How can we use the netcat (nc) to determine whether a particular machine is running web, mail or SSH services?

Vilican
stevGates
  • You have to know what services you're looking for, then run netcat to try to connect to those services. For example, unsecured web servers run on port 80, so you could use `nc -z www.example.com 80`. It would succeed if the server was listening on port 80, which is how web servers work; it would fail if that server didn't run a listener on port 80. – John Deters Nov 17 '15 at 21:36
  • No, `nc -z port 80` created a connection; I need to test the connection. – stevGates Nov 17 '15 at 21:38
  • Then either you have to learn enough HTTP to make a valid web server request and pipe that into netcat, or use a different tool like nmap. nmap is designed to identify the various types of services by their fingerprints, and I would recommend it as the right tool for your request. – John Deters Nov 17 '15 at 21:41
  • I need to use netcat, it's a challenge! – stevGates Nov 17 '15 at 21:44
  • You need to explain what you are looking for. It needs to be `nc`, but `nc -z www.example.com 80` isn't enough? Why isn't it enough? – schroeder Nov 17 '15 at 23:23

4 Answers

To identify if a server is running, you only need to determine if the port is open for requests. Using netcat, you can query a server like this:

    nc -z www.example.com 80

This will tell you if it's listening on port 80, the web port, but it won't tell you anything else about the server.

To use netcat to learn more, you need to pass it the correct data to elicit a valid response. That means you have to understand HTTP if you want to find out if it's running a web server, SMTP if it's running a mail sender, etc. You have to know what port a web server runs on, the name of the server, the protocol, everything.

Here's a simple example of how I'd determine if www.example.com was hosting a live web server using netcat.

    echo -e "GET http://www.example.com HTTP/1.0\n\n" | nc www.example.com 80 | less

If this comes back with a response containing `HTTP/1.0 200 OK`, it's running a web server on port 80. If not, it may not be running a typical web server.

You'll have to discover and understand the protocols of mail servers and SSH servers if you want to query them in a similar fashion.

Netcat is really the wrong tool for this job, however. If you want to identify the kinds of servers a host is running, nmap is a much better tool as it's kept current with the various fingerprints of common servers you're likely to encounter.

John Deters
  • Depending on the configuration of the service, many "typical web servers" will return an HTTP status code other than 200. For example, you may get `403 Forbidden`. Essentially, any HTTP status code returned indicates a web server is present there. Whether or not that service is used for a *website* is a completely different matter. – Iszi Nov 18 '15 at 21:17
  • @Iszi, good point. I'm just looking to give him a way to dig a bit deeper; but I'm not really sure what his goals are. – John Deters Nov 19 '15 at 15:21
  • `hst=www.google.com; res=$(echo -e -n "HEAD / HTTP/1.0\nHost: $hst\n\n" | nc $hst 80) ; echo $res | grep -q "HTTP/1.0\ 200"&& echo "Site is Up: $hst" ; echo $res | grep -q "HTTP/1.0\ 302" && echo -n "Site is Forwarded To " && echo $res|grep "Location:"` – unsynchronized May 21 '17 at 08:10
  • `hst=captive.apple.com; res=$(echo -e -n "HEAD / HTTP/1.0\nHost: $hst\n\n" | nc $hst 80) ; echo $res | grep -q "HTTP/1.0\ 200"&& echo "Site is Up: $hst" ; echo $res | grep -q "HTTP/1.0\ 302" && echo -n "Site is Forwarded To " && echo $res|grep "Location:" ` – unsynchronized May 21 '17 at 08:16
  • For variants of `nc` that don't have `-z` (eg. Centos), you can do much the same with: `nc --send-only $host $port < /dev/null` (optionally with a -v to see what's happening) - once it's quit, $? gives you 1 or 0. – Ralph Bolton Oct 30 '17 at 15:59
  • Typically, `nc -z` seems to work but sometimes I have to use `nc -zv`, otherwise no output shows up. – dtc Feb 17 '22 at 22:28
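The banner-based approach from the answer and comments above, as an added example that is not code from any of the answers: it sends a request only where the protocol needs one (HTTP), otherwise lets the server speak first (SSH, SMTP), and classifies the first line that comes back. It assumes an `nc` that accepts `-w` for a connect timeout; the hostname is supplied by the caller.

```shell
#!/bin/sh
# Added example, not from any of the answers above: probe a host with nc and
# classify what comes back by its protocol banner, so "port open" turns into
# "web / mail / SSH service". Assumes an nc that accepts -w (connect timeout),
# as OpenBSD nc, Debian netcat-openbsd and the nc110 source all do.

# classify_reply REPLY -> prints ssh, smtp, http or unknown
classify_reply() {
    case "$1" in
        SSH-*)   echo ssh ;;        # SSH servers speak first: "SSH-2.0-..."
        220*)    echo smtp ;;       # SMTP greeting: "220 host ESMTP ..."
        HTTP/1.[01]" "[1-5][0-9][0-9]*)
                 echo http ;;       # any status line (200, 403, ...) means a web server
        *)       echo unknown ;;
    esac
}

# request_for PORT HOST -> bytes to send; HTTP needs a request, while SMTP and
# SSH send their banner unprompted, so nothing is sent for other ports
request_for() {
    case "$1" in
        80|8080) printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$2" ;;
        *)       : ;;
    esac
}

# probe HOST PORT -> prints "PORT service"; returns 1 if nothing came back
probe() {
    reply=$(request_for "$2" "$1" | nc -w 3 "$1" "$2" 2>/dev/null | head -n 1)
    if [ -z "$reply" ]; then
        echo "$2 closed-or-silent"
        return 1
    fi
    echo "$2 $(classify_reply "$reply")"
}

# usage: sh probe.sh HOST   (HOST is a placeholder the caller fills in)
if [ -n "$1" ]; then
    for p in 22 25 80; do
        probe "$1" "$p"
    done
fi
```

Like Iszi's comment notes, any HTTP status line counts as a web server, so a `403` is classified as `http` just like a `200`.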
Answer to what has been asked, no extra suggestions or information.

To test if a service is running on the remote server:

    nc -zvn IP PORT

e.g. to test SMTP:

    nc -zvn 10.8.0.45 25

avicoder
As I said on superuser.com:

Yes, use HPing to do that:

$ sudo hping -S -p 80 google.com
HPING google.com (p5p1 77.237.27.37): S set, 40 headers + 0 data bytes
len=46 ip=77.237.27.37 ttl=58 id=25706 sport=80 flags=SA seq=0 win=29200 rtt=7.5 ms
len=46 ip=77.237.27.37 ttl=58 id=25707 sport=80 flags=SA seq=1 win=29200 rtt=7.4 ms
len=46 ip=77.237.27.37 ttl=58 id=25708 sport=80 flags=SA seq=2 win=29200 rtt=8.5 ms
len=46 ip=77.237.27.37 ttl=58 id=25709 sport=80 flags=SA seq=3 win=29200 rtt=7.8 ms
^C
--- google.com hping statistic ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 7.4/7.8/8.5 ms

Note that it needs root privileges (or SELinux capabilities) to create raw IP packets, just like ping (which is most likely suid on your system).

Source: https://superuser.com/a/769980/171552

d33tah

This may answer your question; netcat can do some port scanning:

"Port-scanning is a popular method for exploring what's out there. Netcat accepts its commands with options first, then the target host, and everything thereafter is interpreted as port names or numbers, or ranges of ports in M-N syntax. CAVEAT: some port names in /etc/services contain hyphens -- netcat currently will not correctly parse those, so specify ranges using numbers if you can. If more than one port is thus specified, netcat connects to all of them, sending the same batch of data from standard input [up to 8K worth] to each one that is successfully connected to. Specifying multiple ports also suppresses diagnostic messages about refused connections, unless -v is specified twice for "more verbosity". This way you normally get notified only about genuinely open connections. Example: nc -v -w 2 -z target 20-30 will try connecting to every port between 20 and 30 [inclusive] at the target, and will likely inform you about an FTP server, telnet server, and mailer along the way. The -z switch prevents sending any data to a TCP connection and very limited probe data to a UDP connection, and is thus useful as a fast scanning mode just to see what ports the target is listening on. To limit scanning speed if desired, -i will insert a delay between each port probe. There are some pitfalls with regard to UDP scanning, described later, but in general it works well."

http://nc110.sourceforge.net

schroeder
multithr3at3d