getting out of a shrinking box...

20 years 6 months ago #789 by sahirh
Netcat examples ?
Well, start off with the readme file that comes with it; it has a lot of examples... of both shades of hat ;)
The thing that basically makes netcat awesome is the fact that it can make any kind of TCP/UDP connection, without regard to protocol etc.

Not for nothing is it called the Swiss Army Knife network tool :)
There's one excerpt from the 'Anti-Hacker Toolkit' book here:
www.osborne.com/products/0072222824/0072222824_ch01.pdf

And I know that SANS has a whole paper on netcat usage in its reading room... I'm feeling a bit lazy to look for it though :)
www.sans.org

Once I started using nc, I can't believe that I ever managed without it; I use it instead of telnet as well.
Here's my simple example (Windows) script that will tell you what web server is running on a machine:
1. make a text file called test.txt and put the following lines in it
GET / HTTP/1.0
<blank line>
<blank line>

2. make a batchfile called id.bat in the same directory and put this in it
@echo off
cls
nc.exe %1 80 < test.txt | find "server:" /I
echo.
pause

Put all the files (nc.exe, test.txt and id.bat) in a directory in your path (I use c:\winnt). Next time you wanna check what web server is running, click Start, Run, and type

id www.whatever.com

All netcat does is make the connection to %1 (whatever.com) port 80 and chuck the data in test.txt to it, which will give you the default web page. I send that output to the Windows find command and search for the string 'server:' in the headers :)

For more flexibility you can replace the %1 80 in the script with %1 %2, which will let you choose which port the web server runs on.

I don't know what changes you'd have to make for that to run on the Mac, but I just typed it up as an example of how it can really be used. I use that script myself when I'm 'manually' pen-testing :)


Cheers,
Sahir.

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
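The id.bat script above is a one-liner pipeline, so here is the same check written out as an added Python example (not code from the post or from the netcat distribution) to make the mechanics explicit: send the bare `GET / HTTP/1.0` request from test.txt, read the header block, and pull out the `Server:` header case-insensitively, as `find "server:" /I` does. It runs offline against a constructed stand-in web server; the banner string, the `start_fake_server` helper and its port are assumptions made for the demonstration. Point `grab_server_banner` at a host you administer to audit what its web server advertises.

```python
import re
import socket
import threading

# The same two-line request the post puts in test.txt: a bare HTTP/1.0 GET
# (no Host header needed) followed by the blank line that ends the headers.
REQUEST = b"GET / HTTP/1.0\r\n\r\n"


def parse_server_header(response: bytes):
    """Return the Server: header value, matched case-insensitively like
    `find "server:" /I`, or None if the response carries no such header."""
    # Keep only the header block; tolerate bare-LF servers as well as CRLF.
    head = re.split(rb"\r?\n\r?\n", response, maxsplit=1)[0]
    for line in head.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def grab_server_banner(host: str, port: int = 80, timeout: float = 5.0):
    """Connect, send REQUEST, read until the header block has arrived (or the
    server closes / goes quiet) and return the advertised Server: value."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(REQUEST)
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break                            # socket left open, nothing more sent
            if not data:
                break                            # server closed the connection
            chunks.append(data)
            if re.search(rb"\r?\n\r?\n", b"".join(chunks)):
                break                            # complete header block received
    return parse_server_header(b"".join(chunks))


def start_fake_server(banner: bytes) -> int:
    """Constructed stand-in for a real web server so the grab can be exercised
    offline. Answers one connection with the given Server: banner and returns
    the port it listens on (assumption: nothing on the page describes this)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)                      # read the request; not parsed here
            conn.sendall(b"HTTP/1.0 200 OK\r\nServer: " + banner
                         + b"\r\nContent-Length: 0\r\n\r\n")
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demonstration against the constructed server; substitute a host
    # and port you are responsible for to check what its banner discloses.
    port = start_fake_server(b"Apache/2.4 (constructed sample)")
    print(grab_server_banner("127.0.0.1", port))
```

The reader loop stops as soon as a blank line has been seen, because some servers keep an HTTP/1.0 connection open and the script would otherwise sit until the timeout; a missing `Server:` header comes back as `None` rather than an error, which is the usual sign that the banner has been suppressed.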
20 years 6 months ago #790 by bwana
Replied by bwana on topic how's this
Check this:

On my client (behind the 2 NAT routers and the Checkpoint firewall that only allows port 80 egress):

nc -l -p 3168 | nc mystaticip 80

On my server (sits behind a NAT router with port 80 forwarded to its non-routable IP 192.168.1.3):

nc -l -p 80 | nc whatdoIputHere? 3168


In the first use of netcat, it's taking the client traffic on port 3168 and shipping it out on port 80. Will this traffic appear to be HTTP to anyone sniffing?

In the second use of netcat, it's taking port 80 traffic, but how do I redirect that to port 3168 traffic? Do I use the local non-routable IP of 192.168.1.3, or do I use 127.0.0.1?

It's kinda hard to test this stuff out when your sites are miles apart and you only have a single DSL connection at each site.
20 years 6 months ago #792 by bwana
Thank you for the refs; our posts crossed in cyberspace and both appeared concurrently, freaked me out.

I thought you might find this useful since you are a Windows person:

www.foundstone.com/index.htm?subnav=reso...ources/freetools.htm
20 years 6 months ago #793 by bwana
fpipe seems to do what we're talking about
20 years 6 months ago #794 by sahirh
Replied by sahirh on topic Re: how's this

Check this:

On my client (behind the 2 NAT routers and the Checkpoint firewall that only allows port 80 egress):

nc -l -p 3168 | nc mystaticip 80

On my server (sits behind a NAT router with port 80 forwarded to its non-routable IP 192.168.1.3):

nc -l -p 80 | nc whatdoIputHere? 3168


In the first use of netcat, it's taking the client traffic on port 3168 and shipping it out on port 80. Will this traffic appear to be HTTP to anyone sniffing?

In the second use of netcat, it's taking port 80 traffic, but how do I redirect that to port 3168 traffic? Do I use the local non-routable IP of 192.168.1.3, or do I use 127.0.0.1?

It's kinda hard to test this stuff out when your sites are miles apart and you only have a single DSL connection at each site.


Yeah, the first instance of netcat is taking any data coming in on 3168 and sending it to staticip:80; at the other end, netcat receives it on port 80.

What you type in whatdoIputHere is the address of the server actually running your application. From what I gathered in your post it's the same machine as the netcat relay, in which case I would use
nc -l -p 80 | nc localhost 3168
or 127.0.0.1 should work fine.

With regard to someone sniffing: at first glance they may think they're seeing HTTP traffic (if they just see someone requesting something on port 80). However, if they inspect the packet, they'll see the actual data that your client app is sending.
There is a solution if you don't want them snooping around:
an encrypted version of netcat called cryptcat. It does exactly the same things with the same commands, only it encrypts the data it sends.

Make sure your relay agent is also running cryptcat or the data will not be decrypted on the other end and will be passed up to your server app in garbled form.

I suppose some people would consider this a poor man's VPN :)
I think your netcat solution was correct. If it doesn't seem to work, remember the software I told you about earlier which tunnels any data through SSL connections; that too will work, and I'm sure there'll be a Mac equivalent.

Good Luck,
Sahir.

(BTW, just in case those firewall admins had got really anal on you and blocked an egress SOURCE port of 3168, then you can modify your first netcat command to look like

nc -l -p <use another high port number> | nc mystaticip 80

It is very doubtful that they would have done that, as 3168 is a port that any legit software could use to make a request, even a web browser.)

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
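Sahir's answer to the sniffing question is that the relay only borrows port 80: anyone inspecting the packets sees the application's own data, and with cryptcat they see ciphertext instead. The following added Python example (not code from the thread, from netcat or from cryptcat) shows what an inspector on that path would conclude from the first bytes of each direction, which is how a defender tells real web traffic apart from a tunnel on the same port. The three captured segments are constructed samples, the custom "LOGIN / GET-QUOTE" protocol is invented for the demonstration, the deterministic byte pattern stands in for an encrypted stream, and the entropy threshold is an assumption rather than a value from the page.

```python
import math
import re
from collections import Counter

# Request and status lines that genuine HTTP/1.x traffic on port 80 starts with.
HTTP_REQUEST = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r?\n")
HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] \d{3}")

# Above this many bits per byte a segment looks structureless (encrypted or
# compressed). Assumed for this example; not a value from the thread or a tool.
ENTROPY_THRESHOLD = 6.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte in `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_port80_payload(data: bytes) -> str:
    """Verdict an inspector reaches from the first bytes of one direction
    of a port-80 conversation."""
    if not data:
        return "empty"
    if HTTP_REQUEST.match(data) or HTTP_RESPONSE.match(data):
        return "http"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "non-http-high-entropy"     # encrypted tunnel (cryptcat) or compressed stream
    return "non-http-plaintext"            # readable, but not HTTP: a plain nc tunnel


# Constructed samples of what a sniffer between the two sites would capture.
SAMPLE_FLOWS = [
    ("browser request (the id.bat test file)", b"GET / HTTP/1.0\r\n\r\n"),
    ("invented app protocol relayed by plain nc", b"LOGIN user42\nGET-QUOTE MSFT\nLOGOUT\n"),
    # Deterministic stand-in for a cryptcat stream: 200 distinct byte values, no structure.
    ("same app protocol relayed by cryptcat", bytes((i * 97 + 13) % 256 for i in range(200))),
]


def inspect_flows(flows):
    """Return [(label, verdict, entropy_bits_per_byte)] for each first segment."""
    return [(label, classify_port80_payload(data), round(shannon_entropy(data), 2))
            for label, data in flows]


if __name__ == "__main__":
    for label, verdict, ent in inspect_flows(SAMPLE_FLOWS):
        print(f"{verdict:24} entropy={ent:5.2f}  {label}")
```

Only the first sample passes as HTTP. The plain-nc relay exposes the application protocol verbatim, which is the point Sahir makes about packet inspection; cryptcat hides the content, but the high-entropy, non-HTTP stream on port 80 is itself the signal a network monitor would flag, so encryption changes what an inspector can read, not whether the tunnel is noticeable.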