When troubleshooting a network integration or any other connection issue in Linux, step one is usually a matter of checking to see if the network port on the other side is even responding.
Netcat, the network Swiss Army knife (Hobbit, not nmap), is the right tool for the job.
Before we begin, Netcat needs to be installed.
# RHEL / CentOS
~$ yum install nc
# Debian / Ubuntu
~$ apt-get install netcat-openbsd
Once installed, you can invoke Netcat like so:
~$ nc [REMOTE_SERVER] [PORT]
- [REMOTE_SERVER] – The server to be checked
- [PORT] – The service/port to be checked
Example output when the port answers:
Connection to google.com 443 port [tcp/https] succeeded!
Linux and networking go hand in hand, whether running on a fancy desktop or a noisy server. Regardless of which packages you choose to install, chances are that they require networking for some functionality. A desktop may have a DNS cache, filtering proxy, anonymous SOCKS proxy or SSH tunnel listening in the background. The server is equally busy, with its web, email, FTP or NFS services awaiting clients. But when expected bandwidth is missing, or something decides to communicate outside the expected standard, it can be difficult to guess which one of these ghosts and daemons is responsible.
It's good administrative practice to be aware of which protocols are communicating over the wire, and who or what is allowed to do so. If open connections are not checked periodically, perhaps automatically, the system may have been subject to intrusion or be part of a massive botnet, with the activity going unnoticed. Your system, your sockets.
Netstat casts some light on the situation. Using the right switches, this utility can provide a detailed real-time overview of active connections, among other things. One particular set of switches I find useful, found at cyberciti.biz (http://www.cyberciti.biz/faq/what-process-has-open-linux-port/), is as follows:
~$ netstat -tulpna (as root)
This nifty little line combines several features of netstat and outputs almost everything you need to know.
- -t List TCP sockets
- -u List UDP sockets
- -l Display listening sockets
- -p Display the process ID and program name related to each socket
- -n Skip domain name resolution and show numeric addresses
- -a Display all sockets, listening and connected
Sample output (from cyberciti.biz):
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address  State   PID/Program name
tcp   0      0      127.0.0.1:3306     0.0.0.0:*        LISTEN  1138/mysqld
tcp   0      0      0.0.0.0:111        0.0.0.0:*        LISTEN  850/portmap
tcp   0      0      0.0.0.0:80         0.0.0.0:*        LISTEN  1607/apache2
tcp   0      0      0.0.0.0:55091      0.0.0.0:*        LISTEN  910/rpc.statd
tcp   0      0      192.168.122.1:53   0.0.0.0:*        LISTEN  1467/dnsmasq
tcp   0      0      0.0.0.0:22         0.0.0.0:*        LISTEN  992/sshd
tcp   0      0      127.0.0.1:631      0.0.0.0:*        LISTEN  1565/cupsd
tcp   0      0      0.0.0.0:7000       0.0.0.0:*        LISTEN  3813/transmission
tcp6  0      0      :::22              :::*             LISTEN  992/sshd
tcp6  0      0      ::1:631            :::*             LISTEN  1565/cupsd
tcp6  0      0      :::7000            :::*             LISTEN  3813/transmission
udp   0      0      0.0.0.0:111        0.0.0.0:*                850/portmap
udp   0      0      0.0.0.0:662        0.0.0.0:*                910/rpc.statd
udp   0      0      192.168.122.1:53   0.0.0.0:*                1467/dnsmasq
udp   0      0      0.0.0.0:67         0.0.0.0:*                1467/dnsmasq
udp   0      0      0.0.0.0:68         0.0.0.0:*                3697/dhclient
udp   0      0      0.0.0.0:7000       0.0.0.0:*                3813/transmission
udp   0      0      0.0.0.0:54746      0.0.0.0:*                910/rpc.statd
If you use netstat with the "-tulpna" switches regularly, put it in a bash alias. For example:
~$ alias tulpna='netstat -tulpna'
Put it in .bashrc or .bash_aliases to make it permanent.
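The periodic, automated check suggested above can be scripted. The following is an added example, not code from the original article: it reduces netstat output to listeners bound to a non-loopback address that are not on an allowlist. The allowlist contents and the function names are assumptions, and the input is an excerpt of the sample output above.

```shell
#!/usr/bin/env bash
# Added example: report listening sockets that are not on an allowlist.

# Constructed allowlist of proto/port pairs expected to be reachable.
ALLOWED="tcp/22 tcp/80 udp/68"

# Excerpt of the sample netstat output shown above, used as offline input.
sample_netstat() {
  cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address  State   PID/Program name
tcp   0      0      127.0.0.1:3306     0.0.0.0:*        LISTEN  1138/mysqld
tcp   0      0      0.0.0.0:111        0.0.0.0:*        LISTEN  850/portmap
tcp   0      0      0.0.0.0:80         0.0.0.0:*        LISTEN  1607/apache2
tcp   0      0      192.168.122.1:53   0.0.0.0:*        LISTEN  1467/dnsmasq
tcp   0      0      0.0.0.0:22         0.0.0.0:*        LISTEN  992/sshd
tcp   0      0      0.0.0.0:7000       0.0.0.0:*        LISTEN  3813/transmission
tcp6  0      0      :::22              :::*             LISTEN  992/sshd
tcp6  0      0      ::1:631            :::*             LISTEN  1565/cupsd
tcp6  0      0      :::7000            :::*             LISTEN  3813/transmission
udp   0      0      0.0.0.0:68         0.0.0.0:*                3697/dhclient
udp   0      0      0.0.0.0:7000       0.0.0.0:*                3813/transmission
EOF
}

# Reads netstat -tulpn (or -tulpna) output on stdin and prints
# "proto/port address owner" for each unexpected non-loopback listener.
audit_listeners() {
  awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 !~ /^(tcp|udp)6?$/ { next }                  # skip header lines
    {
      proto = $1; sub(/6$/, "", proto)              # fold tcp6/udp6 into tcp/udp
      if (proto == "tcp" && $6 != "LISTEN") next    # drop connected TCP rows from -a
      if (proto == "udp" && $6 == "ESTABLISHED") next
      port = $4; sub(/^.*:/, "", port)              # text after the last colon
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr ~ /^127\./ || addr == "::1") next    # loopback-only service
      svc = proto "/" port
      if (svc in ok) next
      owner = $NF                                   # UDP rows have no State column
      if (!((svc, owner) in seen)) { seen[svc, owner] = 1; print svc, addr, owner }
    }'
}

# Stand-alone run on the embedded sample; on a live host (as root):
#   netstat -tulpn | audit_listeners
sample_netstat | audit_listeners
```

Run from cron and compared against the previous run, any new line in the output is a listener that appeared since the last check.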
As with any application in Linux, piping the output from an application to a logfile, or perhaps to another application, can sometimes clarify what is going on. It would be even better if you could "cat" any output over the network (Ncat, get it?) to another computer. That is where Ncat comes in.
First, some basics
- ncat The command in question
- -v Verbose output, recommended for testing
- -l Tells ncat to listen
- -k Tells ncat to keep listening after a client disconnects (ncat exits on client disconnect by default)
- -n Tells ncat to skip DNS resolution (not necessary when connecting/listening on plain IPs)
- --ssl Tells ncat to send data encrypted with SSL (optional)
- --send-only Tells ncat to only send data (optional)
- --recv-only Tells ncat to only receive data (optional)
Now, some examples
- Sends "file.txt" to the server over port 1025:
  [Server] $ ncat -l 1025 > file.txt
  [Client] $ cat file.txt | ncat [IP of Server] 1025
- Sends "file.txt" to the server over port 12345. The server will verbosely print what is going on, and keep listening when the client disconnects:
  [Server] $ ncat -lkv 12345 > file.txt
  [Client] $ cat file.txt | ncat [IP of Server] 12345
- Sends "supersecretfile.txt" to the server over port 1337. The server will verbosely print output, keep listening and skip resolving DNS, while the client sends the data encrypted over SSL. Both ends need --ssl for the encrypted connection to be established. The server generates a temporary certificate and the client does not verify it by default, so this protects against passive eavesdropping only:
  [Server] $ ncat -lkvn --ssl --recv-only 1337 > supersecretfile.txt
  [Client] $ cat supersecretfile.txt | ncat --send-only --ssl [IP of Server] 1337
Netcat is without any doubt my favorite security tool. It’s always in my toolbox, always with me, and it comes in handy a few times. It’s the first tool I pick when I need to perform a banner grab: just connect, send some requests and see what it spits back at you (sometimes just random crap). In this tutorial I’ll show you how you can perform one yourself and how easy it is.