I was looking through the various options for ncat and came across an option I hadn’t seen before: Broker mode. After reading through the examples, I learned that the
--chat mode is really just a special mode of connection brokering.
In ncat, “brokering” a connection allows multiple connections to the same listening instance, and takes the input from one connection and send it as output to all the other connections. The ncat chat server adds labels to who said what to help keep the confusion down, but in every other way, it is simply a brokered connection.
This mode of operation could come in handy when two systems cannot connect directly to each other, perhaps due to NAT’ing or other firewall restrictions. Utilizing a third system can help move data efficiently between systems.
Use of the
--broker flag implies the
ubahmapk@laptop:~ > ncat --broker -v Ncat: Version 7.25SVN ( https://nmap.org/ncat ) Ncat: Listening on :::31337 Ncat: Listening on 0.0.0.0:31337
If no listening port is specified, the highly popular port of 31337 is used as the default.
Using broker mode, we can transfer files from one host to another (or multiple!) through an intermediate host. First set up the listening broker on port 443 (since that was the only other port open on my firewall):
ubahmapk@broker-host:~$ sudo ncat -l -v --broker -p 443 Ncat: Version 7.25SVN ( https://nmap.org/ncat ) Ncat: Listening on :::443 Ncat: Listening on 0.0.0.0:443
Get ready to receive the file:
ubahmapk@receiving-host:~$ ncat --recv-only 192.168.2.99 443 | tee outputfile
By piping the output through tee, we can see the data as it comes in while also saving it to the file.
We can see on the broker that the receiving host connected:
Ncat: Connection from 192.168.1.6. Ncat: Connection from 192.168.1.6:40868.
Now that everything’s setup, we can send our precious data! Just for fun, I’m using the HTTP headers from the SANS Internet Storm Center website:
ubahmapk@sending-host:~$ cat headers HTTP/1.1 200 OK Date: Wed, 09 Nov 2016 21:42:25 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive Server: nc -6 -l 80 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-HeyJason: DEV522 rocks Permitted-Cross-Domain-Policies: none Public-Key-Pins: pin-sha256="yPygUehClEHV8rvCx38NfHm7VA6IQN65Jkp2W4czLl4=";pin-sha256="ujF0jpR9Bfbrlj2annpMzkLl1DZr1y80DAqNkoAw9IA=";pin-sha256="oBPvhtvElQwtqQAFCzmHX7iaOgvmPfYDRPEMP5zVMBQ=";pin-sha256="Ofki57ad70COg0ke3x80cbJ62Tt3c/f3skTimJdpnTw="; pin-sha256="kS2Xhr6z68kfHmJMGRYw5Gept+QuLctgg7RQaHUfYHc="; max-age=2592000; report-uri="https://sansisc.report-uri.io/r/default/hpkp/enforce" Strict-Transport-Security: max-age=63072000 X-Do-Not-Hack: 18 U.S.C. Parag 1030 X-Frame-Options: SAMEORIGIN Content-Security-Policy-Report-Only: default-src 'self' www.sans.org; report-uri https://sansisc.report-uri.io/r/default/csp/reportOnly; script-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'; frame-src www.sans.org Cache-Control: max-age=0, public Expires: Wed, 09 Nov 2016 21:42:25 GMT X-IPv6-Geekiness: FALSE
So, let’s send the file:
ubahmapk@sending-host:~$ ncat --send-only 192.168.2.99 443 < headers
The broker console confirms the sending host’s connection:
Ncat: Connection from 10.1.0.4. Ncat: Connection from 10.1.0.4:59048.
and the resulting file is stored in ‘outfile’.
Broker mode is certainly not the only way to send a file, and probably not even the most common. But it is certainly interesting. Not to mention the fact that it is always good to know all the available options. :-)