ncat is a full rewrite from the nmap team of the traditional netcat (nc) network “Swiss Army Knife”.

ncat is full of really slick new features, but the one I will cover here is the ability to do all the wonderful things nc could do, but over an SSL connection. (Yes, yes, yes: I should call it a TLS connection instead, but since the ncat documentation still refers to it as “SSL”, I will do the same here.)

To establish an encrypted ncat session, simply pass the “--ssl” option to ncat, along with the hostname or IP and destination port, like you would with any other connection:

ubahmapk@laptop:~ > echo -e "GET / HTTP/1.1\r\nHost: \
ubahmapk.github.io\r\nUser-Agent: ncat\r\nAccept: */*\r\nReferer: \
https://www.google.com/?gws_rd=ssl#q=ncat+ssl\r\n\r\n" \
| ncat --ssl -v ubahmapk.github.io 443
Ncat: Version 6.49SVN ( http://nmap.org/ncat )
Ncat: SSL connection to 23.235.44.133:443. Fastly, Inc.
Ncat: SHA-1 fingerprint: 2199 1384 6372 1713 B9ED 0E8F 00A5 9B73 0DD0 5658
HTTP/1.1 200 OK
Server: GitHub.com
Content-Type: text/html; charset=utf-8
Last-Modified: Mon, 21 Mar 2016 02:14:16 GMT
Access-Control-Allow-Origin: *
Expires: Mon, 21 Mar 2016 03:42:50 GMT
Cache-Control: max-age=600
X-GitHub-Request-Id: 17EB2C2C:38FF:984CD29:56EF6B60
Content-Length: 12733
Accept-Ranges: bytes
Date: Mon, 21 Mar 2016 03:32:50 GMT
Via: 1.1 varnish
Age: 0
Connection: keep-alive
X-Served-By: cache-dfw1826-DFW
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1458531170.944139,VS0,VE49
Vary: Accept-Encoding
X-Fastly-Request-ID: f9a65b919e4649f5ef6f24397ecdf953fee840dd

[trimmed output]

The ‘-v’ option above caused ncat to include the three lines at the top beginning with “Ncat:”, which confirm the version running, along with the SSL connection information. Adding three ‘-v’ options would add information like this:

 NCAT DEBUG: Using system default trusted CA certificates and those in /usr/local/share/ncat/ca-bundle.crt.
 Ncat: Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
 Ncat: Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
 Ncat: SHA-1 fingerprint: 5FB7 EE06 33E2 59DB AD0C 4C9A E6D3 8F1A 61C7 DC25
 Ncat: Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
 Ncat: Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
 Ncat: SHA-1 fingerprint: A031 C467 82E6 E6C6 62C2 C87C 76DA 9AA6 2CCA BD8E
 Ncat: Subject: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=www.github.com
 Ncat: Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
 Ncat: SHA-1 fingerprint: 2199 1384 6372 1713 B9ED 0E8F 00A5 9B73 0DD0 5658
 NCAT DEBUG: Checking certificate DNS name "www.github.com" against "ubahmapk.github.io".
 NCAT DEBUG: Checking certificate DNS name "*.github.com" against "ubahmapk.github.io".
 NCAT DEBUG: Checking certificate DNS name "github.com" against "ubahmapk.github.io".
 NCAT DEBUG: Checking certificate DNS name "*.github.io" against "ubahmapk.github.io".
 Ncat: SSL connection to 23.235.40.133:443. Fastly, Inc.
 Ncat: SHA-1 fingerprint: 2199 1384 6372 1713 B9ED 0E8F 00A5 9B73 0DD0 5658

But three ‘-v’ options also bring in a great deal of other detail from the libnsock library, which can greatly clutter up the output.
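The fingerprint ncat prints can be checked against a known-good value, which is handy when the output is too cluttered to eyeball. The following is an added example, not code from the original post or from the Nmap project; the function names and the sample text (assembled from output lines shown above) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pin the certificate fingerprint that ncat -v reports.
# Constructed sample, assembled from lines of the -vvv output shown above
# (one chain certificate, then the connection line and the peer fingerprint).
SAMPLE_NCAT_OUTPUT=' Ncat: Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
 Ncat: SHA-1 fingerprint: A031 C467 82E6 E6C6 62C2 C87C 76DA 9AA6 2CCA BD8E
 Ncat: SSL connection to 23.235.40.133:443. Fastly, Inc.
 Ncat: SHA-1 fingerprint: 2199 1384 6372 1713 B9ED 0E8F 00A5 9B73 0DD0 5658'

# Reduce a fingerprint in ncat style ("2199 1384 ...") or openssl style
# ("21:99:13:...") to 40 upper-case hex digits; fail if it is not SHA-1 sized.
normalize_fp() {
    fp=$(printf '%s' "$1" | tr -d ' :\t\n' | tr 'abcdef' 'ABCDEF')
    case "$fp" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fp}" -eq 40 ] || return 1
    printf '%s\n' "$fp"
}

# Read ncat's verbose output on stdin and print the fingerprint reported right
# after "SSL connection to", skipping the chain fingerprints that -vvv lists first.
ncat_peer_fp() {
    awk '
        /^ ?Ncat: SSL connection to / { seen = 1; next }
        seen && /^ ?Ncat: SHA-1 fingerprint: / {
            sub(/^ ?Ncat: SHA-1 fingerprint: /, "")
            print
            exit
        }'
}

# Exit 0 on match, 1 on mismatch, 2 for a malformed pin, 3 if ncat's output
# held no peer fingerprint (for example, the handshake never completed).
pin_matches() {
    want=$(normalize_fp "$1") || return 2
    got=$(normalize_fp "$(ncat_peer_fp)") || return 3
    [ "$got" = "$want" ]
}

# Typical use, with HOST and PINNED_FP as placeholders (ncat writes its
# "Ncat:" lines to stderr, hence 2>&1):
#   ... | ncat --ssl -v HOST 443 2>&1 | pin_matches "$PINNED_FP"
printf '%s\n' "$SAMPLE_NCAT_OUTPUT" |
    pin_matches '21:99:13:84:63:72:17:13:B9:ED:0E:8F:00:A5:9B:73:0D:D0:56:58' &&
    echo "peer fingerprint matches pin"
```

The pin may be written in either ncat's four-digit groups or the colon-separated form that `openssl x509 -fingerprint -sha1` prints, since both are normalized before comparison.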

Inbound connections with ncat can also utilize the ssl option:

ncat --ssl -l -p 443 -e /bin/bash

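(The above is a terrible thing to run: -e hands a bash shell to anyone who can reach the port, and the SSL option encrypts that session without restricting who may connect. Do NOT do that…)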

The listing below shows the options used to specify the SSL certificate and private key; certificate validation behavior and which file should be used to validate certificates; and which SSL ciphers to accept (or reject):

--ssl-cert             Specify SSL certificate file (PEM) for listening
--ssl-key              Specify SSL private key (PEM) for listening
--ssl-verify           Verify trust and domain name of certificates
--ssl-trustfile        PEM file containing trusted SSL certificates
--ssl-ciphers          Cipherlist containing SSL ciphers to use

If you needed to make SSL connections with the traditional nc client, you could either create an stunnel connection or use the openssl s_client command as an ncat-style client:

ubahmapk@laptop:~ > openssl s_client -host ubahmapk.github.io -port 443 
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Fastly, Inc.", CN = www.github.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=www.github.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate

[output trimmed]

But this method isn’t nearly as clean, and doesn’t allow for all the other functionality of netcat!

In fact, I’ll probably start a series on the different ncat options just for fun… :-)