Using Ncat to diagnose a network client

Ncat can be used for a wide range of tasks including diagnosing network communications. The ability to easily set it up as a proxy is helpful when we need to analyze the traffic sent by a network client. With the help of Ncat, we can analyze the data exchanged and identify possible errors.

This recipe describes how to use Ncat to analyze network communications between a remote server and our local client.

How to do it...

Start a local listener with Ncat:

$ncat -l -k 5555 --hex-dump client.txt

We now have a listener on localhost port 5555. It is time to configure our client to connect to our local IP address (it works on remote IP addresses as well). Connect to our listener to see the traffic that is sent by the client. For example, to see what probes are sent during a service scan, we use this:

$nmap -sV -p 5555 localhost

The traffic sent will be displayed as the output of our first ncat command:

$ncat -l -k 5555 --hex-dump client.txt
versionbind??SMB@@?PC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.2X002SambaNT LANMAN 1.0NT LM 0.12CNXN2????host::GET / HTTP/1.0
OPTIONS / HTTP/1.0
OPTIONS / RTSP/1.0
?(r????|

Depending on the client, a configuration might support proxies out of the box. If not, use the target IP address to the host where your listener is running. Note that you may not be able to change the port, but you can use the same port on your local machine to work around this. The hex dump will be saved in the client.txt file:

Figure 2.2 – Hex dump of traffic sent by the client

How it works...

The ncat command starts a listener on localhost port 5555 (-l 5555) that accepts multiple connections (-k) and dumps the output in hexadecimal format (--hex-dump client.txt). In this case, Ncat acts as a proxy between the local or remote server and our client (Nmap) and the client is instructed to connect to the proxy. Note that in this example we are not re-routing the network traffic, but it is possible. The output shown by Ncat is the traffic sent by the client.

The interesting option here is --hex-dump, which allows us to see those unprintable characters usually found in network traffic. Hex format makes it easier to analyze and compare with the expected results. If something is not being sent correctly, we would catch it here after reading the output.

There is more...

Since Ncat supports encrypted channels out of the box, a simple solution to upgrade services that use plain text to communicate is tunneling the traffic in an encrypted channel with Ncat. Ncat can chain multiple commands to achieve this – as here, for example:

ncat -l localhost 143 --sh-exec "ncat --ssl imap.packtpub.com 993"

Once the client connects to local port 143, it connects to imap.packtpub.com using an encrypted channel (--ssl). When the network traffic leaves the box, it will be using the SSL channel.