HakTip 90 – Netcat 101: Using Netcat To Direct Network Traffic
Today we are finishing my Netcat 101 series with a quick wrapup of tips!
Let’s start with the help file: nc -h. We haven’t gone over all of the options available to you so let’s take a quick look at a few of the other ones in here!
We checked out -h, -l, and -p, but we didn’t use -g and -G options. -g lets you force a data stream through your network to a certain path. -G tracks that connection and can be used for troubleshooting network problems.
After that is -o. This will dump data into a file of your choice and can be used as a sniffer for a man-in-the-middle attack. One example could be grabbing chat sessions while they are transferring from one client to another computer and dumping that info into a text file.
The -s option could be used for something like this: Netcat can protect your server from unauthorized access by telling you about any new connections trying to make their way in. It could block them entirely or reroute them to another port. Since Netcat can only handle one connection per instance, you would have to make it open a new instance each time it is hit with an external probe.
This will make Netcat close inbound connections then run another instance.
Some other options you will notice in this list include -t for TCP mode, -u for UDP mode, and -r for randomizing the local and remote ports. While we aren’t going to go into detail on all of these options, because there are quite a few, I do hope that this Netcat series has helped you get started! In a few moments, we’ll check out using netcat with an interactive program without using the -e option.
I’ve got a handy tip from from a fan, but also a tip of my own. Here’s mine:
Though it’s uncommon, you can also use Netcat as a proxy. Here’s an example:
nc -l -p 1337 | nc www.google.com 80.
This will make netcat listen on port 1337, and will pipe all connections to redirect to google.com on port 80. If we open our browser and go to 127.0.0.1:1337, we don’t get anything. Any in the terminal we get a bunch of gibberish (or try example.com which gives you some HTML for a 404 page.) Now, we’re just seeing this information in the terminal, in Netcat, because we haven’t told Netcat to pipe it back out to the browser. This is going to be a bidirectional pipe (netcat pipes data on port 1337 to Google.com at port 80, which in turn will pipe info back out of Netcat on port 1338).
Now we type: nc -l -p 1337 | nc www.google.com 80 | nc -l -p 1338.
Now in the browser type in 127.0.0.1:1337. Again, nothing. But, let’s now change that to 1338. It takes us directly to the site!
In previous episodes….covered Netcat with -e to create a shell. -e allows you to execute any program. What if your version of Netcat doesn’t have the -e option? For instance the Netcat-openbsd package included with most Ubuntu installations doesn’t have -e. Well then, there’s a pretty simple hack using what’s called a backpipe. A pipe, sometimes called a FIFO for File In File Out, is a special device that allows us to easily shuttle data back and forth between a process. We’ll make this using the mknod command. mknod /tmp/backpipe p.
This creates the special file “backpipe” in the /tmp directory with the “p” option which makes it a named pipe. Now we can pipe the input and output of our interactive program to a listening netcat session. So for that we’ll need an interactive program… how about the world famous text adventure from 1981 – ZORK! I have zork downloaded in ~/zork and I can run it with the frotz command.
You can grab a copy from the website.
You can run it using the frotz utility so you’ll probably also need to run sudo apt-get install frotz. Now with Zork and Frotz installed we can run: frotz ~/zork/DATA/ZORK1.DAT 0/tmp/backpipe
And finally we can connect from our other machine with: nc 12345. And look! Text adventure goodness 🙂