Ncat - Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)

Section 15: Ncat

Overview

Ncat is another new addition to the Nmap suite. Beginning with Nmap 5, Ncat was released as a modern replacement for the popular Netcat program, which is no longer actively developed. Ncat is designed to be a "Swiss Army Knife" for all things TCP/IP. You can use Ncat to act as a client or server for virtually any type of service or protocol. This allows you to see and manipulate raw protocol behavior in real time, which can be useful for troubleshooting or security auditing.

Note: Ncat is a complex tool that has countless uses. I could come up with enough material to write a whole book just on this one utility. Unfortunately, this is not that book. This guide is written from a network administrator's point of view. As such, it only covers basic usage of the utility for testing and troubleshooting. This section covers the basic operation of Ncat and it's up to you to find creative uses for the tool.

Summary of features covered in this section:

Test a Webserver

Test an SMTP Server

Transfer a File

Create an Ad Hoc Chat Server

Create an Ad Hoc Webserver

Test a Webserver

Using Ncat to connect to port 80 or 443 on a webserver allows you to test the functionality of the system by issuing HTTP requests.

Usage syntax (HTTP): ncat -C [target] 80
Usage syntax (SSL): ncat -C --ssl [target] 443

$ ncat 192.168.1.103 80

HEAD / HTTP/1.0<ENTER><ENTER>

HTTP/1.1 200 OK

Date: Sun, 25 Jan 2015 06:23:33 GMT

Server: Apache/2.4.7 (Ubuntu)

Last-Modified: Sun, 25 Jan 2015 06:08:46 GMT

ETag: "2cf6-50d73dac8beb2"

Accept-Ranges: bytes

Content-Length: 11510

Vary: Accept-Encoding

Connection: close

Content-Type: text/html

<CTRL + D>

Output of a webserver test using ncat

Using Ncat can be helpful when testing webserver configuration without having to open a browser or clear caches. It can also show you HTTP headers from the server (demonstrated above) which browsers normally hide from end users. In this example, Ncat connects to a web server on port 80. The HTTP request “HEAD / HTTP/1.0” is issued (followed by hitting the <ENTER> key twice) which displays some basic information about the server. The command “GET / HTTP/1.0” could also be issued to dump the HTML contents of the server’s index page to the screen. When finished, pressing <CTRL + D> ends the session.

Note: Some webservers may require adding the -C option when connecting so that the lines you type are sent with the CRLF line endings HTTP expects.

Ncat can be especially helpful when testing virtual hosting configuration. On vhosts, the request must also carry a Host header so the server knows which site you are asking for. The next example displays the syntax for testing a virtual webserver.

$ ncat www.example.com 80

GET / HTTP/1.0

HOST: www.example.com<ENTER><ENTER>

[...]

Testing a virtual hosted system

Test an SMTP Server

Another neat use for Ncat is testing an SMTP (Simple Mail Transfer Protocol) server.

Usage syntax: ncat [target] 25

$ ncat 192.168.1.103 25

220 E6420 ESMTP Postfix (Ubuntu)

HELO test

250 E6420

QUIT

221 2.0.0 Bye

<CTRL + D>

Testing an SMTP server connection

Connecting to an SMTP server on port 25 allows you to see and interact with a mail server. This is helpful if you are trying to troubleshoot problems with mail systems. You could actually use Ncat in this situation to craft a complete message and send it, assuming you have relay access from your location and understand proper SMTP command syntax.

In the example above, the Ncat client connects to port 25 on the SMTP server and is greeted with a 220 banner displaying some basic information about the server. Issuing the command “HELO test” results in a 250 response from the server. These responses indicate the server is working properly. Once we are satisfied that the server is working we issue the “QUIT” command and then see a 221 message which ends the session. Pressing <CTRL + D> then causes Ncat to return to the shell.
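The two dialogues above (the HEAD request with a Host header, and the 220/HELO/QUIT exchange) carried out in Python over raw sockets rather than typed into Ncat. This is an added example, not code from the book: http_head and smtp_probe do what you would do by hand, and serve_once, http_handler and smtp_handler are throwaway loopback servers whose replies are constructed to match the transcripts above so the example runs offline.

```python
import socket
import threading

# Constructed reply mirroring the book's HEAD transcript (not captured from a real host).
HTTP_REPLY = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\n"
              b"Content-Length: 11510\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n")

def serve_once(handler):
    """Throwaway loopback listener on a free port; handler gets the one accepted socket."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=lambda: handler(srv.accept()[0]), daemon=True).start()
    return srv.getsockname()[1]

def http_handler(conn):
    with conn, conn.makefile("rb") as f:
        while f.readline().strip():  # swallow request line and headers up to the blank line
            pass
        conn.sendall(HTTP_REPLY)

def smtp_handler(conn):
    """Scripted Postfix-style dialogue with the same reply codes as the book's session."""
    replies = {b"HELO TEST": b"250 E6420\r\n", b"QUIT": b"221 2.0.0 Bye\r\n"}
    with conn, conn.makefile("rb") as f:
        conn.sendall(b"220 E6420 ESMTP Postfix (Ubuntu)\r\n")
        for line in f:
            cmd = line.strip().upper()
            conn.sendall(replies.get(cmd, b"502 5.5.2 Error: command not recognized\r\n"))
            if cmd == b"QUIT":
                break

def http_head(host, port, vhost):
    """What 'ncat -C host 80' plus HEAD does: CRLF line endings and a Host header for vhosts."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(f"HEAD / HTTP/1.0\r\nHost: {vhost}\r\n\r\n".encode())
        raw = b"".join(iter(lambda: s.recv(4096), b""))  # read until the server closes
    lines = raw.split(b"\r\n\r\n", 1)[0].decode(errors="replace").split("\r\n")
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    return int(lines[0].split()[1]), headers

def smtp_probe(host, port):
    """What 'ncat host 25' plus HELO/QUIT does; returns the banner, HELO and QUIT reply codes."""
    with socket.create_connection((host, port), timeout=5) as s, s.makefile("rb") as f:
        codes = [int(f.readline()[:3])]
        for cmd in (b"HELO test\r\n", b"QUIT\r\n"):
            s.sendall(cmd)
            codes.append(int(f.readline()[:3]))
    return codes
```

Point http_head and smtp_probe at a real host and port to repeat the book's tests, or at serve_once(http_handler) and serve_once(smtp_handler) for an offline dry run.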

Transfer a File

Ncat provides a simple way to send a single file to another system on the fly without having to use a client/server protocol like FTP.

Usage syntax (receiver): ncat -l > [output]
Usage syntax (sender): ncat --send-only [target] < [input]

# ncat -l > test.png

Setting up the receiving system to listen for a file

In the first example, we set up the receiving system to listen for a connection and redirect the output to a file. In this case the file being transferred is test.png. The example below shows the syntax used to send the file with the --send-only option and redirect the test.png file as input.

# ncat --send-only 192.168.1.103 < test.png

Transferring the file from the sending system

This will transfer the test.png file to the listening system and then close the connection. In a pinch, this can be very handy for sending a file to a remote system quickly.

Tip: You can use a checksum program such as md5sum (Linux) or md5 (Unix/BSD) to verify the integrity of the transferred file. This command can be found on most Unix/Linux systems, but is not available on Windows.
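The same one-shot transfer and checksum check in Python, as an added example that is not from the book: the receiver writes one connection to disk until end-of-file, the sender streams the file and then half-closes the connection (the signal that --send-only gives once stdin is exhausted; without it each side waits for the other), and the result is verified with SHA-256 in place of md5sum. The payload and file names are constructed; the port is chosen by the OS.

```python
import hashlib
import os
import socket
import tempfile
import threading

def start_receiver(dest_path):
    """Receiver side of 'ncat -l > file': listen on a free loopback port, write one connection to disk."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        with conn, open(dest_path, "wb") as out:
            while chunk := conn.recv(65536):  # b"" only once the sender half-closes its side
                out.write(chunk)
        srv.close()
    t = threading.Thread(target=run)
    t.start()
    return srv.getsockname()[1], t

def send_file(src_path, host, port):
    """Sender side of 'ncat --send-only host < file': stream the file, then half-close."""
    with socket.create_connection((host, port)) as s, open(src_path, "rb") as src:
        s.sendfile(src)
        s.shutdown(socket.SHUT_WR)  # EOF to the peer, as --send-only does; otherwise both ends wait

def sha256sum(path):
    """Equivalent of the book's md5sum check, with SHA-256 instead of MD5."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def transfer_and_verify(payload):
    """Write a constructed payload to a temp file, transfer it over loopback, compare checksums."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "test.png"), os.path.join(d, "received.png")
        with open(src, "wb") as f:
            f.write(payload)
        port, t = start_receiver(dst)
        send_file(src, "127.0.0.1", port)
        t.join()
        return sha256sum(src) == sha256sum(dst), os.path.getsize(dst)

if __name__ == "__main__":
    # Constructed sample: a fake PNG signature followed by 25600 bytes of filler.
    print(transfer_and_verify(b"\x89PNG" + bytes(range(256)) * 100))
```

The checksum only proves the file arrived intact; the transfer itself is sent in the clear and neither end authenticates the other.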

Create an Ad Hoc Chat Server

Ncat can also be used as a simple chat server between one or more users.

Usage syntax (host): ncat -l
Usage syntax (guest): ncat [host]

# ncat -l

Setting up ncat to listen as a host

To set up a chat, simply have one user run Ncat in listen mode (as shown above) and then connect from another system (demonstrated below).

# ncat 192.168.1.103

Sup?

Nothing

Let's go get some tacos!

Ok, meet me downstairs in 5 min.

:)

<CTRL + D>

Connecting to the host system and sending messages

Once connected, you can exchange messages between the two systems. Pressing <CTRL + D> ends the session when you are finished.

Tip: The --chat option is also provided to help facilitate chats between multiple users. This will give each user a unique ID to help keep conversations straight. Include the --chat option on the listening system to enable this feature.

Create an Ad Hoc Webserver

Using a simple HTTP response and a few HTML tags, you can get Ncat to act like a webserver.

Usage syntax: ncat -l [port] < [file]

# ncat -l 80 < web.server

Setting up Ncat to listen on port 80

In the example above, a file called web.server is used as input for Ncat listening on port 80. The contents of the web.server file are shown below and consist of an HTTP response code and then the minimum amount of HTML code needed to serve up a web page.

$ cat web.server

HTTP/1.0 200 OK

<html>

<body>

<h1>Hello, world!</h1>

</body>

</html>

Creating a simple HTTP response and HTML document

The resulting web page when accessed from a browser is displayed below.

A web browser accessing the Ad Hoc Ncat webserver

On the listening end, Ncat displays the HTTP request along with the User-Agent information supplied by the client. The output of the client request is shown below.

GET / HTTP/1.1

Host: 10.10.4.1

Connection: keep-alive

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.91 Safari/537.36

Accept-Encoding: gzip, deflate, sdch

Accept-Language: en-US,en;q=0.8

Output of a client request to Ncat