Using SSL Connections Over ncat

Posted on Sun 20 March 2016 in howto

ncat is a full rewrite from the nmap team of the traditional netcat (nc) network "Swiss Army Knife".

ncat is full of really slick new features, but the one I will cover here is the ability to do all the wonderful things nc could do, but over an SSL connection. (Yes, yes, yes: I should call it a TLS connection instead, but since the ncat documentation still refers to it as "SSL", I will do the same here.)

To establish an encrypted ncat session, simply pass the "--ssl" option to ncat, along with the hostname or IP and destination port, like you would with any other connection:

ubahmapk@laptop:~ > echo -e "GET / HTTP/1.1\r\nHost: \
ubahmapk.github.io\r\nUser-Agent: ncat\r\nAccept: */*\r\nReferer: \
https://www.google.com/?gws_rd=ssl#q=ncat+ssl\r\n\r\n" \
| ncat --ssl -v ubahmapk.github.io 443
Ncat: Version 6.49SVN ( http://nmap.org/ncat )
Ncat: SSL connection to 23.235.44.133:443. Fastly, Inc.
Ncat: SHA-1 fingerprint: 2199 1384 6372 1713 B9ED 0E8F 00A5 9B73 0DD0 5658
HTTP/1.1 200 OK
Server: GitHub.com
Content-Type: text/html; charset=utf-8
Last-Modified: Mon, 21 Mar 2016 02:14:16 GMT
Access-Control-Allow-Origin: *
Expires: Mon, 21 Mar 2016 03:42:50 GMT
Cache-Control: max-age=600
X-GitHub-Request-Id: 17EB2C2C:38FF:984CD29:56EF6B60
Content-Length: 12733
Accept-Ranges: bytes
Date: Mon, 21 Mar 2016 03:32:50 GMT
Via: 1.1 varnish
Age: 0
Connection: keep-alive
X-Served-By: cache-dfw1826-DFW
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1458531170.944139,VS0,VE49
Vary: Accept-Encoding
X-Fastly-Request-ID: f9a65b919e4649f5ef6f24397ecdf953fee840dd

[trimmed output]

The '-v' option above caused ncat to include the three lines at the top beginning with "Ncat: ", which confirm the version running, along with the SSL connection information. Adding three '-v' options would add information like this:

 NCAT DEBUG: Using system default trusted CA certificates and those in /usr/local/share/ncat/ca-bundle.crt.
 Ncat: Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
 Ncat: Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
 Ncat: SHA-1 fingerprint: 5FB7 EE06 33E2 59DB AD0C 4C9A E6D3 8F1A 61C7 DC25
 Ncat: Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
 Ncat: Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
 Ncat: SHA-1 fingerprint: A031 C467 82E6 E6C6 62C2 C87C 76DA 9AA6 2CCA BD8E
 Ncat: Subject: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=www.github.com
 Ncat: Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
 Ncat: SHA-1 fingerprint: 2199 1384 6372 1713 B9ED 0E8F 00A5 9B73 0DD0 5658
 NCAT DEBUG: Checking certificate DNS name "www.github.com" against "ubahmapk.github.io".
 NCAT DEBUG: Checking certificate DNS name "*.github.com" against "ubahmapk.github.io".
 NCAT DEBUG: Checking certificate DNS name "github.com" against "ubahmapk.github.io".
 NCAT DEBUG: Checking certificate DNS name "*.github.io" against "ubahmapk.github.io".
 Ncat: SSL connection to 23.235.40.133:443. Fastly, Inc.
 Ncat: SHA-1 fingerprint: 2199 1384 6372 1713 B9ED 0E8F 00A5 9B73 0DD0 5658

But it also includes a great deal of other detail from the libnsock library, which can greatly clutter up the output.

Inbound connections with ncat can also utilize the ssl option:

ncat --ssl -l -p 443 -e /bin/bash

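(The above is a terrible thing to run: it hands a shell to anyone who can reach the port, and --ssl only encrypts the session without authenticating who connects. Do NOT do that...)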

The options below specify the SSL certificate and private key used when listening; whether certificates are verified and which file of trusted certificates is used to verify them; and which SSL ciphers to accept (or reject):

--ssl-cert             Specify SSL certificate file (PEM) for listening
--ssl-key              Specify SSL private key (PEM) for listening
--ssl-verify           Verify trust and domain name of certificates
--ssl-trustfile        PEM file containing trusted SSL certificates
--ssl-ciphers          Cipherlist containing SSL ciphers to use
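
Added example (not from the original post or the ncat project): ncat's client performs no server certificate verification unless --ssl-verify is given, so this script pins a loopback listener's certificate with --ssl-trustfile and compares the result with the right trust file, the wrong one, and no verification at all. The port 4443, the payload, the file names and the helper functions make_cert and fetch are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: authenticate an ncat --ssl listener by pinning its certificate.
# Assumed, not from the post: port 4443 is free; names below are arbitrary.
PORT=4443
MSG="constructed test payload"
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert PREFIX: throwaway self-signed certificate and key for "localhost".
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# fetch [CLIENT OPTIONS]: start a one-shot loopback listener that presents
# server.crt and sends $MSG, connect one client with the given options, and
# print whatever that client received (nothing if the handshake was refused).
fetch() {
    echo "$MSG" | ncat -4 -l --send-only --ssl \
        --ssl-cert "$WORK/server.crt" --ssl-key "$WORK/server.key" \
        127.0.0.1 "$PORT" >/dev/null 2>&1 &
    listener=$!
    sleep 1    # give the listener time to bind
    ncat -4 --ssl --recv-only "$@" localhost "$PORT" 2>/dev/null || true
    kill "$listener" 2>/dev/null || true
    wait "$listener" 2>/dev/null || true
}

make_cert server    # what the listener presents
make_cert other     # unrelated certificate with the same name

# Trust file holds the listener's certificate: handshake succeeds.
echo "pinned to server.crt: [$(fetch --ssl-verify --ssl-trustfile "$WORK/server.crt")]"
# Trust file holds a different certificate: ncat aborts, nothing is received.
echo "pinned to other.crt:  [$(fetch --ssl-verify --ssl-trustfile "$WORK/other.crt")]"
# No --ssl-verify: encrypted, but any certificate is accepted.
echo "no --ssl-verify:      [$(fetch)]"
```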

If you needed to make SSL connections with the traditional nc client, you could either create an stunnel connection or use the openssl s_client command as a netcat-style client:

ubahmapk@laptop:~ > openssl s_client -host ubahmapk.github.io -port 443 
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Fastly, Inc.", CN = www.github.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=www.github.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate

[output trimmed]

But this method isn't nearly as clean, and doesn't allow for all the other functionality of netcat!

In fact, I'll probably start a series on the different ncat options just for fun... :-)