Netcat

Simple Port Scan
nc -v -w 1 192.0.0.1 1-65535 |& grep -v "refused"
Web Site download
printf "GET / HTTP/1.1\r\nHost: www.entensuppe.ch\r\nConnection: close\r\n\r\n" | nc www.entensuppe.ch 80
Test OpenVPN Server

Sending a P_CONTROL_HARD_RESET_CLIENT_V2 packet to the server initiates a new session, and the server responds with a P_CONTROL_HARD_RESET_SERVER_V2 packet.

Note: This won't work if tls-auth is active.

echo -e "\x38\x01\x00\x00\x00\x00\x00\x00\x00" | timeout 3 nc -u 192.0.0.1 1194 | cat -v
Example
user@server:~$ echo -e "\x38\x01\x00\x00\x00\x00\x00\x00\x00" | timeout 3 nc -u 192.0.0.1 1194 | cat -v
@M-*g^EDXM-R+z^@^@^@^@^@

The command above doesn't work on OPNsense (FreeBSD). In this case, the following command should work.

echo -n "3801000000000000000a" | perl -e 'print pack "H*", <STDIN>' | timeout 3 nc -u 192.0.0.1 1194 | cat -v
Example
root@opnsense:~ # echo -n "3801000000000000000a" | perl -e 'print pack "H*", <STDIN>' | timeout 3 nc -u 192.0.0.1 1194 | cat -v
@E4M-^CM-*|JQa^@^@^@^@^@@E4M-^CM-*|JQa^@^@^@^@^@
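
Rather than reading the `cat -v` output by eye, the reply can be decoded and checked for the expected opcode. The following is an added example, not part of the original page: the function names `openvpn_probe` and `openvpn_classify` are made up for this sketch, and `SAMPLE_REPLY` is the Linux reply shown above converted from `cat -v` notation to hex.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.
# Hex form of the Linux example reply above, decoded from its cat -v notation.
SAMPLE_REPLY="40aa67054458d22b7a0000000000"

# Send the same 10 probe bytes using printf octal escapes, which behave the
# same on Linux and FreeBSD, and print the reply as one hex string.
openvpn_probe() {   # usage: openvpn_probe HOST [PORT]
    printf '\070\001\000\000\000\000\000\000\000\n' |
        timeout 3 nc -u "$1" "${2:-1194}" | od -An -tx1 | tr -d ' \n'
}

# Classify a reply given as hex.
# Byte 0 = opcode (high 5 bits) | key_id (low 3 bits); bytes 1-8 = session id.
# Opcode 7 = P_CONTROL_HARD_RESET_CLIENT_V2, 8 = P_CONTROL_HARD_RESET_SERVER_V2.
# Returns 0 only for opcode 8. If the reply arrives twice, as in the OPNsense
# output, only the first 9 bytes are inspected.
openvpn_classify() {
    hex=$(printf '%s' "$1" | tr -d ' \n' | tr 'A-F' 'a-f')
    case $hex in
        ''|*[!0-9a-f]*) echo "no reply or not hex"; return 1 ;;
    esac
    if [ "${#hex}" -lt 18 ]; then
        echo "reply too short (${#hex} hex chars)"; return 1
    fi
    first=$(printf '%d' "0x$(printf '%s' "$hex" | cut -c1-2)")
    opcode=$((first >> 3))
    key_id=$((first & 7))
    session_id=$(printf '%s' "$hex" | cut -c3-18)
    if [ "$opcode" -eq 8 ]; then
        echo "P_CONTROL_HARD_RESET_SERVER_V2 key_id=$key_id session_id=$session_id"
        return 0
    fi
    echo "unexpected opcode=$opcode key_id=$key_id"
    return 1
}

# Live use (needs network access to the server):
#   openvpn_classify "$(openvpn_probe 192.0.0.1)"
```

The exit status makes the function usable as a monitoring check: 0 means the server answered with a hard reset, 1 covers timeouts and any other reply.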
apps/netcat.txt · Last modified: 2024-08-29 13:41 by Manuel Frei