diff options
Diffstat (limited to 'README')
-rw-r--r-- | README | 946 |
1 files changed, 946 insertions, 0 deletions
@@ -0,0 +1,946 @@ +Netcat 1.10 +=========== /\_/\ + / 0 0 \ +Netcat is a simple Unix utility which reads and writes data ====v==== +across network connections, using TCP or UDP protocol. \ W / +It is designed to be a reliable "back-end" tool that can | | _ +be used directly or easily driven by other programs and / ___ \ / +scripts. At the same time, it is a feature-rich network / / \ \ | +debugging and exploration tool, since it can create almost (((-----)))-' +any kind of connection you would need and has several / +interesting built-in capabilities. Netcat, or "nc" as the ( ___ +actual program is named, should have been supplied long ago \__.=|___E +as another one of those cryptic but standard Unix tools. / + +In the simplest usage, "nc host port" creates a TCP connection to the given +port on the given target host. Your standard input is then sent to the host, +and anything that comes back across the connection is sent to your standard +output. This continues indefinitely, until the network side of the connection +shuts down. Note that this behavior is different from most other applications +which shut everything down and exit after an end-of-file on the standard input. + +Netcat can also function as a server, by listening for inbound connections +on arbitrary ports and then doing the same reading and writing. With minor +limitations, netcat doesn't really care if it runs in "client" or "server" +mode -- it still shovels data back and forth until there isn't any more left. +In either mode, shutdown can be forced after a configurable time of inactivity +on the network side. + +And it can do this via UDP too, so netcat is possibly the "udp telnet-like" +application you always wanted for testing your UDP-mode servers. UDP, as the +"U" implies, gives less reliable data transmission than TCP connections and +some systems may have trouble sending large amounts of data that way, but it's +still a useful capability to have. + +You may be asking "why not just use telnet to connect to arbitrary ports?" +Valid question, and here are some reasons. Telnet has the "standard input +EOF" problem, so one must introduce calculated delays in driving scripts to +allow network output to finish. This is the main reason netcat stays running +until the *network* side closes. Telnet also will not transfer arbitrary +binary data, because certain characters are interpreted as telnet options and +are thus removed from the data stream. Telnet also emits some of its +diagnostic messages to standard output, where netcat keeps such things +religiously separated from its *output* and will never modify any of the real +data in transit unless you *really* want it to. And of course telnet is +incapable of listening for inbound connections, or using UDP instead. Netcat +doesn't have any of these limitations, is much smaller and faster than telnet, +and has many other advantages. + +Some of netcat's major features are: + + Outbound or inbound connections, TCP or UDP, to or from any ports + Full DNS forward/reverse checking, with appropriate warnings + Ability to use any local source port + Ability to use any locally-configured network source address + Built-in port-scanning capabilities, with randomizer + Built-in loose source-routing capability + Can read command line arguments from standard input + Slow-send mode, one line every N seconds + Hex dump of transmitted and received data + Optional ability to let another program service established connections + Optional telnet-options responder + +Efforts have been made to have netcat "do the right thing" in all its various +modes. If you believe that it is doing the wrong thing under whatever +circumstances, please notify me and tell me how you think it should behave. +If netcat is not able to do some task you think up, minor tweaks to the code +will probably fix that. It provides a basic and easily-modified template for +writing other network applications, and I certainly encourage people to make +custom mods and send in any improvements they make to it. This is the second +release; the overall differences from 1.00 are relatively minor and have mostly +to do with portability and bugfixes. Many people provided greatly appreciated +fixes and comments on the 1.00 release. Continued feedback from the Internet +community is always welcome! + +Netcat is entirely my own creation, although plenty of other code was used as +examples. It is freely given away to the Internet community in the hope that +it will be useful, with no restrictions except giving credit where it is due. +No GPLs, Berkeley copyrights or any of that nonsense. The author assumes NO +responsibility for how anyone uses it. If netcat makes you rich somehow and +you're feeling generous, mail me a check. If you are affiliated in any way +with Microsoft Network, get a life. Always ski in control. Comments, +questions, and patches to hobbit@avian.org. + +Building +======== + +Compiling is fairly straightforward. Examine the Makefile for a SYSTYPE that +matches yours, and do "make <systype>". The executable "nc" should appear. +If there is no relevant SYSTYPE section, try "generic". If you create new +sections for generic.h and Makefile to support another platform, please follow +the given format and mail back the diffs. + +There are a couple of other settable #defines in netcat.c, which you can +include as DFLAGS="-DTHIS -DTHAT" to your "make" invocation without having to +edit the Makefile. See the following discussions for what they are and do. + +If you want to link against the resolver library on SunOS [recommended] and +you have BIND 4.9.x, you may need to change XLIBS=-lresolv in the Makefile to +XLIBS="-lresolv -l44bsd". + +Linux sys/time.h does not really support presetting of FD_SETSIZE; a harmless +warning is issued. + +Some systems may warn about pointer types for signal(). No problem, though. + +Exploration of features +======================= + +Where to begin? Netcat is at the same time so simple and versatile, it's like +trying to describe everything you can do with your Swiss Army knife. This will +go over the basics; you should also read the usage examples and notes later on +which may give you even more ideas about what this sort of tool is good for. + +If no command arguments are given at all, netcat asks for them, reads a line +from standard input, and breaks it up into arguments internally. This can be +useful when driving netcat from certain types of scripts, with the side effect +of hiding your command line arguments from "ps" displays. + +The host argument can be a name or IP address. If -n is specified, netcat +will only accept numeric IP addresses and do no DNS lookups for anything. If +-n is not given and -v is turned on, netcat will do a full forward and reverse +name and address lookup for the host, and warn you about the all-too-common +problem of mismatched names in the DNS. This often takes a little longer for +connection setup, but is useful to know about. There are circumstances under +which this can *save* time, such as when you want to know the name for some IP +address and also connect there. Netcat will just tell you all about it, saving +the manual steps of looking up the hostname yourself. Normally mismatch- +checking is case-insensitive per the DNS spec, but you can define ANAL at +compile time to make it case-sensitive -- sometimes useful for uncovering minor +errors in your own DNS files while poking around your networks. + +A port argument is required for outbound connections, and can be numeric or a +name as listed in /etc/services. If -n is specified, only numeric arguments +are valid. Special syntax and/or more than one port argument cause different +behavior -- see details below about port-scanning. + +The -v switch controls the verbosity level of messages sent to standard error. +You will probably want to run netcat most of the time with -v turned on, so you +can see info about the connections it is trying to make. You will probably +also want to give a smallish -w argument, which limits the time spent trying to +make a connection. I usually alias "nc" to "nc -v -w 3", which makes it +function just about the same for things I would otherwise use telnet to do. +The timeout is easily changed by a subsequent -w argument which overrides the +earlier one. Specifying -v more than once makes diagnostic output MORE +verbose. If -v is not specified at all, netcat silently does its work unless +some error happens, whereupon it describes the error and exits with a nonzero +status. Refused network connections are generally NOT considered to be errors, +unless you only asked for a single TCP port and it was refused. + +Note that -w also sets the network inactivity timeout. This does not have any +effect until standard input closes, but then if nothing further arrives from +the network in the next <timeout> seconds, netcat tries to read the net once +more for good measure, and then closes and exits. There are a lot of network +services now that accept a small amount of input and return a large amount of +output, such as Gopher and Web servers, which is the main reason netcat was +written to "block" on the network staying open rather than standard input. +Handling the timeout this way gives uniform behavior with network servers that +*don't* close by themselves until told to. + +UDP connections are opened instead of TCP when -u is specified. These aren't +really "connections" per se since UDP is a connectionless protocol, although +netcat does internally use the "connected UDP socket" mechanism that most +kernels support. Although netcat claims that an outgoing UDP connection is +"open" immediately, no data is sent until something is read from standard +input. Only thereafter is it possible to determine whether there really is a +UDP server on the other end, and often you just can't tell. Most UDP protocols +use timeouts and retries to do their thing and in many cases won't bother +answering at all, so you should specify a timeout and hope for the best. You +will get more out of UDP connections if standard input is fed from a source +of data that looks like various kinds of server requests. + +To obtain a hex dump file of the data sent either way, use "-o logfile". The +dump lines begin with "<" or ">" to respectively indicate "from the net" or +"to the net", and contain the total count per direction, and hex and ascii +representations of the traffic. Capturing a hex dump naturally slows netcat +down a bit, so don't use it where speed is critical. + +Netcat can bind to any local port, subject to privilege restrictions and ports +that are already in use. It is also possible to use a specific local network +source address if it is that of a network interface on your machine. [Note: +this does not work correctly on all platforms.] Use "-p portarg" to grab a +specific local port, and "-s ip-addr" or "-s name" to have that be your source +IP address. This is often referred to as "anchoring the socket". Root users +can grab any unused source port including the "reserved" ones less than 1024. +Absence of -p will bind to whatever unused port the system gives you, just like +any other normal client connection, unless you use -r [see below]. + +Listen mode will cause netcat to wait for an inbound connection, and then the +same data transfer happens. Thus, you can do "nc -l -p 1234 < filename" and +when someone else connects to your port 1234, the file is sent to them whether +they wanted it or not. Listen mode is generally used along with a local port +argument -- this is required for UDP mode, while TCP mode can have the system +assign one and tell you what it is if -v is turned on. If you specify a target +host and optional port in listen mode, netcat will accept an inbound connection +only from that host and if you specify one, only from that foreign source port. +In verbose mode you'll be informed about the inbound connection, including what +address and port it came from, and since listening on "any" applies to several +possibilities, which address it came *to* on your end. If the system supports +IP socket options, netcat will attempt to retrieve any such options from an +inbound connection and print them out in hex. + +If netcat is compiled with -DGAPING_SECURITY_HOLE, the -e argument specifies +a program to exec after making or receiving a successful connection. In the +listening mode, this works similarly to "inetd" but only for a single instance. +Use with GREAT CARE. This piece of the code is normally not enabled; if you +know what you're doing, have fun. This hack also works in UDP mode. Note that +you can only supply -e with the name of the program, but no arguments. If you +want to launch something with an argument list, write a two-line wrapper script +or just use inetd like always. + +If netcat is compiled with -DTELNET, the -t argument enables it to respond +to telnet option negotiation [always in the negative, i.e. DONT or WONT]. +This allows it to connect to a telnetd and get past the initial negotiation +far enough to get a login prompt from the server. Since this feature has +the potential to modify the data stream, it is not enabled by default. You +have to understand why you might need this and turn on the #define yourself. + +Data from the network connection is always delivered to standard output as +efficiently as possible, using large 8K reads and writes. Standard input is +normally sent to the net the same way, but the -i switch specifies an "interval +time" which slows this down considerably. Standard input is still read in +large batches, but netcat then tries to find where line breaks exist and sends +one line every interval time. Note that if standard input is a terminal, data +is already read line by line, so unless you make the -i interval rather long, +what you type will go out at a fairly normal rate. -i is really designed +for use when you want to "measure out" what is read from files or pipes. + +Port-scanning is a popular method for exploring what's out there. Netcat +accepts its commands with options first, then the target host, and everything +thereafter is interpreted as port names or numbers, or ranges of ports in M-N +syntax. CAVEAT: some port names in /etc/services contain hyphens -- netcat +currently will not correctly parse those, so specify ranges using numbers if +you can. If more than one port is thus specified, netcat connects to *all* of +them, sending the same batch of data from standard input [up to 8K worth] to +each one that is successfully connected to. Specifying multiple ports also +suppresses diagnostic messages about refused connections, unless -v is +specified twice for "more verbosity". This way you normally get notified only +about genuinely open connections. Example: "nc -v -w 2 -z target 20-30" will +try connecting to every port between 20 and 30 [inclusive] at the target, and +will likely inform you about an FTP server, telnet server, and mailer along the +way. The -z switch prevents sending any data to a TCP connection and very +limited probe data to a UDP connection, and is thus useful as a fast scanning +mode just to see what ports the target is listening on. To limit scanning +speed if desired, -i will insert a delay between each port probe. There are +some pitfalls with regard to UDP scanning, described later, but in general it +works well. + +For each range of ports specified, scanning is normally done downward within +that range. If the -r switch is used, scanning hops randomly around within +that range and reports open ports as it finds them. [If you want them listed +in order regardless, pipe standard error through "sort"...] In addition, if +random mode is in effect, the local source ports are also randomized. This +prevents netcat from exhibiting any kind of regular pattern in its scanning. +You can exert fairly fine control over your scan by judicious use of -r and +selected port ranges to cover. If you use -r for a single connection, the +source port will have a random value above 8192, rather than the next one the +kernel would have assigned you. Note that selecting a specific local port +with -p overrides any local-port randomization. + +Many people are interested in testing network connectivity using IP source +routing, even if it's only to make sure their own firewalls are blocking +source-routed packets. On systems that support it, the -g switch can be used +multiple times [up to 8] to construct a loose-source-routed path for your +connection, and the -G argument positions the "hop pointer" within the list. +If your network allows source-routed traffic in and out, you can test +connectivity to your own services via remote points in the internet. Note that +although newer BSD-flavor telnets also have source-routing capability, it isn't +clearly documented and the command syntax is somewhat clumsy. Netcat's +handling of "-g" is modeled after "traceroute". + +Netcat tries its best to behave just like "cat". It currently does nothing to +terminal input modes, and does no end-of-line conversion. Standard input from +a terminal is read line by line with normal editing characters in effect. You +can freely suspend out of an interactive connection and resume. ^C or whatever +your interrupt character is will make netcat close the network connection and +exit. A switch to place the terminal in raw mode has been considered, but so +far has not been necessary. You can send raw binary data by reading it out of +a file or piping from another program, so more meaningful effort would be spent +writing an appropriate front-end driver. + +Netcat is not an "arbitrary packet generator", but the ability to talk to raw +sockets and/or nit/bpf/dlpi may appear at some point. Such things are clearly +useful; I refer you to Darren Reed's excellent ip_filter package, which now +includes a tool to construct and send raw packets with any contents you want. + +Example uses -- the light side +============================== + +Again, this is a very partial list of possibilities, but it may get you to +think up more applications for netcat. Driving netcat with simple shell or +expect scripts is an easy and flexible way to do fairly complex tasks, +especially if you're not into coding network tools in C. My coding isn't +particularly strong either [although undoubtedly better after writing this +thing!], so I tend to construct bare-metal tools like this that I can trivially +plug into other applications. Netcat doubles as a teaching tool -- one can +learn a great deal about more complex network protocols by trying to simulate +them through raw connections! + +An example of netcat as a backend for something else is the shell-script +Web browser, which simply asks for the relevant parts of a URL and pipes +"GET /what/ever" into a netcat connection to the server. I used to do this +with telnet, and had to use calculated sleep times and other stupidity to +kludge around telnet's limitations. Netcat guarantees that I get the whole +page, and since it transfers all the data unmodified, I can even pull down +binary image files and display them elsewhere later. Some folks may find the +idea of a shell-script web browser silly and strange, but it starts up and +gets me my info a hell of a lot faster than a GUI browser and doesn't hide +any contents of links and forms and such. This is included, as scripts/web, +along with several other web-related examples. + +Netcat is an obvious replacement for telnet as a tool for talking to daemons. +For example, it is easier to type "nc host 25", talk to someone's mailer, and +just ^C out than having to type ^]c or QUIT as telnet would require you to do. +You can quickly catalog the services on your network by telling netcat to +connect to well-known services and collect greetings, or at least scan for open +ports. You'll probably want to collect netcat's diagnostic messages in your +output files, so be sure to include standard error in the output using +`>& file' in *csh or `> file 2>&1' in bourne shell. + +A scanning example: "echo QUIT | nc -v -w 5 target 20-250 500-600 5990-7000" +will inform you about a target's various well-known TCP servers, including +r-services, X, IRC, and maybe a few you didn't expect. Sending in QUIT and +using the timeout will almost guarantee that you see some kind of greeting or +error from each service, which usually indicates what it is and what version. +[Beware of the "chargen" port, though...] SATAN uses exactly this technique to +collect host information, and indeed some of the ideas herein were taken from +the SATAN backend tools. If you script this up to try every host in your +subnet space and just let it run, you will not only see all the services, +you'll find out about hosts that aren't correctly listed in your DNS. Then you +can compare new snapshots against old snapshots to see changes. For going +after particular services, a more intrusive example is in scripts/probe. + +Netcat can be used as a simple data transfer agent, and it doesn't really +matter which end is the listener and which end is the client -- input at one +side arrives at the other side as output. It is helpful to start the listener +at the receiving side with no timeout specified, and then give the sending side +a small timeout. That way the listener stays listening until you contact it, +and after data stops flowing the client will time out, shut down, and take the +listener with it. Unless the intervening network is fraught with problems, +this should be completely reliable, and you can always increase the timeout. A +typical example of something "rsh" is often used for: on one side, + + nc -l -p 1234 | uncompress -c | tar xvfp - + +and then on the other side + + tar cfp - /some/dir | compress -c | nc -w 3 othermachine 1234 + +will transfer the contents of a directory from one machine to another, without +having to worry about .rhosts files, user accounts, or inetd configurations +at either end. Again, it matters not which is the listener or receiver; the +"tarring" machine could just as easily be running the listener instead. One +could conceivably use a scheme like this for backups, by having cron-jobs fire +up listeners and backup handlers [which can be restricted to specific addresses +and ports between each other] and pipe "dump" or "tar" on one machine to "dd +of=/dev/tapedrive" on another as usual. Since netcat returns a nonzero exit +status for a denied listener connection, scripts to handle such tasks could +easily log and reject connect attempts from third parties, and then retry. + +Another simple data-transfer example: shipping things to a PC that doesn't have +any network applications yet except a TCP stack and a web browser. Point the +browser at an arbitrary port on a Unix server by telling it to download +something like http://unixbox:4444/foo, and have a listener on the Unix side +ready to ship out a file when the connect comes in. The browser may pervert +binary data when told to save the URL, but you can dig the raw data out of +the on-disk cache. + +If you build netcat with GAPING_SECURITY_HOLE defined, you can use it as an +"inetd" substitute to test experimental network servers that would otherwise +run under "inetd". A script or program will have its input and output hooked +to the network the same way, perhaps sans some fancier signal handling. Given +that most network services do not bind to a particular local address, whether +they are under "inetd" or not, it is possible for netcat avoid the "address +already in use" error by binding to a specific address. This lets you [as +root, for low ports] place netcat "in the way" of a standard service, since +inbound connections are generally sent to such specifically-bound listeners +first and fall back to the ones bound to "any". This allows for a one-off +experimental simulation of some service, without having to screw around with +inetd.conf. Running with -v turned on and collecting a connection log from +standard error is recommended. + +Netcat as well can make an outbound connection and then run a program or script +on the originating end, with input and output connected to the same network +port. This "inverse inetd" capability could enhance the backup-server concept +described above or help facilitate things such as a "network dialback" concept. +The possibilities are many and varied here; if such things are intended as +security mechanisms, it may be best to modify netcat specifically for the +purpose instead of wrapping such functions in scripts. + +Speaking of inetd, netcat will function perfectly well *under* inetd as a TCP +connection redirector for inbound services, like a "plug-gw" without the +authentication step. This is very useful for doing stuff like redirecting +traffic through your firewall out to other places like web servers and mail +hubs, while posing no risk to the firewall machine itself. Put netcat behind +inetd and tcp_wrappers, perhaps thusly: + + www stream tcp nowait nobody /etc/tcpd /bin/nc -w 3 realwww 80 + +and you have a simple and effective "application relay" with access control +and logging. Note use of the wait time as a "safety" in case realwww isn't +reachable or the calling user aborts the connection -- otherwise the relay may +hang there forever. + +You can use netcat to generate huge amounts of useless network data for +various performance testing. For example, doing + + yes AAAAAAAAAAAAAAAAAAAAAA | nc -v -v -l -p 2222 > /dev/null + +on one side and then hitting it with + + yes BBBBBBBBBBBBBBBBBBBBBB | nc othermachine 2222 > /dev/null + +from another host will saturate your wires with A's and B's. The "very +verbose" switch usage will tell you how many of each were sent and received +after you interrupt either side. Using UDP mode produces tremendously MORE +trash per unit time in the form of fragmented 8 Kbyte mobygrams -- enough to +stress-test kernels and network interfaces. Firing random binary data into +various network servers may help expose bugs in their input handling, which +nowadays is a popular thing to explore. A simple example data-generator is +given in data/data.c included in this package, along with a small collection +of canned input files to generate various packet contents. This program is +documented in its beginning comments, but of interest here is using "%r" to +generate random bytes at well-chosen points in a data stream. If you can +crash your daemon, you likely have a security problem. + +The hex dump feature may be useful for debugging odd network protocols, +especially if you don't have any network monitoring equipment handy or aren't +root where you'd need to run "tcpdump" or something. Bind a listening netcat +to a local port, and have it run a script which in turn runs another netcat +to the real service and captures the hex dump to a log file. This sets up a +transparent relay between your local port and wherever the real service is. +Be sure that the script-run netcat does *not* use -v, or the extra info it +sends to standard error may confuse the protocol. Note also that you cannot +have the "listen/exec" netcat do the data capture, since once the connection +arrives it is no longer netcat that is running. + +Binding to an arbitrary local port allows you to simulate things like r-service +clients, if you are root locally. For example, feeding "^@root^@joe^@pwd^@" +[where ^@ is a null, and root/joe could be any other local/remote username +pair] into a "rsh" or "rlogin" server, FROM your port 1023 for example, +duplicates what the server expects to receive. Thus, you can test for insecure +.rhosts files around your network without having to create new user accounts on +your client machine. The program data/rservice.c can aid this process by +constructing the "rcmd" protocol bytes. Doing this also prevents "rshd" from +trying to create that separate standard-error socket and still gives you an +input path, as opposed to the usual action of "rsh -n". Using netcat for +things like this can be really useful sometimes, because rsh and rlogin +generally want a host *name* as an argument and won't accept IP addresses. If +your client-end DNS is hosed, as may be true when you're trying to extract +backup sets on to a dumb client, "netcat -n" wins where normal rsh/rlogin is +useless. + +If you are unsure that a remote syslogger is working, test it with netcat. +Make a UDP connection to port 514 and type in "<0>message", which should +correspond to "kern.emerg" and cause syslogd to scream into every file it has +open [and possibly all over users' terminals]. You can tame this down by +using a different number and use netcat inside routine scripts to send syslog +messages to places that aren't configured in syslog.conf. For example, +"echo '<38>message' | nc -w 1 -u loggerhost 514" should send to auth.notice +on loggerhost. The exact number may vary; check against your syslog.h first. + +Netcat provides several ways for you to test your own packet filters. If you +bind to a port normally protected against outside access and make a connection +to somewhere outside your own network, the return traffic will be coming to +your chosen port from the "outside" and should be blocked. TCP may get through +if your filter passes all "ack syn", but it shouldn't be even doing that to low +ports on your network. Remember to test with UDP traffic as well! If your +filter passes at least outbound source-routed IP packets, bouncing a connection +back to yourself via some gateway outside your network will create "incoming" +traffic with your source address, which should get dropped by a correctly +configured anti-spoofing filter. This is a "non-test" if you're also dropping +source-routing, but it's good to be able to test for that too. Any packet +filter worth its salt will be blocking source-routed packets in both +directions, but you never know what interesting quirks you might turn up by +playing around with source ports and addresses and watching the wires with a +network monitor. + +You can use netcat to protect your own workstation's X server against outside +access. X is stupid enough to listen for connections on "any" and never tell +you when new connections arrive, which is one reason it is so vulnerable. Once +you have all your various X windows up and running you can use netcat to bind +just to your ethernet address and listen to port 6000. Any new connections +from outside the machine will hit netcat instead your X server, and you get a +log of who's trying. You can either tell netcat to drop the connection, or +perhaps run another copy of itself to relay to your actual X server on +"localhost". This may not work for dedicated X terminals, but it may be +possible to authorize your X terminal only for its boot server, and run a relay +netcat over on the server that will in turn talk to your X terminal. Since +netcat only handles one listening connection per run, make sure that whatever +way you rig it causes another one to run and listen on 6000 soon afterward, or +your real X server will be reachable once again. A very minimal script just +to protect yourself could be + + while true ; do + nc -v -l -s <your-addr> -p 6000 localhost 2 + done + +which causes netcat to accept and then close any inbound connection to your +workstation's normal ethernet address, and another copy is immediately run by +the script. Send standard error to a file for a log of connection attempts. +If your system can't do the "specific bind" thing all is not lost; run your +X server on display ":1" or port 6001, and netcat can still function as a probe +alarm by listening on 6000. + +Does your shell-account provider allow personal Web pages, but not CGI scripts? +You can have netcat listen on a particular port to execute a program or script +of your choosing, and then just point to the port with a URL in your homepage. +The listener could even exist on a completely different machine, avoiding the +potential ire of the homepage-host administrators. Since the script will get +the raw browser query as input it won't look like a typical CGI script, and +since it's running under your UID you need to write it carefully. You may want +to write a netcat-based script as a wrapper that reads a query and sets up +environment variables for a regular CGI script. The possibilities for using +netcat and scripts to handle Web stuff are almost endless. Again, see the +examples under scripts/. + +Example uses -- the dark side +============================= + +Equal time is deserved here, since a versatile tool like this can be useful +to any Shade of Hat. I could use my Victorinox to either fix your car or +disassemble it, right? You can clearly use something like netcat to attack +or defend -- I don't try to govern anyone's social outlook, I just build tools. +Regardless of your intentions, you should still be aware of these threats to +your own systems. + +The first obvious thing is scanning someone *else's* network for vulnerable +services. Files containing preconstructed data, be it exploratory or +exploitive, can be fed in as standard input, including command-line arguments +to netcat itself to keep "ps" ignorant of your doings. The more random the +scanning, the less likelihood of detection by humans, scan-detectors, or +dynamic filtering, and with -i you'll wait longer but avoid loading down the +target's network. Some examples for crafting various standard UDP probes are +given in data/*.d. + +Some configurations of packet filters attempt to solve the FTP-data problem by +just allowing such connections from the outside. These come FROM port 20, TO +high TCP ports inside -- if you locally bind to port 20, you may find yourself +able to bypass filtering in some cases. Maybe not to low ports "inside", but +perhaps to TCP NFS servers, X servers, Prospero, ciscos that listen on 200x +and 400x... Similar bypassing may be possible for UDP [and maybe TCP too] if a +connection comes from port 53; a filter may assume it's a nameserver response. + +Using -e in conjunction with binding to a specific address can enable "server +takeover" by getting in ahead of the real ones, whereupon you can snarf data +sent in and feed your own back out. At the very least you can log a hex dump +of someone else's session. If you are root, you can certainly use -s and -e to +run various hacked daemons without having to touch inetd.conf or the real +daemons themselves. You may not always have the root access to deal with low +ports, but what if you are on a machine that also happens to be an NFS server? +You might be able to collect some interesting things from port 2049, including +local file handles. There are several other servers that run on high ports +that are likely candidates for takeover, including many of the RPC services on +some platforms [yppasswdd, anyone?]. Kerberos tickets, X cookies, and IRC +traffic also come to mind. RADIUS-based terminal servers connect incoming +users to shell-account machines on a high port, usually 1642 or thereabouts. +SOCKS servers run on 1080. Do "netstat -a" and get creative. + +There are some daemons that are well-written enough to bind separately to all +the local interfaces, possibly with an eye toward heading off this sort of +problem. Named from recent BIND releases, and NTP, are two that come to mind. +Netstat will show these listening on address.53 instead of *.53. You won't +be able to get in front of these on any of the real interface addresses, which +of course is especially interesting in the case of named, but these servers +sometimes forget about things like "alias" interface addresses or interfaces +that appear later on such as dynamic PPP links. There are some hacked web +servers and versions of "inetd" floating around that specifically bind as well, +based on a configuration file -- these generally *are* bound to alias addresses +to offer several different address-based services from one machine. + +Using -e to start a remote backdoor shell is another obvious sort of thing, +easier than constructing a file for inetd to listen on "ingreslock" or +something, and you can access-control it against other people by specifying a +client host and port. Experience with this truly demonstrates how fragile the +barrier between being "logged in" or not really is, and is further expressed by +scripts/bsh. If you're already behind a firewall, it may be easier to make an +*outbound* connection and then run a shell; a small wrapper script can +periodically try connecting to a known place and port, you can later listen +there until the inbound connection arrives, and there's your shell. Running +a shell via UDP has several interesting features, although be aware that once +"connected", the UDP stub sockets tend to show up in "netstat" just like TCP +connections and may not be quite as subtle as you wanted. Packets may also be +lost, so use TCP if you need reliable connections. But since UDP is +connectionless, a hookup of this sort will stick around almost forever, even if +you ^C out of netcat or do a reboot on your side, and you only need to remember +the ports you used on both ends to reestablish. And outbound UDP-plus-exec +connection creates the connected socket and starts the program immediately. On +a listening UDP connection, the socket is created once a first packet is +received. In either case, though, such a "connection" has the interesting side +effect that only your client-side IP address and [chosen?] source port will +thereafter be able to talk to it. Instant access control! A non-local third +party would have to do ALL of the following to take over such a session: + + forge UDP with your source address [trivial to do; see below] + guess the port numbers of BOTH ends, or sniff the wire for them + arrange to block ICMP or UDP return traffic between it and your real + source, so the session doesn't die with a network write error. + +The companion program data/rservice.c is helpful in scripting up any sort of +r-service username or password guessing attack. The arguments to "rservice" +are simply the strings that get null-terminated and passed over an "rcmd"-style +connection, with the assumption that the client does not need a separate +standard-error port. Brute-force password banging is best done via "rexec" if +it is available since it is less likely to log failed attempts. Thus, doing +"rservice joe joespass pwd | nc target exec" should return joe's home dir if +the password is right, or "Permission denied." Plug in a dictionary and go to +town. If you're attacking rsh/rlogin, remember to be root and bind to a port +between 512 and 1023 on your end, and pipe in "rservice joe joe pwd" and such. + +Netcat can prevent inadvertently sending extra information over a telnet +connection. Use "nc -t" in place of telnet, and daemons that try to ask for +things like USER and TERM environment variables will get no useful answers, as +they otherwise would from a more recent telnet program. Some telnetds actually +try to collect this stuff and then plug the USER variable into "login" so that +the caller is then just asked for a password! This mechanism could cause a +login attempt as YOUR real username to be logged over there if you use a +Borman-based telnet instead of "nc -t". + +Got an unused network interface configured in your kernel [e.g. SLIP], or +support for alias addresses? Ifconfig one to be any address you like, and bind +to it with -s to enable all sorts of shenanigans with bogus source addresses. +The interface probably has to be UP before this works; some SLIP versions +need a far-end address before this is true. Hammering on UDP services is then +a no-brainer. What you can do to an unfiltered syslog daemon should be fairly +obvious; trimming the conf file can help protect against it. Many routers out +there still blindly believe what they receive via RIP and other routing +protocols. Although most UDP echo and chargen servers check if an incoming +packet was sent from *another* "internal" UDP server, there are many that still +do not, any two of which [or many, for that matter] could keep each other +entertained for hours at the expense of bandwidth. And you can always make +someone wonder why she's being probed by nsa.gov. + +Your TCP spoofing possibilities are mostly limited to destinations you can +source-route to while locally bound to your phony address. Many sites block +source-routed packets these days for precisely this reason. If your kernel +does oddball things when sending source-routed packets, try moving the pointer +around with -G. You may also have to fiddle with the routing on your own +machine before you start receiving packets back. Warning: some machines still +send out traffic using the source address of the outbound interface, regardless +of your binding, especially in the case of localhost. Check first. If you can +open a connection but then get no data back from it, the target host is +probably killing the IP options on its end [this is an option inside TCP +wrappers and several other packages], which happens after the 3-way handshake +is completed. If you send some data and observe the "send-q" side of "netstat" +for that connection increasing but never getting sent, that's another symptom. +Beware: if Sendmail 8.7.x detects a source-routed SMTP connection, it extracts +the hop list and sticks it in the Received: header! + +SYN bombing [sometimes called "hosing"] can disable many TCP servers, and if +you hit one often enough, you can keep it unreachable for days. As is true of +many other denial-of-service attacks, there is currently no defense against it +except maybe at the human level. Making kernel SOMAXCONN considerably larger +than the default and the half-open timeout smaller can help, and indeed some +people running large high-performance web servers have *had* to do that just to +handle normal traffic. Taking out mailers and web servers is sociopathic, but +on the other hand it is sometimes useful to be able to, say, disable a site's +identd daemon for a few minutes. If someone realizes what is going on, +backtracing will still be difficult since the packets have a phony source +address, but calls to enough ISP NOCs might eventually pinpoint the source. +It is also trivial for a clueful ISP to watch for or even block outgoing +packets with obviously fake source addresses, but as we know many of them are +not clueful or willing to get involved in such hassles. Besides, outbound +packets with an [otherwise unreachable] source address in one of their net +blocks would look fairly legitimate. + +Notes +===== + +A discussion of various caveats, subtleties, and the design of the innards. + +As of version 1.07 you can construct a single file containing command arguments +and then some data to transfer. Netcat is now smart enough to pick out the +first line and build the argument list, and send any remaining data across the +net to one or multiple ports. The first release of netcat had trouble with +this -- it called fgets() for the command line argument, which behind the +scenes does a large read() from standard input, perhaps 4096 bytes or so, and +feeds that out to the fgets() library routine. By the time netcat 1.00 started +directly read()ing stdin for more data, 4096 bytes of it were gone. It now +uses raw read() everywhere and does the right thing whether reading from files, +pipes, or ttys. If you use this for multiple-port connections, the single +block of data will now be a maximum of 8K minus the first line. Improvements +have been made to the logic in sending the saved chunk to each new port. Note +that any command-line arguments hidden using this mechanism could still be +extracted from a core dump. + +When netcat receives an inbound UDP connection, it creates a "connected socket" +back to the source of the connection so that it can also send out data using +normal write(). Using this mechanism instead of recvfrom/sendto has several +advantages -- the read/write select loop is simplified, and ICMP errors can in +effect be received by non-root users. However, it has the subtle side effect +that if further UDP packets arrive from the caller but from different source +ports, the listener will not receive them. UDP listen mode on a multihomed +machine may have similar quirks unless you specifically bind to one of its +addresses. It is not clear that kernel support for UDP connected sockets +and/or my understanding of it is entirely complete here, so experiment... + +You should be aware of some subtleties concerning UDP scanning. If -z is on, +netcat attempts to send a single null byte to the target port, twice, with a +small time in between. You can either use the -w timeout, or netcat will try +to make a "sideline" TCP connection to the target to introduce a small time +delay equal to the round-trip time between you and the target. Note that if +you have a -w timeout and -i timeout set, BOTH take effect and you wait twice +as long. The TCP connection is to a normally refused port to minimize traffic, +but if you notice a UDP fast-scan taking somewhat longer than it should, it +could be that the target is actually listening on the TCP port. Either way, +any ICMP port-unreachable messages from the target should have arrived in the +meantime. The second single-byte UDP probe is then sent. Under BSD kernels, +the ICMP error is delivered to the "connected socket" and the second write +returns an error, which tells netcat that there is NOT a UDP service there. +While Linux seems to be a fortunate exception, under many SYSV derived kernels +the ICMP is not delivered, and netcat starts reporting that *all* the ports are +"open" -- clearly wrong. [Some systems may not even *have* the "udp connected +socket" concept, and netcat in its current form will not work for UDP at all.] +If -z is specified and only one UDP port is probed, netcat's exit status +reflects whether the connection was "open" or "refused" as with TCP. + +It may also be that UDP packets are being blocked by filters with no ICMP error +returns, in which case everything will time out and return "open". This all +sounds backwards, but that's how UDP works. If you're not sure, try "echo +w00gumz | nc -u -w 2 target 7" to see if you can reach its UDP echo port at +all. You should have no trouble using a BSD-flavor system to scan for UDP +around your own network, although flooding a target with the high activity that +-z generates will cause it to occasionally drop packets and indicate false +"opens". A more "correct" way to do this is collect and analyze the ICMP +errors, as does SATAN's "udp_scan" backend, but then again there's no guarantee +that the ICMP gets back to you either. Udp_scan also does the zero-byte +probes but is excruciatingly careful to calculate its own round-trip timing +average and dynamically set its own response timeouts along with decoding any +ICMP received. Netcat uses a much sleazier method which is nonetheless quite +effective. Cisco routers are known to have a "dead time" in between ICMP +responses about unreachable UDP ports, so a fast scan of a cisco will show +almost everything "open". If you are looking for a specific UDP service, you +can construct a file containing the right bytes to trigger a response from the +other end and send that as standard input. Netcat will read up to 8K of the +file and send the same data to every UDP port given. Note that you must use a +timeout in this case [as would any other UDP client application] since the +two-write probe only happens if -z is specified. + +Many telnet servers insist on a specific set of option negotiations before +presenting a login banner. On a raw connection you will see this as small +amount of binary gook. My attempts to create fixed input bytes to make a +telnetd happy worked some places but failed against newer BSD-flavor ones, +possibly due to timing problems, but there are a couple of much better +workarounds. First, compile with -DTELNET and use -t if you just want to get +past the option negotiation and talk to something on a telnet port. You will +still see the binary gook -- in fact you'll see a lot more of it as the options +are responded to behind the scenes. The telnet responder does NOT update the +total byte count, or show up in the hex dump -- it just responds negatively to +any options read from the incoming data stream. If you want to use a normal +full-blown telnet to get to something but also want some of netcat's features +involved like settable ports or timeouts, construct a tiny "foo" script: + + #! /bin/sh + exec nc -otheroptions targethost 23 + +and then do + + nc -l -p someport -e foo localhost & + telnet localhost someport + +and your telnet should connect transparently through the exec'ed netcat to +the target, using whatever options you supplied in the "foo" script. Don't +use -t inside the script, or you'll wind up sending *two* option responses. + +I've observed inconsistent behavior under some Linuxes [perhaps just older +ones?] when binding in listen mode. Sometimes netcat binds only to "localhost" +if invoked with no address or port arguments, and sometimes it is unable to +bind to a specific address for listening if something else is already listening +on "any". The former problem can be worked around by specifying "-s 0.0.0.0", +which will do the right thing despite netcat claiming that it's listening on +[127.0.0.1]. This is a known problem -- for example, there's a mention of it +in the makefile for SOCKS. On the flip side, binding to localhost and sending +packets to some other machine doesn't work as you'd expect -- they go out with +the source address of the sending interface instead. The Linux kernel contains +a specific check to ensure that packets from 127.0.0.1 are never sent to the +wire; other kernels may contain similar code. Linux, of course, *still* +doesn't support source-routing, but they claim that it and many other network +improvements are at least breathing hard. + +There are several possible errors associated with making TCP connections, but +to specifically see anything other than "refused", one must wait the full +kernel-defined timeout for a connection to fail. Netcat's mechanism of +wrapping an alarm timer around the connect prevents the *real* network error +from being returned -- "errno" at that point indicates "interrupted system +call" since the connect attempt was interrupted. Some old 4.3 BSD kernels +would actually return things like "host unreachable" immediately if that was +the case, but most newer kernels seem to wait the full timeout and *then* pass +back the real error. Go figure. In this case, I'd argue that the old way was +better, despite those same kernels generally being the ones that tear down +*established* TCP connections when ICMP-bombed. + +Incoming socket options are passed to applications by the kernel in the +kernel's own internal format. The socket-options structure for source-routing +contains the "first-hop" IP address first, followed by the rest of the real +options list. The kernel uses this as is when sending reply packets -- the +structure is therefore designed to be more useful to the kernel than to humans, +but the hex dump of it that netcat produces is still useful to have. + +Kernels treat source-routing options somewhat oddly, but it sort of makes sense +once one understands what's going on internally. The options list of addresses +must contain hop1, hop2, ..., destination. When a source-routed packet is sent +by the kernel [at least BSD], the actual destination address becomes irrelevant +because it is replaced with "hop1", "hop1" is removed from the options list, +and all the other addresses in the list are shifted up to fill the hole. Thus +the outbound packet is sent from your chosen source address to the first +*gateway*, and the options list now contains hop2, ..., destination. During +all this address shuffling, the kernel does NOT change the pointer value, which +is why it is useful to be able to set the pointer yourself -- you can construct +some really bizarre return paths, and send your traffic fairly directly to the +target but around some larger loop on the way back. Some Sun kernels seem to +never flip the source-route around if it contains less than three hops, never +reset the pointer anyway, and tries to send the packet [with options containing +a "completed" source route!!] directly back to the source. This is way broken, +of course. [Maybe ipforwarding has to be on? I haven't had an opportunity to +beat on it thoroughly yet.] + +"Credits" section: The original idea for netcat fell out of a long-standing +desire and fruitless search for a tool resembling it and having the same +features. After reading some other network code and realizing just how many +cool things about sockets could be controlled by the calling user, I started +on the basics and the rest fell together pretty quickly. Some port-scanning +ideas were taken from Venema/Farmer's SATAN tool kit, and Pluvius' "pscan" +utility. Healthy amounts of BSD kernel source were perused in an attempt to +dope out socket options and source-route handling; additional help was obtained +from Dave Borman's telnet sources. The select loop is loosely based on fairly +well-known code from "rsh" and Richard Stevens' "sock" program [which itself is +sort of a "netcat" with more obscure features], with some more paranoid +sanity-checking thrown in to guard against the distinct likelihood that there +are subtleties about such things I still don't understand. I found the +argument-hiding method cleanly implemented in Barrett's "deslogin"; reading the +line as input allows greater versatility and is much less prone to cause +bizarre problems than the more common trick of overwriting the argv array. +After the first release, several people contributed portability fixes; they are +credited in generic.h and the Makefile. Lauren Burka inspired the ascii art +for this revised document. Dean Gaudet at Wired supplied a precursor to +the hex-dump code, and mudge@l0pht.com originally experimented with and +supplied code for the telnet-options responder. Outbound "-e <prog>" resulted +from a need to quietly bypass a firewall installation. Other suggestions and +patches have rolled in for which I am always grateful, but there are only 26 +hours per day and a discussion of feature creep near the end of this document. + +Netcat was written with the Russian railroad in mind -- conservatively built +and solid, but it *will* get you there. While the coding style is fairly +"tight", I have attempted to present it cleanly [keeping *my* lines under 80 +characters, dammit] and put in plenty of comments as to why certain things +are done. Items I know to be questionable are clearly marked with "XXX". +Source code was made to be modified, but determining where to start is +difficult with some of the tangles of spaghetti code that are out there. +Here are some of the major points I feel are worth mentioning about netcat's +internal design, whether or not you agree with my approach. + +Except for generic.h, which changes to adapt more platforms, netcat is a single +source file. This has the distinct advantage of only having to include headers +once and not having to re-declare all my functions in a billion different +places. I have attempted to contain all the gross who's-got-what-.h-file +things in one small dumping ground. Functions are placed "dependencies-first", +such that when the compiler runs into the calls later, it already knows the +type and arguments and won't complain. No function prototyping -- not even the +__P(()) crock -- is used, since it is more portable and a file of this size is +easy enough to check manually. Each function has a standard-format comment +ahead of it, which is easily found using the regexp " :$". I freely use gotos. +Loops and if-clauses are made as small and non-nested as possible, and the ends +of same *marked* for clarity [I wish everyone would do this!!]. + +Large structures and buffers are all malloc()ed up on the fly, slightly larger +than the size asked for and zeroed out. This reduces the chances of damage +from those "end of the buffer" fencepost errors or runaway pointers escaping +off the end. These things are permanent per run, so nothing needs to be freed +until the program exits. + +File descriptor zero is always expected to be standard input, even if it is +closed. If a new network descriptor winds up being zero, a different one is +asked for which will be nonzero, and fd zero is simply left kicking around +for the rest of the run. Why? Because everything else assumes that stdin is +always zero and "netfd" is always positive. This may seem silly, but it was a +lot easier to code. The new fd is obtained directly as a new socket, because +trying to simply dup() a new fd broke subsequent socket-style use of the new fd +under Solaris' stupid streams handling in the socket library. + +The catch-all message and error handlers are implemented with an ample list of +phoney arguments to get around various problems with varargs. Varargs seems +like deliberate obfuscation in the first place, and using it would also +require use of vfprintf() which not all platforms support. The trailing +sleep in bail() is to allow output to flush, which is sometimes needed if +netcat is already on the other end of a network connection. + +The reader may notice that the section that does DNS lookups seems much +gnarlier and more confusing than other parts. This is NOT MY FAULT. The +sockaddr and hostent abstractions are an abortion that forces the coder to +deal with it. Then again, a lot of BSD kernel code looks like similar +struct-pointer hell. I try to straighten it out somewhat by defining my own +HINF structure, containing names, ascii-format IP addresses, and binary IP +addresses. I fill this structure exactly once per host argument, and squirrel +everything safely away and handy for whatever wants to reference it later. + +Where many other network apps use the FIONBIO ioctl to set non-blocking I/O +on network sockets, netcat uses straightforward blocking I/O everywhere. +This makes everything very lock-step, relying on the network and filesystem +layers to feed in data when needed. Data read in is completely written out +before any more is fetched. This may not be quite the right thing to do under +some OSes that don't do timed select() right, but this remains to be seen. + +The hexdump routine is written to be as fast as possible, which is why it does +so much work itself instead of just sprintf()ing everything together. Each +dump line is built into a single buffer and atomically written out using the +lowest level I/O calls. Further improvements could undoubtedly be made by +using writev() and eliminating all sprintf()s, but it seems to fly right along +as is. If both exec-a-prog mode and a hexdump file is asked for, the hexdump +flag is deliberately turned off to avoid creating random zero-length files. +Files are opened in "truncate" mode; if you want "append" mode instead, change +the open flags in main(). + +main() may look a bit hairy, but that's only because it has to go down the +argv list and handle multiple ports, random mode, and exit status. Efforts +have been made to place a minimum of code inside the getopt() loop. Any real +work is sent off to functions in what is hopefully a straightforward way. + +Obligatory vendor-bash: If "nc" had become a standard utility years ago, +the commercial vendors would have likely packaged it setuid root and with +-DGAPING_SECURITY_HOLE turned on but not documented. It is hoped that netcat +will aid people in finding and fixing the no-brainer holes of this sort that +keep appearing, by allowing easier experimentation with the "bare metal" of +the network layer. + +It could be argued that netcat already has too many features. I have tried +to avoid "feature creep" by limiting netcat's base functionality only to those +things which are truly relevant to making network connections and the everyday +associated DNS lossage we're used to. Option switches already have slightly +overloaded functionality. Random port mode is sort of pushing it. The +hex-dump feature went in later because it *is* genuinely useful. The +telnet-responder code *almost* verges on the gratuitous, especially since it +mucks with the data stream, and is left as an optional piece. Many people have +asked for example "how 'bout adding encryption?" and my response is that such +things should be separate entities that could pipe their data *through* netcat +instead of having their own networking code. I am therefore not completely +enthusiastic about adding any more features to this thing, although you are +still free to send along any mods you think are useful. + +Nonetheless, at this point I think of netcat as my tcp/ip swiss army knife, +and the numerous companion programs and scripts to go with it as duct tape. +Duct tape of course has a light side and a dark side and binds the universe +together, and if I wrap enough of it around what I'm trying to accomplish, +it *will* work. Alternatively, if netcat is a large hammer, there are many +network protocols that are increasingly looking like nails by now... + +_H* 960320 v1.10 RELEASE -- happy spring! |