Nmap Development mailing list archives

Re: Ncat: Update and Feature Request


From: eldraco <eldraco () gmail com>
Date: Tue, 22 Jul 2008 03:03:12 -0300

Nice work! I love ncat being alive again. Thank you!

Feedback:
0- Debian 4.0 unstable with libssl-dev preinstalled. Ncat svn revision 9002
1- ncat compiled like a charm, the only warning printed was:
        config.status: WARNING:  Makefile.in seems to ignore the --datarootdir setting
2- ncat binary and man page installed correctly

3- Executing "ncat localhost" (no port specified) prints:
        "Unable to connect to remote host"
    But Debian's nc prints out a more detailed error text for "nc localhost":
        "no port[s] to connect to"

4- Connecting to localhost with "ncat localhost 22" prints out the following 
as the first line: "Connected to 127.0.0.1:22", which is a bit odd to me, 
because I'm used to seeing just what the other side of the channel sends unless 
I specify -v or something. I would like ncat to be 'quiet' by default; 
what do you think? What if the other side of the channel sends "Connected to 
127.0.0.1:23" as a kind of deceptive measure?

5- Maybe this is a bug: Connecting to an ssh server, the ssh server closes the 
connection sending a FIN packet (because I didn't speak the ssh protocol 
right) but ncat doesn't respond with a FIN-ACK packet; it seems to believe 
the connection is still up, and keeps sending packets. After the four "strings" 
sent to the ssh server, ncat dies because it is "Unable to connect to remote 
host". I'm attaching the nc -vvv output [ncat-internet-ssh-FIN-bug-1.txt] and 
a tcpdump capture [ncat.internet.ssh.FIN-bug-1.pcap].

6- 'ncat -l 9000 > /tmp/test' and 'ncat localhost 9000 < /bin/ls' work fine, 
but 'ncat -l 9000 < /bin/ls' doesn't work at all. It prints:

        ncat -l 9000 < /bin/ls
        write: Broken pipe

    The Ncat man page states this should work:
        Send a file over TCP port '9899' to host 'example.org'. (This also works in 
        reverse and turns Ncat into a "one file" server!)
         HOST1$ ncat -l 9899 > outputfile
         HOST2$ ncat example.org 9899 < inputfile


7- Ncat is in the PATH, but trying ncat --exec "ncat www.google.com.ar 80" -l 
9000 and later "ncat localhost 9000" doesn't work for me; it ends 
with "execv: No such file or directory". I'm attaching the -vvv output 
[ncat-exec-bug-1.txt]. But if I give the full path it works fine, like this:
ncat --exec "/usr/local/bin/ncat www.google.com.ar 80" -l 9000

Note that ncat --exec "/bin/bash" -l 9000 and the like do work fine too.

8- New feature request: --allow and --deny work fine, but I'm still able to 
state that port as 'open' because ncat does respond to me. Is there a way to 
make ncat show its open port as 'closed' when the IP is denied? This would 
really be useful to hide our ncat from people scanning our servers (perhaps 
using nmap?!)

9- Trying "ncat --socks4-server -l 5001" didn't work for me either. Firefox 
gets a page, but that page has four null bytes at the beginning. I'm 
attaching the tcpdump capture file [ncat-socks-1.pcap], and the file Firefox 
makes me 'save' because it didn't know the protocol [firefox-save.bin].
All the ncat server says is:
ncat --socks4-server -l 5001 -vvv
Listening on 0.0.0.0:5001
DEBUG: SOCKS4 request from 209.68.27.16:
DEBUG: VN: 4
DEBUG: CD: 1
DEBUG: Port: 80
DEBUG: Addr: 209.68.27.16
DEBUG: Null: 0


10- ncat: invalid option -- r

11- ncat: unrecognized option `--send-only'

12- Performance and cpu comparison:
/tmp/b being a 10Mb file created from /dev/zero with dd

With nc:
nc -l -p 9000 > /tmp/a
nc localhost 9000 < /tmp/b
Time: a couple of seconds. No notable cpu usage

With ncat:
ncat -l 9000 > /tmp/a
ncat localhost 9000 < /tmp/b
Time: Almost 35 seconds. 100% cpu usage all that time.

Also ncat sends 1024 packets, and nc sends 139. I'm attaching both pcaps 
[tcpdump-nc-file-transfer.pcap and tcpdump-ncat-file-transfer.pcap].


13- I'm not sure whether to report this, but during the 12- test, I was able to capture 
every packet with tcpdump from the 'nc' test as soon as they traveled across the 
wire, but with 'ncat' the same tcpdump shows me packets 31 seconds after the 
connection started. You can see the time problem in the packets in the pcap 
file attached. Is anyone having the same trouble here? I 
used: 'tcpdump -n -s0 -i lo', with tcpdump version 3.9.8 and libpcap version 
0.9.8

14- ncat --broker --talk -l 9000 works fine except that users start to count 
from <user4>. Is this ok? It can make you believe that 3 previous users were 
connected. And I'm sure I'm alone here.


Well, that's all for now...

Cheers and thanks!

eldraco

On Monday 21 July 2008 16:33:54 Kris Katterjohn wrote:
Hey everyone,

I've taken over Ncat for this latter half of the summer.  Ncat is a new and
improved Netcat which will start off life being shipped along with Nmap,
but may be packaged separately in the future.

All the changes below are based off of Chris Gibson's great original Ncat
work from GSoC 2005 and thereafter.  His Ncat site is here[1], but the
current location in SVN is here[2].

I've attached the output of 'ncat -h' so you can see all of the current
options available.

Mixter has done the following:

* Committed Ncat in our SVN from original SF.net CVS
* Build improvements (don't require automake, add -lpcap, etc)
* Fixed SSL (--ssl) and IPv6 (-6) connect problems
* Worked on VC++2008 port
* Implemented -n/--no-dns
* Some cleaning up

I have done the following so far:

* Implemented IPv6 listening (-6 -l)
* Implemented SSL listening (--ssl -l)
* Redesigned -l to behave like OpenBSD netcat rather than traditional
netcat or previous Ncat.  Now instead of specifying the port number with -l
and the source address with -s, you just specify them like you do the
host/port to connect to.  Specifying the local address is still optional
* Added -g/-G for IPv4 loose source routing (based on Nsock changes)
* Made -s actually work for binding to a local address when doing a connect
(based on Nsock changes)
* Added -p for specifying the local port to bind to (based on Nsock
changes)
* Added -w for specifying a connect timeout, while keeping -t for
"idle timeout".  This differs from traditional netcat, but I like the
distinction
* Added IPv6 support to --broker
* Added host access control to UDP listener and --broker
* Options taking a time argument now allow time specifications like Nmap
does (e.g. append "s" for seconds).
* Completed VC++2008 port
* Added -c, which is like -e but executes via /bin/sh
* Created preliminary ncat.xml docbook man page from original ncat.1
* Lots of cleaning up and other minor improvements

As you can see, we already have many features other Netcats are lacking!

Unlike Nmap changes, which usually have discussions or a patch, this is the
first time these changes are being mentioned here on nmap-dev.  So for a
full list of changes, and more information on some of the bigger ones, you
can check out the SVN logs.  I try to make good explanations in my commit
logs, but sometimes I can't help being lazy :)

There exist options for connecting through SOCKS4 and HTTP proxies, though
I haven't been able to test these yet.  Mixter tested the SOCKS proxy and
confirmed it's working.  There is also an option for creating and listening
as a SOCKS4 server, but comments in the code say it's broken.

For my SSL listening changes, I've added the options --ssl-cert and
--ssl-key for specifying the certificate and private key to use.  These are
certainly subject to change with any ideas on improvements.

So, while keeping in mind wanting to have an easy-to-maintain and
non-bloated Ncat, what other features would you like to see?  Do you see
any improvements that could/should be made on existing features?

Thanks!
Kris Katterjohn

[1] http://nmap-ncat.sourceforge.net/
[2] svn://svn.insecure.org/ncat



-- 
Ing. Sebastián García
http://minsky.surfnet.nl:11371/pks/lookup?op=get&search=0x3E42ED27F864EDE6

Attachment: ncat-internet-ssh-FIN-bug-1.txt
Attachment: ncat.internet.ssh.FIN-bug-1.pcap
Attachment: ncat-exec-bug-1.txt
Attachment: tcpdump-nc-file-transfer.pcap
Attachment: tcpdump-ncat-file-transfer.pcap

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org