Objective: Use netcat (often abbreviated to nc) to check if a remote TCP or UDP port is open.
Netcat, also known as the ‘TCP/IP Swiss Army Knife’, is a simple Unix utility which reads and writes data across network connections using either the TCP or UDP protocol. It is a feature-rich network debugging and investigation tool. Its features include tunneling of UDP over TCP, port forwarding, file transfer, port listening and port scanning.
Netcat – Check TCP Port
To scan a TCP port using netcat, use the following syntax.
$ nc -zv www.google.com.sg 80
Connection to www.google.com.sg 80 port [tcp/http] succeeded!
The ‘-z’ option tells netcat that it should just scan for listening daemons, without sending any data to them. The ‘-v’ option prints verbose output. The above is the output from the netcat-openbsd package. This seems to be the package installed by default on Ubuntu. The output from the netcat-traditional package is below.
$ nc -zv www.google.com.sg 80
DNS fwd/rev mismatch: www.google.com.sg != nuq04s29-in-f3.1e100.net
www.google.com.sg [216.58.192.3] 80 (http) open
If a port is not open, netcat could take a while to time out. To specify the maximum timeout, use the ‘-w’ option. To wait for a maximum of 5 seconds, use the syntax below.
$ nc -zv -w5 www.google.com.sg 81
nc: connect to www.google.com.sg port 81 (tcp) timed out: Operation now in progress
Netcat – Check UDP Port
To scan a UDP port with netcat, we need to use the ‘-u’ option. We can use the following syntax to scan a UDP port using netcat.
$ nc -zvu 8.8.8.8 53
Connection to 8.8.8.8 53 port [udp/domain] succeeded!
$ nc -zvu www.google.com.sg 53
Connection to www.google.com.sg 53 port [udp/domain] succeeded!
$ nc -zvu www.google.com.sg 139
Connection to www.google.com.sg 139 port [udp/netbios-ssn] succeeded!
Hmmm, according to netcat, the domain www.google.com.sg has both UDP ports 53 and 139 open, which is highly unlikely. I have seen that with the netcat-openbsd package, netcat reports that a UDP port is always open even if it is actually closed (at least on Ubuntu). I got similar results with the netcat found in the netcat-traditional package.
Because UDP is connectionless in nature, you cannot reliably distinguish an open port from a firewalled port or from a lost packet – many false positives can occur from UDP port scans. In UDP, there is no equivalent to a TCP SYN packet. However, if a UDP packet is sent to a port that is not open, the system will respond with an ICMP port unreachable message. Most UDP port scanners use this scanning method, and use the absence of a response to infer that a port is open. However, if a port is blocked by a firewall, this method will falsely report that the port is open. If the port unreachable message is blocked, all ports will appear open. This method is also affected by ICMP rate limiting. An alternative approach is to send application-specific UDP packets, hoping to generate an application layer response. For example, sending a DNS query to port 53 will result in a response, if a DNS server is present. This method is much more reliable at identifying open ports.
As far as I know, the best way to scan UDP ports is to send an application-specific probe packet with tools such as nmap and nessus. Even this method is not really foolproof – in some cases, a service may be listening on the port, but configured not to respond to the particular probe packet.
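The following is an added example, not part of the original article and not netcat's own code. It reproduces in Python what the TCP and UDP sections above describe: a TCP connect check with a timeout (the equivalent of ‘nc -zv -w’), and a UDP check that classifies a port three ways, ‘closed’ when an ICMP port unreachable comes back, ‘open’ when an application-layer reply arrives, and ‘open|filtered’ on silence, which is exactly the case netcat reports as ‘succeeded’. It also builds a minimal DNS query so the UDP check can be run with an application-specific probe, as the article recommends. The local fake DNS responder and the fixture helpers (`start_fake_dns_server`, `start_tcp_listener`, `reserve_closed_port`) are constructed stand-ins so the example runs offline against 127.0.0.1; the hostnames and transaction id are constructed sample values.

```python
import socket
import struct
import threading

# Kept alive so the listening sockets are not garbage-collected and closed.
_FIXTURES = []


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query: 12-byte header plus one A/IN question (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN


def check_tcp(host: str, port: int, timeout: float = 5.0) -> bool:
    """Equivalent of 'nc -zv -w<timeout>': finish the handshake, send nothing."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def check_udp(host: str, port: int, timeout: float = 2.0, probe: bytes = b"") -> str:
    """Send one datagram and classify the port:
         'open'          an application-layer reply came back
         'closed'        ICMP port unreachable arrived (raised as ECONNREFUSED)
         'open|filtered' silence: quiet service, firewall, rate-limited ICMP or loss
    The empty default probe mimics netcat and is what produces the false 'open'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))   # connected socket so ICMP errors are delivered
        try:
            s.send(probe)
            s.recv(512)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


# ---- constructed local fixtures (stand-ins, not real services) -------------

def start_fake_dns_server(host: str = "127.0.0.1") -> int:
    """Echo DNS-shaped queries back with the QR bit set; drop anything shorter
    than a DNS header, as a real resolver silently drops junk datagrams."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    _FIXTURES.append(srv)

    def serve():
        while True:
            data, peer = srv.recvfrom(512)
            if len(data) >= 12:
                flags = struct.unpack("!H", data[2:4])[0] | 0x8000
                srv.sendto(data[:2] + struct.pack("!H", flags) + data[4:], peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_tcp_listener(host: str = "127.0.0.1") -> int:
    """A listening TCP socket that never accepts; the kernel still completes
    the handshake, which is all a 'nc -z' check needs."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    _FIXTURES.append(srv)
    return srv.getsockname()[1]


def reserve_closed_port(kind: str = "tcp", host: str = "127.0.0.1") -> int:
    """Bind an ephemeral port and release it again, so it is (very likely) closed."""
    typ = socket.SOCK_STREAM if kind == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, typ) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    dns_port = start_fake_dns_server()
    dns_probe = build_dns_query("www.google.com.sg")   # constructed sample name
    print("UDP, empty probe :", check_udp("127.0.0.1", dns_port, 1.0))
    print("UDP, DNS probe   :", check_udp("127.0.0.1", dns_port, 2.0, dns_probe))
    print("UDP, closed port :", check_udp("127.0.0.1", reserve_closed_port("udp"), 1.0))
    print("TCP, listening   :", check_tcp("127.0.0.1", start_tcp_listener()))
    print("TCP, closed port :", check_tcp("127.0.0.1", reserve_closed_port("tcp")))
```

Running the script shows the article's complaint in miniature: the empty probe against the live responder reports ‘open|filtered’ (netcat would have printed ‘succeeded’), while the DNS-shaped probe produces a reply and a confident ‘open’. The ‘closed’ verdict depends on the host delivering ICMP port unreachable; where a firewall or rate limiting suppresses it, that port collapses into ‘open|filtered’ too, which is the limitation the article describes.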