diff options
author | Theo de Raadt <deraadt@cvs.openbsd.org> | 1996-09-05 08:55:44 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 1996-09-05 08:55:44 +0000 |
commit | 74ce25b78fd53d753084ef14b2234bc105a4a983 (patch) | |
tree | 2cffc06e2eb76342240043e73120bb5451145124 | |
parent | e70074aa65073a222e5a14ec65e7c499c313ba3d (diff) |
nc is *hobbit*'s netcat; let the sysadm have the same tools the crackers
have, so that he may learn what the network is about and protect it better.
31 files changed, 4792 insertions, 2 deletions
diff --git a/usr.bin/Makefile b/usr.bin/Makefile index add18a3f091..af84a9ea8de 100644 --- a/usr.bin/Makefile +++ b/usr.bin/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.24 1996/09/04 22:52:05 deraadt Exp $ +# $OpenBSD: Makefile,v 1.25 1996/09/05 08:55:23 deraadt Exp $ # $NetBSD: Makefile,v 1.62 1996/03/10 05:45:43 thorpej Exp $ # from: @(#)Makefile 5.8.1.1 (Berkeley) 5/8/91 @@ -11,7 +11,8 @@ SUBDIR= apply apropos arch asa at awk banner basename bdes biff cal calendar \ fsplit fstat ftp gencat getconf getopt head hexdump id indent \ info_mkdb ipcrm ipcs join jot kdump ktrace lam last lastcomm leave \ less lex lndir locate lock logger login logname look lorder m4 machine \ - mail make man mesg mkdep mkfifo mkstr modstat msgs netstat newsyslog \ + mail make man mesg mkdep mkfifo mkstr modstat msgs nc \ + netstat newsyslog \ nfsstat nice nohup oldrdist pagesize passwd paste patch pr printenv \ printf quota rdist rdistd renice rev rlogin rpcgen rpcinfo rs \ rsh rup ruptime rusers rwall rwho \ diff --git a/usr.bin/nc/Makefile b/usr.bin/nc/Makefile new file mode 100644 index 00000000000..9170bcaba93 --- /dev/null +++ b/usr.bin/nc/Makefile @@ -0,0 +1,8 @@ +# $OpenBSD: Makefile,v 1.1 1996/09/05 08:55:31 deraadt Exp $ +# $NetBSD: Makefile,v 1.11 1995/10/03 21:42:34 thorpej Exp $ + +CFLAGS+= -DTELNET +PROG= nc +SRCS= netcat.c + +.include <bsd.prog.mk> diff --git a/usr.bin/nc/README b/usr.bin/nc/README new file mode 100644 index 00000000000..4235bc41acf --- /dev/null +++ b/usr.bin/nc/README @@ -0,0 +1,946 @@ +Netcat 1.10 +=========== /\_/\ + / 0 0 \ +Netcat is a simple Unix utility which reads and writes data ====v==== +across network connections, using TCP or UDP protocol. \ W / +It is designed to be a reliable "back-end" tool that can | | _ +be used directly or easily driven by other programs and / ___ \ / +scripts. At the same time, it is a feature-rich network / / \ \ | +debugging and exploration tool, since it can create almost (((-----)))-' +any kind of connection you would need and has several / +interesting built-in capabilities. Netcat, or "nc" as the ( ___ +actual program is named, should have been supplied long ago \__.=|___E +as another one of those cryptic but standard Unix tools. / + +In the simplest usage, "nc host port" creates a TCP connection to the given +port on the given target host. Your standard input is then sent to the host, +and anything that comes back across the connection is sent to your standard +output. This continues indefinitely, until the network side of the connection +shuts down. Note that this behavior is different from most other applications +which shut everything down and exit after an end-of-file on the standard input. + +Netcat can also function as a server, by listening for inbound connections +on arbitrary ports and then doing the same reading and writing. With minor +limitations, netcat doesn't really care if it runs in "client" or "server" +mode -- it still shovels data back and forth until there isn't any more left. +In either mode, shutdown can be forced after a configurable time of inactivity +on the network side. + +And it can do this via UDP too, so netcat is possibly the "udp telnet-like" +application you always wanted for testing your UDP-mode servers. UDP, as the +"U" implies, gives less reliable data transmission than TCP connections and +some systems may have trouble sending large amounts of data that way, but it's +still a useful capability to have. + +You may be asking "why not just use telnet to connect to arbitrary ports?" +Valid question, and here are some reasons. Telnet has the "standard input +EOF" problem, so one must introduce calculated delays in driving scripts to +allow network output to finish. This is the main reason netcat stays running +until the *network* side closes. Telnet also will not transfer arbitrary +binary data, because certain characters are interpreted as telnet options and +are thus removed from the data stream. Telnet also emits some of its +diagnostic messages to standard output, where netcat keeps such things +religiously separated from its *output* and will never modify any of the real +data in transit unless you *really* want it to. And of course telnet is +incapable of listening for inbound connections, or using UDP instead. Netcat +doesn't have any of these limitations, is much smaller and faster than telnet, +and has many other advantages. + +Some of netcat's major features are: + + Outbound or inbound connections, TCP or UDP, to or from any ports + Full DNS forward/reverse checking, with appropriate warnings + Ability to use any local source port + Ability to use any locally-configured network source address + Built-in port-scanning capabilities, with randomizer + Built-in loose source-routing capability + Can read command line arguments from standard input + Slow-send mode, one line every N seconds + Hex dump of transmitted and received data + Optional ability to let another program service established connections + Optional telnet-options responder + +Efforts have been made to have netcat "do the right thing" in all its various +modes. If you believe that it is doing the wrong thing under whatever +circumstances, please notify me and tell me how you think it should behave. +If netcat is not able to do some task you think up, minor tweaks to the code +will probably fix that. It provides a basic and easily-modified template for +writing other network applications, and I certainly encourage people to make +custom mods and send in any improvements they make to it. This is the second +release; the overall differences from 1.00 are relatively minor and have mostly +to do with portability and bugfixes. Many people provided greatly appreciated +fixes and comments on the 1.00 release. Continued feedback from the Internet +community is always welcome! + +Netcat is entirely my own creation, although plenty of other code was used as +examples. It is freely given away to the Internet community in the hope that +it will be useful, with no restrictions except giving credit where it is due. +No GPLs, Berkeley copyrights or any of that nonsense. The author assumes NO +responsibility for how anyone uses it. If netcat makes you rich somehow and +you're feeling generous, mail me a check. If you are affiliated in any way +with Microsoft Network, get a life. Always ski in control. Comments, +questions, and patches to hobbit@avian.org. + +Building +======== + +Compiling is fairly straightforward. Examine the Makefile for a SYSTYPE that +matches yours, and do "make <systype>". The executable "nc" should appear. +If there is no relevant SYSTYPE section, try "generic". If you create new +sections for generic.h and Makefile to support another platform, please follow +the given format and mail back the diffs. + +There are a couple of other settable #defines in netcat.c, which you can +include as DFLAGS="-DTHIS -DTHAT" to your "make" invocation without having to +edit the Makefile. See the following discussions for what they are and do. + +If you want to link against the resolver library on SunOS [recommended] and +you have BIND 4.9.x, you may need to change XLIBS=-lresolv in the Makefile to +XLIBS="-lresolv -l44bsd". + +Linux sys/time.h does not really support presetting of FD_SETSIZE; a harmless +warning is issued. + +Some systems may warn about pointer types for signal(). No problem, though. + +Exploration of features +======================= + +Where to begin? Netcat is at the same time so simple and versatile, it's like +trying to describe everything you can do with your Swiss Army knife. This will +go over the basics; you should also read the usage examples and notes later on +which may give you even more ideas about what this sort of tool is good for. + +If no command arguments are given at all, netcat asks for them, reads a line +from standard input, and breaks it up into arguments internally. This can be +useful when driving netcat from certain types of scripts, with the side effect +of hiding your command line arguments from "ps" displays. + +The host argument can be a name or IP address. If -n is specified, netcat +will only accept numeric IP addresses and do no DNS lookups for anything. If +-n is not given and -v is turned on, netcat will do a full forward and reverse +name and address lookup for the host, and warn you about the all-too-common +problem of mismatched names in the DNS. This often takes a little longer for +connection setup, but is useful to know about. There are circumstances under +which this can *save* time, such as when you want to know the name for some IP +address and also connect there. Netcat will just tell you all about it, saving +the manual steps of looking up the hostname yourself. Normally mismatch- +checking is case-insensitive per the DNS spec, but you can define ANAL at +compile time to make it case-sensitive -- sometimes useful for uncovering minor +errors in your own DNS files while poking around your networks. + +A port argument is required for outbound connections, and can be numeric or a +name as listed in /etc/services. If -n is specified, only numeric arguments +are valid. Special syntax and/or more than one port argument cause different +behavior -- see details below about port-scanning. + +The -v switch controls the verbosity level of messages sent to standard error. +You will probably want to run netcat most of the time with -v turned on, so you +can see info about the connections it is trying to make. You will probably +also want to give a smallish -w argument, which limits the time spent trying to +make a connection. I usually alias "nc" to "nc -v -w 3", which makes it +function just about the same for things I would otherwise use telnet to do. +The timeout is easily changed by a subsequent -w argument which overrides the +earlier one. Specifying -v more than once makes diagnostic output MORE +verbose. If -v is not specified at all, netcat silently does its work unless +some error happens, whereupon it describes the error and exits with a nonzero +status. Refused network connections are generally NOT considered to be errors, +unless you only asked for a single TCP port and it was refused. + +Note that -w also sets the network inactivity timeout. This does not have any +effect until standard input closes, but then if nothing further arrives from +the network in the next <timeout> seconds, netcat tries to read the net once +more for good measure, and then closes and exits. There are a lot of network +services now that accept a small amount of input and return a large amount of +output, such as Gopher and Web servers, which is the main reason netcat was +written to "block" on the network staying open rather than standard input. +Handling the timeout this way gives uniform behavior with network servers that +*don't* close by themselves until told to. + +UDP connections are opened instead of TCP when -u is specified. These aren't +really "connections" per se since UDP is a connectionless protocol, although +netcat does internally use the "connected UDP socket" mechanism that most +kernels support. Although netcat claims that an outgoing UDP connection is +"open" immediately, no data is sent until something is read from standard +input. Only thereafter is it possible to determine whether there really is a +UDP server on the other end, and often you just can't tell. Most UDP protocols +use timeouts and retries to do their thing and in many cases won't bother +answering at all, so you should specify a timeout and hope for the best. You +will get more out of UDP connections if standard input is fed from a source +of data that looks like various kinds of server requests. + +To obtain a hex dump file of the data sent either way, use "-o logfile". The +dump lines begin with "<" or ">" to respectively indicate "from the net" or +"to the net", and contain the total count per direction, and hex and ascii +representations of the traffic. Capturing a hex dump naturally slows netcat +down a bit, so don't use it where speed is critical. + +Netcat can bind to any local port, subject to privilege restrictions and ports +that are already in use. It is also possible to use a specific local network +source address if it is that of a network interface on your machine. [Note: +this does not work correctly on all platforms.] Use "-p portarg" to grab a +specific local port, and "-s ip-addr" or "-s name" to have that be your source +IP address. This is often referred to as "anchoring the socket". Root users +can grab any unused source port including the "reserved" ones less than 1024. +Absence of -p will bind to whatever unused port the system gives you, just like +any other normal client connection, unless you use -r [see below]. + +Listen mode will cause netcat to wait for an inbound connection, and then the +same data transfer happens. Thus, you can do "nc -l -p 1234 < filename" and +when someone else connects to your port 1234, the file is sent to them whether +they wanted it or not. Listen mode is generally used along with a local port +argument -- this is required for UDP mode, while TCP mode can have the system +assign one and tell you what it is if -v is turned on. If you specify a target +host and optional port in listen mode, netcat will accept an inbound connection +only from that host and if you specify one, only from that foreign source port. +In verbose mode you'll be informed about the inbound connection, including what +address and port it came from, and since listening on "any" applies to several +possibilities, which address it came *to* on your end. If the system supports +IP socket options, netcat will attempt to retrieve any such options from an +inbound connection and print them out in hex. + +If netcat is compiled with -DGAPING_SECURITY_HOLE, the -e argument specifies +a program to exec after making or receiving a successful connection. In the +listening mode, this works similarly to "inetd" but only for a single instance. +Use with GREAT CARE. This piece of the code is normally not enabled; if you +know what you're doing, have fun. This hack also works in UDP mode. Note that +you can only supply -e with the name of the program, but no arguments. If you +want to launch something with an argument list, write a two-line wrapper script +or just use inetd like always. + +If netcat is compiled with -DTELNET, the -t argument enables it to respond +to telnet option negotiation [always in the negative, i.e. DONT or WONT]. +This allows it to connect to a telnetd and get past the initial negotiation +far enough to get a login prompt from the server. Since this feature has +the potential to modify the data stream, it is not enabled by default. You +have to understand why you might need this and turn on the #define yourself. + +Data from the network connection is always delivered to standard output as +efficiently as possible, using large 8K reads and writes. Standard input is +normally sent to the net the same way, but the -i switch specifies an "interval +time" which slows this down considerably. Standard input is still read in +large batches, but netcat then tries to find where line breaks exist and sends +one line every interval time. Note that if standard input is a terminal, data +is already read line by line, so unless you make the -i interval rather long, +what you type will go out at a fairly normal rate. -i is really designed +for use when you want to "measure out" what is read from files or pipes. + +Port-scanning is a popular method for exploring what's out there. Netcat +accepts its commands with options first, then the target host, and everything +thereafter is interpreted as port names or numbers, or ranges of ports in M-N +syntax. CAVEAT: some port names in /etc/services contain hyphens -- netcat +currently will not correctly parse those, so specify ranges using numbers if +you can. If more than one port is thus specified, netcat connects to *all* of +them, sending the same batch of data from standard input [up to 8K worth] to +each one that is successfully connected to. Specifying multiple ports also +suppresses diagnostic messages about refused connections, unless -v is +specified twice for "more verbosity". This way you normally get notified only +about genuinely open connections. Example: "nc -v -w 2 -z target 20-30" will +try connecting to every port between 20 and 30 [inclusive] at the target, and +will likely inform you about an FTP server, telnet server, and mailer along the +way. The -z switch prevents sending any data to a TCP connection and very +limited probe data to a UDP connection, and is thus useful as a fast scanning +mode just to see what ports the target is listening on. To limit scanning +speed if desired, -i will insert a delay between each port probe. There are +some pitfalls with regard to UDP scanning, described later, but in general it +works well. + +For each range of ports specified, scanning is normally done downward within +that range. If the -r switch is used, scanning hops randomly around within +that range and reports open ports as it finds them. [If you want them listed +in order regardless, pipe standard error through "sort"...] In addition, if +random mode is in effect, the local source ports are also randomized. This +prevents netcat from exhibiting any kind of regular pattern in its scanning. +You can exert fairly fine control over your scan by judicious use of -r and +selected port ranges to cover. If you use -r for a single connection, the +source port will have a random value above 8192, rather than the next one the +kernel would have assigned you. Note that selecting a specific local port +with -p overrides any local-port randomization. + +Many people are interested in testing network connectivity using IP source +routing, even if it's only to make sure their own firewalls are blocking +source-routed packets. On systems that support it, the -g switch can be used +multiple times [up to 8] to construct a loose-source-routed path for your +connection, and the -G argument positions the "hop pointer" within the list. +If your network allows source-routed traffic in and out, you can test +connectivity to your own services via remote points in the internet. Note that +although newer BSD-flavor telnets also have source-routing capability, it isn't +clearly documented and the command syntax is somewhat clumsy. Netcat's +handling of "-g" is modeled after "traceroute". + +Netcat tries its best to behave just like "cat". It currently does nothing to +terminal input modes, and does no end-of-line conversion. Standard input from +a terminal is read line by line with normal editing characters in effect. You +can freely suspend out of an interactive connection and resume. ^C or whatever +your interrupt character is will make netcat close the network connection and +exit. A switch to place the terminal in raw mode has been considered, but so +far has not been necessary. You can send raw binary data by reading it out of +a file or piping from another program, so more meaningful effort would be spent +writing an appropriate front-end driver. + +Netcat is not an "arbitrary packet generator", but the ability to talk to raw +sockets and/or nit/bpf/dlpi may appear at some point. Such things are clearly +useful; I refer you to Darren Reed's excellent ip_filter package, which now +includes a tool to construct and send raw packets with any contents you want. + +Example uses -- the light side +============================== + +Again, this is a very partial list of possibilities, but it may get you to +think up more applications for netcat. Driving netcat with simple shell or +expect scripts is an easy and flexible way to do fairly complex tasks, +especially if you're not into coding network tools in C. My coding isn't +particularly strong either [although undoubtedly better after writing this +thing!], so I tend to construct bare-metal tools like this that I can trivially +plug into other applications. Netcat doubles as a teaching tool -- one can +learn a great deal about more complex network protocols by trying to simulate +them through raw connections! + +An example of netcat as a backend for something else is the shell-script +Web browser, which simply asks for the relevant parts of a URL and pipes +"GET /what/ever" into a netcat connection to the server. I used to do this +with telnet, and had to use calculated sleep times and other stupidity to +kludge around telnet's limitations. Netcat guarantees that I get the whole +page, and since it transfers all the data unmodified, I can even pull down +binary image files and display them elsewhere later. Some folks may find the +idea of a shell-script web browser silly and strange, but it starts up and +gets me my info a hell of a lot faster than a GUI browser and doesn't hide +any contents of links and forms and such. This is included, as scripts/web, +along with several other web-related examples. + +Netcat is an obvious replacement for telnet as a tool for talking to daemons. +For example, it is easier to type "nc host 25", talk to someone's mailer, and +just ^C out than having to type ^]c or QUIT as telnet would require you to do. +You can quickly catalog the services on your network by telling netcat to +connect to well-known services and collect greetings, or at least scan for open +ports. You'll probably want to collect netcat's diagnostic messages in your +output files, so be sure to include standard error in the output using +`>& file' in *csh or `> file 2>&1' in bourne shell. + +A scanning example: "echo QUIT | nc -v -w 5 target 20-250 500-600 5990-7000" +will inform you about a target's various well-known TCP servers, including +r-services, X, IRC, and maybe a few you didn't expect. Sending in QUIT and +using the timeout will almost guarantee that you see some kind of greeting or +error from each service, which usually indicates what it is and what version. +[Beware of the "chargen" port, though...] SATAN uses exactly this technique to +collect host information, and indeed some of the ideas herein were taken from +the SATAN backend tools. If you script this up to try every host in your +subnet space and just let it run, you will not only see all the services, +you'll find out about hosts that aren't correctly listed in your DNS. Then you +can compare new snapshots against old snapshots to see changes. For going +after particular services, a more intrusive example is in scripts/probe. + +Netcat can be used as a simple data transfer agent, and it doesn't really +matter which end is the listener and which end is the client -- input at one +side arrives at the other side as output. It is helpful to start the listener +at the receiving side with no timeout specified, and then give the sending side +a small timeout. That way the listener stays listening until you contact it, +and after data stops flowing the client will time out, shut down, and take the +listener with it. Unless the intervening network is fraught with problems, +this should be completely reliable, and you can always increase the timeout. A +typical example of something "rsh" is often used for: on one side, + + nc -l -p 1234 | uncompress -c | tar xvfp - + +and then on the other side + + tar cfp - /some/dir | compress -c | nc -w 3 othermachine 1234 + +will transfer the contents of a directory from one machine to another, without +having to worry about .rhosts files, user accounts, or inetd configurations +at either end. Again, it matters not which is the listener or receiver; the +"tarring" machine could just as easily be running the listener instead. One +could conceivably use a scheme like this for backups, by having cron-jobs fire +up listeners and backup handlers [which can be restricted to specific addresses +and ports between each other] and pipe "dump" or "tar" on one machine to "dd +of=/dev/tapedrive" on another as usual. Since netcat returns a nonzero exit +status for a denied listener connection, scripts to handle such tasks could +easily log and reject connect attempts from third parties, and then retry. + +Another simple data-transfer example: shipping things to a PC that doesn't have +any network applications yet except a TCP stack and a web browser. Point the +browser at an arbitrary port on a Unix server by telling it to download +something like http://unixbox:4444/foo, and have a listener on the Unix side +ready to ship out a file when the connect comes in. The browser may pervert +binary data when told to save the URL, but you can dig the raw data out of +the on-disk cache. + +If you build netcat with GAPING_SECURITY_HOLE defined, you can use it as an +"inetd" substitute to test experimental network servers that would otherwise +run under "inetd". A script or program will have its input and output hooked +to the network the same way, perhaps sans some fancier signal handling. Given +that most network services do not bind to a particular local address, whether +they are under "inetd" or not, it is possible for netcat avoid the "address +already in use" error by binding to a specific address. This lets you [as +root, for low ports] place netcat "in the way" of a standard service, since +inbound connections are generally sent to such specifically-bound listeners +first and fall back to the ones bound to "any". This allows for a one-off +experimental simulation of some service, without having to screw around with +inetd.conf. Running with -v turned on and collecting a connection log from +standard error is recommended. + +Netcat as well can make an outbound connection and then run a program or script +on the originating end, with input and output connected to the same network +port. This "inverse inetd" capability could enhance the backup-server concept +described above or help facilitate things such as a "network dialback" concept. +The possibilities are many and varied here; if such things are intended as +security mechanisms, it may be best to modify netcat specifically for the +purpose instead of wrapping such functions in scripts. + +Speaking of inetd, netcat will function perfectly well *under* inetd as a TCP +connection redirector for inbound services, like a "plug-gw" without the +authentication step. This is very useful for doing stuff like redirecting +traffic through your firewall out to other places like web servers and mail +hubs, while posing no risk to the firewall machine itself. Put netcat behind +inetd and tcp_wrappers, perhaps thusly: + + www stream tcp nowait nobody /etc/tcpd /bin/nc -w 3 realwww 80 + +and you have a simple and effective "application relay" with access control +and logging. Note use of the wait time as a "safety" in case realwww isn't +reachable or the calling user aborts the connection -- otherwise the relay may +hang there forever. + +You can use netcat to generate huge amounts of useless network data for +various performance testing. For example, doing + + yes AAAAAAAAAAAAAAAAAAAAAA | nc -v -v -l -p 2222 > /dev/null + +on one side and then hitting it with + + yes BBBBBBBBBBBBBBBBBBBBBB | nc othermachine 2222 > /dev/null + +from another host will saturate your wires with A's and B's. The "very +verbose" switch usage will tell you how many of each were sent and received +after you interrupt either side. Using UDP mode produces tremendously MORE +trash per unit time in the form of fragmented 8 Kbyte mobygrams -- enough to +stress-test kernels and network interfaces. Firing random binary data into +various network servers may help expose bugs in their input handling, which +nowadays is a popular thing to explore. A simple example data-generator is +given in data/data.c included in this package, along with a small collection +of canned input files to generate various packet contents. This program is +documented in its beginning comments, but of interest here is using "%r" to +generate random bytes at well-chosen points in a data stream. If you can +crash your daemon, you likely have a security problem. + +The hex dump feature may be useful for debugging odd network protocols, +especially if you don't have any network monitoring equipment handy or aren't +root where you'd need to run "tcpdump" or something. Bind a listening netcat +to a local port, and have it run a script which in turn runs another netcat +to the real service and captures the hex dump to a log file. This sets up a +transparent relay between your local port and wherever the real service is. +Be sure that the script-run netcat does *not* use -v, or the extra info it +sends to standard error may confuse the protocol. Note also that you cannot +have the "listen/exec" netcat do the data capture, since once the connection +arrives it is no longer netcat that is running. + +Binding to an arbitrary local port allows you to simulate things like r-service +clients, if you are root locally. For example, feeding "^@root^@joe^@pwd^@" +[where ^@ is a null, and root/joe could be any other local/remote username +pair] into a "rsh" or "rlogin" server, FROM your port 1023 for example, +duplicates what the server expects to receive. Thus, you can test for insecure +.rhosts files around your network without having to create new user accounts on +your client machine. The program data/rservice.c can aid this process by +constructing the "rcmd" protocol bytes. Doing this also prevents "rshd" from +trying to create that separate standard-error socket and still gives you an +input path, as opposed to the usual action of "rsh -n". Using netcat for +things like this can be really useful sometimes, because rsh and rlogin +generally want a host *name* as an argument and won't accept IP addresses. If +your client-end DNS is hosed, as may be true when you're trying to extract +backup sets on to a dumb client, "netcat -n" wins where normal rsh/rlogin is +useless. + +If you are unsure that a remote syslogger is working, test it with netcat. +Make a UDP connection to port 514 and type in "<0>message", which should +correspond to "kern.emerg" and cause syslogd to scream into every file it has +open [and possibly all over users' terminals]. You can tame this down by +using a different number and use netcat inside routine scripts to send syslog +messages to places that aren't configured in syslog.conf. For example, +"echo '<38>message' | nc -w 1 -u loggerhost 514" should send to auth.notice +on loggerhost. The exact number may vary; check against your syslog.h first. + +Netcat provides several ways for you to test your own packet filters. If you +bind to a port normally protected against outside access and make a connection +to somewhere outside your own network, the return traffic will be coming to +your chosen port from the "outside" and should be blocked. TCP may get through +if your filter passes all "ack syn", but it shouldn't be even doing that to low +ports on your network. Remember to test with UDP traffic as well! If your +filter passes at least outbound source-routed IP packets, bouncing a connection +back to yourself via some gateway outside your network will create "incoming" +traffic with your source address, which should get dropped by a correctly +configured anti-spoofing filter. This is a "non-test" if you're also dropping +source-routing, but it's good to be able to test for that too. Any packet +filter worth its salt will be blocking source-routed packets in both +directions, but you never know what interesting quirks you might turn up by +playing around with source ports and addresses and watching the wires with a +network monitor. + +You can use netcat to protect your own workstation's X server against outside +access. X is stupid enough to listen for connections on "any" and never tell +you when new connections arrive, which is one reason it is so vulnerable. Once +you have all your various X windows up and running you can use netcat to bind +just to your ethernet address and listen to port 6000. Any new connections +from outside the machine will hit netcat instead your X server, and you get a +log of who's trying. You can either tell netcat to drop the connection, or +perhaps run another copy of itself to relay to your actual X server on +"localhost". This may not work for dedicated X terminals, but it may be +possible to authorize your X terminal only for its boot server, and run a relay +netcat over on the server that will in turn talk to your X terminal. Since +netcat only handles one listening connection per run, make sure that whatever +way you rig it causes another one to run and listen on 6000 soon afterward, or +your real X server will be reachable once again. A very minimal script just +to protect yourself could be + + while true ; do + nc -v -l -s <your-addr> -p 6000 localhost 2 + done + +which causes netcat to accept and then close any inbound connection to your +workstation's normal ethernet address, and another copy is immediately run by +the script. Send standard error to a file for a log of connection attempts. +If your system can't do the "specific bind" thing all is not lost; run your +X server on display ":1" or port 6001, and netcat can still function as a probe +alarm by listening on 6000. + +Does your shell-account provider allow personal Web pages, but not CGI scripts? +You can have netcat listen on a particular port to execute a program or script +of your choosing, and then just point to the port with a URL in your homepage. +The listener could even exist on a completely different machine, avoiding the +potential ire of the homepage-host administrators. Since the script will get +the raw browser query as input it won't look like a typical CGI script, and +since it's running under your UID you need to write it carefully. You may want +to write a netcat-based script as a wrapper that reads a query and sets up +environment variables for a regular CGI script. The possibilities for using +netcat and scripts to handle Web stuff are almost endless. Again, see the +examples under scripts/. + +Example uses -- the dark side +============================= + +Equal time is deserved here, since a versatile tool like this can be useful +to any Shade of Hat. I could use my Victorinox to either fix your car or +disassemble it, right? You can clearly use something like netcat to attack +or defend -- I don't try to govern anyone's social outlook, I just build tools. +Regardless of your intentions, you should still be aware of these threats to +your own systems. + +The first obvious thing is scanning someone *else's* network for vulnerable +services. Files containing preconstructed data, be it exploratory or +exploitive, can be fed in as standard input, including command-line arguments +to netcat itself to keep "ps" ignorant of your doings. The more random the +scanning, the less likelihood of detection by humans, scan-detectors, or +dynamic filtering, and with -i you'll wait longer but avoid loading down the +target's network. Some examples for crafting various standard UDP probes are +given in data/*.d. + +Some configurations of packet filters attempt to solve the FTP-data problem by +just allowing such connections from the outside. These come FROM port 20, TO +high TCP ports inside -- if you locally bind to port 20, you may find yourself +able to bypass filtering in some cases. Maybe not to low ports "inside", but +perhaps to TCP NFS servers, X servers, Prospero, ciscos that listen on 200x +and 400x... Similar bypassing may be possible for UDP [and maybe TCP too] if a +connection comes from port 53; a filter may assume it's a nameserver response. + +Using -e in conjunction with binding to a specific address can enable "server +takeover" by getting in ahead of the real ones, whereupon you can snarf data +sent in and feed your own back out. At the very least you can log a hex dump +of someone else's session. If you are root, you can certainly use -s and -e to +run various hacked daemons without having to touch inetd.conf or the real +daemons themselves. You may not always have the root access to deal with low +ports, but what if you are on a machine that also happens to be an NFS server? +You might be able to collect some interesting things from port 2049, including +local file handles. There are several other servers that run on high ports +that are likely candidates for takeover, including many of the RPC services on +some platforms [yppasswdd, anyone?]. Kerberos tickets, X cookies, and IRC +traffic also come to mind. RADIUS-based terminal servers connect incoming +users to shell-account machines on a high port, usually 1642 or thereabouts. +SOCKS servers run on 1080. Do "netstat -a" and get creative. + +There are some daemons that are well-written enough to bind separately to all +the local interfaces, possibly with an eye toward heading off this sort of +problem. Named from recent BIND releases, and NTP, are two that come to mind. +Netstat will show these listening on address.53 instead of *.53. You won't +be able to get in front of these on any of the real interface addresses, which +of course is especially interesting in the case of named, but these servers +sometimes forget about things like "alias" interface addresses or interfaces +that appear later on such as dynamic PPP links. There are some hacked web +servers and versions of "inetd" floating around that specifically bind as well, +based on a configuration file -- these generally *are* bound to alias addresses +to offer several different address-based services from one machine. + +Using -e to start a remote backdoor shell is another obvious sort of thing, +easier than constructing a file for inetd to listen on "ingreslock" or +something, and you can access-control it against other people by specifying a +client host and port. Experience with this truly demonstrates how fragile the +barrier between being "logged in" or not really is, and is further expressed by +scripts/bsh. If you're already behind a firewall, it may be easier to make an +*outbound* connection and then run a shell; a small wrapper script can +periodically try connecting to a known place and port, you can later listen +there until the inbound connection arrives, and there's your shell. Running +a shell via UDP has several interesting features, although be aware that once +"connected", the UDP stub sockets tend to show up in "netstat" just like TCP +connections and may not be quite as subtle as you wanted. Packets may also be +lost, so use TCP if you need reliable connections. But since UDP is +connectionless, a hookup of this sort will stick around almost forever, even if +you ^C out of netcat or do a reboot on your side, and you only need to remember +the ports you used on both ends to reestablish. And outbound UDP-plus-exec +connection creates the connected socket and starts the program immediately. On +a listening UDP connection, the socket is created once a first packet is +received. In either case, though, such a "connection" has the interesting side +effect that only your client-side IP address and [chosen?] source port will +thereafter be able to talk to it. Instant access control! A non-local third +party would have to do ALL of the following to take over such a session: + + forge UDP with your source address [trivial to do; see below] + guess the port numbers of BOTH ends, or sniff the wire for them + arrange to block ICMP or UDP return traffic between it and your real + source, so the session doesn't die with a network write error. + +The companion program data/rservice.c is helpful in scripting up any sort of +r-service username or password guessing attack. The arguments to "rservice" +are simply the strings that get null-terminated and passed over an "rcmd"-style +connection, with the assumption that the client does not need a separate +standard-error port. Brute-force password banging is best done via "rexec" if +it is available since it is less likely to log failed attempts. Thus, doing +"rservice joe joespass pwd | nc target exec" should return joe's home dir if +the password is right, or "Permission denied." Plug in a dictionary and go to +town. If you're attacking rsh/rlogin, remember to be root and bind to a port +between 512 and 1023 on your end, and pipe in "rservice joe joe pwd" and such. + +Netcat can prevent inadvertently sending extra information over a telnet +connection. Use "nc -t" in place of telnet, and daemons that try to ask for +things like USER and TERM environment variables will get no useful answers, as +they otherwise would from a more recent telnet program. Some telnetds actually +try to collect this stuff and then plug the USER variable into "login" so that +the caller is then just asked for a password! This mechanism could cause a +login attempt as YOUR real username to be logged over there if you use a +Borman-based telnet instead of "nc -t". + +Got an unused network interface configured in your kernel [e.g. SLIP], or +support for alias addresses? Ifconfig one to be any address you like, and bind +to it with -s to enable all sorts of shenanigans with bogus source addresses. +The interface probably has to be UP before this works; some SLIP versions +need a far-end address before this is true. Hammering on UDP services is then +a no-brainer. What you can do to an unfiltered syslog daemon should be fairly +obvious; trimming the conf file can help protect against it. Many routers out +there still blindly believe what they receive via RIP and other routing +protocols. Although most UDP echo and chargen servers check if an incoming +packet was sent from *another* "internal" UDP server, there are many that still +do not, any two of which [or many, for that matter] could keep each other +entertained for hours at the expense of bandwidth. And you can always make +someone wonder why she's being probed by nsa.gov. + +Your TCP spoofing possibilities are mostly limited to destinations you can +source-route to while locally bound to your phony address. Many sites block +source-routed packets these days for precisely this reason. If your kernel +does oddball things when sending source-routed packets, try moving the pointer +around with -G. You may also have to fiddle with the routing on your own +machine before you start receiving packets back. Warning: some machines still +send out traffic using the source address of the outbound interface, regardless +of your binding, especially in the case of localhost. Check first. If you can +open a connection but then get no data back from it, the target host is +probably killing the IP options on its end [this is an option inside TCP +wrappers and several other packages], which happens after the 3-way handshake +is completed. If you send some data and observe the "send-q" side of "netstat" +for that connection increasing but never getting sent, that's another symptom. +Beware: if Sendmail 8.7.x detects a source-routed SMTP connection, it extracts +the hop list and sticks it in the Received: header! + +SYN bombing [sometimes called "hosing"] can disable many TCP servers, and if +you hit one often enough, you can keep it unreachable for days. As is true of +many other denial-of-service attacks, there is currently no defense against it +except maybe at the human level. Making kernel SOMAXCONN considerably larger +than the default and the half-open timeout smaller can help, and indeed some +people running large high-performance web servers have *had* to do that just to +handle normal traffic. Taking out mailers and web servers is sociopathic, but +on the other hand it is sometimes useful to be able to, say, disable a site's +identd daemon for a few minutes. If someone realizes what is going on, +backtracing will still be difficult since the packets have a phony source +address, but calls to enough ISP NOCs might eventually pinpoint the source. +It is also trivial for a clueful ISP to watch for or even block outgoing +packets with obviously fake source addresses, but as we know many of them are +not clueful or willing to get involved in such hassles. Besides, outbound +packets with an [otherwise unreachable] source address in one of their net +blocks would look fairly legitimate. + +Notes +===== + +A discussion of various caveats, subtleties, and the design of the innards. + +As of version 1.07 you can construct a single file containing command arguments +and then some data to transfer. Netcat is now smart enough to pick out the +first line and build the argument list, and send any remaining data across the +net to one or multiple ports. The first release of netcat had trouble with +this -- it called fgets() for the command line argument, which behind the +scenes does a large read() from standard input, perhaps 4096 bytes or so, and +feeds that out to the fgets() library routine. By the time netcat 1.00 started +directly read()ing stdin for more data, 4096 bytes of it were gone. It now +uses raw read() everywhere and does the right thing whether reading from files, +pipes, or ttys. If you use this for multiple-port connections, the single +block of data will now be a maximum of 8K minus the first line. Improvements +have been made to the logic in sending the saved chunk to each new port. Note +that any command-line arguments hidden using this mechanism could still be +extracted from a core dump. + +When netcat receives an inbound UDP connection, it creates a "connected socket" +back to the source of the connection so that it can also send out data using +normal write(). Using this mechanism instead of recvfrom/sendto has several +advantages -- the read/write select loop is simplified, and ICMP errors can in +effect be received by non-root users. However, it has the subtle side effect +that if further UDP packets arrive from the caller but from different source +ports, the listener will not receive them. UDP listen mode on a multihomed +machine may have similar quirks unless you specifically bind to one of its +addresses. It is not clear that kernel support for UDP connected sockets +and/or my understanding of it is entirely complete here, so experiment... + +You should be aware of some subtleties concerning UDP scanning. If -z is on, +netcat attempts to send a single null byte to the target port, twice, with a +small time in between. You can either use the -w timeout, or netcat will try +to make a "sideline" TCP connection to the target to introduce a small time +delay equal to the round-trip time between you and the target. Note that if +you have a -w timeout and -i timeout set, BOTH take effect and you wait twice +as long. The TCP connection is to a normally refused port to minimize traffic, +but if you notice a UDP fast-scan taking somewhat longer than it should, it +could be that the target is actually listening on the TCP port. Either way, +any ICMP port-unreachable messages from the target should have arrived in the +meantime. The second single-byte UDP probe is then sent. Under BSD kernels, +the ICMP error is delivered to the "connected socket" and the second write +returns an error, which tells netcat that there is NOT a UDP service there. +While Linux seems to be a fortunate exception, under many SYSV derived kernels +the ICMP is not delivered, and netcat starts reporting that *all* the ports are +"open" -- clearly wrong. [Some systems may not even *have* the "udp connected +socket" concept, and netcat in its current form will not work for UDP at all.] +If -z is specified and only one UDP port is probed, netcat's exit status +reflects whether the connection was "open" or "refused" as with TCP. + +It may also be that UDP packets are being blocked by filters with no ICMP error +returns, in which case everything will time out and return "open". This all +sounds backwards, but that's how UDP works. If you're not sure, try "echo +w00gumz | nc -u -w 2 target 7" to see if you can reach its UDP echo port at +all. You should have no trouble using a BSD-flavor system to scan for UDP +around your own network, although flooding a target with the high activity that +-z generates will cause it to occasionally drop packets and indicate false +"opens". A more "correct" way to do this is collect and analyze the ICMP +errors, as does SATAN's "udp_scan" backend, but then again there's no guarantee +that the ICMP gets back to you either. Udp_scan also does the zero-byte +probes but is excruciatingly careful to calculate its own round-trip timing +average and dynamically set its own response timeouts along with decoding any +ICMP received. Netcat uses a much sleazier method which is nonetheless quite +effective. Cisco routers are known to have a "dead time" in between ICMP +responses about unreachable UDP ports, so a fast scan of a cisco will show +almost everything "open". If you are looking for a specific UDP service, you +can construct a file containing the right bytes to trigger a response from the +other end and send that as standard input. Netcat will read up to 8K of the +file and send the same data to every UDP port given. Note that you must use a +timeout in this case [as would any other UDP client application] since the +two-write probe only happens if -z is specified. + +Many telnet servers insist on a specific set of option negotiations before +presenting a login banner. On a raw connection you will see this as small +amount of binary gook. My attempts to create fixed input bytes to make a +telnetd happy worked some places but failed against newer BSD-flavor ones, +possibly due to timing problems, but there are a couple of much better +workarounds. First, compile with -DTELNET and use -t if you just want to get +past the option negotiation and talk to something on a telnet port. You will +still see the binary gook -- in fact you'll see a lot more of it as the options +are responded to behind the scenes. The telnet responder does NOT update the +total byte count, or show up in the hex dump -- it just responds negatively to +any options read from the incoming data stream. If you want to use a normal +full-blown telnet to get to something but also want some of netcat's features +involved like settable ports or timeouts, construct a tiny "foo" script: + + #! /bin/sh + exec nc -otheroptions targethost 23 + +and then do + + nc -l -p someport -e foo localhost & + telnet localhost someport + +and your telnet should connect transparently through the exec'ed netcat to +the target, using whatever options you supplied in the "foo" script. Don't +use -t inside the script, or you'll wind up sending *two* option responses. + +I've observed inconsistent behavior under some Linuxes [perhaps just older +ones?] when binding in listen mode. Sometimes netcat binds only to "localhost" +if invoked with no address or port arguments, and sometimes it is unable to +bind to a specific address for listening if something else is already listening +on "any". The former problem can be worked around by specifying "-s 0.0.0.0", +which will do the right thing despite netcat claiming that it's listening on +[127.0.0.1]. This is a known problem -- for example, there's a mention of it +in the makefile for SOCKS. On the flip side, binding to localhost and sending +packets to some other machine doesn't work as you'd expect -- they go out with +the source address of the sending interface instead. The Linux kernel contains +a specific check to ensure that packets from 127.0.0.1 are never sent to the +wire; other kernels may contain similar code. Linux, of course, *still* +doesn't support source-routing, but they claim that it and many other network +improvements are at least breathing hard. + +There are several possible errors associated with making TCP connections, but +to specifically see anything other than "refused", one must wait the full +kernel-defined timeout for a connection to fail. Netcat's mechanism of +wrapping an alarm timer around the connect prevents the *real* network error +from being returned -- "errno" at that point indicates "interrupted system +call" since the connect attempt was interrupted. Some old 4.3 BSD kernels +would actually return things like "host unreachable" immediately if that was +the case, but most newer kernels seem to wait the full timeout and *then* pass +back the real error. Go figure. In this case, I'd argue that the old way was +better, despite those same kernels generally being the ones that tear down +*established* TCP connections when ICMP-bombed. + +Incoming socket options are passed to applications by the kernel in the +kernel's own internal format. The socket-options structure for source-routing +contains the "first-hop" IP address first, followed by the rest of the real +options list. The kernel uses this as is when sending reply packets -- the +structure is therefore designed to be more useful to the kernel than to humans, +but the hex dump of it that netcat produces is still useful to have. + +Kernels treat source-routing options somewhat oddly, but it sort of makes sense +once one understands what's going on internally. The options list of addresses +must contain hop1, hop2, ..., destination. When a source-routed packet is sent +by the kernel [at least BSD], the actual destination address becomes irrelevant +because it is replaced with "hop1", "hop1" is removed from the options list, +and all the other addresses in the list are shifted up to fill the hole. Thus +the outbound packet is sent from your chosen source address to the first +*gateway*, and the options list now contains hop2, ..., destination. During +all this address shuffling, the kernel does NOT change the pointer value, which +is why it is useful to be able to set the pointer yourself -- you can construct +some really bizarre return paths, and send your traffic fairly directly to the +target but around some larger loop on the way back. Some Sun kernels seem to +never flip the source-route around if it contains less than three hops, never +reset the pointer anyway, and tries to send the packet [with options containing +a "completed" source route!!] directly back to the source. This is way broken, +of course. [Maybe ipforwarding has to be on? I haven't had an opportunity to +beat on it thoroughly yet.] + +"Credits" section: The original idea for netcat fell out of a long-standing +desire and fruitless search for a tool resembling it and having the same +features. After reading some other network code and realizing just how many +cool things about sockets could be controlled by the calling user, I started +on the basics and the rest fell together pretty quickly. Some port-scanning +ideas were taken from Venema/Farmer's SATAN tool kit, and Pluvius' "pscan" +utility. Healthy amounts of BSD kernel source were perused in an attempt to +dope out socket options and source-route handling; additional help was obtained +from Dave Borman's telnet sources. The select loop is loosely based on fairly +well-known code from "rsh" and Richard Stevens' "sock" program [which itself is +sort of a "netcat" with more obscure features], with some more paranoid +sanity-checking thrown in to guard against the distinct likelihood that there +are subtleties about such things I still don't understand. I found the +argument-hiding method cleanly implemented in Barrett's "deslogin"; reading the +line as input allows greater versatility and is much less prone to cause +bizarre problems than the more common trick of overwriting the argv array. +After the first release, several people contributed portability fixes; they are +credited in generic.h and the Makefile. Lauren Burka inspired the ascii art +for this revised document. Dean Gaudet at Wired supplied a precursor to +the hex-dump code, and mudge@l0pht.com originally experimented with and +supplied code for the telnet-options responder. Outbound "-e <prog>" resulted +from a need to quietly bypass a firewall installation. Other suggestions and +patches have rolled in for which I am always grateful, but there are only 26 +hours per day and a discussion of feature creep near the end of this document. + +Netcat was written with the Russian railroad in mind -- conservatively built +and solid, but it *will* get you there. While the coding style is fairly +"tight", I have attempted to present it cleanly [keeping *my* lines under 80 +characters, dammit] and put in plenty of comments as to why certain things +are done. Items I know to be questionable are clearly marked with "XXX". +Source code was made to be modified, but determining where to start is +difficult with some of the tangles of spaghetti code that are out there. +Here are some of the major points I feel are worth mentioning about netcat's +internal design, whether or not you agree with my approach. + +Except for generic.h, which changes to adapt more platforms, netcat is a single +source file. This has the distinct advantage of only having to include headers +once and not having to re-declare all my functions in a billion different +places. I have attempted to contain all the gross who's-got-what-.h-file +things in one small dumping ground. Functions are placed "dependencies-first", +such that when the compiler runs into the calls later, it already knows the +type and arguments and won't complain. No function prototyping -- not even the +__P(()) crock -- is used, since it is more portable and a file of this size is +easy enough to check manually. Each function has a standard-format comment +ahead of it, which is easily found using the regexp " :$". I freely use gotos. +Loops and if-clauses are made as small and non-nested as possible, and the ends +of same *marked* for clarity [I wish everyone would do this!!]. + +Large structures and buffers are all malloc()ed up on the fly, slightly larger +than the size asked for and zeroed out. This reduces the chances of damage +from those "end of the buffer" fencepost errors or runaway pointers escaping +off the end. These things are permanent per run, so nothing needs to be freed +until the program exits. + +File descriptor zero is always expected to be standard input, even if it is +closed. If a new network descriptor winds up being zero, a different one is +asked for which will be nonzero, and fd zero is simply left kicking around +for the rest of the run. Why? Because everything else assumes that stdin is +always zero and "netfd" is always positive. This may seem silly, but it was a +lot easier to code. The new fd is obtained directly as a new socket, because +trying to simply dup() a new fd broke subsequent socket-style use of the new fd +under Solaris' stupid streams handling in the socket library. + +The catch-all message and error handlers are implemented with an ample list of +phoney arguments to get around various problems with varargs. Varargs seems +like deliberate obfuscation in the first place, and using it would also +require use of vfprintf() which not all platforms support. The trailing +sleep in bail() is to allow output to flush, which is sometimes needed if +netcat is already on the other end of a network connection. + +The reader may notice that the section that does DNS lookups seems much +gnarlier and more confusing than other parts. This is NOT MY FAULT. The +sockaddr and hostent abstractions are an abortion that forces the coder to +deal with it. Then again, a lot of BSD kernel code looks like similar +struct-pointer hell. I try to straighten it out somewhat by defining my own +HINF structure, containing names, ascii-format IP addresses, and binary IP +addresses. I fill this structure exactly once per host argument, and squirrel +everything safely away and handy for whatever wants to reference it later. + +Where many other network apps use the FIONBIO ioctl to set non-blocking I/O +on network sockets, netcat uses straightforward blocking I/O everywhere. +This makes everything very lock-step, relying on the network and filesystem +layers to feed in data when needed. Data read in is completely written out +before any more is fetched. This may not be quite the right thing to do under +some OSes that don't do timed select() right, but this remains to be seen. + +The hexdump routine is written to be as fast as possible, which is why it does +so much work itself instead of just sprintf()ing everything together. Each +dump line is built into a single buffer and atomically written out using the +lowest level I/O calls. Further improvements could undoubtedly be made by +using writev() and eliminating all sprintf()s, but it seems to fly right along +as is. If both exec-a-prog mode and a hexdump file is asked for, the hexdump +flag is deliberately turned off to avoid creating random zero-length files. +Files are opened in "truncate" mode; if you want "append" mode instead, change +the open flags in main(). + +main() may look a bit hairy, but that's only because it has to go down the +argv list and handle multiple ports, random mode, and exit status. Efforts +have been made to place a minimum of code inside the getopt() loop. Any real +work is sent off to functions in what is hopefully a straightforward way. + +Obligatory vendor-bash: If "nc" had become a standard utility years ago, +the commercial vendors would have likely packaged it setuid root and with +-DGAPING_SECURITY_HOLE turned on but not documented. It is hoped that netcat +will aid people in finding and fixing the no-brainer holes of this sort that +keep appearing, by allowing easier experimentation with the "bare metal" of +the network layer. + +It could be argued that netcat already has too many features. I have tried +to avoid "feature creep" by limiting netcat's base functionality only to those +things which are truly relevant to making network connections and the everyday +associated DNS lossage we're used to. Option switches already have slightly +overloaded functionality. Random port mode is sort of pushing it. The +hex-dump feature went in later because it *is* genuinely useful. The +telnet-responder code *almost* verges on the gratuitous, especially since it +mucks with the data stream, and is left as an optional piece. Many people have +asked for example "how 'bout adding encryption?" and my response is that such +things should be separate entities that could pipe their data *through* netcat +instead of having their own networking code. I am therefore not completely +enthusiastic about adding any more features to this thing, although you are +still free to send along any mods you think are useful. + +Nonetheless, at this point I think of netcat as my tcp/ip swiss army knife, +and the numerous companion programs and scripts to go with it as duct tape. +Duct tape of course has a light side and a dark side and binds the universe +together, and if I wrap enough of it around what I'm trying to accomplish, +it *will* work. Alternatively, if netcat is a large hammer, there are many +network protocols that are increasingly looking like nails by now... + +_H* 960320 v1.10 RELEASE -- happy spring! diff --git a/usr.bin/nc/data/Makefile b/usr.bin/nc/data/Makefile new file mode 100644 index 00000000000..65cf185358f --- /dev/null +++ b/usr.bin/nc/data/Makefile @@ -0,0 +1,10 @@ +all: data rservice xor + +data: data.c + cc -s -O -o data data.c +rservice: rservice.c + cc -s -O -o rservice rservice.c +xor: xor.c + cc -s -O -o xor xor.c +clean: + rm -f *.o data rservice xor diff --git a/usr.bin/nc/data/README b/usr.bin/nc/data/README new file mode 100644 index 00000000000..7e4b9fbf63c --- /dev/null +++ b/usr.bin/nc/data/README @@ -0,0 +1,9 @@ +For now, read the header comments inside each of these for documentation. +The programs are simple enough that they don't really need a Makefile any more +complex than the one given; ymmv. Data and xor may also be useful on DOS, +which is why there are hooks for it in the code. + +data.c a primitive atob / btoa byte generator +*.d example input to "data -g" +rservice.c a utility for scripting up rsh/rexec attacks +xor.c generic xor handler diff --git a/usr.bin/nc/data/data.c b/usr.bin/nc/data/data.c new file mode 100644 index 00000000000..56c167fd969 --- /dev/null +++ b/usr.bin/nc/data/data.c @@ -0,0 +1,274 @@ +/* primitive arbitrary-data frontend for netcat. 0.9 960226 + only handles one value per ascii line, but at least parses 0xNN too + an input line containing "%r" during "-g" generates a random byte + + todo: + make work on msloss jus' for kicks [workin' on it...] + + syntax: data -X [limit] + where X is one of + d: dump raw bytes to ascii format + g: generate raw bytes from ascii input + c: generate ??? of value -- NOTYET + r: generate all random bytes + and limit is how many bytes to generate or dump [unspecified = infinite] + + *Hobbit*, started 951004 or so and randomly screwed around with since */ + +#include <stdio.h> + +#ifdef MSDOS /* for MSC only at the moment... */ +#include <fcntl.h> +#else /* MSDOS */ +#include <sys/file.h> +#define HAVE_RANDOM /* XXX: might have to change */ +#endif /* MSDOS */ + +static char buf_in [128]; +static char buf_raw [8192]; +static char surveysez[] = "survey sez... XXX\n"; + +/* fgetss : + wrapper for fgets, that yanks trailing newlines. Doing the work ourselves + instead of calling strchr/strlen/whatever */ +char * fgetss (buf, len, from) + char * buf; + size_t len; + FILE * from; +{ + register int x; + register char * p, * q; + p = fgets (buf, len, from); /* returns ptr to buf */ + if (! p) + return (NULL); + q = p; + for (x = 0; x < len; x++) { + *p = (*p & 0x7f); /* rip parity, just in case */ + switch (*p) { + case '\n': + case '\r': + case '\0': + *p = '\0'; + return (q); + } /* switch */ + p++; + } /* for */ +} /* fgetss */ + +/* randint: + swiped from rndb.c. Generates an INT, you have to mask down to char. */ +int randint() +{ + register int q; + register int x; + +#ifndef HAVE_RANDOM + q = rand(); +#else + q = random(); +#endif + x = ((q >> 8) & 0xff); /* perturb low byte using some higher bits */ + x = q ^ x; + return (x); +} + +main (argc, argv) + int argc; + char ** argv; +{ + register unsigned char * p; + register char * q; + register int x; + int bc = 0; + int limit = 0; /* num to gen, or 0 = infinite */ + register int xlimit; /* running limit */ + FILE * txt; /* line-by-line ascii file */ + int raw; /* raw bytes fd */ + int dumping = 0; /* cmd flags ... */ + int genning = 0; + int randing = 0; + + memset (buf_in, 0, sizeof (buf_in)); + memset (buf_raw, 0, sizeof (buf_raw)); + + xlimit = 1; /* doubles as "exit flag" */ + bc = 1; /* preload, assuming "dump" */ + x = getpid() + 687319; +/* if your library doesnt have srandom/random, use srand/rand. [from rnd.c] */ +#ifndef HAVE_RANDOM + srand (time(0) + x); +#else + srandom (time(0) + x); +#endif + +#ifdef O_BINARY +/* DOS stupidity */ +/* Aha: *here's* where that setmode() lib call conflict in ?BSD came from */ + x = setmode (0, O_BINARY); /* make stdin raw */ + if (x < 0) { + fprintf (stderr, "stdin binary setmode oops: %d\n", x); + exit (1); + } + x = setmode (1, O_BINARY); /* make stdout raw */ + if (x < 0) { + fprintf (stderr, "stdout binary setmode oops: %d\n", x); + exit (1); + } +#endif /* O_BINARY */ + + if (argv[1]) { + p = argv[1]; /* shit-simple single arg parser... */ + if (*p == '-') /* dash is optional, we'll deal */ + p++; + if (*p == 'd') + dumping++; + if (*p == 'g') + genning++; + if (*p == 'r') + randing++; + } /* if argv 1 */ + +/* optional second argument: limit # of bytes shoveled either way */ + if (argv[2]) { + x = atoi (argv[2]); + if (x) + limit = x; + else + goto wrong; + xlimit = limit; + } + +/* Since this prog would likely best be written in assmbler, I'm gonna + write it *like* assembler. So there. */ + + if (randing) + goto do_rand; + +nextbuf: /* loop sleaze */ + + if (dumping) { /* switch off to wherever */ + if (genning) + goto wrong; + goto do_dump; + } + if (genning) + goto do_gen; +wrong: + fprintf (stderr, surveysez); /* if both or neither */ + exit (1); + +do_gen: +/* here if genning -- original functionality */ + q = buf_raw; + bc = 0; +/* suck up lines until eof or buf_raw is full */ + while (1) { + p = fgetss (buf_in, 120, stdin); + if (! p) + break; /* EOF */ +/* super-primitive version first: one thingie per line */ + if (*p == '#') /* comment */ + continue; + if (*p == '\0') /* blank line */ + continue; + if (*p == '%') { /* escape char? */ + p++; + if (*p == 'r') { /* random byte */ + x = randint(); + goto stuff; + } /* %r */ + } /* if "%" escape */ + if (*p == '0') + if (*(p+1) == 'x') /* 0x?? */ + goto hex; + x = atoi (p); /* reg'lar decimal number */ + goto stuff; + +hex: +/* A 65 a 97 */ +/* xxx: use a conversion table for this or something. Since we ripped the + parity bit, we only need a preset array of 128 with downconversion factors + loaded in *once*. maybe look at scanf... */ + p++; p++; /* point at hex-chars */ + x = 0; + if ((*p > 96) && (*p < 123)) /* a-z */ + *p = (*p - 32); /* this is massively clumsy */ + if ((*p > 64) && (*p < 71)) /* A-F */ + x = (*p - 55); + if ((*p > 47) && (*p < 58)) /* digits */ + x = (*p - 48); + p++; + if (*p) /* another digit? */ + x = (x << 4); /* shift to hi half */ + if ((*p > 96) && (*p < 123)) /* a-z */ + *p = (*p - 32); + if ((*p > 64) && (*p < 71)) /* A-F */ + x = (x | (*p - 55)); /* lo half */ + if ((*p > 47) && (*p < 58)) /* digits */ + x = (x | (*p - 48)); + +/* fall thru */ +stuff: /* cvt to byte and add to buffer */ + *q = (x & 0xff); + q++; + bc++; + if (limit) { + xlimit--; + if (xlimit == 0) /* max num reached */ + break; + } /* limit */ + if (bc >= sizeof (buf_raw)) /* buffer full */ + break; + } /* while 1 */ + +/* now in theory we have our buffer formed; shovel it out */ + x = write (1, buf_raw, bc); + if (x <= 0) { + fprintf (stderr, "write oops: %d\n", x); + exit (1); + } + if (xlimit && p) + goto nextbuf; /* go get some more */ + exit (0); + +do_dump: +/* here if dumping raw stuff into an ascii file */ +/* gad, this is *so* much simpler! can we say "don't rewrite printf"? */ + x = read (0, buf_raw, 8192); + if (x <= 0) + exit (0); + q = buf_raw; + for ( ; x > 0; x--) { + p = q; + printf ("%-3.3d # 0x%-2.2x # ", *p, *p); + if ((*p > 31) && (*p < 127)) + printf ("%c %d\n", *p, bc); + else + printf (". %d\n", bc); + q++; + bc++; + if (limit) { + xlimit--; + if (xlimit == 0) { + fflush (stdout); + exit (0); + } + } /* limit */ + } /* for */ + goto nextbuf; + +do_rand: +/* here if generating all-random bytes. Stays in this loop */ + p = buf_raw; + while (1) { + *p = (randint() & 0xff); + write (1, p, 1); /* makes very slow! */ + if (limit) { + xlimit--; + if (xlimit == 0) + break; + } + } /* while */ + exit (0); + +} /* main */ diff --git a/usr.bin/nc/data/dns-any.d b/usr.bin/nc/data/dns-any.d new file mode 100644 index 00000000000..77b014cf703 --- /dev/null +++ b/usr.bin/nc/data/dns-any.d @@ -0,0 +1,36 @@ +# dns "any for ." query, to udp 53 +# if tcp: precede with 2 bytes of len: +# 0 +# 17 +# you should get at least *one* record back out + +# HEADER: +0 # query id = 2 +2 + +1 # flags/opcodes = query, dorecurse +0 + +0 # qdcount, i.e. nqueries: 1 +1 + +0 # ancount: answers, 0 +0 + +0 # nscount: 0 +0 + +0 # addl records: 0 +0 + +# end of fixed header + +0 # name-len: 0 for ".", lenbyte plus name-bytes otherwise + +0 # type: any, 255 +0xff + +0 # class: IN +1 + +# i think that's it.. diff --git a/usr.bin/nc/data/nfs-0.d b/usr.bin/nc/data/nfs-0.d new file mode 100644 index 00000000000..03609382270 --- /dev/null +++ b/usr.bin/nc/data/nfs-0.d @@ -0,0 +1,59 @@ +# UDP NFS null-proc call; finds active NFS listeners on port 2049. +# If you get *something* back, there's an NFS server there. + +000 # XID: 4 trash bytes +001 +002 +003 + +000 # CALL: 0 +000 +000 +000 + +000 # RPC version: 2 +000 +000 +002 + +000 # nfs: 100003 +001 +0x86 +0xa3 + +000 # version: 1 +000 +000 +001 + +000 # procedure number: 0 +000 +000 +000 + +000 # port: junk +000 +000 +000 + +000 # auth trash +000 +000 +000 + +000 # auth trash +000 +000 +000 + +000 # auth trash +000 +000 +000 + +000 # extra auth trash? probably not needed +000 +000 +000 + +# that's it! diff --git a/usr.bin/nc/data/pm.d b/usr.bin/nc/data/pm.d new file mode 100644 index 00000000000..fe327693a9e --- /dev/null +++ b/usr.bin/nc/data/pm.d @@ -0,0 +1,8 @@ +# obligatory duplicate of dr delete's Livingston portmaster crash, aka +# telnet break. Fire into its telnet listener. An *old* bug by now, but +# consider the small window one might obtain from a slightly out-of-rev PM +# used as a firewall, that starts routing IP traffic BEFORE its filter sets +# are fully loaded... + +255 # 0xff # . 1 +243 # 0xf3 # . 2 diff --git a/usr.bin/nc/data/pmap-dump.d b/usr.bin/nc/data/pmap-dump.d new file mode 100644 index 00000000000..bc6b63277df --- /dev/null +++ b/usr.bin/nc/data/pmap-dump.d @@ -0,0 +1,60 @@ +# portmap dump request: like "rpcinfo -p" but via UDP instead +# send to UDP 111 and hope it's not a logging portmapper! +# split into longwords, since rpc apparently only deals with them + +001 # 0x01 # . # XID: 4 trash bytes +002 # 0x02 # . +003 # 0x03 # . +004 # 0x04 # . + +000 # 0x00 # . # MSG: int 0=call, 1=reply +000 # 0x00 # . +000 # 0x00 # . +000 # 0x00 # . + +000 # 0x00 # . # pmap call body: rpc version=2 +000 # 0x00 # . +000 # 0x00 # . +002 # 0x02 # . + +000 # 0x00 # . # pmap call body: prog=PMAP, 100000 +001 # 0x01 # . +134 # 0x86 # . +160 # 0xa0 # . + +000 # 0x00 # . # pmap call body: progversion=2 +000 # 0x00 # . +000 # 0x00 # . +002 # 0x02 # . + +000 # 0x00 # . # pmap call body: proc=DUMP, 4 +000 # 0x00 # . +000 # 0x00 # . +004 # 0x04 # . + +# with AUTH_NONE, there are 4 zero integers [16 bytes] here + +000 # 0x00 # . # auth junk: cb_cred: auth_unix = 1; NONE = 0 +000 # 0x00 # . +000 # 0x00 # . +000 # 0x00 # . + +000 # 0x00 # . # auth junk +000 # 0x00 # . +000 # 0x00 # . +000 # 0x00 # . + +000 # 0x00 # . # auth junk +000 # 0x00 # . +000 # 0x00 # . +000 # 0x00 # . + +000 # 0x00 # . # auth junk +000 # 0x00 # . +000 # 0x00 # . +000 # 0x00 # . + +# The reply you get back contains your XID, int 1 if "accepted", and +# a whole mess of gobbledygook containing program numbers, versions, +# and ports that rpcinfo knows how to decode. For the moment, you get +# to wade through it yourself... diff --git a/usr.bin/nc/data/pmap-mnt.d b/usr.bin/nc/data/pmap-mnt.d new file mode 100644 index 00000000000..00588ba41f7 --- /dev/null +++ b/usr.bin/nc/data/pmap-mnt.d @@ -0,0 +1,78 @@ +# portmap request for mountd [or whatever; see where prog=MOUNT] +# send to UDP 111 and hope it's not a logging portmapper! +# split into longwords, since rpc apparently only deals with them + +001 # 0x01 # . # XID: 4 trash bytes +002 # 0x02 # . +003 # 0x03 # . +004 # 0x04 # . + +000 # 0x00 # . # MSG: int 0=call, 1=reply +000 # 0x00 # . +000 # 0x00 # . +000 # 0x00 # . + +000 # 0x00 # . # pmap call body: rpc version=2 +000 # 0x00 # . +000 # 0x00 # . +002 # 0x02 # . + +000 # 0x00 # . # pmap call body: prog=PMAP, 100000 +001 # 0x01 # . +134 # 0x86 # . +160 # 0xa0 # . + +000 # 0x00 # . # pmap call body: progversion=2 +000 # 0x00 # . +000 # 0x00 # . +002 # 0x02 # . + +000 # 0x00 # . # pmap call body: proc=GETPORT, 3 +000 # 0x00 # . +000 # 0x00 # . +003 # 0x03 # . + +# with AUTH_NONE, there are 4 zero integers [16 bytes] here + +000 # 0x00 # . # auth junk: cb_cred: auth_unix = 1; NONE = 0 +000 # 0x00 # . +000 # 0x00 # . +000 # 0x00 # . + +000 # 0x00 # . # auth junk +000 # 0x00 # . +000 # 0x00 # . +000 # 0x00 # . + +000 # 0x00 # . # auth junk +000 # 0x00 # . +000 # 0x00 # . +000 # 0x00 # . + +000 # 0x00 # . # auth junk +000 # 0x00 # . +000 # 0x00 # . +000 # 0x00 # . + +000 # 0x00 # . # prog=MOUNT, 100005 +001 # 0x01 # . +134 # 0x86 # . +165 # 0xa5 # . + +000 # 0x00 # . # progversion=1 +000 # 0x00 # . +000 # 0x00 # . +001 # 0x01 # . + +000 # 0x00 # . # protocol=udp, 17 +000 # 0x00 # . +000 # 0x00 # . +017 # 0x11 # . + +000 # 0x00 # . # proc num = junk +000 # 0x00 # . +000 # 0x00 # . +000 # 0x00 # . + +# The reply you get back contains your XID, int 1 if "accepted", and +# mountd's port number at the end or 0 if not registered. diff --git a/usr.bin/nc/data/rip.d b/usr.bin/nc/data/rip.d new file mode 100644 index 00000000000..da505e21430 --- /dev/null +++ b/usr.bin/nc/data/rip.d @@ -0,0 +1,52 @@ +# struct netinfo { +# struct sockaddr rip_dst; /* destination net/host */ +# int rip_metric; /* cost of route */ +# }; +# struct rip { +# u_char rip_cmd; /* request/response */ +# u_char rip_vers; /* protocol version # */ +# u_char rip_res1[2]; /* pad to 32-bit boundary */ +# union { +# struct netinfo ru_nets[1]; /* variable length... */ +# char ru_tracefile[1]; /* ditto ... */ +# } ripun; +#define rip_nets ripun.ru_nets +#define rip_tracefile ripun.ru_tracefile +#define RIPCMD_REQUEST 1 /* want info */ +#define RIPCMD_RESPONSE 2 /* responding to request */ +#define RIPCMD_TRACEON 3 /* turn tracing on */ +#define RIPCMD_TRACEOFF 4 /* turn it off */ +#define HOPCNT_INFINITY 16 /* per Xerox NS */ +#define MAXPACKETSIZE 512 /* max broadcast size */ + +### RIP packet redux +### UDP send FROM clued-rtr/520 to target/520 +2 # RIPCMD_RESPONSE +1 # version +0 # padding +0 + +# sockaddr-plus-metric structs begin, as many as necessary... +0 # len +2 # AF_INET +0 # port +0 +# addr bytes: +X +Y +Z +Q +0 # filler, out to 16 bytes [sizeof (sockaddr)] ... +0 +0 +0 +0 +0 +0 +0 +0 # metric: net-order integer +0 +0 +1 + +## that's it diff --git a/usr.bin/nc/data/rservice.c b/usr.bin/nc/data/rservice.c new file mode 100644 index 00000000000..1085d9cb789 --- /dev/null +++ b/usr.bin/nc/data/rservice.c @@ -0,0 +1,68 @@ +/* generate ^@string1^@string2^@cmd^@ input to netcat, for scripting up + rsh/rexec attacks. Needs to be a prog because shells strip out nulls. + + args: + locuser remuser [cmd] + remuser passwd [cmd] + + cmd defaults to "pwd". + + ... whatever. _H*/ + +#include <stdio.h> + +/* change if you like; "id" is a good one for figuring out if you won too */ +static char cmd[] = "pwd"; + +static char buf [256]; + +main(argc, argv) + int argc; + char * argv[]; +{ + register int x; + register int y; + char * p; + char * q; + + p = buf; + memset (buf, 0, 256); + + p++; /* first null */ + y = 1; + + if (! argv[1]) + goto wrong; + x = strlen (argv[1]); + memcpy (p, argv[1], x); /* first arg plus another null */ + x++; + p += x; + y += x; + + if (! argv[2]) + goto wrong; + x = strlen (argv[2]); + memcpy (p, argv[2], x); /* second arg plus null */ + x++; + p += x; + y += x; + + q = cmd; + if (argv[3]) + q = argv[3]; + x = strlen (q); /* not checked -- bfd */ + memcpy (p, q, x); /* the command, plus final null */ + x++; + p += x; + y += x; + + memcpy (p, "\n", 1); /* and a newline, so it goes */ + y++; + + write (1, buf, y); /* zot! */ + exit (0); + +wrong: + fprintf (stderr, "wrong! needs 2 or more args.\n"); + exit (1); +} diff --git a/usr.bin/nc/data/showmount.d b/usr.bin/nc/data/showmount.d new file mode 100644 index 00000000000..499794bc8a5 --- /dev/null +++ b/usr.bin/nc/data/showmount.d @@ -0,0 +1,63 @@ +# UDP mountd call. Use as input to find mount daemons and avoid portmap. +# Useful proc numbers are 2, 5, and 6. +# UDP-scan around between 600-800 to find most mount daemons. +# Using this with "2", plugged into "nc -u -v -w 2 victim X-Y" will +# directly scan *and* dump the current exports when mountd is hit. +# combine stdout *and* stderr thru "strings" or something to clean it up + +000 # XID: 4 trash bytes +001 +002 +003 + +000 # CALL: 0 +000 +000 +000 + +000 # RPC version: 2 +000 +000 +002 + +000 # mount: 100005 +001 +0x86 +0xa5 + +000 # mount version: 1 +000 +000 +001 + +000 # procedure number -- put what you need here: +000 # 2 = dump [showmount -e] +000 # 5 = exportlist [showmount -a] +xxx # "sed s/xxx/$1/ | data -g | nc ..." or some such... + +000 # port: junk +000 +000 +000 + +000 # auth trash +000 +000 +000 + +000 # auth trash +000 +000 +000 + +000 # auth trash +000 +000 +000 + +000 # extra auth trash? probably not needed +000 +000 +000 + +# that's it! diff --git a/usr.bin/nc/data/xor.c b/usr.bin/nc/data/xor.c new file mode 100644 index 00000000000..9feead0cbac --- /dev/null +++ b/usr.bin/nc/data/xor.c @@ -0,0 +1,92 @@ +/* Generic xor handler. + + With no args, xors stdin against 0xFF to stdout. A single argument is a + file to read xor-bytes out of. Any zero in the xor-bytes array is treated + as the end; if you need to xor against a string that *includes* zeros, + you're on your own. + + The indirect file can be generated easily with data.c. + + Written because there are so many lame schemes for "masking" plaintext + passwords and the like floating around, and it's handy to just run an + obscure binary-format configuration file through this and look for strings. + + *Hobbit*, 960208 */ + +#include <stdio.h> +#include <fcntl.h> + +char buf[8192]; +char bytes[256]; +char * py; + +/* do the xor, in place. Uses global ptr "py" to maintain "bytes" state */ +xorb (buf, len) + char * buf; + int len; +{ + register int x; + register char * pb; + + pb = buf; + x = len; + while (x > 0) { + *pb = (*pb ^ *py); + pb++; + py++; + if (! *py) + py = bytes; + x--; + } +} /* xorb */ + +/* blah */ +main (argc, argv) + int argc; + char ** argv; +{ + register int x = 0; + register int y; + +/* manually preload; xor-with-0xFF is all too common */ + memset (bytes, 0, sizeof (bytes)); + bytes[0] = 0xff; + +/* if file named in any arg, reload from that */ +#ifdef O_BINARY /* DOS shit... */ + x = setmode (0, O_BINARY); /* make stdin raw */ + if (x < 0) { + fprintf (stderr, "stdin binary setmode oops: %d\n", x); + exit (1); + } + x = setmode (1, O_BINARY); /* make stdout raw */ + if (x < 0) { + fprintf (stderr, "stdout binary setmode oops: %d\n", x); + exit (1); + } +#endif /* O_BINARY */ + + if (argv[1]) +#ifdef O_BINARY + x = open (argv[1], O_RDONLY | O_BINARY); +#else + x = open (argv[1], O_RDONLY); +#endif + if (x > 0) { + read (x, bytes, 250); /* nothin' fancy here */ + close (x); + } + py = bytes; + x = 1; + while (x > 0) { + x = read (0, buf, sizeof (buf)); + if (x <= 0) + break; + xorb (buf, x); + y = write (1, buf, x); + if (y <= 0) + exit (1); + } + exit (0); +} + diff --git a/usr.bin/nc/generic.h b/usr.bin/nc/generic.h new file mode 100644 index 00000000000..b3dd5f5dc64 --- /dev/null +++ b/usr.bin/nc/generic.h @@ -0,0 +1,377 @@ +/* generic.h -- anything you don't #undef at the end remains in effect. + The ONLY things that go in here are generic indicator flags; it's up + to your programs to declare and call things based on those flags. + + You should only need to make changes via a minimal system-specific section + at the end of this file. To build a new section, rip through this and + check everything it mentions on your platform, and #undef that which needs + it. If you generate a system-specific section you didn't find in here, + please mail me a copy so I can update the "master". + + I realize I'm probably inventing another pseudo-standard here, but + goddamnit, everybody ELSE has already, and I can't include all of their + hairball schemes too. HAVE_xx conforms to the gnu/autoconf usage and + seems to be the most common format. In fact, I dug a lot of these out + of autoconf and tried to common them all together using "stupidh" to + collect data from platforms. + + In disgust... _H* 940910, 941115, 950511. Pseudo-version: 1.3 + + Updated 951104 with many patches from netcat feedback, and properly + closed a lot of slop in open-ended comments: version 1.4 + 960217 + nextstep: version 1.5 +*/ + +#ifndef GENERIC_H /* only run through this once */ +#define GENERIC_H + +/* =============================== */ +/* System calls, lib routines, etc */ +/* =============================== */ + +/* How does your system declare malloc, void or char? Usually void, but go + ask the SunOS people why they had to be different... */ +#define VOID_MALLOC + +/* notably from fwtk/firewall.h: posix locking? */ +#define HAVE_FLOCK /* otherwise it's lockf() */ + +/* if you don't have setsid(), you might have setpgrp(). */ +#define HAVE_SETSID + +/* random() is generally considered better than rand() */ +#define HAVE_RANDOM + +/* the srand48/lrand48/etc family is s'posedly even better */ +#define HAVE_RAND48 +/* bmc@telebase and others have suggested these macros if a box *does* have + rand48. Will consider for later if we're doing something that really + requires stronger random numbers, but netcat and such certainly doesn't. +#define srandom(seed) srand48((long) seed) +#define random() lrand48() */ + +/* if your machine doesn't have lstat(), it should have stat() [dos...] */ +#define HAVE_LSTAT + +/* different kinds of term ioctls. How to recognize them, very roughly: + sysv/POSIX_ME_HARDER: termio[s].h, struct termio[s], tty.c_*[] + bsd/old stuff: sgtty.h, ioctl(TIOCSETP), sgttyb.sg_*, tchars.t_* */ +#define HAVE_TERMIOS + +/* dbm vs ndbm */ +#define HAVE_NDBM + +/* extended utmp/wtmp stuff. MOST machines still do NOT have this SV-ism */ +#define UTMPX + +/* some systems have nice() which takes *relative* values... [resource.h] */ +#define HAVE_SETPRIORITY + +/* a sysvism, I think, but ... */ +#define HAVE_SYSINFO + +/* ============= */ +/* Include files */ +/* ============= */ + +/* Presence of these can be determined via a script that sniffs them + out if you aren't sure. See "stupidh"... */ + +/* stdlib comes with most modern compilers, but ya never know */ +#define HAVE_STDLIB_H + +/* not on a DOS box! */ +#define HAVE_UNISTD_H + +/* stdarg is a weird one */ +#define HAVE_STDARG_H + +/* dir.h or maybe ndir.h otherwise. */ +#define HAVE_DIRENT_H + +/* string or strings */ +#define HAVE_STRINGS_H + +/* if you don't have lastlog.h, what you want might be in login.h */ +#define HAVE_LASTLOG_H + +/* predefines for _PATH_various */ +#define HAVE_PATHS_H + +/* some SV-flavors break select stuff out separately */ +#define HAVE_SELECT_H + +/* assorted others */ +#define HAVE_PARAM_H /* in sys/ */ +#define HAVE_SYSMACROS_H /* in sys/ */ +#define HAVE_TTYENT_H /* securetty et al */ + +/* ==================== */ + +/* Still maybe have to do something about the following, if it's even + worth it. I just grepped a lot of these out of various code, without + looking them up yet: + +#define HAVE_EINPROGRESS +#define HAVE_F_SETOWN +HAVE_FILIO_H ... fionbio, fiosetown, etc... will need for hairier + select loops. +#define HAVE_SETENV ... now *there's* a hairy one; **environ is portable +#define BIG_ENDIAN/little_endian ... *please* try to avoid this stupidity + and LSBFIRST/MSBFIRST +#define HAVE_GETUSERSHELL ... you could always pull it out of getpwent() +#define HAVE_SETE[UG]ID ... lib or syscall, it varies on diff platforms +#define HAVE_STRCHR ... should actually be handled by string/strings +#define HAVE_PSTAT +#define HAVE_ST_BLKSIZE ... a stat() thing? +#define HAVE_IP_TOS +#define HAVE_STRFTIME ... screw this, we'll just INCLUDE one for lame + old boxes that don't have it [sunos 3.x, early 4.x?] +#define HAVE_VFPRINTF +#define HAVE_SHADOW_PASSWD ... in its multitudinous schemes?? ... how + about sumpin' like #define SHADOW_PASSWD_TYPE ... could get grody. + ... looks like sysv /etc/shadow, getspent() family is common. +#define SIG* ... what a swamp, punt for now; should all be in signal.h +#define HAVE_STRCSPN ... see larry wall's comment in the fwtk regex code +#define ULTRIX_AUTH ... bwahaha. +#define HAVE_YP or NIS or whatever you wanna call it this week +randomness about VARARGS?? +--- later stuff to be considered --- +#define UINT4 ... u-int on alpha/osf, i.e. __alpha/__osf__, ulong elsewhere? + dont name it that, though, it'll conflict with extant .h files like md5 +randomness about machine/endian.h, machine/inline.h -- bsdi, net/2 +randomness about _PATH_WTMP vs WTMP_FILE and where they even live!! +#define HAVE_SYS_ERRLIST ... whether it's in stdio.h or not [bsd 4.4] +--- still more stuff +#define HAVE_SETENV +#define _PATH_UTMP vs UTMP_FILE, a la deslogind?! +#define HAVE_DAEMON +#define HAVE_INETADDR [vixie bind?] +lseek: SEEK_SET vs L_SET and associated lossage [epi-notes, old 386Mach] +bsdi: ioctl_compat.h ? +--- takin' some ifdefs from CNS krb: +F_GETOWN/F_SETOWN +CRAY: long = 8 bytes, etc [class with alpha?] +CGETENT +SIGINFO +SIGTSTP SIGTTOU SIGWINCH +SPX? +SYSV_TERMIO -- covered elsewhere, I hope +TIOCEXT TIOCFLUSH TIOC[GS]WINSIZ +NEWINIT: something about init cleaning up dead login processes [telnet?] +PARENT_DOES_UTMP, too [telnet] +VDISCARD +VEOL/VEOL2/VLNEXT VREPRINT -- termios stuff?, and related... +STREAMSPTY/STREAMSPTYEM +AF_INET/AF_UNSPEC, PF_* +ECHOCTL/ECHOKE +F_ULOCK [?!] +setpgrp/getpgrp() ONEARG business.. +HAVE_ALLOCA +HAVE_GETUTENT +HAVE_SYS_SELECT_H [irix!] +HAVE_DIRENT [old 386mach has *direct.h*!] +HAVE_SIGSET +HAVE_VFORK_H and HAVE_VFORK +HAVE_VHANGUP +HAVE_VSPRINTF +HAVE_IPTOS_* +HAVE_STRCASECMP, STRNCASECMP +HAVE_SYS_FCNTL_H +HAVE_SYS_TIME_H +HAVE_UTIMES +NOTTYENT [?] +HAVE_FCHMOD +HAVE_GETUSERSHELL +HAVE_SIGCONTEXT [stack hair, very machine-specific] +YYLINENO? +POSIX_SIGNALS +POSIX_TERMIOS +SETPROCTITLE -- breaks some places, like fbsd sendmail +SIG* -- actual signal names? some are missing +SIOCGIFCONF +SO_BROADCAST +SHMEM [krb tickets] +VARARGS, or HAVE_VARARGS +CBAUD +... and B300, B9600, etc etc +HAVE_BZERO vs memset/memcpy +HAVE_SETVBUF +HAVE_STRDUP +HAVE_GETENV +HAVE_STRSAVE +HAVE_STBLKSIZE [stat?] +HAVE_STREAM_H -- in sys/, ref sendmail 8.7 for IP_SRCROUTE +FCHMOD +INITGROUPS -- most machines seem to *have* +SETREUID +SNPRINTF +SETPGRP semantics bsd vs. sys5 style + +There's also the issue about WHERE various .h files live, sys/ or otherwise. +There's a BIG swamp lurking where network code of any sort lives. +*/ + +/* ======================== */ +/* System-specific sections */ +/* ======================== */ + +/* By turning OFF various bits of the above, you can customize for + a given platform. Yes, we're ignoring the stock compiler predefines + and using our own plugged in via the Makefile. */ + +/* DOS boxes, with MSC; you may need to adapt to a different compiler. */ +/* looks like later ones *do* have dirent.h, for example */ +#ifdef MSDOS +#undef HAVE_FLOCK +#undef HAVE_RANDOM +#undef HAVE_LSTAT +#undef HAVE_TERMIOS +#undef UTMPX +#undef HAVE_SYSINFO +#undef HAVE_UNISTD_H +#undef HAVE_DIRENT_H /* unless you have the k00l little wrapper from L5!! */ +#undef HAVE_STRINGS_H +#undef HAVE_LASTLOG_H +#undef HAVE_PATHS_H +#undef HAVE_PARAM_H +#undef HAVE_SYSMACROS_H +#undef HAVE_SELECT_H +#undef HAVE_TTYENT_H +#endif /* MSDOS */ + +/* buglix 4.x; dunno about 3.x on down. should be bsd4.2 */ +#ifdef ULTRIX +#undef UTMPX +#undef HAVE_PATHS_H +#undef HAVE_SYSMACROS_H +#undef HAVE_SELECT_H +#endif /* buglix */ + +/* some of this might still be broken on older sunoses */ +#ifdef SUNOS +#undef VOID_MALLOC +#undef UTMPX +#undef HAVE_PATHS_H +#undef HAVE_SELECT_H +#endif /* sunos */ + +/* "contact your vendor for a fix" */ +#ifdef SOLARIS +/* has UTMPX */ +#undef HAVE_RANDOM +#undef HAVE_SETPRIORITY +#undef HAVE_STRINGS_H /* this is genuinely the case, go figure */ +#undef HAVE_PATHS_H +#undef HAVE_SELECT_H +#undef HAVE_TTYENT_H +#endif /* SOLARIS */ + +/* whatever aix variant MIT had at the time; 3.2.x?? */ +#ifdef AIX +#undef UTMPX +#undef HAVE_LASTLOG_H +#define HAVE_LOGIN_H /* "special", in the educational sense */ +#endif /* aix */ + +/* linux, which is trying as desperately as the gnu folks can to be + POSIXLY_CORRECT. I think I'm gonna hurl... */ +#ifdef LINUX +#undef UTMPX +#undef HAVE_SYSINFO +#undef HAVE_SELECT_H +#undef HAVE_TTYENT_H +#endif /* linux */ + +/* irix 5.x; may not be correct for earlier ones */ +#ifdef IRIX +/* wow, does irix really have everything?! */ +#endif /* irix */ + +/* osf on alphas */ +#ifdef OSF +#undef UTMPX +#undef HAVE_SELECT_H +#endif /* osf */ + +/* they's some FUCKED UP paths in this one! */ +#ifdef FREEBSD +#undef UTMPX +#undef HAVE_SYSINFO +#undef HAVE_LASTLOG_H +#undef HAVE_SYSMACROS_H +#undef HAVE_SELECT_H /* actually a lie, but only for kernel */ +#endif /* freebsd */ + +/* Originally from the sidewinder site, of all places, but subsequently + checked further under a more normal bsdi 2.0 */ +#ifdef BSDI +#undef UTMPX +#undef HAVE_LASTLOG_H +#undef HAVE_SYSMACROS_H +/* and their malloc.h was in sys/ ?! */ +#undef HAVE_SELECT_H +#endif /* bsdi */ + +/* netbsd/44lite, jives with amiga-netbsd from cactus */ +#ifdef NETBSD +#undef UTMPX +#undef HAVE_SYSINFO +#undef HAVE_LASTLOG_H +#undef HAVE_SELECT_H +#endif /* netbsd */ + +/* Hpux 9.0x, from BBN and various patches sent in */ +#ifdef HPUX +#undef HAVE_RANDOM /* but *does* have ?rand48 -- need to consider.. */ +#undef HAVE_UTMPX +#undef HAVE_LASTLOG_H /* has utmp/wtmp/btmp nonsense, and pututline() */ +#undef HAVE_PATHS_H +#undef HAVE_SELECT_H +#undef HAVE_TTYENT_H +#endif /* hockeypux */ + +/* Unixware [a loose definition of "unix", to be sure], 1.1.2 [at least] + from Brian Clapper. He wasn't sure about 2.0... */ +#ifdef UNIXWARE +/* has UTMPX */ +#undef HAVE_SETPRIORITY +/* NOTE: UnixWare does provide the BSD stuff, in "/usr/ucbinclude" (headers) + and "/usr/ucblib" (libraries). However, I've run into problems linking + stuff out of that version of the C library, when objects are also coming + out of the "regular" C library. My advice: Avoid the BSD compatibility + stuff wherever possible. Brian Clapper <bmc@telebase.com> */ +#undef HAVE_STRINGS_H +#undef HAVE_PATHS_H +#undef HAVE_TTYENT_H +#endif /* UNIXWARE */ + +/* A/UX 3.1.x from darieb@sandia.gov */ +#ifdef AUX +#undef HAVE_RANDOM +#undef HAVE_SELECT_H /* xxx: untested */ +#endif /* a/ux */ + +/* NeXTSTEP 3.2 motorola mudge@l0pht.com xxx should also work with + white hardware and Sparc/HPPA. Should work with 3.3 too as it's + 4.3 / 4.4 bsd wrapped around mach */ +#ifdef NEXT +#undef UTMPX +#undef HAVE_SELECT_X +#endif /* NeXTSTEP 3.2 motorola */ + +/* Make some "generic" assumptions if all else fails */ +#ifdef GENERIC +#undef HAVE_FLOCK +#if defined(SYSV) && (SYSV < 4) /* TW leftover: old SV doesnt have symlinks */ +#undef HAVE_LSTAT +#endif /* old SYSV */ +#undef HAVE_TERMIOS +#undef UTMPX +#undef HAVE_PATHS_H +#undef HAVE_SELECT_H +#endif /* generic */ + +/* ================ */ +#endif /* GENERIC_H */ + diff --git a/usr.bin/nc/nc.1 b/usr.bin/nc/nc.1 new file mode 100644 index 00000000000..cffb9f637b5 --- /dev/null +++ b/usr.bin/nc/nc.1 @@ -0,0 +1,213 @@ +.\" $OpenBSD: nc.1,v 1.1 1996/09/05 08:55:32 deraadt Exp $ +.\" +.\" Copyright (c) 1996 David Sacerdote +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote products +.\" derived from this software without specific prior written permission +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd August 1, 1996 +.Dt nc 1 +.Sh NAME +.Os +.Nm nc +.Nd +Arbitrary tcp and udp connections and listens. +.Pp +.Nm nc +.Op Fl e Ar command +.Op Fl g Ar intermediates +.Op Fl G Ar hopcount +.Op Fl i Ar interval +.Op Fl lnrtuvz +.Op Fl o Ar filename +.Op Fl p Ar source port +.Op Fl s Ar ip address +.Op Fl w Ar timeout +.Op Ar hostname +.Op Ar port[s...] +.Pp +.Sh DESCRIPTION +The +.Nm nc +(or +.Nm netcat ) +utility is used for just about anything under the sun +involving TCP or UDP. It can open tcp connections, send udp packets, +listen on arbitrary tcp and udp ports, do port scanning, and source +routing. Unlike +.Xr telnet 1 , +.Nm nc +scripts nicely, and separates error messages onto standard error instead +of sending them to standard output, as +.Xr telnet 1 +does with some. +.Pp +Destination ports can be single integers, names as listed in +.Xr /etc/services 5 , +or ranges. Ranges are in the form nn-mm, and several separate ports and/or +ranges may be specified on the command line. +.Pp +Common uses include: +.Bl -bullet +.It +simple tcp proxies +.It +shell\-script based http clients and servers +.It +network daemon testing +.It +source routing based connectivity testing +.It +and much, much more +.El +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl e Ar command +Execute the specified command, using data from the network for stdin, +and sending stdout and stderr to the network. This option is only present if +.Nm nc +was compiled with the GAPING_SECURITY_HOLE compile time option, since it +allows users to make arbitrary programs available to anyone on the network. +.It Fl g Ar intermediate-host +Specifies a hop along a loose source routed path. Can be used more than +once to build a chain of hop points. +.It Fl G Ar pointer +Positions the "hop counter" within the list of machines in the path of +a source routed packet. Must be a multiple of 4. +.It Fl i Ar seconds +Specifies a delay time interval between lines of text sent and received. +Also causes a delay time between connections to multiple ports. +.It Fl l +Is used to specify that +.Nm nc +should listen for an incoming connection, rather than initiate a +connection to a remote host. Any hostname/ip address and port arguments +restrict the source of inbound connections to only that address and +source port. +.It Fl n +Do not do DNS lookups on any of the specified addresses or hostnames, or +names of port numbers from /etc/services. +.It Fl o Ar filename +Create a hexadecimal log of data transferred in the specified file. +Each line begins with < or >. < means "from the net" and > means +"to the net." +.It Fl p Ar port +Specifies the source port +.Nm nc +should use, subject to privilege restrictions and availability. +.It Fl r +Specified that source and/or destination ports should be chosen semi-randomly +instead of sequentially within a range or in the order that the +system assigns. +.It Fl s Ar hostname/ip-address +Specifies the ip of the interface which is used to send the packets. +On some platforms, this can be used for udp spoofing by using ifconfig +to bring up a dummy interface with the desired source ip address. +.It Fl t +Causes +.Nm nc +to send RFC854 DON'T and WON'T responses to RFC854 DO +and WILL requests. This makes it possible to use +.Nm nc +to script telnet sessions. The presence of this option can be +enabled or disabled as a compile-time option. +.It Fl u +Use UDP instead of TCP. +On most platforms, +.Nm nc +will behave as if a connection is established until it receives an +ICMP packet indicating that there is no program listening to what it +sends. +.It Fl v +Verbose. Cause +.Nm nc +to display connection information. Using \-v +more than once will cause +.Nm nc +to become even more verbose. +.It Fl w Ar timeout +Specifies the number of seconds +.Nm nc +should wait before deciding that +an attempt to establish a connection is hopeless. +Also used to specify how long to wait for more network data after standard +input closes. +.It Fl z +Specifies that +.Nm nc +should just scan for listening +daemons, without sending any data to them. Diagnostic messages about refused +connections will not be +displayed unless \-v is specified twice. +.Sh EXAMPLES +.Pp +.Bl -tag -width x +.It Li "nc" +Wait for the user to type what would normally be command-line +arguments in at stdin. +.It Li "nc example.host 42" +Open a TCP connection to port 42 of example.host. If the connection +fails, do not display any error messages, but simply exit. +.It Li "nc -p 31337 example.host 42" +Open a TCP connection to port 42 of example.host, and use port 31337 +as the source port. +.It Li "nc -w 5 example.host 42" +Open a tcp connection to port 42 of example.host, and time out after +five seconds while attempting to connect. +.It Li "nc -u example.host 53" +Send any data from stdin +to UDP port 53 of example.host, and display any data returned. +.It Li "nc -s 10.1.2.3 example.host 42" +Open a tcp connection to port 42 of example.host using 10.1.2.3 as the +ip for the local end of the connection. +.It Li "nc -v example.host 42" +Open a tcp connection to port 42 of example.host, displaying some +diagnostic messages on stderr. +.It Li "nc -v -v example.host 42" +Open a tcp connection to port 42 of example.host, displaying all +diagnostic messages on stderr. +.It Li "nc -v -z example.host 20-30" +Attempt to open tcp connections to ports 20 through 30 of +example.host, and report which ones +.Nm nc +was able to connect to. +.It Li "nc -v -u -z -w 3 example.host 20-30" +Send udp packets to ports 20-30 of example.host, and report which ones +did not respond with an ICMP packet after three seconds. +.It Li "nc -l -p 3000" +Listen on TCP port 3000, and once there is a connection, send stdin to +the remote host, and send data from the remote host to stdout. +.It Li "echo foobar | nc example.host 1000" +Connect to port 1000 of example.host, send the string "foobar" +followed by a newline, and move data from port 1000 of example.host to +stdout until example.host closes the connection. +.El +.Sh SEE ALSO +.Xr telnet 1 , +.Xr cat 1 , +and the +.Nm netcat +.Pa README +.Sh AUTHOR +*Hobbit* [hobbit@avian.org] diff --git a/usr.bin/nc/netcat.blurb b/usr.bin/nc/netcat.blurb new file mode 100644 index 00000000000..2c540ad9dcc --- /dev/null +++ b/usr.bin/nc/netcat.blurb @@ -0,0 +1,61 @@ +Netcat 1.10 is an updated release of Netcat, a simple Unix utility which reads +and writes data across network connections using TCP or UDP protocol. It is +designed to be a reliable "back-end" tool that can be used directly or easily +driven by other programs and scripts. At the same time it is a feature-rich +network debugging and exploration tool, since it can create almost any kind of +connection you would need and has several interesting built-in capabilities. + +Some of netcat's major features are: + + Outbound or inbound connections, TCP or UDP, to or from any ports + Full DNS forward/reverse checking, with appropriate warnings + Ability to use any local source port + Ability to use any locally-configured network source address + Built-in port-scanning capabilities, with randomizer + Built-in loose source-routing capability + Can read command line arguments from standard input + Slow-send mode, one line every N seconds + Hex dump of transmitted and received data + Optional ability to let another program service established connections + Optional telnet-options responder + +A very short list of potential uses: + + Script backends + Scanning ports and inventorying services, automated probes + Backup handlers + File transfers + Server testing, simulation, debugging, and hijacking + Firewall testing + Proxy gatewaying + Network performance testing + Address spoofing tests + Protecting X servers + 1001 other uses you'll likely come up with + +Changes between the 1.00 release and this release: + + Better portability -- updated generic.h and Makefile [thanx folks!] + Indication of local-end interface address on inbound connections + That's *Dave* Borman's telnet, not Paul Borman... + Better indication of DNS errors + Total byte counts printed if -v -v is used + A bunch of front-end driver companion programs and scripts + Better handling of stdin arguments-plus-data + Hex-dump feature + Telnet responder + Program exec works inbound or outbound now + +Netcat and the associated package is a product of Avian Research, and is freely +available in full source form with no restrictions save an obligation to give +credit where due. Get it via anonymous FTP at avian.org:/src/hacks/nc110.tgz +which is a gzipped tar file and not to be confused with its version 1.00 +precursor, nc100.tgz. Other distribution formats can be accomodated upon +request. Netcat is also mirrored at the following [faster] sites: + + zippy.telcom.arizona.edu:/pub/mirrors/avian.org/hacks/nc110.tgz + ftp.sterling.com:/mirrors/avian.org/src/hacks/nc110.tgz + coast.cs.purdue.edu:/pub/tools/unix/netcat/nc110.tgz + ftp.rge.com:/pub/security/coast/mirrors/avian.org/netcat/nc110.tgz + +_H* 960320 diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c new file mode 100644 index 00000000000..5ceb4f1d2fd --- /dev/null +++ b/usr.bin/nc/netcat.c @@ -0,0 +1,1668 @@ +/* Netcat 1.10 RELEASE 960320 + + A damn useful little "backend" utility begun 950915 or thereabouts, + as *Hobbit*'s first real stab at some sockets programming. Something that + should have and indeed may have existed ten years ago, but never became a + standard Unix utility. IMHO, "nc" could take its place right next to cat, + cp, rm, mv, dd, ls, and all those other cryptic and Unix-like things. + + Read the README for the whole story, doc, applications, etc. + + Layout: + conditional includes: + includes: + handy defines: + globals: + malloced globals: + cmd-flag globals: + support routines: + readwrite select loop: + main: + + bluesky: + parse ranges of IP address as well as ports, perhaps + RAW mode! + backend progs to grab a pty and look like a real telnetd?! + backend progs to do various encryption modes??!?! +*/ + +#include "generic.h" /* same as with L5, skey, etc */ + +/* conditional includes -- a very messy section which you may have to dink + for your own architecture [and please send diffs...]: */ +/* #undef _POSIX_SOURCE /* might need this for something? */ +#define HAVE_BIND /* ASSUMPTION -- seems to work everywhere! */ +#define HAVE_HELP /* undefine if you dont want the help text */ +/* #define ANAL /* if you want case-sensitive DNS matching */ + +#ifdef HAVE_STDLIB_H +#include <stdlib.h> +#else +#include <malloc.h> +#endif +#ifdef HAVE_SELECT_H /* random SV variants need this */ +#include <sys/select.h> +#endif + +/* have to do this *before* including types.h. xxx: Linux still has it wrong */ +#ifdef FD_SETSIZE /* should be in types.h, butcha never know. */ +#undef FD_SETSIZE /* if we ever need more than 16 active */ +#endif /* fd's, something is horribly wrong! */ +#define FD_SETSIZE 16 /* <-- this'll give us a long anyways, wtf */ +#include <sys/types.h> /* *now* do it. Sigh, this is broken */ + +#ifdef HAVE_RANDOM /* aficionados of ?rand48() should realize */ +#define SRAND srandom /* that this doesn't need *strong* random */ +#define RAND random /* numbers just to mix up port numbers!! */ +#else +#define SRAND srand +#define RAND rand +#endif /* HAVE_RANDOM */ + +/* includes: */ +#include <sys/time.h> /* timeval, time_t */ +#include <setjmp.h> /* jmp_buf et al */ +#include <sys/socket.h> /* basics, SO_ and AF_ defs, sockaddr, ... */ +#include <netinet/in.h> /* sockaddr_in, htons, in_addr */ +#include <netinet/in_systm.h> /* misc crud that netinet/ip.h references */ +#include <netinet/ip.h> /* IPOPT_LSRR, header stuff */ +#include <netdb.h> /* hostent, gethostby*, getservby* */ +#include <arpa/inet.h> /* inet_ntoa */ +#include <stdio.h> +#include <string.h> /* strcpy, strchr, yadda yadda */ +#include <errno.h> +#include <signal.h> +#include <fcntl.h> /* O_WRONLY et al */ + +/* handy stuff: */ +#define SA struct sockaddr /* socket overgeneralization braindeath */ +#define SAI struct sockaddr_in /* ... whoever came up with this model */ +#define IA struct in_addr /* ... should be taken out and shot, */ + /* ... not that TLI is any better. sigh.. */ +#define SLEAZE_PORT 31337 /* for UDP-scan RTT trick, change if ya want */ +#define USHORT unsigned short /* use these for options an' stuff */ +#define BIGSIZ 8192 /* big buffers */ + +#ifndef INADDR_NONE +#define INADDR_NONE 0xffffffff +#endif +#ifdef MAXHOSTNAMELEN +#undef MAXHOSTNAMELEN /* might be too small on aix, so fix it */ +#endif +#define MAXHOSTNAMELEN 256 + +struct host_poop { + char name[MAXHOSTNAMELEN]; /* dns name */ + char addrs[8][24]; /* ascii-format IP addresses */ + struct in_addr iaddrs[8]; /* real addresses: in_addr.s_addr: ulong */ +}; +#define HINF struct host_poop + +struct port_poop { + char name [64]; /* name in /etc/services */ + char anum [8]; /* ascii-format number */ + USHORT num; /* real host-order number */ +}; +#define PINF struct port_poop + +/* globals: */ +jmp_buf jbuf; /* timer crud */ +int jval = 0; /* timer crud */ +int netfd = -1; +int ofd = 0; /* hexdump output fd */ +static char unknown[] = "(UNKNOWN)"; +static char p_tcp[] = "tcp"; /* for getservby* */ +static char p_udp[] = "udp"; +#ifdef HAVE_BIND +extern int h_errno; +/* stolen almost wholesale from bsd herror.c */ +static char * h_errs[] = { + "Error 0", /* but we *don't* use this */ + "Unknown host", /* 1 HOST_NOT_FOUND */ + "Host name lookup failure", /* 2 TRY_AGAIN */ + "Unknown server error", /* 3 NO_RECOVERY */ + "No address associated with name", /* 4 NO_ADDRESS */ +}; +#else +int h_errno; /* just so we *do* have it available */ +#endif /* HAVE_BIND */ +int gatesidx = 0; /* LSRR hop count */ +int gatesptr = 4; /* initial LSRR pointer, settable */ +USHORT Single = 1; /* zero if scanning */ +unsigned int insaved = 0; /* stdin-buffer size for multi-mode */ +unsigned int wrote_out = 0; /* total stdout bytes */ +unsigned int wrote_net = 0; /* total net bytes */ +static char wrote_txt[] = " sent %d, rcvd %d"; +static char hexnibs[20] = "0123456789abcdef "; + +/* will malloc up the following globals: */ +struct timeval * timer1 = NULL; +struct timeval * timer2 = NULL; +SAI * lclend = NULL; /* sockaddr_in structs */ +SAI * remend = NULL; +HINF ** gates = NULL; /* LSRR hop hostpoop */ +char * optbuf = NULL; /* LSRR or sockopts */ +char * bigbuf_in; /* data buffers */ +char * bigbuf_net; +fd_set * ding1; /* for select loop */ +fd_set * ding2; +PINF * portpoop = NULL; /* for getportpoop / getservby* */ +unsigned char * stage = NULL; /* hexdump line buffer */ + +/* global cmd flags: */ +USHORT o_alla = 0; +unsigned int o_interval = 0; +USHORT o_listen = 0; +USHORT o_nflag = 0; +USHORT o_wfile = 0; +USHORT o_random = 0; +USHORT o_udpmode = 0; +USHORT o_verbose = 0; +unsigned int o_wait = 0; +USHORT o_zero = 0; +/* o_tn in optional section */ + +/* Debug macro: squirt whatever message and sleep a bit so we can see it go + by. need to call like Debug ((stuff)) [with no ; ] so macro args match! + Beware: writes to stdOUT... */ +#ifdef DEBUG +#define Debug(x) printf x; printf ("\n"); fflush (stdout); sleep (1); +#else +#define Debug(x) /* nil... */ +#endif + + +/* support routines -- the bulk of this thing. Placed in such an order that + we don't have to forward-declare anything: */ + +/* holler : + fake varargs -- need to do this way because we wind up calling through + more levels of indirection than vanilla varargs can handle, and not all + machines have vfprintf/vsyslog/whatever! 6 params oughta be enough. */ +void holler (str, p1, p2, p3, p4, p5, p6) + char * str; + char * p1, * p2, * p3, * p4, * p5, * p6; +{ + if (o_verbose) { + fprintf (stderr, str, p1, p2, p3, p4, p5, p6); +#ifdef HAVE_BIND + if (h_errno) { /* if host-lookup variety of error ... */ + if (h_errno > 4) /* oh no you don't, either */ + fprintf (stderr, "preposterous h_errno: %d", h_errno); + else + fprintf (stderr, h_errs[h_errno]); /* handle it here */ + h_errno = 0; /* and reset for next call */ + } +#endif + if (errno) { /* this gives funny-looking messages, but */ + perror (" "); /* it's more portable than sys_errlist[]... */ + } else /* xxx: do something better? */ + fprintf (stderr, "\n"); + fflush (stderr); + } +} /* holler */ + +/* bail : + error-exit handler, callable from anywhere */ +void bail (str, p1, p2, p3, p4, p5, p6) + char * str; + char * p1, * p2, * p3, * p4, * p5, * p6; +{ + o_verbose = 1; + holler (str, p1, p2, p3, p4, p5, p6); + close (netfd); + sleep (1); + exit (1); +} /* bail */ + +/* catch : + no-brainer interrupt handler */ +void catch () +{ + errno = 0; + if (o_verbose > 1) /* normally we don't care */ + bail (wrote_txt, wrote_net, wrote_out); + bail (" punt!"); +} + +/* timeout and other signal handling cruft */ +void tmtravel () +{ + signal (SIGALRM, SIG_IGN); + alarm (0); + if (jval == 0) + bail ("spurious timer interrupt!"); + longjmp (jbuf, jval); +} + +/* arm : + set the timer. Zero secs arg means unarm */ +void arm (num, secs) + unsigned int num; + unsigned int secs; +{ + if (secs == 0) { /* reset */ + signal (SIGALRM, SIG_IGN); + alarm (0); + jval = 0; + } else { /* set */ + signal (SIGALRM, tmtravel); + alarm (secs); + jval = num; + } /* if secs */ +} /* arm */ + +/* Hmalloc : + malloc up what I want, rounded up to *4, and pre-zeroed. Either succeeds + or bails out on its own, so that callers don't have to worry about it. */ +char * Hmalloc (size) + unsigned int size; +{ + unsigned int s = (size + 4) & 0xfffffffc; /* 4GB?! */ + char * p = malloc (s); + if (p != NULL) + memset (p, 0, s); + else + bail ("Hmalloc %d failed", s); + return (p); +} /* Hmalloc */ + +/* findline : + find the next newline in a buffer; return inclusive size of that "line", + or the entire buffer size, so the caller knows how much to then write(). + Not distinguishing \n vs \r\n for the nonce; it just works as is... */ +unsigned int findline (buf, siz) + char * buf; + unsigned int siz; +{ + register char * p; + register int x; + if (! buf) /* various sanity checks... */ + return (0); + if (siz > BIGSIZ) + return (0); + x = siz; + for (p = buf; x > 0; x--) { + if (*p == '\n') { + x = (int) (p - buf); + x++; /* 'sokay if it points just past the end! */ +Debug (("findline returning %d", x)) + return (x); + } + p++; + } /* for */ +Debug (("findline returning whole thing: %d", siz)) + return (siz); +} /* findline */ + +/* comparehosts : + cross-check the host_poop we have so far against new gethostby*() info, + and holler about mismatches. Perhaps gratuitous, but it can't hurt to + point out when someone's DNS is fukt. Returns 1 if mismatch, in case + someone else wants to do something about it. */ +int comparehosts (poop, hp) + HINF * poop; + struct hostent * hp; +{ + errno = 0; + h_errno = 0; +/* The DNS spec is officially case-insensitive, but for those times when you + *really* wanna see any and all discrepancies, by all means define this. */ +#ifdef ANAL + if (strcmp (poop->name, hp->h_name) != 0) { /* case-sensitive */ +#else + if (strcasecmp (poop->name, hp->h_name) != 0) { /* normal */ +#endif + holler ("DNS fwd/rev mismatch: %s != %s", poop->name, hp->h_name); + return (1); + } + return (0); +/* ... do we need to do anything over and above that?? */ +} /* comparehosts */ + +/* gethostpoop : + resolve a host 8 ways from sunday; return a new host_poop struct with its + info. The argument can be a name or [ascii] IP address; it will try its + damndest to deal with it. "numeric" governs whether we do any DNS at all, + and we also check o_verbose for what's appropriate work to do. */ +HINF * gethostpoop (name, numeric) + char * name; + USHORT numeric; +{ + struct hostent * hostent; + struct in_addr iaddr; + register HINF * poop = NULL; + register int x; + +/* I really want to strangle the twit who dreamed up all these sockaddr and + hostent abstractions, and then forced them all to be incompatible with + each other so you *HAVE* to do all this ridiculous casting back and forth. + If that wasn't bad enough, all the doc insists on referring to local ports + and addresses as "names", which makes NO sense down at the bare metal. + + What an absolutely horrid paradigm, and to think of all the people who + have been wasting significant amounts of time fighting with this stupid + deliberate obfuscation over the last 10 years... then again, I like + languages wherein a pointer is a pointer, what you put there is your own + business, the compiler stays out of your face, and sheep are nervous. + Maybe that's why my C code reads like assembler half the time... */ + +/* If we want to see all the DNS stuff, do the following hair -- + if inet_addr, do reverse and forward with any warnings; otherwise try + to do forward and reverse with any warnings. In other words, as long + as we're here, do a complete DNS check on these clowns. Yes, it slows + things down a bit for a first run, but once it's cached, who cares? */ + + errno = 0; + h_errno = 0; + if (name) + poop = (HINF *) Hmalloc (sizeof (HINF)); + if (! poop) + bail ("gethostpoop fuxored"); + strcpy (poop->name, unknown); /* preload it */ +/* see wzv:workarounds.c for dg/ux return-a-struct inet_addr lossage */ + iaddr.s_addr = inet_addr (name); + + if (iaddr.s_addr == INADDR_NONE) { /* here's the great split: names... */ + if (numeric) + bail ("Can't parse %s as an IP address", name); + hostent = gethostbyname (name); + if (! hostent) +/* failure to look up a name is fatal, since we can't do anything with it */ + bail ("%s: forward host lookup failed: ", name); + strncpy (poop->name, hostent->h_name, MAXHOSTNAMELEN - 2); + for (x = 0; hostent->h_addr_list[x] && (x < 8); x++) { + memcpy (&poop->iaddrs[x], hostent->h_addr_list[x], sizeof (IA)); + strncpy (poop->addrs[x], inet_ntoa (poop->iaddrs[x]), + sizeof (poop->addrs[0])); + } /* for x -> addrs, part A */ + if (! o_verbose) /* if we didn't want to see the */ + return (poop); /* inverse stuff, we're done. */ +/* do inverse lookups in separate loop based on our collected forward addrs, + since gethostby* tends to crap into the same buffer over and over */ + for (x = 0; poop->iaddrs[x].s_addr && (x < 8); x++) { + hostent = gethostbyaddr ((char *)&poop->iaddrs[x], + sizeof (IA), AF_INET); + if ((! hostent) || (! hostent-> h_name)) + holler ("Warning: inverse host lookup failed for %s: ", + poop->addrs[x]); + else + (void) comparehosts (poop, hostent); + } /* for x -> addrs, part B */ + + } else { /* not INADDR_NONE: numeric addresses... */ + memcpy (poop->iaddrs, &iaddr, sizeof (IA)); + strncpy (poop->addrs[0], inet_ntoa (iaddr), sizeof (poop->addrs)); + if (numeric) /* if numeric-only, we're done */ + return (poop); + if (! o_verbose) /* likewise if we don't want */ + return (poop); /* the full DNS hair */ + hostent = gethostbyaddr ((char *) &iaddr, sizeof (IA), AF_INET); +/* numeric or not, failure to look up a PTR is *not* considered fatal */ + if (! hostent) + holler ("%s: inverse host lookup failed: ", name); + else { + strncpy (poop->name, hostent->h_name, MAXHOSTNAMELEN - 2); + hostent = gethostbyname (poop->name); + if ((! hostent) || (! hostent->h_addr_list[0])) + holler ("Warning: forward host lookup failed for %s: ", + poop->name); + else + (void) comparehosts (poop, hostent); + } /* if hostent */ + } /* INADDR_NONE Great Split */ + +/* whatever-all went down previously, we should now have a host_poop struct + with at least one IP address in it. */ + h_errno = 0; + return (poop); +} /* gethostpoop */ + +/* getportpoop : + Same general idea as gethostpoop -- look up a port in /etc/services, fill + in global port_poop, but return the actual port *number*. Pass ONE of: + pstring to resolve stuff like "23" or "exec"; + pnum to reverse-resolve something that's already a number. + If o_nflag is on, fill in what we can but skip the getservby??? stuff. + Might as well have consistent behavior here, and it *is* faster. */ +USHORT getportpoop (pstring, pnum) + char * pstring; + unsigned int pnum; +{ + struct servent * servent; + register int x; + register int y; + char * whichp = p_tcp; + if (o_udpmode) + whichp = p_udp; + portpoop->name[0] = '?'; /* fast preload */ + portpoop->name[1] = '\0'; + +/* case 1: reverse-lookup of a number; placed first since this case is much + more frequent if we're scanning */ + if (pnum) { + if (pstring) /* one or the other, pleeze */ + return (0); + x = pnum; + if (o_nflag) /* go faster, skip getservbyblah */ + goto gp_finish; + y = htons (x); /* gotta do this -- see Fig.1 below */ + servent = getservbyport (y, whichp); + if (servent) { + y = ntohs (servent->s_port); + if (x != y) /* "never happen" */ + holler ("Warning: port-bynum mismatch, %d != %d", x, y); + strncpy (portpoop->name, servent->s_name, sizeof (portpoop->name)); + } /* if servent */ + goto gp_finish; + } /* if pnum */ + +/* case 2: resolve a string, but we still give preference to numbers instead + of trying to resolve conflicts. None of the entries in *my* extensive + /etc/services begins with a digit, so this should "always work" unless + you're at 3com and have some company-internal services defined... */ + if (pstring) { + if (pnum) /* one or the other, pleeze */ + return (0); + x = atoi (pstring); + if (x) + return (getportpoop (NULL, x)); /* recurse for numeric-string-arg */ + if (o_nflag) /* can't use names! */ + return (0); + servent = getservbyname (pstring, whichp); + if (servent) { + strncpy (portpoop->name, servent->s_name, sizeof (portpoop->name)); + x = ntohs (servent->s_port); + goto gp_finish; + } /* if servent */ + } /* if pstring */ + + return (0); /* catches any problems so far */ + +/* Obligatory netdb.h-inspired rant: servent.s_port is supposed to be an int. + Despite this, we still have to treat it as a short when copying it around. + Not only that, but we have to convert it *back* into net order for + getservbyport to work. Manpages generally aren't clear on all this, but + there are plenty of examples in which it is just quietly done. More BSD + lossage... since everything getserv* ever deals with is local to our own + host, why bother with all this network-order/host-order crap at all?! + That should be saved for when we want to actually plug the port[s] into + some real network calls -- and guess what, we have to *re*-convert at that + point as well. Fuckheads. */ + +gp_finish: +/* Fall here whether or not we have a valid servent at this point, with + x containing our [host-order and therefore useful, dammit] port number */ + sprintf (portpoop->anum, "%d", x); /* always load any numeric specs! */ + portpoop->num = (x & 0xffff); /* ushort, remember... */ + return (portpoop->num); +} /* getportpoop */ + +/* nextport : + Come up with the next port to try, be it random or whatever. "block" is + a ptr to randports array, whose bytes [so far] carry these meanings: + 0 ignore + 1 to be tested + 2 tested [which is set as we find them here] + returns a USHORT random port, or 0 if all the t-b-t ones are used up. */ +USHORT nextport (block) + char * block; +{ + register unsigned int x; + register unsigned int y; + + y = 70000; /* high safety count for rnd-tries */ + while (y > 0) { + x = (RAND() & 0xffff); + if (block[x] == 1) { /* try to find a not-done one... */ + block[x] = 2; + break; + } + x = 0; /* bummer. */ + y--; + } /* while y */ + if (x) + return (x); + + y = 65535; /* no random one, try linear downsearch */ + while (y > 0) { /* if they're all used, we *must* be sure! */ + if (block[y] == 1) { + block[y] = 2; + break; + } + y--; + } /* while y */ + if (y) + return (y); /* at least one left */ + + return (0); /* no more left! */ +} /* nextport */ + +/* loadports : + set "to be tested" indications in BLOCK, from LO to HI. Almost too small + to be a separate routine, but makes main() a little cleaner... */ +void loadports (block, lo, hi) + char * block; + USHORT lo; + USHORT hi; +{ + USHORT x; + + if (! block) + bail ("loadports: no block?!"); + if ((! lo) || (! hi)) + bail ("loadports: bogus values %d, %d", lo, hi); + x = hi; + while (lo <= x) { + block[x] = 1; + x--; + } +} /* loadports */ + +#ifdef GAPING_SECURITY_HOLE +char * pr00gie = NULL; /* global ptr to -e arg */ + +/* doexec : + fiddle all the file descriptors around, and hand off to another prog. Sort + of like a one-off "poor man's inetd". This is the only section of code + that would be security-critical, which is why it's ifdefed out by default. + Use at your own hairy risk; if you leave shells lying around behind open + listening ports you deserve to lose!! */ +doexec (fd) + int fd; +{ + register char * p; + + dup2 (fd, 0); /* the precise order of fiddlage */ + close (fd); /* is apparently crucial; this is */ + dup2 (0, 1); /* swiped directly out of "inetd". */ + dup2 (0, 2); + p = strrchr (pr00gie, '/'); /* shorter argv[0] */ + if (p) + p++; + else + p = pr00gie; +Debug (("gonna exec %s as %s...", pr00gie, p)) + execl (pr00gie, p, NULL); + bail ("exec %s failed", pr00gie); /* this gets sent out. Hmm... */ +} /* doexec */ +#endif /* GAPING_SECURITY_HOLE */ + +/* doconnect : + do all the socket stuff, and return an fd for one of + an open outbound TCP connection + a UDP stub-socket thingie + with appropriate socket options set up if we wanted source-routing, or + an unconnected TCP or UDP socket to listen on. + Examines various global o_blah flags to figure out what-all to do. */ +int doconnect (rad, rp, lad, lp) + IA * rad; + USHORT rp; + IA * lad; + USHORT lp; +{ + register int nnetfd; + register int rr; + int x, y; + errno = 0; + +/* grab a socket; set opts */ +newskt: + if (o_udpmode) + nnetfd = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP); + else + nnetfd = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP); + if (nnetfd < 0) + bail ("Can't get socket"); + if (nnetfd == 0) /* if stdin was closed this might *be* 0, */ + goto newskt; /* so grab another. See text for why... */ + x = 1; + rr = setsockopt (nnetfd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof (x)); + if (rr == -1) + holler ("nnetfd reuseaddr failed"); /* ??? */ +#ifdef SO_REUSEPORT /* doesnt exist everywhere... */ + rr = setsockopt (nnetfd, SOL_SOCKET, SO_REUSEPORT, &x, sizeof (x)); + if (rr == -1) + holler ("nnetfd reuseport failed"); /* ??? */ +#endif +#if 0 +/* If you want to screw with RCVBUF/SNDBUF, do it here. Liudvikas Bukys at + Rochester sent this example, which would involve YET MORE options and is + just archived here in case you want to mess with it. o_xxxbuf are global + integers set in main() getopt loop, and check for rr == 0 afterward. */ + rr = setsockopt(nnetfd, SOL_SOCKET, SO_RCVBUF, &o_rcvbuf, sizeof o_rcvbuf); + rr = setsockopt(nnetfd, SOL_SOCKET, SO_SNDBUF, &o_sndbuf, sizeof o_sndbuf); +#endif + + /* fill in all the right sockaddr crud */ + lclend->sin_family = AF_INET; + +/* fill in all the right sockaddr crud */ + lclend->sin_family = AF_INET; + remend->sin_family = AF_INET; + +/* if lad/lp, do appropriate binding */ + if (lad) + memcpy (&lclend->sin_addr.s_addr, lad, sizeof (IA)); + if (lp) + lclend->sin_port = htons (lp); + rr = 0; + if (lad || lp) { + x = (int) lp; +/* try a few times for the local bind, a la ftp-data-port... */ + for (y = 4; y > 0; y--) { + rr = bind (nnetfd, (SA *)lclend, sizeof (SA)); + if (rr == 0) + break; + if (errno != EADDRINUSE) + break; + else { + holler ("retrying local %s:%d", inet_ntoa (lclend->sin_addr), lp); + sleep (2); + errno = 0; /* clear from sleep */ + } /* if EADDRINUSE */ + } /* for y counter */ + } /* if lad or lp */ + if (rr) + bail ("Can't grab %s:%d with bind", + inet_ntoa(lclend->sin_addr), lp); + + if (o_listen) + return (nnetfd); /* thanks, that's all for today */ + + memcpy (&remend->sin_addr.s_addr, rad, sizeof (IA)); + remend->sin_port = htons (rp); + +/* rough format of LSRR option and explanation of weirdness. +Option comes after IP-hdr dest addr in packet, padded to *4, and ihl > 5. +IHL is multiples of 4, i.e. real len = ip_hl << 2. + type 131 1 ; 0x83: copied, option class 0, number 3 + len 1 ; of *whole* option! + pointer 1 ; nxt-hop-addr; 1-relative, not 0-relative + addrlist... var ; 4 bytes per hop-addr + pad-to-32 var ; ones, i.e. "NOP" + +If we want to route A -> B via hops C and D, we must add C, D, *and* B to the +options list. Why? Because when we hand the kernel A -> B with list C, D, B +the "send shuffle" inside the kernel changes it into A -> C with list D, B and +the outbound packet gets sent to C. If B wasn't also in the hops list, the +final destination would have been lost at this point. + +When C gets the packet, it changes it to A -> D with list C', B where C' is +the interface address that C used to forward the packet. This "records" the +route hop from B's point of view, i.e. which address points "toward" B. This +is to make B better able to return the packets. The pointer gets bumped by 4, +so that D does the right thing instead of trying to forward back to C. + +When B finally gets the packet, it sees that the pointer is at the end of the +LSRR list and is thus "completed". B will then try to use the packet instead +of forwarding it, i.e. deliver it up to some application. + +Note that by moving the pointer yourself, you could send the traffic directly +to B but have it return via your preconstructed source-route. Playing with +this and watching "tcpdump -v" is the best way to understand what's going on. + +Only works for TCP in BSD-flavor kernels. UDP is a loss; udp_input calls +stripoptions() early on, and the code to save the srcrt is notdef'ed. +Linux is also still a loss at 1.3.x it looks like; the lsrr code is { }... +*/ + +/* if any -g arguments were given, set up source-routing. We hit this after + the gates are all looked up and ready to rock, any -G pointer is set, + and gatesidx is now the *number* of hops */ + if (gatesidx) { /* if we wanted any srcrt hops ... */ +/* don't even bother compiling if we can't do IP options here! */ +#ifdef IP_OPTIONS + if (! optbuf) { /* and don't already *have* a srcrt set */ + char * opp; /* then do all this setup hair */ + optbuf = Hmalloc (48); + opp = optbuf; + *opp++ = IPOPT_LSRR; /* option */ + *opp++ = (char) + (((gatesidx + 1) * sizeof (IA)) + 3) & 0xff; /* length */ + *opp++ = gatesptr; /* pointer */ +/* opp now points at first hop addr -- insert the intermediate gateways */ + for ( x = 0; x < gatesidx; x++) { + memcpy (opp, gates[x]->iaddrs, sizeof (IA)); + opp += sizeof (IA); + } +/* and tack the final destination on the end [needed!] */ + memcpy (opp, rad, sizeof (IA)); + opp += sizeof (IA); + *opp = IPOPT_NOP; /* alignment filler */ + } /* if empty optbuf */ +/* calculate length of whole option mess, which is (3 + [hops] + [final] + 1), + and apply it [have to do this every time through, of course] */ + x = ((gatesidx + 1) * sizeof (IA)) + 4; + rr = setsockopt (nnetfd, IPPROTO_IP, IP_OPTIONS, optbuf, x); + if (rr == -1) + bail ("srcrt setsockopt fuxored"); +#else /* IP_OPTIONS */ + holler ("Warning: source routing unavailable on this machine, ignoring"); +#endif /* IP_OPTIONS*/ + } /* if gatesidx */ + +/* wrap connect inside a timer, and hit it */ + arm (1, o_wait); + if (setjmp (jbuf) == 0) { + rr = connect (nnetfd, (SA *)remend, sizeof (SA)); + } else { /* setjmp: connect failed... */ + rr = -1; + errno = ETIMEDOUT; /* fake it */ + } + arm (0, 0); + if (rr == 0) + return (nnetfd); + close (nnetfd); /* clean up junked socket FD!! */ + return (-1); +} /* doconnect */ + +/* dolisten : + just like doconnect, and in fact calls a hunk of doconnect, but listens for + incoming and returns an open connection *from* someplace. If we were + given host/port args, any connections from elsewhere are rejected. This + in conjunction with local-address binding should limit things nicely... */ +int dolisten (rad, rp, lad, lp) + IA * rad; + USHORT rp; + IA * lad; + USHORT lp; +{ + register int nnetfd; + register int rr; + HINF * whozis = NULL; + int x; + char * cp; + USHORT z; + errno = 0; + +/* Pass everything off to doconnect, who in o_listen mode just gets a socket */ + nnetfd = doconnect (rad, rp, lad, lp); + if (nnetfd <= 0) + return (-1); + if (o_udpmode) { /* apparently UDP can listen ON */ + if (! lp) /* "port 0", but that's not useful */ + bail ("UDP listen needs -p arg"); + } else { + rr = listen (nnetfd, 1); /* gotta listen() before we can get */ + if (rr < 0) /* our local random port. sheesh. */ + bail ("local listen fuxored"); + } + +/* Various things that follow temporarily trash bigbuf_net, which might contain + a copy of any recvfrom()ed packet, but we'll read() another copy later. */ + +/* I can't believe I have to do all this to get my own goddamn bound address + and port number. It should just get filled in during bind() or something. + All this is only useful if we didn't say -p for listening, since if we + said -p we *know* what port we're listening on. At any rate we won't bother + with it all unless we wanted to see it, although listening quietly on a + random unknown port is probably not very useful without "netstat". */ + if (o_verbose) { + x = sizeof (SA); /* how 'bout getsockNUM instead, pinheads?! */ + rr = getsockname (nnetfd, (SA *) lclend, &x); + if (rr < 0) + holler ("local getsockname failed"); + strcpy (bigbuf_net, "listening on ["); /* buffer reuse... */ + if (lclend->sin_addr.s_addr) + strcat (bigbuf_net, inet_ntoa (lclend->sin_addr)); + else + strcat (bigbuf_net, "any"); + strcat (bigbuf_net, "] %d ..."); + z = ntohs (lclend->sin_port); + holler (bigbuf_net, z); + } /* verbose -- whew!! */ + +/* UDP is a speeeeecial case -- we have to do I/O *and* get the calling + party's particulars all at once, listen() and accept() don't apply. + At least in the BSD universe, however, recvfrom/PEEK is enough to tell + us something came in, and we can set things up so straight read/write + actually does work after all. Yow. YMMV on strange platforms! */ + if (o_udpmode) { + x = sizeof (SA); /* retval for recvfrom */ + arm (2, o_wait); /* might as well timeout this, too */ + if (setjmp (jbuf) == 0) { /* do timeout for initial connect */ + rr = recvfrom /* and here we block... */ + (nnetfd, bigbuf_net, BIGSIZ, MSG_PEEK, (SA *) remend, &x); +Debug (("dolisten/recvfrom ding, rr = %d, netbuf %s ", rr, bigbuf_net)) + } else + goto dol_tmo; /* timeout */ + arm (0, 0); +/* I'm not completely clear on how this works -- BSD seems to make UDP + just magically work in a connect()ed context, but we'll undoubtedly run + into systems this deal doesn't work on. For now, we apparently have to + issue a connect() on our just-tickled socket so we can write() back. + Again, why the fuck doesn't it just get filled in and taken care of?! + This hack is anything but optimal. Basically, if you want your listener + to also be able to send data back, you need this connect() line, which + also has the side effect that now anything from a different source or even a + different port on the other end won't show up and will cause ICMP errors. + I guess that's what they meant by "connect". + Let's try to remember what the "U" is *really* for, eh? */ + rr = connect (nnetfd, (SA *)remend, sizeof (SA)); + goto whoisit; + } /* o_udpmode */ + +/* fall here for TCP */ + x = sizeof (SA); /* retval for accept */ + arm (2, o_wait); /* wrap this in a timer, too; 0 = forever */ + if (setjmp (jbuf) == 0) { + rr = accept (nnetfd, (SA *)remend, &x); + } else + goto dol_tmo; /* timeout */ + arm (0, 0); + close (nnetfd); /* dump the old socket */ + nnetfd = rr; /* here's our new one */ + +whoisit: + if (rr < 0) + goto dol_err; /* bail out if any errors so far */ + +/* If we can, look for any IP options. Useful for testing the receiving end of + such things, and is a good exercise in dealing with it. We do this before + the connect message, to ensure that the connect msg is uniformly the LAST + thing to emerge after all the intervening crud. Doesn't work for UDP on + any machines I've tested, but feel free to surprise me. */ +#ifdef IP_OPTIONS + if (! o_verbose) /* if we wont see it, we dont care */ + goto dol_noop; + optbuf = Hmalloc (40); + x = 40; + rr = getsockopt (nnetfd, IPPROTO_IP, IP_OPTIONS, optbuf, &x); + if (rr < 0) + holler ("getsockopt failed"); +Debug (("ipoptions ret len %d", x)) + if (x) { /* we've got options, lessee em... */ + unsigned char * q = (unsigned char *) optbuf; + char * p = bigbuf_net; /* local variables, yuk! */ + char * pp = &bigbuf_net[128]; /* get random space farther out... */ + memset (bigbuf_net, 0, 256); /* clear it all first */ + while (x > 0) { + sprintf (pp, "%2.2x ", *q); /* clumsy, but works: turn into hex */ + strcat (p, pp); /* and build the final string */ + q++; p++; + x--; + } + holler ("IP options: %s", bigbuf_net); + } /* if x, i.e. any options */ +dol_noop: +#endif /* IP_OPTIONS */ + +/* find out what address the connection was *to* on our end, in case we're + doing a listen-on-any on a multihomed machine. This allows one to + offer different services via different alias addresses, such as the + "virtual web site" hack. */ + memset (bigbuf_net, 0, 64); + cp = &bigbuf_net[32]; + x = sizeof (SA); + rr = getsockname (nnetfd, (SA *) lclend, &x); + if (rr < 0) + holler ("post-rcv getsockname failed"); + strcpy (cp, inet_ntoa (lclend->sin_addr)); + +/* now check out who it is. We don't care about mismatched DNS names here, + but any ADDR and PORT we specified had better fucking well match the caller. + Converting from addr to inet_ntoa and back again is a bit of a kludge, but + gethostpoop wants a string and there's much gnarlier code out there already, + so I don't feel bad. + The *real* question is why BFD sockets wasn't designed to allow listens for + connections *from* specific hosts/ports, instead of requiring the caller to + accept the connection and then reject undesireable ones by closing. In + other words, we need a TCP MSG_PEEK. */ + z = ntohs (remend->sin_port); + strcpy (bigbuf_net, inet_ntoa (remend->sin_addr)); + whozis = gethostpoop (bigbuf_net, o_nflag); + errno = 0; + x = 0; /* use as a flag... */ + if (rad) /* xxx: fix to go down the *list* if we have one? */ + if (memcmp (rad, whozis->iaddrs, sizeof (SA))) + x = 1; + if (rp) + if (z != rp) + x = 1; + if (x) /* guilty! */ + bail ("invalid connection to [%s] from %s [%s] %d", + cp, whozis->name, whozis->addrs[0], z); + holler ("connect to [%s] from %s [%s] %d", /* oh, you're okay.. */ + cp, whozis->name, whozis->addrs[0], z); + return (nnetfd); /* open! */ + +dol_tmo: + errno = ETIMEDOUT; /* fake it */ +dol_err: + close (nnetfd); + return (-1); +} /* dolisten */ + +/* udptest : + fire a couple of packets at a UDP target port, just to see if it's really + there. On BSD kernels, ICMP host/port-unreachable errors get delivered to + our socket as ECONNREFUSED write errors. On SV kernels, we lose; we'll have + to collect and analyze raw ICMP ourselves a la satan's probe_udp_ports + backend. Guess where one could swipe the appropriate code from... + + Use the time delay between writes if given, otherwise use the "tcp ping" + trick for getting the RTT. [I got that idea from pluvius, and warped it.] + Return either the original fd, or clean up and return -1. */ +udptest (fd, where) + int fd; + IA * where; +{ + register int rr; + + rr = write (fd, bigbuf_in, 1); + if (rr != 1) + holler ("udptest first write failed?! errno %d", errno); + if (o_wait) + sleep (o_wait); + else { +/* use the tcp-ping trick: try connecting to a normally refused port, which + causes us to block for the time that SYN gets there and RST gets back. + Not completely reliable, but it *does* mostly work. */ + o_udpmode = 0; /* so doconnect does TCP this time */ +/* Set a temporary connect timeout, so packet filtration doesnt cause + us to hang forever, and hit it */ + o_wait = 5; /* enough that we'll notice?? */ + rr = doconnect (where, SLEAZE_PORT, 0, 0); + if (rr > 0) + close (rr); /* in case it *did* open */ + o_wait = 0; /* reset it */ + o_udpmode++; /* we *are* still doing UDP, right? */ + } /* if o_wait */ + errno = 0; /* clear from sleep */ + rr = write (fd, bigbuf_in, 1); + if (rr == 1) /* if write error, no UDP listener */ + return (fd); + close (fd); /* use it or lose it! */ + return (-1); +} /* udptest */ + +/* oprint : + Hexdump bytes shoveled either way to a running logfile, in the format: +D offset - - - - --- 16 bytes --- - - - - # .... ascii ..... + where "which" sets the direction indicator, D: + 0 -- sent to network, or ">" + 1 -- rcvd and printed to stdout, or "<" + and "buf" and "n" are data-block and length. If the current block generates + a partial line, so be it; we *want* that lockstep indication of who sent + what when. Adapted from dgaudet's original example -- but must be ripping + *fast*, since we don't want to be too disk-bound... */ +void oprint (which, buf, n) + int which; + char * buf; + int n; +{ + int bc; /* in buffer count */ + int obc; /* current "global" offset */ + int soc; /* stage write count */ + register unsigned char * p; /* main buf ptr; m.b. unsigned here */ + register unsigned char * op; /* out hexdump ptr */ + register unsigned char * a; /* out asc-dump ptr */ + register int x; + register unsigned int y; + + if (! ofd) + bail ("oprint called with no open fd?!"); + if (n == 0) + return; + + op = stage; + if (which) { + *op = '<'; + obc = wrote_out; /* use the globals! */ + } else { + *op = '>'; + obc = wrote_net; + } + op++; /* preload "direction" */ + *op = ' '; + p = (unsigned char *) buf; + bc = n; + stage[59] = '#'; /* preload separator */ + stage[60] = ' '; + + while (bc) { /* for chunk-o-data ... */ + x = 16; + soc = 78; /* len of whole formatted line */ + if (bc < x) { + soc = soc - 16 + bc; /* fiddle for however much is left */ + x = (bc * 3) + 11; /* 2 digits + space per, after D & offset */ + op = &stage[x]; + x = 16 - bc; + while (x) { + *op++ = ' '; /* preload filler spaces */ + *op++ = ' '; + *op++ = ' '; + x--; + } + x = bc; /* re-fix current linecount */ + } /* if bc < x */ + + bc -= x; /* fix wrt current line size */ + sprintf (&stage[2], "%8.8x ", obc); /* xxx: still slow? */ + obc += x; /* fix current offset */ + op = &stage[11]; /* where hex starts */ + a = &stage[61]; /* where ascii starts */ + + while (x) { /* for line of dump, however long ... */ + y = (int)(*p >> 4); /* hi half */ + *op = hexnibs[y]; + op++; + y = (int)(*p & 0x0f); /* lo half */ + *op = hexnibs[y]; + op++; + *op = ' '; + op++; + if ((*p > 31) && (*p < 127)) + *a = *p; /* printing */ + else + *a = '.'; /* nonprinting, loose def */ + a++; + p++; + x--; + } /* while x */ + *a = '\n'; /* finish the line */ + x = write (ofd, stage, soc); + if (x < 0) + bail ("ofd write err"); + } /* while bc */ +} /* oprint */ + +#ifdef TELNET +USHORT o_tn = 0; /* global -t option */ + +/* atelnet : + Answer anything that looks like telnet negotiation with don't/won't. + This doesn't modify any data buffers, update the global output count, + or show up in a hexdump -- it just shits into the outgoing stream. + Idea and codebase from Mudge@l0pht.com. */ +void atelnet (buf, size) + unsigned char * buf; /* has to be unsigned here! */ + unsigned int size; +{ + static unsigned char obuf [4]; /* tiny thing to build responses into */ + register int x; + register unsigned char y; + register unsigned char * p; + + y = 0; + p = buf; + x = size; + while (x > 0) { + if (*p != 255) /* IAC? */ + goto notiac; + obuf[0] = 255; + p++; x--; + if ((*p == 251) || (*p == 252)) /* WILL or WONT */ + y = 254; /* -> DONT */ + if ((*p == 253) || (*p == 254)) /* DO or DONT */ + y = 252; /* -> WONT */ + if (y) { + obuf[1] = y; + p++; x--; + obuf[2] = *p; /* copy actual option byte */ + (void) write (netfd, obuf, 3); +/* if one wanted to bump wrote_net or do a hexdump line, here's the place */ + y = 0; + } /* if y */ +notiac: + p++; x--; + } /* while x */ +} /* atelnet */ +#endif /* TELNET */ + +/* readwrite : + handle stdin/stdout/network I/O. Bwahaha!! -- the select loop from hell. + In this instance, return what might become our exit status. */ +int readwrite (fd) + int fd; +{ + register int rr; + register char * zp; /* stdin buf ptr */ + register char * np; /* net-in buf ptr */ + unsigned int rzleft; + unsigned int rnleft; + USHORT netretry; /* net-read retry counter */ + USHORT wretry; /* net-write sanity counter */ + USHORT wfirst; /* one-shot flag to skip first net read */ + +/* if you don't have all this FD_* macro hair in sys/types.h, you'll have to + either find it or do your own bit-bashing: *ding1 |= (1 << fd), etc... */ + if (fd > FD_SETSIZE) { + holler ("Preposterous fd value %d", fd); + return (1); + } + FD_SET (fd, ding1); /* global: the net is open */ + netretry = 2; + wfirst = 0; + rzleft = rnleft = 0; + if (insaved) { + rzleft = insaved; /* preload multi-mode fakeouts */ + zp = bigbuf_in; + wfirst = 1; + if (Single) /* if not scanning, this is a one-off first */ + insaved = 0; /* buffer left over from argv construction, */ + else { + FD_CLR (0, ding1); /* OR we've already got our repeat chunk, */ + close (0); /* so we won't need any more stdin */ + } /* Single */ + } /* insaved */ + if (o_interval) + sleep (o_interval); /* pause *before* sending stuff, too */ + errno = 0; /* clear from sleep, close, whatever */ + +/* and now the big ol' select shoveling loop ... */ + while (FD_ISSET (fd, ding1)) { /* i.e. till the *net* closes! */ + wretry = 8200; /* more than we'll ever hafta write */ + if (wfirst) { /* any saved stdin buffer? */ + wfirst = 0; /* clear flag for the duration */ + goto shovel; /* and go handle it first */ + } + *ding2 = *ding1; /* FD_COPY ain't portable... */ +/* some systems, notably linux, crap into their select timers on return, so + we create a expendable copy and give *that* to select. *Fuck* me ... */ + if (timer1) + memcpy (timer2, timer1, sizeof (struct timeval)); + rr = select (16, ding2, 0, 0, timer2); /* here it is, kiddies */ + if (rr < 0) { + if (errno != EINTR) { /* might have gotten ^Zed, etc ?*/ + holler ("select fuxored"); + close (fd); + return (1); + } + } /* select fuckup */ +/* if we have a timeout AND stdin is closed AND we haven't heard anything + from the net during that time, assume it's dead and close it too. */ + if (rr == 0) { + if (! FD_ISSET (0, ding1)) + netretry--; /* we actually try a coupla times. */ + if (! netretry) { + if (o_verbose > 1) /* normally we don't care */ + holler ("net timeout"); + close (fd); + return (0); /* not an error! */ + } + } /* select timeout */ +/* xxx: should we check the exception fds too? The read fds seem to give + us the right info, and none of the examples I found bothered. */ + +/* Ding!! Something arrived, go check all the incoming hoppers, net first */ + if (FD_ISSET (fd, ding2)) { /* net: ding! */ + rr = read (fd, bigbuf_net, BIGSIZ); + if (rr <= 0) { + FD_CLR (fd, ding1); /* net closed, we'll finish up... */ + rzleft = 0; /* can't write anymore: broken pipe */ + } else { + rnleft = rr; + np = bigbuf_net; +#ifdef TELNET + if (o_tn) + atelnet (np, rr); /* fake out telnet stuff */ +#endif /* TELNET */ + } /* if rr */ +Debug (("got %d from the net, errno %d", rr, errno)) + } /* net:ding */ + +/* if we're in "slowly" mode there's probably still stuff in the stdin + buffer, so don't read unless we really need MORE INPUT! MORE INPUT! */ + if (rzleft) + goto shovel; + +/* okay, suck more stdin */ + if (FD_ISSET (0, ding2)) { /* stdin: ding! */ + rr = read (0, bigbuf_in, BIGSIZ); +/* Considered making reads here smaller for UDP mode, but 8192-byte + mobygrams are kinda fun and exercise the reassembler. */ + if (rr <= 0) { /* at end, or fukt, or ... */ + FD_CLR (0, ding1); /* disable and close stdin */ + close (0); + } else { + rzleft = rr; + zp = bigbuf_in; +/* special case for multi-mode -- we'll want to send this one buffer to every + open TCP port or every UDP attempt, so save its size and clean up stdin */ + if (! Single) { /* we might be scanning... */ + insaved = rr; /* save len */ + FD_CLR (0, ding1); /* disable further junk from stdin */ + close (0); /* really, I mean it */ + } /* Single */ + } /* if rr/read */ + } /* stdin:ding */ + +shovel: +/* now that we've dingdonged all our thingdings, send off the results. + Geez, why does this look an awful lot like the big loop in "rsh"? ... + not sure if the order of this matters, but write net -> stdout first. */ + +/* sanity check. Works because they're both unsigned... */ + if ((rzleft > 8200) || (rnleft > 8200)) { + holler ("Bogus buffers: %d, %d", rzleft, rnleft); + rzleft = rnleft = 0; + } +/* net write retries sometimes happen on UDP connections */ + if (! wretry) { /* is something hung? */ + holler ("too many output retries"); + return (1); + } + if (rnleft) { + rr = write (1, np, rnleft); + if (rr > 0) { + if (o_wfile) + oprint (1, np, rr); /* log the stdout */ + np += rr; /* fix up ptrs and whatnot */ + rnleft -= rr; /* will get sanity-checked above */ + wrote_out += rr; /* global count */ + } +Debug (("wrote %d to stdout, errno %d", rr, errno)) + } /* rnleft */ + if (rzleft) { + if (o_interval) /* in "slowly" mode ?? */ + rr = findline (zp, rzleft); + else + rr = rzleft; + rr = write (fd, zp, rr); /* one line, or the whole buffer */ + if (rr > 0) { + if (o_wfile) + oprint (0, zp, rr); /* log what got sent */ + zp += rr; + rzleft -= rr; + wrote_net += rr; /* global count */ + } +Debug (("wrote %d to net, errno %d", rr, errno)) + } /* rzleft */ + if (o_interval) { /* cycle between slow lines, or ... */ + sleep (o_interval); + errno = 0; /* clear from sleep */ + continue; /* ...with hairy select loop... */ + } + if ((rzleft) || (rnleft)) { /* shovel that shit till they ain't */ + wretry--; /* none left, and get another load */ + goto shovel; + } + } /* while ding1:netfd is open */ + +/* XXX: maybe want a more graceful shutdown() here, or screw around with + linger times?? I suspect that I don't need to since I'm always doing + blocking reads and writes and my own manual "last ditch" efforts to read + the net again after a timeout. I haven't seen any screwups yet, but it's + not like my test network is particularly busy... */ + close (fd); + return (0); +} /* readwrite */ + +/* main : + now we pull it all together... */ +main (argc, argv) + int argc; + char ** argv; +{ +#ifndef HAVE_GETOPT + extern char * optarg; + extern int optind, optopt; +#endif + register int x; + register char *cp; + HINF * gp; + HINF * whereto = NULL; + HINF * wherefrom = NULL; + IA * ouraddr = NULL; + IA * themaddr = NULL; + USHORT o_lport = 0; + USHORT ourport = 0; + USHORT loport = 0; /* for scanning stuff */ + USHORT hiport = 0; + USHORT curport = 0; + char * randports = NULL; + +#ifdef HAVE_BIND +/* can *you* say "cc -yaddayadda netcat.c -lresolv -l44bsd" on SunLOSs? */ + res_init(); +#endif +/* I was in this barbershop quartet in Skokie IL ... */ +/* round up the usual suspects, i.e. malloc up all the stuff we need */ + lclend = (SAI *) Hmalloc (sizeof (SA)); + remend = (SAI *) Hmalloc (sizeof (SA)); + bigbuf_in = Hmalloc (BIGSIZ); + bigbuf_net = Hmalloc (BIGSIZ); + ding1 = (fd_set *) Hmalloc (sizeof (fd_set)); + ding2 = (fd_set *) Hmalloc (sizeof (fd_set)); + portpoop = (PINF *) Hmalloc (sizeof (PINF)); + + errno = 0; + gatesptr = 4; + h_errno = 0; + +/* catch a signal or two for cleanup */ + signal (SIGINT, catch); + signal (SIGQUIT, catch); + signal (SIGTERM, catch); +/* and suppress others... */ +#ifdef SIGURG + signal (SIGURG, SIG_IGN); +#endif +#ifdef SIGPIPE + signal (SIGPIPE, SIG_IGN); /* important! */ +#endif + +/* if no args given at all, get 'em from stdin, construct an argv, and hand + anything left over to readwrite(). */ + if (argc == 1) { + cp = argv[0]; + argv = (char **) Hmalloc (128 * sizeof (char *)); /* XXX: 128? */ + argv[0] = cp; /* leave old prog name intact */ + cp = Hmalloc (BIGSIZ); + argv[1] = cp; /* head of new arg block */ + fprintf (stderr, "Cmd line: "); + fflush (stderr); /* I dont care if it's unbuffered or not! */ + insaved = read (0, cp, BIGSIZ); /* we're gonna fake fgets() here */ + if (insaved <= 0) + bail ("wrong"); + x = findline (cp, insaved); + if (x) + insaved -= x; /* remaining chunk size to be sent */ + if (insaved) /* which might be zero... */ + memcpy (bigbuf_in, &cp[x], insaved); + cp = strchr (argv[1], '\n'); + if (cp) + *cp = '\0'; + cp = strchr (argv[1], '\r'); /* look for ^M too */ + if (cp) + *cp = '\0'; + +/* find and stash pointers to remaining new "args" */ + cp = argv[1]; + cp++; /* skip past first char */ + x = 2; /* we know argv 0 and 1 already */ + for (; *cp != '\0'; cp++) { + if (*cp == ' ') { + *cp = '\0'; /* smash all spaces */ + continue; + } else { + if (*(cp-1) == '\0') { + argv[x] = cp; + x++; + } + } /* if space */ + } /* for cp */ + argc = x; + } /* if no args given */ + +/* If your shitbox doesn't have getopt, step into the nineties already. */ +/* optarg, optind = next-argv-component [i.e. flag arg]; optopt = last-char */ + while ((x = getopt (argc, argv, "ae:g:G:hi:lno:p:rs:tuvw:z")) != EOF) { +/* Debug (("in go: x now %c, optarg %x optind %d", x, optarg, optind)) */ + switch (x) { + case 'a': + bail ("all-A-records NIY"); + o_alla++; break; +#ifdef GAPING_SECURITY_HOLE + case 'e': /* prog to exec */ + pr00gie = optarg; + break; +#endif + case 'G': /* srcrt gateways pointer val */ + x = atoi (optarg); + if ((x) && (x == (x & 0x1c))) /* mask off bits of fukt values */ + gatesptr = x; + else + bail ("invalid hop pointer %d, must be multiple of 4 <= 28", x); + break; + case 'g': /* srcroute hop[s] */ + if (gatesidx > 8) + bail ("too many -g hops"); + if (gates == NULL) /* eat this, Billy-boy */ + gates = (HINF **) Hmalloc (sizeof (HINF *) * 10); + gp = gethostpoop (optarg, o_nflag); + if (gp) + gates[gatesidx] = gp; + gatesidx++; + break; + case 'h': + errno = 0; +#ifdef HAVE_HELP + helpme(); /* exits by itself */ +#else + bail ("no help available, dork -- RTFS"); +#endif + case 'i': /* line-interval time */ + o_interval = atoi (optarg) & 0xffff; + if (! o_interval) + bail ("invalid interval time %s", optarg); + break; + case 'l': /* listen mode */ + o_listen++; break; + case 'n': /* numeric-only, no DNS lookups */ + o_nflag++; break; + case 'o': /* hexdump log */ + stage = (unsigned char *) optarg; + o_wfile++; break; + case 'p': /* local source port */ + o_lport = getportpoop (optarg, 0); + if (o_lport == 0) + bail ("invalid local port %s", optarg); + break; + case 'r': /* randomize various things */ + o_random++; break; + case 's': /* local source address */ +/* do a full lookup [since everything else goes through the same mill], + unless -n was previously specified. In fact, careful placement of -n can + be useful, so we'll still pass o_nflag here instead of forcing numeric. */ + wherefrom = gethostpoop (optarg, o_nflag); + ouraddr = &wherefrom->iaddrs[0]; + break; +#ifdef TELNET + case 't': /* do telnet fakeout */ + o_tn++; break; +#endif /* TELNET */ + case 'u': /* use UDP */ + o_udpmode++; break; + case 'v': /* verbose */ + o_verbose++; break; + case 'w': /* wait time */ + o_wait = atoi (optarg); + if (o_wait <= 0) + bail ("invalid wait-time %s", optarg); + timer1 = (struct timeval *) Hmalloc (sizeof (struct timeval)); + timer2 = (struct timeval *) Hmalloc (sizeof (struct timeval)); + timer1->tv_sec = o_wait; /* we need two. see readwrite()... */ + break; + case 'z': /* little or no data xfer */ + o_zero++; + break; + default: + errno = 0; + bail ("nc -h for help"); + } /* switch x */ + } /* while getopt */ + +/* other misc initialization */ +Debug (("fd_set size %d", sizeof (*ding1))) /* how big *is* it? */ + FD_SET (0, ding1); /* stdin *is* initially open */ + if (o_random) { + SRAND (time (0)); + randports = Hmalloc (65536); /* big flag array for ports */ + } +#ifdef GAPING_SECURITY_HOLE + if (pr00gie) { + close (0); /* won't need stdin */ + o_wfile = 0; /* -o with -e is meaningless! */ + ofd = 0; + } +#endif /* G_S_H */ + if (o_wfile) { + ofd = open (stage, O_WRONLY | O_CREAT | O_TRUNC, 0664); + if (ofd <= 0) /* must be > extant 0/1/2 */ + bail ("can't open %s", stage); + stage = (unsigned char *) Hmalloc (100); + } + +/* optind is now index of first non -x arg */ +Debug (("after go: x now %c, optarg %x optind %d", x, optarg, optind)) +/* Debug (("optind up to %d at host-arg %s", optind, argv[optind])) */ +/* gonna only use first addr of host-list, like our IQ was normal; if you wanna + get fancy with addresses, look up the list yourself and plug 'em in for now. + unless we finally implement -a, that is. */ + if (argv[optind]) + whereto = gethostpoop (argv[optind], o_nflag); + if (whereto && whereto->iaddrs) + themaddr = &whereto->iaddrs[0]; + if (themaddr) + optind++; /* skip past valid host lookup */ + errno = 0; + h_errno = 0; + +/* Handle listen mode here, and exit afterward. Only does one connect; + this is arguably the right thing to do. A "persistent listen-and-fork" + mode a la inetd has been thought about, but not implemented. A tiny + wrapper script can handle such things... */ + if (o_listen) { + curport = 0; /* rem port *can* be zero here... */ + if (argv[optind]) { /* any rem-port-arg? */ + curport = getportpoop (argv[optind], 0); + if (curport == 0) /* if given, demand correctness */ + bail ("invalid port %s", argv[optind]); + } /* if port-arg */ + netfd = dolisten (themaddr, curport, ouraddr, o_lport); +/* dolisten does its own connect reporting, so we don't holler anything here */ + if (netfd > 0) { +#ifdef GAPING_SECURITY_HOLE + if (pr00gie) /* -e given? */ + doexec (netfd); +#endif /* GAPING_SECURITY_HOLE */ + x = readwrite (netfd); /* it even works with UDP! */ + if (o_verbose > 1) /* normally we don't care */ + holler (wrote_txt, wrote_net, wrote_out); + exit (x); /* "pack out yer trash" */ + } else /* if no netfd */ + bail ("no connection"); + } /* o_listen */ + +/* fall thru to outbound connects. Now we're more picky about args... */ + if (! themaddr) + bail ("no destination"); + if (argv[optind] == NULL) + bail ("no port[s] to connect to"); + if (argv[optind + 1]) /* look ahead: any more port args given? */ + Single = 0; /* multi-mode, case A */ + ourport = o_lport; /* which can be 0 */ + +/* everything from here down is treated as as ports and/or ranges thereof, so + it's all enclosed in this big ol' argv-parsin' loop. Any randomization is + done within each given *range*, but in separate chunks per each succeeding + argument, so we can control the pattern somewhat. */ + while (argv[optind]) { + hiport = loport = 0; + cp = strchr (argv[optind], '-'); /* nn-mm range? */ + if (cp) { + *cp = '\0'; + cp++; + hiport = getportpoop (cp, 0); + if (hiport == 0) + bail ("invalid port %s", cp); + } /* if found a dash */ + loport = getportpoop (argv[optind], 0); + if (loport == 0) + bail ("invalid port %s", argv[optind]); + if (hiport > loport) { /* was it genuinely a range? */ + Single = 0; /* multi-mode, case B */ + curport = hiport; /* start high by default */ + if (o_random) { /* maybe populate the random array */ + loadports (randports, loport, hiport); + curport = nextport (randports); + } + } else /* not a range, including args like "25-25" */ + curport = loport; +Debug (("Single %d, curport %d", Single, curport)) + +/* Now start connecting to these things. curport is already preloaded. */ + while (loport <= curport) { + if ((! o_lport) && (o_random)) { /* -p overrides random local-port */ + ourport = (RAND() & 0xffff); /* random local-bind -- well above */ + if (ourport < 8192) /* resv and any likely listeners??? */ + ourport += 8192; /* if it *still* conflicts, use -s. */ + } + curport = getportpoop (NULL, curport); + netfd = doconnect (themaddr, curport, ouraddr, ourport); +Debug (("netfd %d from port %d to port %d", netfd, ourport, curport)) + if (netfd > 0) + if (o_zero && o_udpmode) /* if UDP scanning... */ + netfd = udptest (netfd, themaddr); + if (netfd > 0) { /* Yow, are we OPEN YET?! */ + x = 0; /* pre-exit status */ + holler ("%s [%s] %d (%s) open", + whereto->name, whereto->addrs[0], curport, portpoop->name); +#ifdef GAPING_SECURITY_HOLE + if (pr00gie) /* exec is valid for outbound, too */ + doexec (netfd); +#endif /* GAPING_SECURITY_HOLE */ + if (! o_zero) + x = readwrite (netfd); /* go shovel shit */ + } else { /* no netfd... */ + x = 1; /* preload exit status for later */ +/* if we're scanning at a "one -v" verbosity level, don't print refusals. + Give it another -v if you want to see everything. */ + if ((Single || (o_verbose > 1)) || (errno != ECONNREFUSED)) + holler ("%s [%s] %d (%s)", + whereto->name, whereto->addrs[0], curport, portpoop->name); + } /* if netfd */ + close (netfd); /* just in case we didn't already */ + if (o_interval) + sleep (o_interval); /* if -i, delay between ports too */ + if (o_random) + curport = nextport (randports); + else + curport--; /* just decrement... */ + } /* while curport within current range */ + optind++; + } /* while remaining port-args -- end of big argv-ports loop*/ + + errno = 0; + if (o_verbose > 1) /* normally we don't care */ + holler (wrote_txt, wrote_net, wrote_out); + if (Single) + exit (x); /* give us status on one connection */ + exit (0); /* otherwise, we're just done */ +} /* main */ + +#ifdef HAVE_HELP /* unless we wanna be *really* cryptic */ +/* helpme : + the obvious */ +helpme() +{ + o_verbose = 1; + holler ("[v1.10]\n\ +connect to somewhere: nc [-options] hostname port[s] [ports] ... \n\ +listen for inbound: nc -l -p port [-options] [hostname] [port]\n\ +options:"); +/* sigh, this necessarily gets messy. And the trailing \ characters may be + interpreted oddly by some compilers, generating or not generating extra + newlines as they bloody please. u-fix... */ +#ifdef GAPING_SECURITY_HOLE /* needs to be separate holler() */ + holler ("\ + -e prog program to exec after connect [dangerous!!]"); +#endif + holler ("\ + -g gateway source-routing hop point[s], up to 8\n\ + -G num source-routing pointer: 4, 8, 12, ...\n\ + -h this cruft\n\ + -i secs delay interval for lines sent, ports scanned\n\ + -l listen mode, for inbound connects\n\ + -n numeric-only IP addresses, no DNS\n\ + -o file hex dump of traffic\n\ + -p port local port number\n\ + -r randomize local and remote ports\n\ + -s addr local source address"); +#ifdef TELNET + holler ("\ + -t answer TELNET negotiation"); +#endif + holler ("\ + -u UDP mode\n\ + -v verbose [use twice to be more verbose]\n\ + -w secs timeout for connects and final net reads\n\ + -z zero-I/O mode [used for scanning]"); + bail ("port numbers can be individual or ranges: lo-hi [inclusive]"); +} /* helpme */ +#endif /* HAVE_HELP */ + +/* None genuine without this seal! _H*/ diff --git a/usr.bin/nc/scripts/README b/usr.bin/nc/scripts/README new file mode 100644 index 00000000000..07aee0c8ea3 --- /dev/null +++ b/usr.bin/nc/scripts/README @@ -0,0 +1,5 @@ +A collection of example scripts that use netcat as a backend, each +documented by its own internal comments. + +I'll be the first to admit that some of these are seriously *sick*, +but they do work and are quite useful to me on a daily basis. diff --git a/usr.bin/nc/scripts/alta b/usr.bin/nc/scripts/alta new file mode 100644 index 00000000000..7a091767e8e --- /dev/null +++ b/usr.bin/nc/scripts/alta @@ -0,0 +1,33 @@ +#! /bin/sh +## special handler for altavista, since they only hand out chunks of 10 at +## a time. Tries to isolate out results without the leading/trailing trash. +## multiword arguments are foo+bar, as usual. +## Second optional arg switches the "what" field, to e.g. "news" + +test "${1}" = "" && echo 'Needs an argument to search for!' && exit 1 +WHAT="web" +test "${2}" && WHAT="${2}" + +# convert multiple args +PLUSARG="`echo $* | sed 's/ /+/g'`" + +# Plug in arg. only doing simple-q for now; pg=aq for advanced-query +# embedded quotes define phrases; otherwise it goes wild on multi-words +QB="GET /cgi-bin/query?pg=q&what=${WHAT}&fmt=c&q=\"${PLUSARG}\"" + +# ping 'em once, to get the routing warm +nc -z -w 8 www.altavista.digital.com 24015 2> /dev/null +echo "=== Altavista ===" + +for xx in 0 10 20 30 40 50 60 70 80 90 100 110 120 130 140 150 160 170 180 \ + 190 200 210 220 230 240 250 260 270 280 290 300 310 320 330 340 350 ; do + echo "${QB}&stq=${xx}" | nc -w 15 www.altavista.digital.com 80 | \ + egrep '^<a href="http://' +done + +exit 0 + +# old filter stuff + sed -e '/Documents .* matching .* query /,/query?.*stq=.* Document/p' \ + -e d + diff --git a/usr.bin/nc/scripts/bsh b/usr.bin/nc/scripts/bsh new file mode 100644 index 00000000000..796e480354a --- /dev/null +++ b/usr.bin/nc/scripts/bsh @@ -0,0 +1,29 @@ +#! /bin/sh +## a little wrapper to "password" and re-launch a shell-listener. +## Arg is taken as the port to listen on. Define "NC" to point wherever. + +NC=nc + +case "$1" in + ?* ) + LPN="$1" + export LPN + sleep 1 + echo "-l -p $LPN -e $0" | $NC > /dev/null 2>&1 & + echo "launched on port $LPN" + exit 0 + ;; +esac + +# here we play inetd +echo "-l -p $LPN -e $0" | $NC > /dev/null 2>&1 & + +while read qq ; do +case "$qq" in +# here's yer password + gimme ) + cd / + exec csh -i + ;; +esac +done diff --git a/usr.bin/nc/scripts/dist.sh b/usr.bin/nc/scripts/dist.sh new file mode 100644 index 00000000000..4d2534a0e35 --- /dev/null +++ b/usr.bin/nc/scripts/dist.sh @@ -0,0 +1,23 @@ +#! /bin/sh +## This is a quick example listen-exec server, which was used for a while to +## distribute netcat prereleases. It illustrates use of netcat both as a +## "fake inetd" and a syslogger, and how easy it then is to crock up a fairly +## functional server that restarts its own listener and does full connection +## logging. In a half-screen of shell script!! + +PORT=31337 + +sleep 1 +SRC=`tail -1 dist.log` +echo "<36>elite: ${SRC}" | ./nc -u -w 1 localhost 514 > /dev/null 2>&1 +echo ";;; Hi, ${SRC}..." +echo ";;; This is a PRERELEASE version of 'netcat', tar/gzip/uuencoded." +echo ";;; Unless you are capturing this somehow, it won't do you much good." +echo ";;; Ready?? Here it comes! Have phun ..." +sleep 8 +cat dist.file +sleep 1 +./nc -v -l -p ${PORT} -e dist.sh < /dev/null >> dist.log 2>&1 & +sleep 1 +echo "<36>elite: done" | ./nc -u -w 1 localhost 514 > /dev/null 2>&1 +exit 0 diff --git a/usr.bin/nc/scripts/irc b/usr.bin/nc/scripts/irc new file mode 100644 index 00000000000..3557d7a0c6e --- /dev/null +++ b/usr.bin/nc/scripts/irc @@ -0,0 +1,79 @@ +#! /bin/sh +## Shit-simple script to supply the "privmsg <recipient>" of IRC typein, and +## keep the connection alive. Pipe this thru "nc -v -w 5 irc-server port". +## Note that this mechanism makes the script easy to debug without being live, +## since it just echoes everything bound for the server. +## if you want autologin-type stuff, construct some appropriate files and +## shovel them in using the "<" mechanism. + +# magic arg: if "tick", do keepalive process instead of main loop +if test "$1" = "tick" ; then +# ignore most signals; the parent will nuke the kid +# doesn't stop ^Z, of course. + trap '' 1 2 3 13 14 15 16 + while true ; do + sleep 60 + echo "PONG !" + done +fi + +# top level: fire ourselves off as the keepalive process, and keep track of it +sh $0 tick & +ircpp=$! +echo "[Keepalive: $ircpp]" >&2 +# catch our own batch of signals: hup int quit pipe alrm term urg +trap 'kill -9 $ircpp ; exit 0' 1 2 3 13 14 15 16 +sleep 2 + +sender='' +savecmd='' + +# the big honkin' loop... +while read xx yy ; do + case "${xx}" in +# blank line: do nothing + "") + continue + ;; +# new channel or recipient; if bare ">", we're back to raw literal mode. + ">") + if test "${yy}" ; then + sender="privmsg ${yy} :" + else + sender='' + fi + continue + ;; +# send crud from a file, one line per second. Can you say "skr1pt kidz"?? +# *Note: uses current "recipient" if set. + "<") + if test -f "${yy}" ; then + ( while read zz ; do + sleep 1 + echo "${sender}${zz}" + done ) < "$yy" + echo "[done]" >&2 + else + echo "[File $yy not found]" >&2 + fi + continue + ;; +# do and save a single command, for quick repeat + "/") + if test "${yy}" ; then + savecmd="${yy}" + fi + echo "${savecmd}" + ;; +# default case goes to recipient, just like always + *) + echo "${sender}${xx} ${yy}" + continue + ;; + esac +done + +# parting shot, if you want it +echo "quit :Bye all!" +kill -9 $ircpp +exit 0 diff --git a/usr.bin/nc/scripts/iscan b/usr.bin/nc/scripts/iscan new file mode 100644 index 00000000000..6279bc817fe --- /dev/null +++ b/usr.bin/nc/scripts/iscan @@ -0,0 +1,35 @@ +#! /bin/sh +## duplicate DaveG's ident-scan thingie using netcat. Oooh, he'll be pissed. +## args: target port [port port port ...] +## hose stdout *and* stderr together. +## +## advantages: runs slower than ident-scan, giving remote inetd less cause +## for alarm, and only hits the few known daemon ports you specify. +## disadvantages: requires numeric-only port args, the output sleazitude, +## and won't work for r-services when coming from high source ports. + +case "${2}" in + "" ) echo needs HOST and at least one PORT ; exit 1 ;; +esac + +# ping 'em once and see if they *are* running identd +nc -z -w 9 "$1" 113 || { echo "oops, $1 isn't running identd" ; exit 0 ; } + +# generate a randomish base port +RP=`expr $$ % 999 + 31337` + +TRG="$1" +shift + +while test "$1" ; do + nc -v -w 8 -p ${RP} "$TRG" ${1} < /dev/null > /dev/null & + PROC=$! + sleep 3 + echo "${1},${RP}" | nc -w 4 -r "$TRG" 113 2>&1 + sleep 2 +# does this look like a lamer script or what... + kill -HUP $PROC + RP=`expr ${RP} + 1` + shift +done + diff --git a/usr.bin/nc/scripts/ncp b/usr.bin/nc/scripts/ncp new file mode 100644 index 00000000000..1931b033858 --- /dev/null +++ b/usr.bin/nc/scripts/ncp @@ -0,0 +1,46 @@ +#! /bin/sh +## Like "rcp" but uses netcat on a high port. +## do "ncp targetfile" on the RECEIVING machine +## then do "ncp sourcefile receivinghost" on the SENDING machine +## if invoked as "nzp" instead, compresses transit data. + +## pick your own personal favorite port, which will be used on both ends. +## You should probably change this for your own uses. +MYPORT=23456 + +## if "nc" isn't systemwide or in your PATH, add the right place +# PATH=${HOME}:${PATH} ; export PATH + +test "$3" && echo "too many args" && exit 1 +test ! "$1" && echo "no args?" && exit 1 +me=`echo $0 | sed 's+.*/++'` +test "$me" = "nzp" && echo '[compressed mode]' + +# if second arg, it's a host to send an [extant] file to. +if test "$2" ; then + test ! -f "$1" && echo "can't find $1" && exit 1 + if test "$me" = "nzp" ; then + compress -c < "$1" | nc -v -w 2 $2 $MYPORT && exit 0 + else + nc -v -w 2 $2 $MYPORT < "$1" && exit 0 + fi + echo "transfer FAILED!" + exit 1 +fi + +# fall here for receiver. Ask before trashing existing files +if test -f "$1" ; then + echo -n "Overwrite $1? " + read aa + test ! "$aa" = "y" && echo "[punted!]" && exit 1 +fi +# 30 seconds oughta be pleeeeenty of time, but change if you want. +if test "$me" = "nzp" ; then + nc -v -w 30 -p $MYPORT -l < /dev/null | uncompress -c > "$1" && exit 0 +else + nc -v -w 30 -p $MYPORT -l < /dev/null > "$1" && exit 0 +fi +echo "transfer FAILED!" +# clean up, since even if the transfer failed, $1 is already trashed +rm -f "$1" +exit 1 diff --git a/usr.bin/nc/scripts/probe b/usr.bin/nc/scripts/probe new file mode 100644 index 00000000000..c47dc3f495e --- /dev/null +++ b/usr.bin/nc/scripts/probe @@ -0,0 +1,50 @@ +#! /bin/sh +## launch a whole buncha shit at yon victim in no particular order; capture +## stderr+stdout in one place. Run as root for rservice and low -p to work. +## Fairly thorough example of using netcat to collect a lot of host info. +## Will set off every intrusion alarm in existence on a paranoid machine! + +# where .d files are kept; "." if nothing else +DDIR=../data +# address of some well-connected router that groks LSRR +GATE=192.157.69.11 + +# might conceivably wanna change this for different run styles +UCMD='nc -v -w 8' + +test ! "$1" && echo Needs victim arg && exit 1 + +echo '' | $UCMD -w 9 -r "$1" 13 79 6667 2>&1 +echo '0' | $UCMD "$1" 79 2>&1 +# if LSRR was passed thru, should get refusal here: +$UCMD -z -r -g $GATE "$1" 6473 2>&1 +$UCMD -r -z "$1" 6000 4000-4004 111 53 2105 137-140 1-20 540-550 95 87 2>&1 +# -s `hostname` may be wrong for some multihomed machines +echo 'UDP echoecho!' | nc -u -p 7 -s `hostname` -w 3 "$1" 7 19 2>&1 +echo '113,10158' | $UCMD -p 10158 "$1" 113 2>&1 +rservice bin bin | $UCMD -p 1019 "$1" shell 2>&1 +echo QUIT | $UCMD -w 8 -r "$1" 25 158 159 119 110 109 1109 142-144 220 23 2>&1 +# newline after any telnet trash +echo '' +echo PASV | $UCMD -r "$1" 21 2>&1 +echo 'GET /' | $UCMD -w 10 "$1" 80 81 210 70 2>&1 +# sometimes contains useful directory info: +echo 'GET /robots.txt' | $UCMD -w 10 "$1" 80 2>&1 +# now the big red lights go on +rservice bin bin 9600/9600 | $UCMD -p 1020 "$1" login 2>&1 +rservice root root | $UCMD -r "$1" exec 2>&1 +echo 'BEGIN big udp -- everything may look "open" if packet-filtered' +data -g < ${DDIR}/nfs-0.d | $UCMD -i 1 -u "$1" 2049 | od -x 2>&1 +# no wait-time, uses RTT hack +nc -v -z -u -r "$1" 111 66-70 88 53 87 161-164 121-123 213 49 2>&1 +nc -v -z -u -r "$1" 137-140 694-712 747-770 175-180 2103 510-530 2>&1 +echo 'END big udp' +$UCMD -r -z "$1" 175-180 2000-2003 530-533 1524 1525 666 213 8000 6250 2>&1 +# Use our identd-sniffer! +iscan "$1" 21 25 79 80 111 53 6667 6000 2049 119 2>&1 +# this gets pretty intrusive, but what the fuck. Probe for portmap first +if nc -w 5 -z -u "$1" 111 ; then + showmount -e "$1" 2>&1 + rpcinfo -p "$1" 2>&1 +fi +exit 0 diff --git a/usr.bin/nc/scripts/web b/usr.bin/nc/scripts/web new file mode 100644 index 00000000000..382b18e1e3f --- /dev/null +++ b/usr.bin/nc/scripts/web @@ -0,0 +1,148 @@ +#! /bin/sh +## The web sucks. It is a mighty dismal kludge built out of a thousand +## tiny dismal kludges all band-aided together, and now these bottom-line +## clueless pinheads who never heard of "TCP handshake" want to run +## *commerce* over the damn thing. Ye godz. Welcome to TV of the next +## century -- six million channels of worthless shit to choose from, and +## about as much security as today's cable industry! +## +## Having grown mightily tired of pain in the ass browsers, I decided +## to build the minimalist client. It doesn't handle POST, just GETs, but +## the majority of cgi forms handlers apparently ignore the method anyway. +## A distinct advantage is that it *doesn't* pass on any other information +## to the server, like Referer: or info about your local machine such as +## Netscum tries to! +## +## Since the first version, this has become the *almost*-minimalist client, +## but it saves a lot of typing now. And with netcat as its backend, it's +## totally the balls. Don't have netcat? Get it here in /src/hacks! +## _H* 950824, updated 951009 et seq. +## +## args: hostname [port]. You feed it the filename-parts of URLs. +## In the loop, HOST, PORT, and SAVE do the right things; a null line +## gets the previous spec again [useful for initial timeouts]; EOF to exit. +## Relative URLs behave like a "cd" to wherever the last slash appears, or +## just use the last component with the saved preceding "directory" part. +## "\" clears the "filename" part and asks for just the "directory", and +## ".." goes up one "directory" level while retaining the "filename" part. +## Play around; you'll get used to it. + +if test "$1" = "" ; then + echo Needs hostname arg. + exit 1 +fi +umask 022 + +# optional PATH fixup +# PATH=${HOME}:${PATH} ; export PATH + +test "${PAGER}" || PAGER=more +BACKEND="nc -v -w 15" +TMPAGE=/tmp/web$$ +host="$1" +port="80" +if test "$2" != "" ; then + port="$2" +fi + +spec="/" +specD="/" +specF='' +saving='' + +# be vaguely smart about temp file usage. Use your own homedir if you're +# paranoid about someone symlink-racing your shell script, jeez. +rm -f ${TMPAGE} +test -f ${TMPAGE} && echo "Can't use ${TMPAGE}" && exit 1 + +# get loopy. Yes, I know "echo -n" aint portable. Everything echoed would +# need "\c" tacked onto the end in an SV universe, which you can fix yourself. +while echo -n "${specD}${specF} " && read spec ; do + case $spec in + HOST) + echo -n 'New host: ' + read host + continue + ;; + PORT) + echo -n 'New port: ' + read port + continue + ;; + SAVE) + echo -n 'Save file: ' + read saving +# if we've already got a page, save it + test "${saving}" && test -f ${TMPAGE} && + echo "=== ${host}:${specD}${specF} ===" >> $saving && + cat ${TMPAGE} >> $saving && echo '' >> $saving + continue + ;; +# changing the logic a bit here. Keep a state-concept of "current dir" +# and "current file". Dir is /foo/bar/ ; file is "baz" or null. +# leading slash: create whole new state. + /*) + specF=`echo "${spec}" | sed 's|.*/||'` + specD=`echo "${spec}" | sed 's|\(.*/\).*|\1|'` + spec="${specD}${specF}" + ;; +# embedded slash: adding to the path. "file" part can be blank, too + */*) + specF=`echo "${spec}" | sed 's|.*/||'` + specD=`echo "${specD}${spec}" | sed 's|\(.*/\).*|\1|'` + ;; +# dotdot: jump "up" one level and just reprompt [confirms what it did...] + ..) + specD=`echo "${specD}" | sed 's|\(.*/\)..*/|\1|'` + continue + ;; +# blank line: do nothing, which will re-get the current one + '') + ;; +# hack-quoted blank line: "\" means just zero out "file" part + '\') + specF='' + ;; +# sigh + '?') + echo Help yourself. Read the script fer krissake. + continue + ;; +# anything else is taken as a "file" part + *) + specF=${spec} + ;; + esac + +# now put it together and stuff it down a connection. Some lame non-unix +# http servers assume they'll never get simple-query format, and wait till +# an extra newline arrives. If you're up against one of these, change +# below to (echo GET "$spec" ; echo '') | $BACKEND ... + spec="${specD}${specF}" + echo GET "${spec}" | $BACKEND $host $port > ${TMPAGE} + ${PAGER} ${TMPAGE} + +# save in a format that still shows the URLs we hit after a de-html run + if test "${saving}" ; then + echo "=== ${host}:${spec} ===" >> $saving + cat ${TMPAGE} >> $saving + echo '' >> $saving + fi +done +rm -f ${TMPAGE} +exit 0 + +####### +# Encoding notes, finally from RFC 1738: +# %XX -- hex-encode of special chars +# allowed alphas in a URL: $_-.+!*'(), +# relative names *not* described, but obviously used all over the place +# transport://user:pass@host:port/path/name?query-string +# wais: port 210, //host:port/database?search or /database/type/file? +# cgi-bin/script?arg1=foo&arg2=bar&... scripts have to parse xxx&yyy&zzz +# ISMAP imagemap stuff: /bin/foobar.map?xxx,yyy -- have to guess at coords! +# local access-ctl files: ncsa: .htaccess ; cern: .www_acl +####### +# SEARCH ENGINES: fortunately, all are GET forms or at least work that way... +# multi-word args for most cases: foo+bar +# See 'websearch' for concise results of this research... diff --git a/usr.bin/nc/scripts/webproxy b/usr.bin/nc/scripts/webproxy new file mode 100644 index 00000000000..cee2d29fd14 --- /dev/null +++ b/usr.bin/nc/scripts/webproxy @@ -0,0 +1,138 @@ +#! /bin/sh +## Web proxy, following the grand tradition of Web things being handled by +## gross scripts. Uses netcat to listen on a high port [default 8000], +## picks apart requests and sends them on to the right place. Point this +## at the browser client machine you'll be coming from [to limit access to +## only it], and point the browser's concept of an HTTP proxy to the +## machine running this. Takes a single argument of the client that will +## be using it, and rejects connections from elsewhere. LOGS the queries +## to a configurable logfile, which can be an interesting read later on! +## If the argument is "reset", the listener and logfile are cleaned up. +## +## This works surprisingly fast and well, for a shell script, although may +## randomly fail when hammered by a browser that tries to open several +## connections at once. Drop the "maximum connections" in your browser if +## this is a problem. +## +## A more degenerate case of this, or preferably a small C program that +## does the same thing under inetd, could handle a small site's worth of +## proxy queries. Given the way browsers are evolving, proxies like this +## can play an important role in protecting your own privacy. +## +## If you grabbed this in ASCII mode, search down for "eew" and make sure +## the embedded-CR check is intact, or requests might hang. +## +## Doesn't handle POST forms. Who cares, if you're just watching HTTV? +## Dumbness here has a highly desirable side effect: it only sends the first +## GET line, since that's all you really ever need to send, and suppresses +## the other somewhat revealing trash that most browsers insist on sending. + +# set these as you wish: proxy port... +PORT=8000 +# logfile spec: a real file or /dev/null if you don't care +LFILE=${0}.log +# optional: where to dump connect info, so you can see if anything went wrong +# CFILE=${0}.conn +# optional extra args to the listener "nc", for instance "-s inside-net-addr" +# XNC='' + +# functionality switch has to be done fast, so the next listener can start +# prelaunch check: if no current client and no args, bail. +case "${1}${CLIENT}" in + "") + echo needs client hostname + exit 1 + ;; +esac + +case "${1}" in + "") +# Make like inetd, and run the next relayer process NOW. All the redirection +# is necessary so this shell has NO remaining channel open to the net. +# This will hang around for 10 minutes, and exit if no new connections arrive. +# Using -n for speed, avoiding any DNS/port lookups. + nc -w 600 -n -l -p $PORT -e "$0" $XNC "$CLIENT" < /dev/null > /dev/null \ + 2> $CFILE & + ;; +esac + +# no client yet and had an arg, this checking can be much slower now +umask 077 + +if test "$1" ; then +# if magic arg, just clean up and then hit our own port to cause server exit + if test "$1" = "reset" ; then + rm -f $LFILE + test -f "$CFILE" && rm -f $CFILE + nc -w 1 -n 127.0.0.1 $PORT < /dev/null > /dev/null 2>&1 + exit 0 + fi +# find our ass with both hands + test ! -f "$0" && echo "Oops, cannot find my own corporeal being" && exit 1 +# correct launch: set up client access control, passed along thru environment. + CLIENT="$1" + export CLIENT + test "$CFILE" || CFILE=/dev/null + export CFILE + touch "$CFILE" +# tell us what happened during the last run, if possible + if test -f "$CFILE" ; then + echo "Last connection results:" + cat $CFILE + fi + +# ping client machine and get its bare IP address + CLIENT=`nc -z -v -w 8 "$1" 22000 2>&1 | sed 's/.*\[\(..*\)\].*/\1/'` + test ! "$CLIENT" && echo "Can't find address of $1" && exit 1 + +# if this was an initial launch, be informative about it + echo "=== Launch: $CLIENT" >> $LFILE + echo "Proxy running -- will accept connections on $PORT from $CLIENT" + echo " Logging queries to $LFILE" + test -f "$CFILE" && echo " and connection fuckups to $CFILE" + +# and run the first listener, showing us output just for the first hit + nc -v -w 600 -n -l -p $PORT -e "$0" $XNC "$CLIENT" & + exit 0 +fi + +# Fall here to handle a page. +# GET type://host.name:80/file/path HTTP/1.0 +# Additional: trash +# More: trash +# <newline> + +read x1 x2 x3 x4 +echo "=== query: $x1 $x2 $x3 $x4" >> $LFILE +test "$x4" && echo "extra junk after request: $x4" && exit 0 +# nuke questionable characters and split up the request +hurl=`echo "$x2" | sed -e "s+.*//++" -e 's+[\`'\''|$;<>{}\\!*()"]++g'` +# echo massaged hurl: $hurl >> $LFILE +hh=`echo "$hurl" | sed -e "s+/.*++" -e "s+:.*++"` +hp=`echo "$hurl" | sed -e "s+.*:++" -e "s+/.*++"` +test "$hp" = "$hh" && hp=80 +hf=`echo "$hurl" | sed -e "s+[^/]*++"` +# echo total split: $hh : $hp : $hf >> $LFILE +# suck in and log the entire request, because we're curious +# Fails on multipart stuff like forms; oh well... +if test "$x3" ; then + while read xx ; do + echo "${xx}" >> $LFILE + test "${xx}" || break +# eew, buried returns, gross but necessary for DOS stupidity: + test "${xx}" = "
" && break + done +fi +# check for non-GET *after* we log the query... +test "$x1" != "GET" && echo "sorry, this proxy only does GETs" && exit 0 +# no, you can *not* phone home, you miserable piece of shit +test "`echo $hh | fgrep -i netscap`" && \ + echo "access to Netscam's servers <b>DENIED.</b>" && exit 0 +# Do it. 30 sec net-wait time oughta be *plenty*... +# Some braindead servers have forgotten how to handle the simple-query syntax. +# If necessary, replace below with (echo "$x1 $hf" ; echo '') | nc... +echo "$x1 $hf" | nc -w 30 "$hh" "$hp" 2> /dev/null || \ + echo "oops, can't get to $hh : $hp". +echo "sent \"$x1 $hf\" to $hh : $hp" >> $LFILE +exit 0 + diff --git a/usr.bin/nc/scripts/webrelay b/usr.bin/nc/scripts/webrelay new file mode 100644 index 00000000000..829a8b07081 --- /dev/null +++ b/usr.bin/nc/scripts/webrelay @@ -0,0 +1,44 @@ +#! /bin/sh +## web relay -- a degenerate version of webproxy, usable with browsers that +## don't understand proxies. This just forwards connections to a given server. +## No query logging, no access control [although you can add it to XNC for +## your own run], and full-URL links will undoubtedly confuse the browser +## if it can't reach the server directly. This was actually written before +## the full proxy was, and it shows. +## The arguments in this case are the destination server and optional port. +## Please flame pinheads who use self-referential absolute links. + +# set these as you wish: proxy port... +PORT=8000 +# any extra args to the listening "nc", for instance "-s inside-net-addr" +XNC='' + +# functionality switch, which has to be done fast to start the next listener +case "${1}${RDEST}" in + "") + echo needs hostname + exit 1 + ;; +esac + +case "${1}" in + "") +# no args: fire off new relayer process NOW. Will hang around for 10 minutes + nc -w 600 -l -n -p $PORT -e "$0" $XNC < /dev/null > /dev/null 2>&1 & +# and handle this request, which will simply fail if vars not set yet. + exec nc -w 15 $RDEST $RPORT + ;; +esac + +# Fall here for setup; this can now be slower. +RDEST="$1" +RPORT="$2" +test "$RPORT" || RPORT=80 +export RDEST RPORT + +# Launch the first relayer same as above, but let its error msgs show up +# will hang around for a minute, and exit if no new connections arrive. +nc -v -w 600 -l -p $PORT -e "$0" $XNC < /dev/null > /dev/null & +echo \ + "Relay to ${RDEST}:${RPORT} running -- point your browser here on port $PORT" +exit 0 diff --git a/usr.bin/nc/scripts/websearch b/usr.bin/nc/scripts/websearch new file mode 100644 index 00000000000..60c3a3356a7 --- /dev/null +++ b/usr.bin/nc/scripts/websearch @@ -0,0 +1,77 @@ +#! /bin/sh +## Hit the major search engines. Hose the [large] output to a file! +## autoconverts multiple arguments into the right format for given servers -- +## usually worda+wordb, with certain lame exceptions like dejanews. +## Extracting and post-sorting the URLs is highly recommended... +## +## Altavista currently handled by a separate script; may merge at some point. +## +## _H* original 950824, updated 951218 and 960209 + +test "${1}" = "" && echo 'Needs argument[s] to search for!' && exit 1 +PLUSARG="`echo $* | sed 's/ /+/g'`" +PIPEARG="`echo ${PLUSARG} | sed 's/+/|/g'`" +IFILE=/tmp/.webq.$$ + +# Don't have "nc"? Get "netcat" from avian.org and add it to your toolkit. +doquery () { + echo GET "$1" | nc -v -i 1 -w 30 "$2" "$3" +} + +# changed since original: now supplying port numbers and separator lines... + +echo "=== Yahoo ===" +doquery "/bin/search?p=${PLUSARG}&n=300&w=w&s=a" search.yahoo.com 80 + +echo '' ; echo "=== Webcrawler ===" +doquery "/cgi-bin/WebQuery?searchText=${PLUSARG}&maxHits=300" webcrawler.com 80 + +# the infoseek lamers want "registration" before they do a real search, but... +echo '' ; echo "=== Infoseek ===" +echo " is broken." +# doquery "WW/IS/Titles?qt=${PLUSARG}" www2.infoseek.com 80 +# ... which doesn't work cuz their lame server wants the extra newlines, WITH +# CRLF pairs ferkrissake. Fuck 'em for now, they're hopelessly broken. If +# you want to play, the basic idea and query formats follow. +# echo "GET /WW/IS/Titles?qt=${PLUSARG}" > $IFILE +# echo "" >> $IFILE +# nc -v -w 30 guide-p.infoseek.com 80 < $IFILE + +# this is kinda flakey; might have to do twice?? +echo '' ; echo "=== Opentext ===" +doquery "/omw/simplesearch?SearchFor=${PLUSARG}&mode=phrase" \ + search.opentext.com 80 + +# looks like inktomi will only take hits=100, or defaults back to 30 +# we try to suppress all the stupid rating dots here, too +echo '' ; echo "=== Inktomi ===" +doquery "/query/?query=${PLUSARG}&hits=100" ink3.cs.berkeley.edu 1234 | \ + sed '/^<IMG ALT.*inktomi.*\.gif">$/d' + +#djnews lame shit limits hits to 120 and has nonstandard format +echo '' ; echo "=== Dejanews ===" +doquery "/cgi-bin/nph-dnquery?query=${PIPEARG}+maxhits=110+format=terse+defaultOp=AND" \ + smithers.dejanews.com 80 + +# OLD lycos: used to work until they fucking BROKE it... +# doquery "/cgi-bin/pursuit?query=${PLUSARG}&maxhits=300&terse=1" \ +# query5.lycos.cs.cmu.edu 80 +# NEW lycos: wants the User-agent field present in query or it returns nothing +# 960206: webmaster@lycos duly bitched at +# 960208: reply received; here's how we will now handle it: +echo \ +"GET /cgi-bin/pursuit?query=${PLUSARG}&maxhits=300&terse=terse&matchmode=and&minscore=.5 HTTP/1.x" \ + > $IFILE +echo "User-agent: *FUCK OFF*" >> $IFILE +echo "Why: go ask todd@pointcom.com (Todd Whitney)" >> $IFILE +echo '' >> $IFILE +echo '' ; echo "=== Lycos ===" +nc -v -i 1 -w 30 twelve.srv.lycos.com 80 < $IFILE + +rm -f $IFILE +exit 0 + +# CURRENTLY BROKEN [?] +# infoseek + +# some args need to be redone to ensure whatever "and" mode applies |