How can I use netcat like ping?

  • How can we use the netcat (nc) to determine whether a particular machine is running web, mail or SSH services?

    You have to know what services you're looking for, then run netcat to try to connect to those services. For example, unsecured web servers run on port 80, so you could use nc -z -port 80 www.example.com. It would succeed if the server was listening on port 80, which is how web servers work; it would fail if that server didn't run a listener on port 80.

    no , nc -z port 80 .. created a connexion , i need to testing the connexion

    then either you have to learn enough HTTP to make a valid web server request and pipe that into netcat, or use a different tool like nmap. nmap is designed to identify the various types of services by their fingerprints, and I would recommend it as the right tool for your request.

    i need used the netcat , it s chalenge !

    you need to explain what you are looking for. It needs to be `nc`, but `nc -z www.example.com 80` isn't enough? Why isn't it enough?

  • John Deters

    John Deters Correct answer

    6 years ago

    To identify if a server is running, you only need to determine if the port is open for requests. Using netcat, you can query a server like this:

    nc -z www.example.com 80
    

    This will tell you if it's listening on port 80, the web port, but it won't tell you anything else about the server.

    To use netcat to learn more, you need to pass it the correct data to elicit a valid response. That means you have to understand http if you want to find out if it's running a web server, smtp if it's running a mail sender, etc. You have to know what port a web server runs on, the name of the server, the protocol, everything.

    Here's a simple example of how I'd determine if www.example.com was hosting a live web server using netcat.

    echo -e "GET http://www.example.com HTTP/1.0\n\n" | nc www.example.com 80 | less 
    

    If this comes back with a response containing HTTP/1.0 200 OK, it's running a web server on port 80. If not, it may not be running a typical web server.

    You'll have to discover and understand the protocols of mail servers and ssh servers if you want to query them in a similar fashion.

    Netcat is really the wrong tool for this job, however. If you want to identify the kinds of servers a host is running, nmap is a much better tool as it's kept current with the various fingerprints of common servers you're likely to encounter.

    Depending on the configuration of the service, many "typical web servers" will return an HTTP status code other than 200. For example, you may get `403 Forbidden`. Essentially, any HTTP status code returned indicates a web server is present there. Whether or not that service is used for a *website* is a completely different matter.

    @Iszi, good point. I'm just looking to give him a way to dig a bit deeper; but I'm not really sure what his goals are.

    `hst=www.google.com; res=$(echo -e -n "HEAD / HTTP/1.0\nHost: $hst\n\n" | nc $hst 80) ; echo $res | grep -q "HTTP/1.0\ 200"&& echo "Site is Up: $hst" ; echo $res | grep -q "HTTP/1.0\ 302" && echo -n "Site is Forwarded To " && echo $res|grep "Location:"`

    `hst=captive.apple.com; res=$(echo -e -n "HEAD / HTTP/1.0\nHost: $hst\n\n" | nc $hst 80) ; echo $res | grep -q "HTTP/1.0\ 200"&& echo "Site is Up: $hst" ; echo $res | grep -q "HTTP/1.0\ 302" && echo -n "Site is Forwarded To " && echo $res|grep "Location:" `

    For variants of `nc` that don't have `-z` (eg. Centos), you can do much the same with: `nc --send-only $host $port < /dev/null` (optionally with a -v to see what's happening) - once it's quit, $? gives you 1 or 0.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM

Tags used