Home page logo
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News


Nmap Network Scanning

Neat Tricks

Send Mail

It is great fun to interact with text-based network protocols with nothing more than Ncat and a keyboard. Here's a short example showing how to send email by talking to an SMTP server. SMTP is described in RFC 5321, but you don't need to know much about the protocol to send a simple message. The service's assigned port number is 25, and we use -C because it requires CRLF line endings. Example 8 contains a transcript of a session.

Example 8. Ncat as mail client

$ ncat -C mail.example.com 25
220 mail.example.com ESMTP
HELO client.example.com
250 mail.example.com Hello client.example.com
MAIL FROM:a@example.com
250 OK
RCPT TO:b@example.com
250 Accepted
354 Enter message, ending with "." on a line by itself
From: a@example.com
To: b@example.com
Subject: Greetings from Ncat

Hello. This short message is being sent by Ncat.
250 OK
221 mail.example.com closing connection

To make this example work for you, change mail.example.com to your SMTP server and client.example.com to your domain name. Naturally you'll want to change the email addresses and message too. It will likely only work when using your normal mail server with your real email address, or when using the recipient's mail server (look up the MX record for the domain name in their email address).

Obviously this technique can be used for more than just sending mail. Ncat is a great interactive debugging tool for any text-based protocol. Such debugging is sometimes done with the telnet command, because it provides something like a raw text stream. Ncat offers a few advantages over telnet, though. Ncat doesn't print anything except what is sent by the remote host. Telnet isn't suitable for arbitrary binary data because it reserves some bytes as control characters. The telnet command quits when its input runs out, so you may not see what the other end sends. And finally, telnet doesn't do UDP.

Chain Ncats Together

Ncat is designed to work within a pipeline, so naturally the output of one instance of Ncat can be fed into the input of another. Here is one way to send a log file from host1 to host3 by way of host2:

host3$ ncat -l > log.txt
host2$ ncat -l | ncat host3
host1$ ncat --send-only host2 < log.txt

A possible problem with this technique is that it is one-way: host1 can send to host3 but there is no way for host3 to send anything back to host1. In this case it doesn't matter, but it can be done with a small change. Consider this:

host3$ ncat -l > log.txt
host2$ ncat -l --sh-exec "ncat host3"
host1$ ncat --send-only host2 < log.txt

The Ncat listening on host2, upon receiving a connection, creates a new Ncat to speak to host3 and connects the inputs and outputs of the programs running on host1 and host3 together. The same trick can be used on the local host too. This example forwards the local port 8080 to the web server on example.org:

ncat -l localhost 8080 --sh-exec "ncat example.org 80"

Unwrap SSL

Suppose you need to connect to an IMAP server that requires SSL, but your mail reader doesn't support SSL. Ncat can act as the encrypted bridge to connect the client and server. You will connect the mail client to a local port and Ncat will forward the traffic, encrypted, to the server. Here's how to connect IMAP (port 143) on the local host to IMAP over SSL (port 993) on imap.example.com.

ncat -l localhost 143 --sh-exec "ncat --ssl imap.example.com 993"

Once this is in place, instruct the mail client to connect to the IMAP server on localhost.

This trick works for protocols that pass traffic strictly between two hosts. It doesn't work well for HTTP because HTTP is usually aware of hostnames and often involves multiple hosts.

Use SSH Through an Ncat Tunnel

With Ncat and OpenSSH you can SSH to a host behind a NAT router without having to forward ports on the router. The router must have Ncat installed. Here is how to SSH to <host> through <router>:

ssh -o ProxyCommand="ssh -q <router> ncat %h %p" <host>

The ProxyCommand option of ssh tells how to open the SSH connection to <host>. It does this by opening another SSH session to <router> and connecting it to <host> with Ncat.

Watch What Nmap's Version Detection is Doing

Ncat can show you at a low level what's going on when Nmap version-scans a service. We'll make a service that only listens and instruct Nmap to use every version probe in the book. Set up Ncat to listen and record a hex dump log. The --keep-open option will make Ncat keep listening and accepting more connections after the first one is finished, contrary to the normal listen mode behavior of quitting when the first connection ends. Some version probes are binary so redirect standard output to /dev/null to avoid writing them to the screen.

ncat -l --keep-open 5200 --hex-dump vscan.log > /dev/null

Now scan the open port you made:

nmap -d -sV --version-all localhost -p 5200

An except of the hex dump is shown in Example 9.

Example 9. Hex dump of Nmap version detection

[0000]   0D 0A 0D 0A                                         ....
[0000]   47 45 54 20 2F 20 48 54   54 50 2F 31 2E 30 0D 0A   GET / HT TP/1.0..
[0010]   0D 0A                                               ..
[0000]   4F 50 54 49 4F 4E 53 20   2F 20 48 54 54 50 2F 31   OPTIONS  / HTTP/1
[0010]   2E 30 0D 0A 0D 0A                                   .0....
[0000]   4F 50 54 49 4F 4E 53 20   2F 20 52 54 53 50 2F 31   OPTIONS  / RTSP/1
[0010]   2E 30 0D 0A 0D 0A                                   .0....
[0000]   80 00 00 28 72 FE 1D 13   00 00 00 00 00 00 00 02   ...(r... ........
[0010]   00 01 86 A0 00 01 97 7C   00 00 00 00 00 00 00 00   .......| ........
[0020]   00 00 00 00 00 00 00 00   00 00 00 00               ........ ....
[0000]   00 1E 00 06 01 00 00 01   00 00 00 00 00 00 07 76   ........ .......v
[0010]   65 72 73 69 6F 6E 04 62   69 6E 64 00 00 10 00 03   ersion.b ind.....
[0000]   00 0C 00 00 10 00 00 00   00 00 00 00 00 00         ........ ......
[0000]   45 48 4C 4F 0D 0A                                   EHLO..
[0000]   48 45 4C 50 0D 0A                                   HELP..

At the beginning, Nmap would have sent its NULL probe, which isn't shown in the log file because the NULL probe doesn't send anything. At the top of the log is the GenericLines probe (0D 0A 0D 0A, or \r\n\r\n). After that is our old friend the HTTP GET request. Then come all the other probes in the nmap-service-probes file. In this excerpt are shown probes designed to get a response from RPC, DNS, and SMTP.

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]