Using ncat in Broker Mode

Posted on Wed 09 November 2016 in howto

Picking back up on the ncat series started earlier this year...

I was looking through the various options for ncat and came across an option I hadn't seen before: Broker mode. After reading through the examples, I learned that the --chat mode is really just a special mode of connection brokering.

In ncat, "brokering" a connection allows multiple connections to the same listening instance: it takes the input from one connection and sends it as output to all the other connections. The ncat chat server adds labels showing who said what to help keep the confusion down, but in every other way it is simply a brokered connection.

This mode of operation could come in handy when two systems cannot connect directly to each other, perhaps due to NAT'ing or other firewall restrictions. Utilizing a third system can help move data efficiently between systems.
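The relay behaviour described above, as an added Python sketch (not ncat's code and not from the original post). It shows why every client that reaches a broker port gets a copy of the data; the `allowed_ips` check is a hypothetical stand-in for the role ncat's `--allow` option plays, and the loopback addresses and payload are constructed for the demo.

```python
import select, selectors, socket, threading

def run_broker(listener, allowed_ips, stop):
    """Relay each client's bytes to every *other* client (fan-out, no echo)."""
    sel = selectors.DefaultSelector()
    sel.register(listener, selectors.EVENT_READ)
    clients = set()
    while not stop.is_set():
        for key, _ in sel.select(timeout=0.1):
            sock = key.fileobj
            if sock is listener:
                conn, (ip, _port) = listener.accept()
                if ip in allowed_ips:
                    sel.register(conn, selectors.EVENT_READ)
                    clients.add(conn)
                else:          # with no source filter, anyone who can reach
                    conn.close()  # the port would receive the relayed data
                continue
            try:
                data = sock.recv(4096)
            except ConnectionError:
                data = b""
            if not data:       # peer closed: stop relaying to it
                sel.unregister(sock)
                clients.discard(sock)
                sock.close()
                continue
            for other in clients - {sock}:  # every other client gets a copy
                other.sendall(data)
    for c in clients:
        c.close()
    sel.close()

def demo(payload=b"Server: nc -6 -l 80\n", allowed_ips=("127.0.0.1",)):
    """Constructed loopback run: two receivers and one sender, ephemeral port."""
    listener = socket.create_server(("127.0.0.1", 0))
    stop = threading.Event()
    broker = threading.Thread(target=run_broker, args=(listener, set(allowed_ips), stop))
    broker.start()
    addr = listener.getsockname()
    receivers = [socket.create_connection(addr, timeout=2) for _ in range(2)]
    sender = socket.create_connection(addr, timeout=2)
    sender.sendall(payload)
    got = [r.recv(4096) for r in receivers]
    echoed = bool(select.select([sender], [], [], 0.3)[0])  # anything sent back?
    stop.set()
    broker.join()
    for s in receivers + [sender, listener]:
        s.close()
    return got, echoed
```

Calling `demo()` returns the bytes each receiver saw and whether the sender got anything back.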

Use of the --broker flag implies the -l flag:

    ubahmapk@laptop:~ > ncat --broker -v 
    Ncat: Version 7.25SVN ( https://nmap.org/ncat )
    Ncat: Listening on :::31337
    Ncat: Listening on 0.0.0.0:31337

If no listening port is specified, the highly popular port of 31337 is used as the default.

Using broker mode, we can transfer files from one host to another (or multiple!) through an intermediate host. First set up the listening broker on port 443 (since that was the only other port open on my firewall):

    [email protected]:~$ sudo ncat -l -v --broker -p 443
    Ncat: Version 7.25SVN ( https://nmap.org/ncat )
    Ncat: Listening on :::443
    Ncat: Listening on 0.0.0.0:443

Get ready to receive the file:

    [email protected]:~$ ncat --recv-only 192.168.2.99 443 | tee outputfile

By piping the output through tee, we can see the data as it comes in while also saving it to the file.

We can see on the broker that the receiving host connected:

    Ncat: Connection from 192.168.1.6.
    Ncat: Connection from 192.168.1.6:40868.

Now that everything's set up, we can send our precious data! Just for fun, I'm using the HTTP headers from the SANS Internet Storm Center website:

    ubahmapk@sending-host:~$ cat headers
    HTTP/1.1 200 OK
    Date: Wed, 09 Nov 2016 21:42:25 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Server: nc -6 -l 80
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    X-HeyJason: DEV522 rocks
    Permitted-Cross-Domain-Policies: none
    Public-Key-Pins: pin-sha256="yPygUehClEHV8rvCx38NfHm7VA6IQN65Jkp2W4czLl4=";pin-sha256="ujF0jpR9Bfbrlj2annpMzkLl1DZr1y80DAqNkoAw9IA=";pin-sha256="oBPvhtvElQwtqQAFCzmHX7iaOgvmPfYDRPEMP5zVMBQ=";pin-sha256="Ofki57ad70COg0ke3x80cbJ62Tt3c/f3skTimJdpnTw="; pin-sha256="kS2Xhr6z68kfHmJMGRYw5Gept+QuLctgg7RQaHUfYHc="; max-age=2592000; report-uri="https://sansisc.report-uri.io/r/default/hpkp/enforce"
    Strict-Transport-Security: max-age=63072000
    X-Do-Not-Hack: 18 U.S.C. Parag 1030
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy-Report-Only: default-src 'self' www.sans.org; report-uri https://sansisc.report-uri.io/r/default/csp/reportOnly; script-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'; frame-src www.sans.org
    Cache-Control: max-age=0, public
    Expires: Wed, 09 Nov 2016 21:42:25 GMT
    X-IPv6-Geekiness: FALSE

So, let's send the file:

    ubahmapk@sending-host:~$ ncat --send-only 192.168.2.99 443 < headers

The broker console confirms the sending host's connection:

    Ncat: Connection from 10.1.0.4.
    Ncat: Connection from 10.1.0.4:59048.

and the resulting file is stored in 'outputfile'.

Broker mode is certainly not the only way to send a file, and probably not even the most common. But it is certainly interesting. Not to mention the fact that it is always good to know all the available options. :-)