9.3 Netcat
| Netcat is the next logical step up from telnet. Like telnet, it lets you send data to and from text-based TCP protocols, but it also has the following additional features:
9.3.1 Installing NetcatNetcat sometimes comes installed with operating systems, but most often it does not. If you do have it, it will likely be called nc and may live at /usr/bin/nc . If you do not have it, it can be retrieved from http://www.atstake.com/research/tools/network_utilities/. Be sure to unpackage it in its own separate directory because it will not create one for you. For example: Solaris% mkdir nc Solaris% mv nc110.tgz nc Solaris% cd nc Solaris% gunzip -c nc110.tgz tar xvf - The build system for Netcat is somewhat nontraditional. There is no configure script, but instead, you supply the name of the operating system to the make command line: Solaris% make solaris or Linux% make linux You can find the names used for other systems by reading the Makefile in the distribution. When the build is complete, there will be a file called nc , which is the Netcat program. 9.3.2 Using NetcatRunning Netcat with the -h option will produce a help listing: Solaris% nc -h [v1.10] connect to somewhere: nc [-options] hostname port[s] [ports] ... listen for inbound: nc -l -p port [-options] [hostname] [port] options: -g gateway source-routing hop point[s], up to 8 -G num source-routing pointer: 4, 8, 12, ... -h this cruft -i secs delay interval for lines sent, ports scanned -l listen mode, for inbound connects -n numeric-only IP addresses, no DNS -o file hex dump of traffic -p port local port number -r randomize local and remote ports -s addr local source address -u UDP mode -v verbose [use twice to be more verbose] -w secs timeout for connects and final net reads -z zero-I/O mode [used for scanning] port numbers can be individual or ranges: lo-hi [inclusive] If you wish to test a Web server, just as you did with telnet: Solaris% nc www.example.com 80 HEAD / HTTP/1.0 HTTP/1.1 200 OK Date: Wed, 26 Feb 2003 13:58:14 GMT Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT ETag: "3f80f-1b6-3e1cb03b" Accept-Ranges: bytes Content-Length: 438 Connection: close Content-Type: text/html Remember to type an extra newline after the request, regardless of whether it is a GET or a HEAD request. Netcat behaves somewhat differently than telnet. For one thing, it does not print a message indicating that the connection was established unless you use the -v option on the command line, indicating that you want verbose output. In a similar manner, you will need to use -v to ask Netcat to explicitly inform you if the connection is refused . Here is an example of how Netcat can be used to pipe data to or from a file: Solaris% (echo "GET / HTTP/1.0" ; echo ) nc www.example.com \ 80 > /var/tmp/out This is something that could not easily be done with telnet. In this example, Netcat is both reading input from a pipe and redirecting its output to a file. Of course, you do not have to do both; you may choose to pipe input from a file and view the results on the screen, or you may send the results to a file while typing the input to Netcat yourself. Here the entire output is sent to the file /var/tmp/out . For the input, we use the trick of placing two echo statements in parenthesis so that the extra newline character will be sent. Netcat can also store a hexadecimal dump of traffic using the -o option: Solaris% nc -o /var/tmp/hexout www.example.com 80 GET / HTTP/1.0 You will still be able view the text traffic on the screen, but an additional copy will be stored in /var/tmp/hexout that contains both the hexadecimal and text representations of the data. Data sent from the client to the server will be preceded by a right angle bracket; data sent from the server to the client will be preceded by a left angle bracket : Solaris% head /var/tmp/hexout > 00000000 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 30 0a # GET / HTTP/1.0. > 0000000f 0a # . < 00000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d # HTTP/1.1 200 OK. < 00000010 0a 44 61 74 65 3a 20 54 75 65 2c 20 32 35 20 46 # .Date: Tue, 25 F < 00000020 65 62 20 32 30 30 33 20 32 32 3a 31 31 3a 31 31 # eb 2003 22:11:11 < 00000030 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 # GMT..Server: Ap < 00000040 61 63 68 65 2f 31 2e 33 2e 32 37 20 28 55 6e 69 # ache/1.3.27 (Uni < 00000050 78 29 20 20 28 52 65 64 2d 48 61 74 2f 4c 69 6e # x) (Red-Hat/Lin < 00000060 75 78 29 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 69 # ux)..Last-Modifi < 00000070 65 64 3a 20 57 65 64 2c 20 30 38 20 4a 61 6e 20 # ed: Wed, 08 Jan Constructing a UDP example is slightly harder because most UDP protocols are not encoded in a simple text format. However, if you place the appropriate binary data for a UDP service into a file, Netcat will happily send it. The following Perl script will create a valid DNS query in a binary format: #!/usr/bin/perl print pack("H*", "f5bc"."0100"."0001"."0000"); print pack("H*", "0000"."0000"."0377"."7777"); print pack("H*", "0765"."7861"."6d70"."6c65"); print pack("H*", "0363"."6f6d"."0000"."0100"); print pack("H*", "01"); Place the program in a file called make-packet.pl and give it execute permission with: Solaris% chmod u+x make-packet.pl You can then use it to place the packet data in a file: Solaris% ./make-packet.pl > /var/tmp/packet Now you can pipe that packet data to Netcat and have Netcat send it to a root name server while capturing the response in /var/tmp/hexout . If you wish, you can also run tcpdump at the same time to watch for the response. Solarisl% cat /var/tmp/packet nc -o /var/tmp/hexout -u \ 198.41.0.4 53 > /dev/null You will have to type <ctrl>-C to break the Netcat process. Since it is not making a TCP connection, it has no way of knowing when the conversation is over. Now examine the results in /var/tmp/hexout . You will see the packet you constructed sent to the server and the response from the server, which should list the address for www.example.com and the addresses of other top-level name servers as well. Finally, Netcat can be directed to listen on a port and accept incoming connections. This is useful for all sorts of things, including examination of client behavior. Say you have a Web browser that is not behaving properly and you suspect it may be sending strange options to the Web servers it tries to contact. You can instruct Netcat to listen on a port while the user attempts to load a Web page from your workstation: Solaris# nc -l -p 80 After you have started the program, it will sit and wait for a connection. Note that you must run Netcat from a root account if you wish to listen on port 80 or any other port below 1024. If you do not have root access to a machine, you can always use a higher numbered port and point the Web browser at that instead. Now you, or the user whose Web browser is misbehaving, can attempt to open a Web page using your workstation as the serving host. If the name of your workstation is workstation1.example.com , the URL would be http://workstation1.example.com/ . Once it is accessed, output like the following will appear from Netcat: GET / HTTP/1.0 Connection: Keep-Alive User-Agent: Mozilla/4.78 [en] (X11; U; SunOS 5.8 sun4u) Host: client1.example.com Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, ima... Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 If necessary, you can continue the HTTP transaction by typing text into Netcat. Otherwise, if you have all the information you need, you can break the session with <ctrl>-C.  |
EAN: 2147483647
Pages: 85