Restricting Connections to ncat

Posted on Fri 08 April 2016 in howto

We've already seen the usefulness of ncat, including ncat SSL sessions and running chat servers. Now we address the potential issue of unintended users of our listening ncat sessions.

Why would you want to limit access to an ncat listener?

If you're competing in a Capture the Flag event and you've managed to establish an ncat listener, it would be no good to take a host you worked so hard to gain and give it away to the other competitors.

Worse still would be a live pentest, rather than a Capture the Flag event, in which you opened a hole to a live shell console for real attackers while simply conducting your test!

Connections to the ncat session can be restricted via the use of the following flags:

  • --allow
  • --deny
  • --allowfile
  • --denyfile

These largely work as you might expect. Per the ncat man page, each of these options supports the standard host specification as used by Nmap.

    ubahmapk@laptop:~ > ncat -v --chat -l -p 8888 --deny 192.168.0.30
    Ncat: Version 7.12 ( https://nmap.org/ncat )
    Ncat: Listening on :::8888
    Ncat: Listening on 0.0.0.0:8888
    Ncat: Connection from 192.168.0.30 on file descriptor 5.
    Ncat: Connection from 192.168.0.30:64554.
    Ncat: New connection denied: not allowed

When the client attempts to connect, the only message received is:

    C:\USERS\ubahmapk> ncat 192.168.0.10 8888
    close: No error

This actually differs from what the client sees when the port isn't open:

    C:\USERS\ubahmapk> ncat 192.168.0.10 8888
    Ncat: No connection could be made because the target machine actively refused it. .

(The extra period at the end is not a typo on my part. It's really included in the output...)

Obviously, in most cases permitting or restricting a single IP is not so helpful. So you can also use the --allowfile or --denyfile options. The files specified here should contain one entry (either IP, hostname, or CIDR range) per line.
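A pre-flight check for such a file, as an added example that is not part of the original post: it parses each line as an IP, CIDR range or hostname, flags entries that are malformed or broader than intended, and confirms which peers the IP and CIDR entries admit. The sample file contents, the peer addresses, the 256-address threshold and the function names are constructed for illustration; only the three entry kinds named above are handled, and hostnames are shape-checked, not resolved.

```python
import ipaddress
import re

# Hostname shape check only: dot-separated labels, last label starts with a letter.
HOSTNAME_RE = re.compile(r"^(?:[A-Za-z0-9-]{1,63}\.)*[A-Za-z][A-Za-z0-9-]{0,62}$")

# Constructed sample file contents (not from the original post).
SAMPLE_ALLOWFILE = """\
192.168.0.10
192.168.0.30
192.168.1.0/24
10.0.0.0/8
teammate.example.test
192.168.0.300
"""

def lint_allowfile(text, max_addresses=256):
    """Return (networks, hostnames, problems); problems are (line, entry, reason)."""
    networks, hostnames, problems = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue  # this checker skips blank lines
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            if HOSTNAME_RE.match(entry):
                hostnames.append(entry)
                problems.append((lineno, entry, "hostname: access depends on name resolution"))
            else:
                problems.append((lineno, entry, "not an IP, CIDR range or hostname"))
            continue
        networks.append(net)
        if net.num_addresses > max_addresses:
            problems.append((lineno, entry, f"broad range: {net.num_addresses} addresses"))
    return networks, hostnames, problems

def covered(peer, networks):
    """True if the peer IP falls inside any parsed IP or CIDR entry."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in networks)

if __name__ == "__main__":
    nets, hosts, problems = lint_allowfile(SAMPLE_ALLOWFILE)
    for lineno, entry, reason in problems:
        print(f"line {lineno}: {entry}: {reason}")
    for peer in ("192.168.0.30", "192.168.1.77", "172.16.5.4"):  # constructed peers
        print(peer, "allowed" if covered(peer, nets) else "NOT allowed")
```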

Combining all the techniques we've seen so far, we can very quickly and easily set up a private, encrypted chat server for use in... well, doing almost anything you want. It could be used as a poor man's red team dumping ground, so that all members of the team have access to all the accounts and hosts compromised so far, for example.

    ncat -v --ssl --allowfile allowed-ips -l -p 8443 --chat

I used port 8443 here to help the encrypted chat traffic possibly blend in with other potential traffic.

We still have a few more options to cover in the coming weeks, but we're off to a great start! :-)