4 min read

On Ncat

Traditionally called the “Swiss Army knife” for reading, writing and redirecting traffic across network connections, Ncat is used in a variety of different ways, including controlling and debugging network connections. It is an improved replacement for netcat and is included when downloading Nmap.

Although for some use cases it can act as a drop-in replacement for netcat, it is different in several important areas in that it offers:

  • Security and authentication via TLS
  • Support for IPv6
  • Connection brokering
  • Proxy connections

Here are some of its use cases:

  • Act as a TCP client or server for HTTP, FTP and other TCP/IP connections. This enables fine control over what a client sends to a server, and it also allows investigation into what a client is doing.
  • Set up secure channels using TLS.
  • Redirect or proxy TCP and UDP (among others) connections to other hosts.
  • Acts as a network cat.

Since Ncat is a pipeline tool that reads from stdin and writes to stdout, it can be used in any manner of of I/O redirection with which you’re accustomed. None of the streams are altered unless given the the -C flag (adds CRLF for EOL sequence).

Ncat either operates in connect mode (client) or listen mode (server). Let’s take a look at some use cases

Connect Mode

One of the simplest uses is to connect to a TCP server, like Telnet:

    ncat -C benjamintoll.com 80
    > HTTP / GET/1.0
    >
    >

Using TLS:

    ncat -C --ssl theowlsnestfarm.com 443
    > HTTP / GET/1.0
    >
    >

Listen Mode

Here is Ncat listening as a server:

    ncat -l localhost 10003 < <(echo -e "HTTP/1.0 200 OK\n\n<h1>hello world</h1>")

Simply point a browser to localhost:10003.

Note that, in the previous example, Ncat is expecting a file descriptor to be redirected to stdin, so you could replace the process substitution here with a regular file.

The following would also do the same as the previous listening Ncat example:

    echo -e "HTTP/1.0 200 OK\n\n<h1>hello world</h1>" | ncat -l localhost 10003

Or:

    cat | ncat -l localhost 10003
    > HTTP/1.0 200 OK
    >
    > <h1>hello world</h1>
    >

Note that there are also many examples of using TLS with both server and client certificates in the Ncat guide.

Access Control

Ncat also supports access control. You can whitelist and blacklist by host (--allow and --deny, respectively) or by lists in a file (--allowfile or --denyfile). Ncat supports the following syntax:

  • IPv4 and IPv6 addresses
  • hostnames
  • IPv4 octet ranges
  • CIDR netmasks

For example:

    ncat -l --allow 2001:db8::7d
    ncat -l --deny google.com
    ncat -l --allow 192.168.0.0/24
    ncat -l --allowfile trusted_hosts.txt

You can also limit the number of connections:

    ncat -l --max-conns 3

Naturally, this is not secure and shouldn’t be replied upon in any significant way, but I think it’s good enough for a quick file transfer or chat session or the like.

Command Execution

Ncat allows a server to respond with the results of a command executed by means of:

  • Directly executing a binary
  • Passing a command string to be interpreted by a shell
  • Invoking a Lua script

For example, the following commands will do the same thing, i.e., list the contents of the directory of the Ncat “server”:

    ncat -le "/bin/ls -al"
    ncat -l --sh-exec "ls -al"

The client request:

    ncat localhost

Although I don’t use it very frequently, it does come in handy.

File Transfer

I usually prefer scp over Ncat when transferring a single file, except in one instance - archive files. I find it preferable to use Ncat because doing the operation as a stream means that I don’t have to create a temporary archive file.

For example, the following will stream a bzip2 archive from trout to chomsky:

    chomsky$ ncat -l 1972 | tar xjv
      trout$ tar cjv keygen.c Makefile | ncat --send-only chomsky 1972

As you can see, the listening Ncat on chomsky receives the stream and pipes it to tar, thereby “untarring” it without further intervention from me. As an added bonus, the --send-only flag will automatically close the connection as soon as the transfer is complete.

Using a Broker

    chomsky$ ncat -l --broker
       nero$ ncat chomsky > outputfile
      trout$ ncat --send-only chomsky < inputfile

Chat

Simple two user chat:

    germanicus$ ncat -kl --max-conns 1
          nero$ ncat germanicus

Note that without the access control flag other clients can connect to the listening Ncat but that that will only establish its own channel with the “server”. In other words, none of the other clients will “hear” the conversation. Use it or don’t :)

If multi-user chat is desired, simply start Ncat in listening mode with the --broker flag:

    ncat -l --broker

A multi-user chat with designated usernames can be used with the --chat option. For example, all messages all prefaced with <usern>, where n is the client connection’s file descriptor (this cannot be changed). This will automatically enable connection brokering.

    ncat -l --chat

Anything received on one channel is broadcast out to all the other channels, but note that the server doesn’t receive any client messages.

Incidentally, I wrote a simple chat program that does the same, and it does allow the connecting client to choose a unique username.