Using Ncat to diagnose a network client
Ncat can be used for a wide range of tasks including diagnosing network communications. The ability to easily set it up as a proxy is helpful when we need to analyze the traffic sent by a network client. With the help of Ncat, we can analyze the data exchanged and identify possible errors.
This recipe describes how to use Ncat to analyze network communications between a remote server and our local client.
How to do it...
Start a local listener with Ncat:
$ ncat -l -k 5555 --hex-dump client.txt
We now have a listener on localhost port 5555. It is time to configure our client to connect to our local IP address (it works on remote IP addresses as well). Connect to our listener to see the traffic that is sent by the client. For example, to see what probes are sent during a service scan, we use this:
$ nmap -sV -p 5555 localhost
The traffic sent will be displayed as the output of our first ncat command:
$ ncat -l -k 5555 --hex-dump client.txt
versionbind??SMB@@?PC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.2X002SambaNT LANMAN 1.0NT LM 0.12CNXN2????host::GET / HTTP/1.0 OPTIONS / HTTP/1.0 OPTIONS / RTSP/1.0 ?(r????|
Depending on the client, its configuration might support proxies out of the box. If not, point the client at the IP address of the host where your listener is running. Note that you may not be able to change the port, but you can listen on the same port on your local machine to work around this. The hex dump will be saved in the client.txt file.
How it works...
The ncat command starts a listener on localhost port 5555 (-l 5555) that accepts multiple connections (-k) and dumps the received data in hexadecimal format (--hex-dump client.txt). In this case, Ncat acts as a proxy between the local or remote server and our client (Nmap), and the client is instructed to connect to the proxy. Note that in this example we are not re-routing the network traffic, but it is possible. The output shown by Ncat is the traffic sent by the client.
The interesting option here is --hex-dump, which lets us see the unprintable characters usually found in network traffic. Hex format makes it easier to analyze the data and compare it with the expected results. If something is not being sent correctly, we will catch it here when reading the output.
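The listener-and-dump workflow above (the ncat --hex-dump listener from "How to do it" and the compare-with-expected step from "How it works") is reproduced here as an added, self-contained Python example. It is not code from the book or from the Ncat project: it listens on a loopback port, captures what a client sends, renders the bytes in an offset/hex/ASCII layout that approximates Ncat's --hex-dump file (the exact spacing is an assumption, not copied from Ncat), parses such a dump back into raw bytes while checking that the offsets are contiguous, and reports the first byte that differs from an expected probe. The payload SAMPLE_PROBE is constructed for the demo.

```python
import re
import socket
import threading
from typing import List, Optional, Tuple

# Constructed sample payload, modelled on the HTTP probes visible in the Ncat
# output above. Not captured from the book's session.
SAMPLE_PROBE = b"GET / HTTP/1.0\r\n\r\nOPTIONS / HTTP/1.0\r\n\r\n"

WIDTH = 16  # bytes shown per dump line


def hex_dump(data: bytes) -> List[str]:
    """Offset / hex / ASCII lines in a layout approximating Ncat's --hex-dump
    file (assumed layout). Unprintable bytes such as CR and LF show as '.' in
    the ASCII column but are still visible in the hex column."""
    lines = []
    for off in range(0, len(data), WIDTH):
        chunk = data[off:off + WIDTH]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"[{off:04X}]   {hexpart:<{WIDTH * 3 - 1}}   {asc}")
    return lines


_LINE = re.compile(r"^\[([0-9A-Fa-f]{4})\]\s{3}(.*)$")


def parse_hex_dump(lines: List[str]) -> bytes:
    """Rebuild the raw bytes from dump lines. Offsets must be contiguous so a
    truncated or hand-edited dump raises instead of being silently accepted."""
    out = bytearray()
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue  # anything that is not a dump line is ignored
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(
                f"gap in dump: expected offset {len(out):#06x}, got {offset:#06x}")
        hexfield = m.group(2)[: WIDTH * 3 - 1]  # hex column only, ASCII column dropped
        out += bytes.fromhex(hexfield)  # fromhex ignores the padding whitespace
    return bytes(out)


def first_mismatch(actual: bytes, expected: bytes) -> Optional[Tuple[int, Optional[int], Optional[int]]]:
    """Return (offset, got, want) for the first differing byte, or None when
    the captured traffic matches. Length differences count: a missing trailing
    CRLF shows up as (offset, None, 0x0D)."""
    for i in range(max(len(actual), len(expected))):
        a = actual[i] if i < len(actual) else None
        e = expected[i] if i < len(expected) else None
        if a != e:
            return (i, a, e)
    return None


def loopback_capture(payload: bytes) -> bytes:
    """Stand-in for 'ncat -l -k PORT --hex-dump client.txt' on 127.0.0.1:
    listen on an ephemeral port, have a client send payload, and return
    exactly what the listener received."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received = bytearray()

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:  # client closed its sending side
                    break
                received.extend(chunk)

    t = threading.Thread(target=serve)
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as cli:
        cli.sendall(payload)
        cli.shutdown(socket.SHUT_WR)
    t.join()
    srv.close()
    return bytes(received)


if __name__ == "__main__":
    captured = loopback_capture(SAMPLE_PROBE)
    dump = hex_dump(captured)
    print("\n".join(dump))
    print("mismatch against expected probe:",
          first_mismatch(parse_hex_dump(dump), SAMPLE_PROBE))
```

To use this against a real client.txt, read the file's lines, pass them to parse_hex_dump, and hand the result to first_mismatch together with the bytes the client was supposed to send; the offset it returns points straight at the byte to inspect in the dump.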
There is more...
Since Ncat supports encrypted channels out of the box, a simple way to upgrade services that communicate in plain text is to tunnel the traffic through an encrypted channel with Ncat. Ncat can chain commands to achieve this, for example:
$ ncat -l localhost 143 --sh-exec "ncat --ssl imap.packtpub.com 993"
Once the client connects to local port 143, Ncat connects to imap.packtpub.com using an encrypted channel (--ssl). When the network traffic leaves the box, it will be using the SSL channel.