probe_port]>

Idle scan, an advanced method that bounces probes off a "zombie" host with predictable IP ID values, so the target sees the zombie's address rather than the scanner's;

-sA ACK scan; an advanced method, which is usually used to map out firewall rulesets; we send ACK pkt with random looking acknowledgement / sequence numbers; if RST comes back, port is classified as "unfiltered"; if nothing or "ICMP unreachable" is returned, port is classified as "filtered";
-sW window scan; an advanced method, similar to previous (ACK scan), except that it can sometimes detect open ports as well as filtered / unfiltered;
-sR RPC scan (older releases; in current nmap it is an alias for -sV, which does the RPC grinding itself); works in combination with other port scan methods; it takes all tcp/udp ports found open and floods them with SunRPC program NULL cmds in an attempt to determine whether they are RPC ports;
-sL list scan, generates and prints a list of IP addresses or hostnames without actually pinging or scanning them;

-b <ftp_relay_host>

FTP bounce attack;

Some options

--help    --version

-v verbose;
-6 scan via IPv6 rather than IPv4;

-Ddecoy1,decoy2,...

use decoys; it may be effective for hiding your IP among many decoys;

-e iface

use network interface iface;

-F fast scan mode; scan fewer ports than the default (the 100 most common in current nmap; older releases used the ports listed in the nmap-services file distributed with ~);
-g n set source port number to be used in scans;

-iL file

get targets from file ('-' for stdin);

-n / -R

never / always do reverse DNS resolution (default is "sometimes resolve");

-O use TCP/IP stack fingerprinting to guess the remote OS (requires root);

-oN logfile

save scan output in normal format to logfile; there are also: XML (-oX) and grepable (-oG) formats;

-p range

ports to scan, for example: '1-1024,7779,8080';

-P0 do not try to ping hosts before scanning them (spelled -Pn in current nmap); without it, hosts that do not answer the discovery probes are not port-scanned at all;
-r scan ports in sequential order instead of the default random order (the randomization makes the scan slightly less conspicuous to simple detectors);

-S ip_addr

use source address ip_addr;

-T policy

general timing policy; policy is one of the following names, or the corresponding number 0..5 in the same order:

Paranoid very slow, to avoid detection;
Sneaky slow, 15s between packets;
Polite serialize probes and wait at least 0.4s between them to reduce chances of crashing target;
Normal as quickly as possible without overloading network or missing hosts/ports (default);
Aggressive assumes a fast and reliable network and speeds the scan up by shortening timeouts and raising parallelism; on slow or lossy links it raises the chance of missed ports;
Insane for very fast networks; some scan info may be lost because no more than 0.3s is waited for an individual probe;
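
After a scan, the grepable format (-oG) is the easiest one to post-process in shell: each "Host:" line carries tab-separated fields, and the "Ports:" field lists port/state/proto/owner/service/rpcinfo/version/ entries separated by ", ". The filter below, added here as an example and not part of the original page, prints every open port per host; the scan output it is tested against is constructed, not from a real scan.

```shell
#!/bin/sh
# Extract open ports from nmap grepable output (-oG).
# Reads -oG output on stdin, prints "host port/proto service" per open port.
open_ports() {
  awk '
    BEGIN { FS = "\t" }
    /^Host: / {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)   # drop "(hostname)"
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue                           # skip Status:, Ignored State:
        p = $i; sub(/^Ports: /, "", p)
        n = split(p, e, ", ")
        for (j = 1; j <= n; j++) {
          split(e[j], f, "/")   # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
          if (f[2] == "open") print host, f[1] "/" f[3], (f[5] == "" ? "?" : f[5])
        }
      }
    }'
}

# Constructed sample (two hosts, three ports each); not real scan output.
sample_gnmap() {
  printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sS -p 22,80,443 -oG scan.gnmap 192.168.0.4-5'
  printf 'Host: 192.168.0.4 ()\tStatus: Up\n'
  printf 'Host: 192.168.0.4 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/closed/tcp//http///, 443/closed/tcp//https///\n'
  printf 'Host: 192.168.0.5 ()\tStatus: Up\n'
  printf 'Host: 192.168.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http//nginx 1.18/, 443/open/tcp//https///\tIgnored State: closed (0)\n'
  printf '%s\n' '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 5.00 seconds'
}

# Live use:
#   nmap -sS -oG scan.gnmap 192.168.0.0/24 >/dev/null && open_ports < scan.gnmap
```

On the sample the output is one line for 192.168.0.4 (22/tcp ssh) and three for 192.168.0.5. Ports reported as open|filtered (UDP, FIN/Xmas/Null scans) have the state "open|filtered" and are deliberately not matched; relax the comparison if you want them listed as well.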

nmcli

is a cmdline tool for controlling NetworkManager daemon and reporting network status. It can be used to create, display, edit, delete, activate, and deactivate network connections, and to control and display network device status.

There are two main concepts used by NetworkManager: device and connection. To see devices detected by NetworkManager,

nmcli device

You can use some shortcuts, e.g. the next cmds work exactly like the previous one:

nmcli dev

nmcli d

DEVICE  TYPE      STATE      CONNECTION         
enp7s0  ethernet  connected  Wired connection 1 
lo      loopback  unmanaged  --

If you want to exclude some device from NetworkManager control,

nmcli device set enp3s0 managed no

This is not persistent and is reverted at reboot. You can also revert it yourself:

nmcli device set enp3s0 managed yes

To see the IP config for each device, use:

nmcli

To get detailed info about the specified device:

nmcli device show enp7s0

or

nmcli d show enp7s0

To get status of all devices:

nmcli device status

To list the available connections,

nmcli connection

or

nmcli c

NAME                UUID               TYPE      DEVICE 
Wired connection 1  c883bc75-ca24 ...  ethernet  enp7s0

To list all currently active connections:

nmcli connection show --active

You can deactivate and activate connections with the following cmds:

nmcli connection down 'Wired connection 1'

nmcli connection up 'Wired connection 1'

To see the details of a connection (very long list, press Space to move on, or q to quit),

nmcli connection show 'Wired connection 1'

Wireless connections

SSID - Service Set Identifier; SSIDs serve as Wi-Fi network names and are typically natural language labels. The SSID is broadcast by stations in beacon packets to announce the presence of a network. Mobile devices will look for all networks in range when you attempt to connect to local Wi-Fi.

You can find if Wi-Fi is enabled in your system with this cmd:

nmcli radio wifi

But (!) enabled does not mean present. My desktop without Wi-Fi shows enabled, but lists no Wi-Fi devices. As demonstrated above, you can check which network devices your system has with one of the following cmds:

nmcli

nmcli d

nmcli dev status

So, if your system has a Wi-Fi device, you can switch Wi-Fi support on/off (enable/disable):

nmcli radio wifi on

nmcli radio wifi off

NetworkManager scans Wi-Fi networks periodically. To list the SSIDs of Wi-Fi Access Points currently visible to your Linux system,

nmcli dev wifi list

If you see some SSIDs but don't see the desired one, try to rescan using

nmcli dev wifi rescan

If that does not help, maybe you are too far from the AP, or its antennas are pointed the wrong way, ...

If you know SSID and password, you can connect to Wi-Fi network using:

sudo nmcli dev wifi connect 'Cool Hotspot' password 'abracadabra'

or, without exposing the password on the cmdline (a password passed as an argument ends up in your shell history and is visible to every local user in the process list while nmcli runs),

nmcli --ask dev wifi con "Cool Hotspot"

Technically, the above cmds create connection. Now, to bring it down (disconnect) and up (connect again), you can do:

nmcli con down SSID

nmcli con up SSID

Instead of the SSID you can use the connection's UUID (very long and inconvenient unless you copy/paste). The connection info is displayed (as demonstrated above) using

nmcli con sh

To delete an existing Wi-Fi connection you need either its name or UUID:

sudo nmcli con del 'Cool Hotspot'
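
Saved profiles outlive the networks they were created for, so it is worth checking periodically which ones would auto-connect to an open or WEP network. The script below is an added example, not part of the original page or of NetworkManager: it uses nmcli -t (terse output) and nmcli -g (print one property) to collect the key-mgmt setting of every Wi-Fi profile and classifies it; the profile list used for testing is constructed. Assumptions: the key-mgmt property is empty for a profile without a wireless-security setting, and profile names containing ":" (which nmcli -t escapes as "\:") are not handled.

```shell
#!/bin/sh
# Audit saved Wi-Fi profiles for missing or legacy security.
# classify_wifi reads "NAME:KEY_MGMT" lines on stdin, where KEY_MGMT is the
# 802-11-wireless-security.key-mgmt property (empty for an open network),
# and prints "NAME<TAB>VERDICT" with VERDICT one of open, wep, ok, unknown.
classify_wifi() {
  awk -F: '
    NF > 0 {
      name = $1; km = $2
      if (km == "")                                v = "open"     # no security setting
      else if (km == "none" || km == "ieee8021x")  v = "wep"      # static / dynamic WEP
      else if (km ~ /^(wpa-psk|wpa-psk-sha256|wpa-eap|wpa-eap-suite-b-192|sae|owe)$/) v = "ok"
      else                                         v = "unknown"
      printf "%s\t%s\n", name, v
    }'
}

# Number of profiles that should be deleted (nmcli con del) or re-keyed.
weak_wifi_count() {
  classify_wifi | awk -F'\t' '$2 == "open" || $2 == "wep" { n++ } END { print n + 0 }'
}

# Collect NAME:KEY_MGMT for every 802-11-wireless profile on the live system.
wifi_profiles() {
  nmcli -t -f NAME,TYPE connection show | while IFS=: read -r name type; do
    [ "$type" = "802-11-wireless" ] || continue
    km=$(nmcli -g 802-11-wireless-security.key-mgmt connection show "$name")
    printf '%s:%s\n' "$name" "$km"
  done
}

# Constructed sample (not from a real system) for offline use.
sample_profiles() {
  printf '%s\n' 'Cool Hotspot:wpa-psk' 'Cafe Guest:' 'OldRouter:none' 'Corp:wpa-eap'
}

# Live use:  wifi_profiles | classify_wifi
```

On the sample, "Cafe Guest" is reported as open and "OldRouter" as wep, so weak_wifi_count prints 2. An "unknown" verdict means a key-mgmt value this script does not know; check it by hand rather than assuming it is safe.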

Network connectivity

The connectivity argument shows the network connectivity state:

nmcli networking connectivity

Technically, this cmd displays the most recent known connectivity state, but you can initiate rechecking with the following cmd:

nmcli networking connectivity check

Possible states:

none The host is not connected to any network
portal The host is behind a captive portal and cannot reach the full Internet
limited The host is connected to a network, but it has no access to the Internet
full The host is connected to a network and has full access to the Internet
unknown The connectivity status cannot be determined
Service management

This simple cmd outputs one word (enabled or disabled) indicating the current state of networking:

nmcli networking

You can switch all NetworkManager-controlled networking off and back on with the following cmds (this does not stop the daemon itself). Note that it requires superuser privilege:

sudo nmcli networking off

sudo nmcli networking on

Of course, you can control NetworkManager with systemctl like other system services.

The following cmd tells you whether NetworkManager is running or not:

nmcli -t -f RUNNING general

And this cmd shows the overall status of NetworkManager:

nmcli -t -f STATE general

But next cmd gives you more info:

nmcli general status

Some operations are available to a superuser only. To see what is allowed to you, as you are now (and you should be a regular user most of the time):

nmcli general permissions

Let's see current NetworkManager logging level:

nmcli general logging

Available logging levels are:

ERR Logs only critical errors
WARN Logs warnings that might reflect operation
INFO Logs various informational messages that are useful for tracking state and operations
DEBUG Enables verbose logging for debugging purposes

To set a new logging level for a specific domain or for all domains:

nmcli general logging level DEBUG domains IP4

nmcli general logging level INFO domains ALL

nproc

displays the number of processing units (CPUs/Cores) available to the current process, which may be less than the number of online processors.

nproc

show the number of processors (cores) available to this process;

nproc --all

show the total number of installed processors (cores);

nproc --ignore=2

if possible exclude 2 CPUs;

Other options are --help and --version.

ntpd, ntpdate, ntpq

ntpd is an OS daemon which sets and maintains the system time in sync with Internet standard time servers. By default it runs in continuous mode, polling time servers at intervals determined by a non-trivial algorithm using measurements of round-trip delay jitter, oscillator frequency deviation, etc. ntpdate (deprecated, but still widely used) sets the local date and time by polling the specified NTP server.

ntpd -q

sync system time (NTP servers must be set in /etc/ntp.conf); in this case ntpd exits after synchronizing (-q) or silently fails, if another instance of ntpd is already running as a daemon;

ntpd -q -g

similar to prev (one time sync), but ntpd is forced to ignore offset limits; it is used when the time difference is really big;

ntpd -q -x

sync system time with the NTP server, adjusting the clock smoothly (slewing) instead of stepping it; since the slew rate is limited to 0.5 ms/s, this takes about 2000 s per second of offset, so it is only practical for small offsets;

ntpdate ru.pool.ntp.org

sync system time with the specified NTP server; it fails if ntpd is running;

ntpq is used to monitor NTP daemon (ntpd) operations and determine performance. It may be used as a cmd line or interactive tool.

ntpq -p

get a list of known peers and a summary of their states (can be slow because of the name resolution);

ntpq -pn

like prev, but faster, because IPs are used instead of names;

Some ntpd options

--help    --version

-a enable authentication mode (default);
-A disable authentication mode;
-b synchronize using NTP broadcast messages;
-g normally ntpd exits if the offset exceeds the sanity limit (1000 seconds); -g overrides this limit and forces ntpd to set the time ignoring precautions, but only once; needing to repeat this regularly usually indicates a hardware problem;
-L listen to virtual IPs;
-n do not fork;

-p file

the name of the pid file (usually /var/run/ntpd.pid);

-q exit after the first time the clock is set (ntpdate behaviour); -g and -x are often used with this option;

-u uid:gid

drop root privileges and change user/group IDs of the ntpd process to the specified uid:gid;

-x normally the time is slewed if the offset is below the step threshold (128 ms by default), and stepped otherwise; -x raises the step threshold to 600 s so that such offsets are slewed too; however, as the slew rate is limited to 0.5 ms/s, the adjustment can take a long time (2000 sec for each second of offset);
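
ntpq -p only prints peer state; deciding whether the host is actually synchronised (which Kerberos, TLS certificate validity and log correlation all depend on) means reading the tally code in the first column and the reach register. The check below is an added example, not part of the original page or of the ntp distribution: it parses ntpq -pn output and succeeds only when a system peer (tally "*") has answered the last eight polls (reach 377). The ntpq output it is tested against is constructed using documentation addresses.

```shell
#!/bin/sh
# Parse "ntpq -pn" output and decide whether the clock is synchronised:
# there must be a system peer (tally '*') whose reach register is 377,
# i.e. the last eight polls were answered. Prints a one-line status and
# returns 0 when synchronised, 1 otherwise.
ntp_synced() {
  awk '
    NR <= 2 { next }                      # header and ruler lines
    {
      tally = substr($0, 1, 1)            # selection mark: * + - x # space
      split(substr($0, 2), f, " ")        # remote refid st t when poll reach ...
      if (tally == "*") { syspeer = f[1]; reach = f[7] }
      if (tally == "*" || tally == "+") good++
    }
    END {
      if (syspeer != "" && reach == "377") {
        printf "synced to %s, %d usable peer(s)\n", syspeer, good; exit 0
      }
      if (syspeer != "") { printf "system peer %s reach=%s (unstable)\n", syspeer, reach; exit 1 }
      print "no system peer selected"; exit 1
    }'
}

# Constructed sample in ntpq -pn layout (documentation address ranges).
sample_ntpq() {
cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   34   64  377    0.421   -0.112   0.034
+198.51.100.7    192.0.2.10       2 u   12   64  377    1.902    0.230   0.101
 203.0.113.3     .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

# Live use:  ntpq -pn | ntp_synced || echo "clock not trustworthy"
```

The .INIT. line with stratum 16 and reach 0 is what a peer that has never answered looks like; it contributes nothing and is ignored. Use -n (as in ntpq -pn) so that a broken resolver cannot turn the check itself into a hang.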

ntsysv

(outdated) (ncurses-based app) can be used to configure runlevel services (also, see chkconfig). By default ~ configures current runlevel.

ntsysv

start configuration of the current runlevel;

ntsysv --level 5

configure runlevel 5;

ntsysv --level 016

configure runlevels 0, 1, 6;

ntsysv --back --level 3

configure runlevel 3, show 'Back' button instead of 'Cancel';