
Netcat Relays on Windows


SecMan

Newbie

Posts: 17

Joined: Thu Dec 25, 2008 8:57 am

Post Sun May 30, 2010 8:29 pm

Netcat Relays on Windows

Hi,

I hope this is the right place in the forums for this question.

According to http://www.sans.org/security-resources/ ... eet_v1.pdf, you can create netcat relays on Windows such as Listener-to-Client relays and other types of relays. However, even in simple scenarios, I find that the problem is that the 2nd nc command does not know how to pipe back the data it receives to the first netcat. A simple example will illustrate.

C:\> echo nc www.google.com 80 > relay.bat
C:\> nc -l -p 4444 -e relay.bat

I then start up my web browser and Wireshark to monitor the data. I point my web browser to 127.0.0.1:4444. No response is received. Looking at Wireshark, I find that the connection was made to www.google.com and data was received. However, it appears that the nc in relay.bat does not know how to return the data to the first nc.

Any ideas? Thanks.

PS. The above works fine on Linux, but not on Windows.
Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Tue Jun 01, 2010 12:18 pm

Re: Netcat Relays on Windows

I tried a lot of methods to find an answer to this question. Checked the Wireshark output and tried to come up with a reasonable explanation. Ultimately, I asked the person who loves netcat perhaps more than Hobbit himself, Ed Skoudis. I contacted him on Twitter and he replied in minutes.

I'll just quote his response here:
 
@Equix3n Windows nc doesn't flush stuff through enough for your browser. Try doing it to a shell, and hit Enter a few times. You'll see.
Last edited by Xen on Tue Jun 01, 2010 12:36 pm, edited 1 time in total.
SecMan

Newbie

Posts: 17

Joined: Thu Dec 25, 2008 8:57 am

Post Tue Jun 01, 2010 12:43 pm

Re: Netcat Relays on Windows

Thanks a lot Equix3n.  It was one of those annoying things that kept nagging at me, especially since I didn't understand why it wasn't working.  Thanks :)
SecMan

Newbie

Posts: 17

Joined: Thu Dec 25, 2008 8:57 am

Post Wed Jun 02, 2010 4:51 am

Re: Netcat Relays on Windows

By the way, has anyone successfully used this for anything other than something like HTTP?  I tried using it to forward an SSH connection and netcat would die (but works perfectly on Linux).  For example:

C:\> echo nc 192.168.1.1 22 > ssh.bat
C:\> nc -l -vv -p 44444 -e ssh.bat

When I then tried setting plink or any other ssh client to connect to localhost 44444, netcat would die and give me the following error:

connect to [127.0.0.1] from localhost [127.0.0.1] 44800
Failed to execute shell, error = 193: unknown socket error
Failed to execute shell: unknown socket error

Thanks.
Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Thu Jun 03, 2010 2:11 pm

Re: Netcat Relays on Windows

Did you try this again? I've no problems connecting to netcat using plink. However, once connected plink just hangs there. But if I try making a raw connection using netcat I do get the banner info.

Read the following article, perhaps this could help you out.
http://www.governmentsecurity.org/forum ... topic=5787
Last edited by Xen on Thu Jun 03, 2010 2:55 pm, edited 1 time in total.
SecMan

Newbie

Posts: 17

Joined: Thu Dec 25, 2008 8:57 am

Post Thu Jun 03, 2010 2:49 pm

Re: Netcat Relays on Windows

Thanks Equix3n. Didn't get very far. I get the impression that netcat on Windows is basically useless except for two things:

1. Uploading/downloading files
2. Giving you a cmd.exe and execution of other commands

For things such as port forwarding, I think it's miserable.  Upload something like plink or socat or a meterpreter shell and use that instead.

I just thought that nc on Windows was better, and that I was missing some option that would make it function the same as it does on Linux, but that doesn't seem to be the case :(
Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Thu Jun 03, 2010 2:57 pm

Re: Netcat Relays on Windows

Guess I've to disturb Weld Pond this time ;)
Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Jun 03, 2010 4:16 pm

Re: Netcat Relays on Windows

I got similar results to what you were seeing SecMan.  The good news is that the source code is available and can be compared to the GNU netcat.  That's obviously a bit of a project.
~~~~~~~~~~~~~~
Ketchup
Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Thu Jun 10, 2010 7:32 am

Re: Netcat Relays on Windows

I've been trying to find a solution ever since this was posted, and with Ketchup replying that he's getting the same result as SecMan I'm getting a little confused.

Here are the steps I'm following. Check if I'm doing everything correctly.

a) Firstly I run a freeSSHd SSH server on port 22 of my machine.

b) Then I make a netcat batch file which invokes a netcat client to connect to the SSH server.

echo nc 127.0.0.1 22 > relayssh.bat


c) Then I start a netcat listener which executes the batch file whenever I connect to it.

nc -v -l -p 2222 -e relayssh.bat


d) Then if I connect to the netcat listener using a netcat client I get the banner information after pressing return 2-3 times, and the connection is terminated after hitting the return key again.

For the netcat client:

nc -vv 127.0.0.1 22

After pressing return:

nc -vv 127.0.0.1 22

DNS fwd/rev mismatch: localhost != compaq-d
localhost [127.0.0.1] 22 (?) open


SSH-2.0-WeOnlyDo 2.1.3

too many output retries: CONNABORTED
sent 2, rcvd 24

The netcat listener window displays the following information when the netcat client connects to it:

nc -v -l -p 2222 -e relayssh.bat

listening on [any] 2222 ...
DNS fwd/rev mismatch: localhost != compaq-d
connect to [127.0.0.1] from localhost [127.0.0.1] 3076

e) I start the netcat listener again and try to connect to it using plink.

plink -v -ssh 127.0.0.1 -P 2222

After hitting return the plink terminal displays the following information and hangs.

plink -v -ssh 127.0.0.1 -P 2222

Looking up host "127.0.0.1"
Connecting to 127.0.0.1 port 2222

The netcat listener window terminal displays the following result:

nc -v -l -p 2222 -e relayssh.bat

listening on [any] 2222 ...
DNS fwd/rev mismatch: localhost != compaq-d
connect to [127.0.0.1] from localhost [127.0.0.1] 3091

Furthermore, when I connect to the listener using either the netcat client or plink the server message changes from "no user online" to "There is 1 user online", which means that data is reaching the SSH server (as we can clearly see when we connect to the netcat listener using netcat) but not coming back to any other client except netcat (since we got the banner information using the netcat client instead of plink). The same thing happened when we used a browser instead of a netcat client in the previous problem.

I did get the error you two are talking about, but only once and before I posted my previous reply. I then rebooted the system and tried again and haven't got the error since. That's why I asked you whether you're still getting that error. I have tried searching the net but my Googlefu isn't helping me much. So, in frustration, I've started reading the code and it is a bit of a project :) The code isn't large BTW, more than half of it is just comments.
Last edited by Xen on Thu Jun 10, 2010 7:40 am, edited 1 time in total.
Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Wed Jun 16, 2010 9:11 am

Re: Netcat Relays on Windows

I'm just bumping this thread again so that it doesn't go into oblivion. Anyone else tried this?
yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Wed Jun 16, 2010 9:34 am

Re: Netcat Relays on Windows

I just happened to be browsing the InGuardians website yesterday and found the netcat cheat sheet where this is mentioned.  Maybe I'll give it a try...
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Wed Jun 16, 2010 4:53 pm

Re: Netcat Relays on Windows

I played with this a bit during my lunch time and after work a bit, but I couldn't get much further than what has been stated.

Actually, I couldn't even get netcat to connect properly to telnet.  I started the freesshd telnet server on a basic XP box, and then used

nc -vv 192.168.0.1 23

and got a bunch of random characters.  After hitting enter I got a login prompt, but after that nothing seemed to take.

Actually I get the same problem with setting up the relay, so maybe the relay concept is working and there's just a basic problem with netcat connecting to a non-netcat client? No idea. I may continue testing later but no more time today.

BTW, I don't know your config Equix3n, but I took my test boxes off a domain environment and set static IP/DNS and I didn't get that DNS problem you were seeing so that was a plus.
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Thu Jun 17, 2010 8:32 am

Re: Netcat Relays on Windows

(Sorry to triple-post...)

I loaded up the source code this morning to see if I could find anything.  All I have to say is

  :o WOW  :o

Some of the comments were funny, and variable names like GAPING_SECURITY_HOLE gave me a laugh.


And if I thought I could find out anything from this code, I was sorely mistaken.
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Thu Jun 17, 2010 8:36 am

Re: Netcat Relays on Windows

yatz wrote:
    Actually, I couldn't even get netcat to connect properly to telnet.  I started the freesshd telnet server on a basic XP box, and then used

    nc -vv 192.168.0.1 23

    and got a bunch of random characters.  After hitting enter I got a login prompt, but after that nothing seemed to take.

Try this:
nc -v -t <I.P> 23

Netcat doesn't handle telnet negotiation unless you use the -t flag. That being said, even I couldn't connect to the freesshd telnet server using netcat. I could get the login prompt but after that anything I typed on the screen was just reflected back to me again. But I can connect to the telnet server on my router using netcat.
yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Thu Jun 17, 2010 8:57 am

Re: Netcat Relays on Windows

Xen wrote:
    Try this:
    nc -v -t <I.P> 23

I did see the -t in the help listing but it gave the same error for the freesshd telnet server so I thought it didn't work... my mistake.

Anyway, yes this did work and the relay worked as well!

relay:
    echo nc -t <telnet.server.ip.address> 23 > relaytelnet.bat
    nc -v -l -p 4444 -e relaytelnet.bat

remote:
    nc <relay.i.p.address> 4444


As Ed mentioned earlier, I had to hit enter 3 times after each command to get any response from the telnet server through the relay, which is still pretty lame.

Also, since this is Windows we can eliminate the need for the batch file by using the command in this way:

    nc -v -l -p 4444 -e "nc -t <telnet.server.ip.address> 23"

The HTTP forwarding on port 80 still doesn't work, but again as Ed said it's probably because of the buffers.
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
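An added example, not code from any poster in this thread: the listener-to-client relay the thread builds with `nc -l -p 4444 -e relay.bat` plus `nc <target> <port>`, written as one small Python program so the two halves (accept on one side, connect out on the other, copy bytes in both directions) are visible. Every chunk read from one side is written to the other immediately, and an EOF on one side is passed on as a half-close rather than tearing the whole connection down; the lack of exactly this prompt forwarding is what the thread attributes to Windows nc when a browser or plink hangs behind it. The `demo()` helper, the local echo server it talks to, and the ports (ephemeral, chosen by the OS) are assumptions made so the example runs offline; none of them come from the posts.

```python
"""Minimal listener-to-client TCP relay (added example, not from the thread).

Relay side: accept one client on a local port, connect to the target, then
pump bytes both ways until both directions have closed.
"""
import selectors
import socket
import threading


def pump(a, b):
    """Copy bytes between sockets a and b in both directions.

    Each chunk is forwarded as soon as it is read (no buffering between the
    two sides).  An EOF from one side is relayed as shutdown(SHUT_WR) on the
    other, so the peer can still finish sending its own data.
    Returns the total number of bytes forwarded.
    """
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ, b)  # data on a goes to b
    sel.register(b, selectors.EVENT_READ, a)  # data on b goes to a
    open_sides = 2
    forwarded = 0
    try:
        while open_sides:
            for key, _ in sel.select():
                src, dst = key.fileobj, key.data
                data = src.recv(4096)
                if data:
                    dst.sendall(data)
                    forwarded += len(data)
                else:
                    sel.unregister(src)
                    open_sides -= 1
                    try:
                        dst.shutdown(socket.SHUT_WR)  # relay the half-close
                    except OSError:
                        pass
    finally:
        sel.close()
        a.close()
        b.close()
    return forwarded


def listen_local():
    """Listening socket on 127.0.0.1 with an OS-chosen port (assumption for the demo)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def relay_one(srv, target):
    """The 'nc -l -p <port> -e relay.bat' half: accept one client, connect out, pump."""
    client, _ = srv.accept()
    srv.close()
    upstream = socket.create_connection(target)
    return pump(client, upstream)


def echo_server(srv):
    """Stand-in for the real target (constructed for the demo): echoes what it gets."""
    conn, _ = srv.accept()
    srv.close()
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            conn.sendall(chunk)


def demo(payload):
    """Send payload through relay -> echo server and return what comes back."""
    echo_srv = listen_local()
    relay_srv = listen_local()
    echo_addr = echo_srv.getsockname()
    relay_addr = relay_srv.getsockname()
    threading.Thread(target=echo_server, args=(echo_srv,), daemon=True).start()
    threading.Thread(target=relay_one, args=(relay_srv, echo_addr), daemon=True).start()
    with socket.create_connection(relay_addr, timeout=5) as c:
        c.sendall(payload)
        got = b""
        while len(got) < len(payload):
            chunk = c.recv(4096)
            if not chunk:
                break
            got += chunk
    return got


if __name__ == "__main__":
    print(demo(b"GET / HTTP/1.0\r\n\r\n"))
```

Run it as a script and the constructed request comes straight back through the relay with no extra Enter presses, because `pump()` forwards each `recv()` result at once. Swapping `echo_server` for a real listener on the target host gives the same shape as the batch-file relay from the thread, with the forwarding behaviour under your control rather than netcat's.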
