ncat is a utility that is like the UNIX cat command but for network connections. It’s based on the original netcat and comes with a couple of more modern features.
In this short post, we’ll go through a couple of examples to see exactly what uses this tool has. I’m currently using ncat version 7.01, in Ubuntu 16.04. ncat is a part of the nmap package in Ubuntu.
Shiny new things
A couple of the features of ncat, some of which are new, are:
- IPv6 Support
- Chain multiple ncat together
- Support for SSL
- Ability to specify specific hosts to allow or deny access to in listen mode
While the new features are great, it’s important to note that ncat is not 100% reverse compatible with the original netcat.
Examples
Let’s continue with a couple of examples to get you started.
IPv4 or IPv6?
To force ncat to only use either IPv4 og IPv6, use:
-4-6
..as in:
|
1 |
ncat -6 <server> 10100 |
..to connect to a server only through IPv6.
Banner grabbing
|
1 |
ncat -C scanme.nmap.org 80 |
..and type in:
|
1 |
GET / HTTP/1.0 |
..and press enter twice. The result will be something along the lines of:
|
1 2 3 4 5 6 7 8 9 |
... HTTP/1.1 200 OK Date: Fri, 25 Nov 2016 09:01:08 GMT Server: Apache/2.4.7 (Ubuntu) Accept-Ranges: bytes Vary: Accept-Encoding Connection: close Content-Type: text/html ... |
The option -C is used because it requires CRLF line endings.
Chaining
An example from nmap’s website; sending a log file from host1 to host3, by way of host2:
host3
|
1 |
ncat -l > log.txt |
host2
|
1 |
ncat -l --sh-exec "ncat host3" |
host1
|
1 |
ncat --send-only host2 < log.txt |
Cloning partitions over the network
One of the more useful tricks is the ability to clone partitions over the network.
On the system you’d like to clone the partition from, do:
|
1 |
dd if=/dev/sda | ncat -l 10100 |
..and on the receiving machine:
|
1 |
ncat <server> 10100 | dd of=/dev/sda |
To speed up the process of transfer you can always throw in gzip for compression:
|
1 |
dd if=/dev/sda | gzip -9 | ncat -l 10100 |
..and:
|
1 |
ncat <server> 10100 | gzip -d | dd of=/dev/sda |
Web server
Setting up a simple webserver is also easy:
|
1 |
ncat -l 8080 -k --sh-exec "echo -e 'HTTP/1.1 200 OK\r\n'; cat index.html" |
The option -k makes ncat keep listening and accepting more connections after the first one is finished.
File transfer with SSL
On the machine you want to send the file from:
|
1 |
ncat -l 10100 --ssl --send-only < secret.tar.gz |
..and on the receiving end:
|
1 |
ncat <server> 10100 --ssl > secret.tar.gz |
The option –send-only does what it says – it only sends data and ignores received.
Ports
Need to check if a port is open? Try:
|
1 |
nc -z -v -w5 <host> <port> |
This example checks if port 53 is open, with a timeout of 5 seconds. When a port is open:
|
1 2 |
$ nc -z -v -w5 dns.example.com 53 Connection to dns.example.com 53 port [tcp/domain] succeeded! |
..and when it’s closed:
|
1 2 |
$ nc -z -v -w5 dns.example.com 52 nc: connect to dns.example.com port 52 (tcp) timed out: Operation now in progress |
Chat server
As far I know, the are two main ways to do this.
First way
Start listening on a port of your choice:
|
1 |
ncat -l 10100 |
..and connect to it from another machine:
|
1 |
ncat <server> 10100 |
Type in some text and the line will appear on the other machine when you press enter. You won’t be able to see who wrote what, but hey, it’s good enough if you want to communicate with someone.
Second way
The new fancier way of starting a chat-server is by using –chat:
|
1 |
ncat --chat -l 10100 |
Users who then want to connect to the chat:
|
1 |
ncat <server> 10100 |
The output will be something along the lines of:
|
1 2 |
<user0> Hello? <user5> Is it me you're looking for? |
The user IDs generated by ncat are based on the file descriptor for each connection and must be considered arbitrary. Also, you won’t see
<userX> in front of the text you type, but others will see it. The main difference when using –chat is that you and every user connected to the server will get a <userX> tag, making it easier to see who wrote what.
Mail client
ncat also works as a mail client. Expect to type a lot:
|
1 |
ncat -C mail.example.com 25 |
..followed up by typing:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
220 mail.example.com ESMTP HELO client.example.com 250 mail.example.com Hello client.example.com MAIL FROM:a@example.com 250 OK RCPT TO:b@example.com 250 Accepted DATA 354 Enter message, ending with "." on a line by itself From: a@example.com To: b@example.com Subject: Greetings from ncat This short message is brought to you by ncat. . 250 OK QUIT 221 mail.example.com closing connection |
TCP/UDP daytime server
The daytime service, defined in RFC 867, sends a human-readable date and time string over TCP or UDP port 13. It ignores any input. So, we can use:
|
1 |
ncat -l 13 --keep-open --send-only --exec "/bin/date" |
Add –udp to create an UDP daytime server instead.
Access control
Allow one host, deny others
|
1 |
ncat -l --allow 10.0.0.2 |
Deny one host, allow others
|
1 |
ncat -l --deny 10.0.0.2 |
Allow or deny hosts from file
|
1 |
ncat -l --allowfile trusted-hosts.txt |
Replace –allowfile with –denyfile to deny and trusted-hosts.txt with a file that contains the hosts to be denied.
These are just a few of the things that you can do with ncat. Have fun exploring the rest!