nc
The nc (or netcat) utility (supports IPv4 and IPv6) can be used for about
anything involving TCP, UDP, or UNIX-domain sockets. It can open TCP
connections, send UDP pkts, listen on arbitrary TCP/UDP ports, do port
scanning, etc.
Typical usage:
- simple TCP proxies;
- shell-script based HTTP clients/servers;
- network daemon testing;
- a SOCKS or HTTP ProxyCommand for ssh;
For example, start nc as a server listening on tcp/2020:
nc -l 2020
Then, on a second terminal (console, terminal window, another computer, etc.) connect to that server like this:
nc 127.0.0.1 2020
Now, anything typed at the second console is relayed to the first, and vice
versa. Once the connection has been established, nc does not care which side
is the "server". To terminate the connection use CTRL+D (EOF).
Some other examples:
nc -p 32337 -w 5 host2.home.net 42
  open a TCP connection to port 42 of the specified host using port 32337 as the source port, set the timeout to 5 sec;
nc -zv host2.home.net 20-25 80
  scan the specified host for open ports in the range 20..25 and also try port 80;
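A shell-script HTTP client of the kind listed under typical usage, added here as an example (it is not code from the original page): the request is built with explicit CRLF line endings and piped into nc, using the -w and -N options described in the option list. The host name, port and path are parameters; www.example.com in the usage comment is an assumed placeholder.

```shell
#!/bin/sh
# Added example: a minimal HTTP/1.0 client on top of nc (OpenBSD netcat,
# whose -N and -w options are the ones described on this page).

# Build the request text. CRLF line endings are written explicitly, so nc's
# -C option is not needed; HTTP/1.0 plus "Connection: close" makes the
# server close the socket after one response.
http_request() {
    # $1: Host header value, $2: request path
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$2" "$1"
}

# Send the request and print only the status line (e.g. "HTTP/1.1 200 OK").
# -w 5 gives up on a connection that cannot be established or goes idle for
# 5 s; -N half-closes the socket after stdin EOF, which some servers require
# before they answer.
http_status_line() {
    # $1: host, $2: port, $3: path
    http_request "$1" "$3" | nc -w 5 -N "$1" "$2" | head -n 1 | tr -d '\r'
}

# Pull the three-digit status code out of a status line (pure shell, so it
# can be checked without a network).
http_status_code() {
    # $1: status line such as "HTTP/1.1 301 Moved Permanently"
    set -- $1
    printf '%s\n' "$2"
}

# Usage (assumed placeholder host; only runs when nc is installed):
#   sh thisscript.sh --run www.example.com 80 /
if [ "${1:-}" = "--run" ] && command -v nc >/dev/null 2>&1; then
    http_status_line "${2:-www.example.com}" "${3:-80}" "${4:-/}"
fi
```

The request text is kept in its own function so it can be inspected or replayed with a different transport; `-N` matters because an HTTP/1.0 server that waits for the client's half-close would otherwise hang until `-w` fires.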
Options
-4
  use IPv4 addresses only;
-6
  use IPv6 addresses only;
-b
  allow broadcast;
-C
  send CR/LF as line ending;
-D
  enable the debug socket option;
-d
  detach from stdin;
-F
  pass the first connected socket using sendmsg(2) to stdout and exit; cannot be used with -U;
-h
  help;
-I n
  the size of the TCP receive buffer;
-i t
  sleep interval (sec) between lines of text sent and received, or between connections to multiple ports;
-k
  keep inbound sockets open for multiple connects;
-l
  listen for incoming connection requests; cannot be used together with -x or -z;
-M ttl
  set the TTL/hop limit of outgoing pkts;
-m m
  ask the kernel to drop incoming pkts whose TTL/hop limit is less than m;
-N
  shutdown(2) the network socket after EOF on stdin (some servers require this);
-n
  no DNS or service lookups; do not try to resolve addresses, hostnames or ports;
-O n
  the size of the TCP send buffer;
-P user
  use this username for proxy authentication;
-p src_port
  use this source port, subject to privilege restrictions and availability;
-q t
  quit after EOF on stdin and a delay of t sec;
-r
  choose source and/or destination ports randomly;
-S
  enable the TCP MD5 signature option;
-s source
  send pkts from the interface with the source IP address source;
-T keyword
  change the IPv4 TOS/IPv6 traffic class value; keyword is one of critical, inetcontrol, lowcost, lowdelay, netcontrol, throughput, reliability, ... or a hex/decimal number;
-t
  answer TELNET negotiation;
-U
  use a UNIX-domain socket;
-u
  use UDP instead of TCP;
-V rtable
  set the routing table to be used;
-v
  verbose;
-W n
  terminate after receiving n packets from the network;
-w t
  time out connections which cannot be established or are idle after t sec; it does not apply to listening mode (-l); the default is no timeout;
-X proxy_proto
  use this proxy protocol when talking to a proxy server; supported protocols: 4 (SOCKS v.4), 5 (SOCKS v.5) and connect (HTTPS proxy); the default is SOCKS version 5;
-x addr[:port]
  connect to the destination using a proxy at addr and port; if port is not specified, the well-known port for the proxy protocol is used (1080 for SOCKS, 3128 for HTTPS); an IPv6 address can be specified unambiguously by enclosing addr in square brackets; a proxy cannot be used with any of the options -l, -s, -u, -U;
-Z
  DCCP mode (Datagram Congestion Control Protocol);
-z
  only scan for listening daemons, do not send any data;
netstat
(deprecated) shows network connections, routing tables, interface statistics,
masqueraded connections, multicast membership. Note that the info won't be
complete unless you prefix the command with sudo.
netstat -A inet -l -n -p | more
  show listening sockets for the inet address family, do not resolve names, show related programs;
netstat -tulpn | more
  show listening sockets for the tcp and udp protocols, do not resolve names, show related programs;
watch netstat -tulpn
  like prev, but in real time (exit with Ctrl+C);
netstat -nlpA inet,inet6 | more
  show listening sockets for the inet and inet6 addr families, do not resolve names, show related programs;
netstat
  show active sockets of all configured addr families;
netstat -r
  display the kernel's routing tables;
netstat -r -n
  the same as previous, but do not resolve names;
netstat -i
  display a table of all network interfaces;
netstat --interfaces=eth0
  show info on the first ethernet card only;
netstat -M
  display a list of masqueraded connections;
netstat -s
  display summary statistics for each protocol;
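The `netstat -tulpn` listing above is the usual starting point for checking what a host exposes. The following added example (not code from the original page) turns that listing into an audit: every socket bound to a non-loopback address whose port is not in a baseline list is reported. The sample output is constructed, not captured from a real host, and deliberately contains the two layout quirks a parser has to cope with: UDP rows have no State column, and the PID/Program name is "-" for sockets netstat cannot identify when run without sudo.

```shell
#!/bin/sh
# Added example: audit the listening sockets reported by `netstat -tulpn`
# against a baseline of ports that are expected to be exposed.

# Constructed sample in the layout netstat -tulpn prints (not captured from
# a real host). UDP rows have no State column, and PID/Program name is "-"
# for sockets owned by other users when netstat is run without sudo.
sample_netstat_tulpn() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      734/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1022/apache2
tcp6       0      0 :::3306                 :::*                    LISTEN      -
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2310/python3
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
EOF
}

# Print "proto local-address pid/program" for every socket bound to a
# non-loopback address whose port is not in the comma-separated baseline.
# stdin: netstat -tulpn output; $1: baseline such as "22,80,68".
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[0-9]+$/, "", addr)   # everything before it
            # loopback-only listeners are not reachable from the network
            if (addr == "127.0.0.1" || addr == "::1") next
            # $NF is PID/Program whether or not the State column is present
            if (!(port in ok)) print $1, $4, $NF
        }'
}

# Usage on a live system (sudo is needed for complete PID/Program names):
#   sudo netstat -tulpn | unexpected_listeners 22,80,68
# Against the constructed sample:
sample_netstat_tulpn | unexpected_listeners 22,80,68
```

Run against the sample with a baseline of 22, 80 and 68, the check reports the MySQL listener on all IPv6 addresses (whose owner is hidden because netstat was not run as root) and the unexplained python3 process on tcp/4444; the CUPS listener on 127.0.0.1 is ignored because it is not reachable from the network.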
The type of info displayed is controlled by the first arg (by default a list of open sockets):
-g, --groups
  show multicast group membership;
-i, --interfaces
  show a table of all network interfaces;
-M, --masquerade
  show a list of masqueraded connections;
-r, --route
  show the kernel's routing tables;
-s, --statistics
  show summary stats for each protocol;
Options
-h, --help
-V, --version
-v, --verbose
-A family, --protocol=family
  the address families (low-level protocols) for which connections are to be shown; family is a comma-separated list of keywords: inet and inet6 (include raw, udp, tcp protocol sockets), unix, ipx, ax25, netrom, ddp;
-a, --all
  show both listening and non-listening sockets;
-C
  show routing info from the routing cache;
-c, --continuous
  show the selected info continuously;
-e, --extend
  show additional info (-ee for max details);
-F
  show routing info from the FIB (default);
-l, --listening
  show only listening sockets;
-n, --numeric
  show numerical addresses; do not try to determine symbolic host, port or user names;
--numeric-hosts
  show numerical host addresses (does not affect the resolution of port or user names);
--numeric-ports
  show numerical port numbers (does not affect the resolution of host or user names);
--numeric-users
  show numerical user IDs (does not affect the resolution of host or port names);
-o, --timers
  include info related to networking timers;
-p, --program
  show the PID and the name of the program to which each socket belongs;
-W, --wide
  do not truncate IP addresses;
Output (inet connections)
Proto
  the protocol used by the socket;
Recv-Q
  the count of bytes not copied by the user prog connected to this socket;
Send-Q
  the count of bytes not acknowledged by the remote host;
Local Address
  addr/port of the local end of the socket;
Foreign Address
  addr/port of the remote end of the socket;
State
  state of the socket (usually blank for raw, udp):
  ESTABLISHED   socket has an established connection;
  SYN_SENT      socket is trying to establish a connection;
  SYN_RECV      a conn request has been received from the net;
  FIN_WAIT1     socket is closed and the conn is shutting down;
  FIN_WAIT2     connection is closed and the socket is waiting for a shutdown from the remote end;
  TIME_WAIT     socket is waiting after close to handle packets still in the network;
  CLOSED        socket is not used;
  CLOSE_WAIT    remote end has shut down, waiting for the socket to close;
  LAST_ACK      remote end has shut down and the socket is closed; waiting for acknowledgement;
  LISTEN        socket is listening for incoming conns;
  CLOSING       both sockets are shutting down, but not all data has been sent;
  UNKNOWN       the state of the socket is unknown;
User
  username or UID of the socket owner;
PID/Program name
  PID and the name of the process that owns the socket;
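The State column is the one worth watching over time, because certain states pile up when something is wrong: many SYN_RECV entries from many different peers are what a SYN flood looks like, and CLOSE_WAIT entries that never go away mean a local program is not closing sockets whose remote end has already shut down. The following added example (not code from the original page) counts the states in `netstat -tn` output and exposes the SYN_RECV count as a threshold check. The sample listing is constructed and uses documentation address ranges.

```shell
#!/bin/sh
# Added example: summarise the State column of `netstat -tn` output and
# check the number of half-open connections against a limit.

# Constructed sample (not from a real host) in netstat -tn layout.
sample_netstat_tn() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.0.4:22          192.168.0.10:50122      ESTABLISHED
tcp        0      0 192.168.0.4:80          203.0.113.7:41000       SYN_RECV
tcp        0      0 192.168.0.4:80          203.0.113.8:41001       SYN_RECV
tcp        0      0 192.168.0.4:80          203.0.113.9:41002       SYN_RECV
tcp        0      0 192.168.0.4:80          198.51.100.5:52010      ESTABLISHED
tcp        0      0 192.168.0.4:80          198.51.100.6:52011      TIME_WAIT
tcp        1      0 192.168.0.4:8080        198.51.100.9:33333      CLOSE_WAIT
EOF
}

# Print "STATE count" for every state seen, sorted by state name.
# stdin: netstat -tn output (State is the sixth column for tcp rows).
state_counts() {
    awk '$1 ~ /^tcp6?$/ { c[$6]++ } END { for (s in c) print s, c[s] }' | sort
}

# Print the number of connections in one state (0 if none).
# stdin: netstat -tn output; $1: state name such as SYN_RECV.
count_state() {
    awk -v want="$1" '$1 ~ /^tcp6?$/ && $6 == want { n++ } END { print n + 0 }'
}

# Exit 0 if the number of half-open (SYN_RECV) connections is at or below
# the limit, 1 otherwise. stdin: netstat -tn output; $1: limit.
syn_backlog_ok() {
    [ "$(count_state SYN_RECV)" -le "$1" ]
}

# Usage on a live system:
#   netstat -tn | state_counts
#   netstat -tn | syn_backlog_ok 100 || echo "too many half-open connections"
sample_netstat_tn | state_counts
```

The same two-column summary is what you would diff between a quiet period and an incident; the threshold in `syn_backlog_ok` is site-specific and the value 100 in the usage comment is only a placeholder.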
nice
modifies (adjusts) the scheduling priority of a program.
nice -n 19 dd if=/dev/hda of=fc6.iso
  run dd ... with lowered priority;
nice [options] [cmd [arg] ...]
If no command is specified, nice shows the current scheduling priority. A
larger number means lower priority.
Options
--help
--version
-n adjust, --adjustment=adjust
  increment priority by adjust (10 by default); the range is from -20 (highest priority) to 19 (lowest priority);
nmap
is a network security scanner. It detects which hosts are up, which TCP/UDP
ports are open, what services are available, etc. Note that nmap
functionality is limited unless the user is root.
nmap -sU -p 1-1024 srv2
  launch a UDP scan of the port range 1..1024 against srv2;
nmap -p 25 mail.acme.com
  check if mail.acme.com accepts SMTP connections (tcp/25); use the default scan type (stealth TCP SYN);
nmap -PN -p 22 192.168.2.14
  check if host 192.168.2.14 accepts SSH connections (tcp/22); skip host discovery, treat the host as online (-PN);
nmap -p '1-1024,1521' db.acme.net
  scan the first 1024 TCP ports on db.acme.net, and check if an Oracle database is available (Oracle Net usually listens on tcp/1521);
nmap -v 192.168.0.4
  scan all reserved TCP ports on the specified host, and give verbose output;
nmap -sF -p 1-445 192.168.0.5
  launch a stealth TCP FIN scan against host 192.168.0.5; limit the scan to the port range 1..445;
nmap -sP 192.168.0.0/24 -oN scan.log
  find available hosts (up and running) in the net 192.168.0.0 (netmask is 24 bits), save scan results to a file named scan.log using simple text format;
nmap -sS -O ws54
  try to find what OS is installed on ws54;
nmap -sX -p 22,53,110,143,4564 195.110.2.7-64
  launch an Xmas tree scan (specified ports only) against a range of hosts (195.110.2.7..195.110.2.64); may be useless if the target system is Microsoft, Cisco, HP/UX;
nmap [scan_type] [options] host | network
Scan types
-sS
  stealth TCP SYN scan (default for root); we send a SYN pkt and wait for the response; if we receive RST, this port is not listening; a SYN,ACK indicates that the port is listening, and we immediately send RST to break the connection; the target host usually does not log this activity, but some firewalls do, if properly set up;
-sT
  TCP connect scan (default for non-privileged users); we try to connect to each interesting port; this activity can be easily detected and logged by the target host;
-sF, -sX, -sN
  stealth FIN, Xmas Tree, Null scan modes; these are better hidden than the SYN scan; the basic idea is that closed ports must reply to probe pkts with an RST, while open ports ignore the pkts in question (RFC 793); the FIN scan uses a bare FIN pkt as the probe, Xmas tree turns on FIN,URG,PUSH, the Null scan turns off all flags; some systems from Microsoft, Cisco, HP/UX, MVS, BSDI, IRIX do not obey RFC 793, and these types of scan detect no open ports there, while SYN shows otherwise;
-sP
  ping scan; does not really scan, just finds if the specified hosts are up; by default, if the user is root, nmap sends in parallel an ICMP echo request and a TCP ACK to some port (80, by default); TCP SYN can also be used; non-privileged users send a TCP connect instead of ACK or SYN; in fact a ping is always performed when a range of hosts is specified (no matter what type of scan is chosen), which allows inactive hosts to be excluded;
-sV
  version detection; after tcp/udp ports are discovered by other scan methods, version detection communicates with those ports to find what OS is actually running there;
-sU
  UDP scan; we send 0-byte udp pkts to each port on the target; if we receive "ICMP port unreachable", the port is closed, otherwise we assume it is open; firewalls often block "port unreachable" msgs, causing the port to appear open; also, some hosts limit the ICMP error msg rate, which makes the udp scan slow; in general, it is not always easy to find which udp ports are really open;
-sO
  IP protocol scan (used to find which IP protocols are supported on the target); we send raw IP pkts for each specified protocol to the target host; if the response is an "ICMP protocol unreachable" msg, the protocol is unavailable, otherwise we assume it is open; all problems related to ICMP (see above) can occur with this type of scan as well;
-sI <zombie_host[:probe_port]>
  idle scan, an advanced scan method allowing packets to be sent on behalf of another host;
-sA
  ACK scan; an advanced method, usually used to map out firewall rulesets; we send an ACK pkt with random-looking acknowledgement / sequence numbers; if RST comes back, the port is classified as "unfiltered"; if nothing or "ICMP unreachable" is returned, the port is classified as "filtered";
-sW
  window scan; an advanced method, similar to the previous (ACK scan), except that it can sometimes detect open ports as well as filtered / unfiltered;
-sR
  RPC scan, works in combination with other port scan methods; it takes all tcp/udp ports found open and floods them with SunRPC program NULL cmds in an attempt to determine whether they are RPC ports;
-sL
  list scan, generates and prints a list of IP addresses or hostnames without actually pinging or scanning them;
-b <ftp_relay_host>
  FTP bounce attack;
Some options
--help
--version
-v
  verbose;
-6
  scan via IPv6 rather than IPv4;
-D decoy1,decoy2,...
  use decoys; it may be effective for hiding your IP among many decoys;
-e iface
  use network interface iface;
-F
  fast scan mode; scan only those ports listed in the nmap-services file (distributed with nmap);
-g n
  set the source port number to be used in scans;
-iL file
  get targets from file ('-' for stdin);
-n / -R
  never / always do reverse DNS resolution (the default is "sometimes resolve");
-O
  use TCP/IP fingerprinting to guess the remote OS;
-oN logfile
  save scan output in normal format to logfile; there are also XML (-oX) and grepable (-oG) formats;
-p range
  ports to scan, for example: '1-1024,7779,8080';
-P0
  do not try to ping hosts before scanning them;
-r
  randomize the order in which ports are scanned;
-S ip_addr
  use source address ip_addr;
-T policy
  general timing policy; policy is one of (numbers 0..5 are also allowed):
  Paranoid     very slow, to avoid detection;
  Sneaky       slow, 15 s between packets;
  Polite       serialize probes and wait at least 0.4 s between them to reduce the chance of crashing the target;
  Normal       as quickly as possible without overloading the network or missing hosts/ports (default);
  Aggressive   accelerates the SYN scan against heavily filtered hosts; a fast connection is required;
  Insane       for very fast networks; some scan info may be lost because individual probes are not waited for more than 0.3 s;
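The grepable output format (-oG) mentioned under -oN is the one meant for post-processing. The following added example (not code from the original page or from the nmap project) compares the ports recorded as open in a -oG file with the ports a host is supposed to expose, so a scan of your own hosts becomes a list of services that should not be there. The sample output is constructed, not a real scan; it follows the -oG layout (tab-separated fields on each Host line, port entries of the form port/state/proto/owner/service/rpc/version/) and includes a UDP port nmap could not classify ("open|filtered"), which the check deliberately does not count as open.

```shell
#!/bin/sh
# Added example: compare the open ports in nmap grepable output (-oG) with
# an allowlist and report everything else.

# Constructed sample in -oG layout (not a real scan). Fields on a Host line
# are tab separated; each port entry is port/state/proto/owner/service/rpc/version/.
sample_gnmap() {
    printf '%s\n' '# Nmap 7.80 scan initiated (constructed sample)'
    printf 'Host: 192.168.0.4 ()\tStatus: Up\n'
    printf 'Host: 192.168.0.4 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///\tIgnored State: closed (997)\n'
    printf 'Host: 192.168.0.5 ()\tPorts: 53/open/udp//domain///, 123/open/udp//ntp///, 161/open|filtered/udp//snmp///\tIgnored State: closed (997)\n'
    printf '%s\n' '# Nmap done -- 2 IP addresses (2 hosts up) scanned'
}

# Print "host port/proto service" for each port in state "open" whose number
# is not in the comma-separated allowlist.
# stdin: -oG output; $1: allowlist such as "22,80,53".
unexpected_open_ports() {
    awk -F'\t' -v allow="$1" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Host:/ {
            host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (f = 2; f <= NF; f++) {
                if ($f !~ /^Ports: /) continue
                plist = $f; sub(/^Ports: /, "", plist)
                m = split(plist, p, ", ")
                for (j = 1; j <= m; j++) {
                    split(p[j], e, "/")   # e[1]=port e[2]=state e[3]=proto e[5]=service
                    if (e[2] == "open" && !(e[1] in ok))
                        print host, e[1] "/" e[3], e[5]
                }
            }
        }'
}

# Usage against a saved scan of hosts you administer:
#   nmap -sS -sU -p 1-1024,1521,3306 -oG scan.gnmap 192.168.0.0/24
#   unexpected_open_ports 22,80,53 < scan.gnmap
# Against the constructed sample:
sample_gnmap | unexpected_open_ports 22,80,53
```

With the allowlist 22,80,53 the sample yields the MySQL port on 192.168.0.4 and the NTP port on 192.168.0.5; the snmp entry is skipped because, as the -sU description above explains, a UDP port that never answers cannot be told apart from a filtered one.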
nmcli
is a cmdline tool for controlling the NetworkManager daemon and reporting network status. It can be used to create, display, edit, delete, activate, and deactivate network connections, and to control and display network device status.
There are two main concepts used by NetworkManager: device and connection. To see the devices detected by NetworkManager,
nmcli device
You can use some shortcuts, e.g. the next cmds work exactly like the previous one:
nmcli dev
nmcli d
DEVICE  TYPE      STATE      CONNECTION
enp7s0  ethernet  connected  Wired connection 1
lo      loopback  unmanaged  --
If you want to exclude some device from NetworkManager control,
nmcli device set enp3s0 managed no
This is not persistent, and will be cancelled after a reboot. Or, you can return it yourself:
nmcli device set enp3s0 managed yes
To see the IP config for each device, use:
nmcli
To get detailed info about the specified device:
nmcli device show enp7s0
or
nmcli d show enp7s0
To get the status of all devices:
nmcli device status
To list the available connections,
nmcli connection
or
nmcli c
NAME                UUID               TYPE      DEVICE
Wired connection 1  c883bc75-ca24 ...  ethernet  enp7s0
To list all currently active connections:
nmcli connection show --active
You can deactivate and activate connections with the following cmds:
nmcli connection down 'Wired connection 1'
nmcli connection up 'Wired connection 1'
To see the details of a connection (very long list, press Space to move on, or q to quit),
nmcli connection show 'Wired connection 1'
Wireless connections
SSID - Service Set Identifier; SSIDs serve as Wi-Fi network names and are typically natural-language labels. The SSID is broadcast by stations in beacon packets to announce the presence of a network. Mobile devices look for all networks in range when you attempt to connect to local Wi-Fi.
You can find out if Wi-Fi is enabled in your system with this cmd:
nmcli radio wifi
But (!) enabled does not mean present. My desktop without Wi-Fi shows enabled, but does not show any Wi-Fi devices. As was demonstrated before, you can check the presence of any network devices in your system with one of the following cmds:
nmcli
nmcli d
nmcli dev status
So, if your system has a Wi-Fi device, you can switch Wi-Fi support on/off (enable/disable):
nmcli radio wifi on
nmcli radio wifi off
NetworkManager scans Wi-Fi networks periodically. To list the SSIDs of Wi-Fi access points currently visible to your Linux system,
nmcli dev wifi list
If you see some SSIDs but don't see the desired one, try to rescan using
nmcli dev wifi rescan
If it does not help, then maybe you are too far from the AP, or its antennas are directed wrongly, ...
If you know the SSID and password, you can connect to the Wi-Fi network using:
sudo nmcli dev wifi connect 'Cool Hotspot' password 'abracadabra'
or, without exposing the password on the cmdline (where it would also land in the shell history),
nmcli --ask dev wifi con "Cool Hotspot"
Technically, the above cmds create a connection. Now, to bring it down (disconnect) and up (connect again), you can do:
nmcli con down SSID
nmcli con up SSID
Instead of the SSID you can use the connection's UUID (very long and very inconvenient unless you copy/paste). The connection info is displayed (as demonstrated before) using
nmcli con sh
To delete an existing Wi-Fi connection you need either its name or UUID:
sudo nmcli con del 'Cool Hotspot'
Network connectivity
The connectivity argument shows the network connectivity state:
nmcli networking connectivity
Technically, this cmd displays the most recent known connectivity state, but you can initiate a recheck with the following cmd:
nmcli networking connectivity check
Possible states:
none      the host is not connected to any network;
portal    the host is behind a captive portal and cannot reach the full Internet;
limited   the host is connected to a network, but it has no access to the Internet;
full      the host is connected to a network and has full access to the Internet;
unknown   the connectivity status cannot be determined;
Service management
This simple cmd outputs one word (enabled or disabled) indicating the current state of networking:
nmcli networking
You can stop/start/restart NetworkManager with the following cmds. Note that this requires superuser privilege:
sudo nmcli networking off
sudo nmcli networking on
Of course, you can control NetworkManager with systemctl like other system services.
The following cmd tells you whether NetworkManager is running or not:
nmcli -t -f RUNNING general
And this cmd shows the overall status of NetworkManager:
nmcli -t -f STATE general
But the next cmd gives you more info:
nmcli general status
Some operations are available to the superuser only. To see what is allowed to you, as you are now (and you should be a regular user most of the time):
nmcli general permissions
Let's see the current NetworkManager logging level:
nmcli general logging
Available logging levels are:
ERR     logs only critical errors;
WARN    logs warnings that might reflect operation;
INFO    logs various informational messages that are useful for tracking state and operations;
DEBUG   enables verbose logging for debugging purposes;
To set a new logging level for a specific domain or for all domains:
nmcli general logging level DEBUG domains IP4
nmcli general logging level INFO domains ALL
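The `-t -f` pair used above for `nmcli -t -f RUNNING general` works for any nmcli object: -t prints one record per line with colon-separated fields and -f selects them, which is the form to use in scripts. The following added example (not code from the original page or from NetworkManager) applies it to the device listing shown earlier: it reports every non-loopback device that is not connected, so a device taken out of NetworkManager's control with `managed no` shows up as unmanaged next to any interface that simply lost its link. The sample listing is constructed, not taken from a real host, and only the first three fields are read, so colons escaped in a connection name (the fourth field) do not affect the result.

```shell
#!/bin/sh
# Added example: a device health check built on nmcli's terse output
# (-t: colon-separated fields, -f: field selection).

# Constructed sample of `nmcli -t -f DEVICE,TYPE,STATE,CONNECTION device`
# (not from a real host).
sample_nmcli_devices() {
    cat <<'EOF'
enp7s0:ethernet:connected:Wired connection 1
wlp3s0:wifi:disconnected:
docker0:bridge:unmanaged:
lo:loopback:unmanaged:
EOF
}

# Print "device type state" for every non-loopback device that is not
# connected: disconnected devices and devices NetworkManager does not
# manage (a device set "managed no" appears here as unmanaged).
# stdin: terse device listing as produced by the command above.
nm_devices_needing_attention() {
    awk -F: '$2 != "loopback" && $3 != "connected" { print $1, $2, $3 }'
}

# Exit 0 if every non-loopback device is connected, 1 otherwise; the report
# is printed either way so it can feed a monitoring check.
nm_all_devices_connected() {
    report=$(nm_devices_needing_attention)
    printf '%s\n' "$report"
    [ -z "$report" ]
}

# Usage on a live system:
#   nmcli -t -f DEVICE,TYPE,STATE,CONNECTION device | nm_all_devices_connected \
#       || echo "some network devices are down or unmanaged"
# Against the constructed sample:
sample_nmcli_devices | nm_devices_needing_attention
```

On the sample this prints the disconnected Wi-Fi device and the unmanaged Docker bridge; the loopback interface is excluded because NetworkManager never manages it.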
nproc
displays the number of processing units (CPUs/cores) available to the current process, which may be less than the number of online processors.
nproc
  show the number of processors (cores) available to this process;
nproc --all
  show the total number of installed processors (cores);
nproc --ignore=2
  if possible, exclude 2 CPUs;
Other options are --help and --version.
ntpd
is an OS daemon which sets and maintains the system time in synchronism with
Internet standard time servers. By default it runs in continuous mode,
polling time servers at intervals determined by means of a non-trivial
algorithm using measurements of the incidental round-trip delay jitter,
oscillator frequency deviation, etc.
ntpdate
(deprecated, but still widely used) sets the local date and time by polling
the specified NTP server.
ntpd -q
  sync the system time (NTP servers must be set in /etc/ntp.conf); in this case ntpd exits after synchronizing (-q) or silently fails if another instance of ntpd is already running as a daemon;
ntpd -q -g
  similar to prev (one-time sync), but ntpd is forced to ignore offset limits; used when the time difference is really big;
ntpd -q -x
  sync the system time with the NTP server, adjusting the system clock smoothly; the offset must be within 60 s, otherwise it takes a long time;
ntpdate ru.pool.ntp.org
  sync the system time with the specified NTP server; it fails if ntpd is running;
ntpq
is used to monitor NTP daemon (ntpd) operations and determine performance.
It may be used as a cmd line or interactive tool.
ntpq -p
  get a list of known peers and a summary of their states (can be slow because of name resolution);
ntpq -pn
  like prev, but faster, because IPs are used instead of names;
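`ntpq -pn` is the quickest way to confirm that a host really is synchronised, which matters for anything that relies on log timestamps. In its output the peer marked with a leading "*" is the system peer ntpd is currently synchronised to, and the offset column is in milliseconds. The following added example (not code from the original page or from the NTP project) extracts that peer and turns the offset into a pass/fail check; both sample listings are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: read `ntpq -pn` output to confirm synchronisation and that
# the offset is within an acceptable bound.

# Constructed sample of `ntpq -pn` output (not from a real host). The third
# peer is unreachable: stratum 16, reach 0.
sample_ntpq_synced() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.1     .GPS.            1 u   34   64  377    0.512    0.123   0.045
+10.0.0.7        192.168.1.1      2 u   12   64  377    1.234   -0.456   0.101
 10.0.0.8        .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

# Same layout with no system peer selected (ntpd just started, or no server
# reachable).
sample_ntpq_unsynced() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.1.1     .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

# Print "<peer> <offset_ms>" for the system peer, or NO_SYNC if there is none.
# stdin: ntpq -pn output. Columns after the tally character are:
# remote refid st t when poll reach delay offset jitter, so offset is $9.
ntp_sync_peer() {
    awk '
        /^\*/ { sub(/^\*/, ""); print $1, $9; found = 1 }   # strip tally, re-split
        END   { if (!found) print "NO_SYNC" }'
}

# Exit 0 if synchronised and |offset| <= $1 ms, 1 otherwise.
# stdin: ntpq -pn output; $1: maximum acceptable offset in ms.
ntp_offset_within() {
    peer=$(ntp_sync_peer)
    [ "$peer" != NO_SYNC ] || return 1
    awk -v max="$1" -v off="${peer#* }" \
        'BEGIN { if (off < 0) off = -off; exit (off <= max) ? 0 : 1 }'
}

# Usage on a live system:
#   ntpq -pn | ntp_offset_within 50 || echo "clock not trustworthy"
# Against the constructed sample:
sample_ntpq_synced | ntp_sync_peer
```

The 50 ms bound in the usage comment is only a placeholder; pick one that matches how closely your hosts' logs need to line up. A NO_SYNC result is the condition to alert on, since ntpd may run for a long time without ever selecting a peer if no configured server is reachable.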
Some ntpd options
--help
--version
-a
  enable authentication mode (default);
-A
  disable authentication mode;
-b
  synchronize using NTP broadcast messages;
-g
  normally ntpd exits if the offset exceeds the sanity limit (1000 seconds); -g overrides this limit and forces ntpd to set the time ignoring precautions, but only once; the need to repeat this procedure usually indicates a hardware problem;
-L
  listen to virtual IPs;
-n
  do not fork;
-p file
  the name of the pid file (usually /var/run/ntpd.pid);
-q
  exit after the first time the clock is set (ntpdate behaviour); -g and -x are often used with this option;
-u uid:gid
  drop root privileges and change the user/group IDs of the ntpd process to the specified uid:gid;
-x
  normally the time is slewed if the offset is below the step threshold (128 ms by default), and stepped otherwise; -x forces the time to be slewed in all cases; however, as the slew rate is limited to 0.5 ms/s, the adjustment process may take considerable time (2000 sec for each second of offset);
ntsysv
(outdated) (ncurses-based app) can be used to configure runlevel services (also, see chkconfig).
By default ntsysv configures the current runlevel.
ntsysv
  start configuration of the current runlevel;
ntsysv --level 5
  configure runlevel 5;
ntsysv --level 016
  configure runlevels 0, 1, 6;
ntsysv --back --level 3
  configure runlevel 3, show a 'Back' button instead of 'Cancel';