summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTheo de Raadt <deraadt@cvs.openbsd.org>1996-09-05 08:55:44 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>1996-09-05 08:55:44 +0000
commit74ce25b78fd53d753084ef14b2234bc105a4a983 (patch)
tree2cffc06e2eb76342240043e73120bb5451145124
parente70074aa65073a222e5a14ec65e7c499c313ba3d (diff)
nc is *hobbit*'s netcat; let the sysadm have the same tools the crackers
have, so that he may learn what the network is about and protect it better.
-rw-r--r--usr.bin/Makefile5
-rw-r--r--usr.bin/nc/Makefile8
-rw-r--r--usr.bin/nc/README946
-rw-r--r--usr.bin/nc/data/Makefile10
-rw-r--r--usr.bin/nc/data/README9
-rw-r--r--usr.bin/nc/data/data.c274
-rw-r--r--usr.bin/nc/data/dns-any.d36
-rw-r--r--usr.bin/nc/data/nfs-0.d59
-rw-r--r--usr.bin/nc/data/pm.d8
-rw-r--r--usr.bin/nc/data/pmap-dump.d60
-rw-r--r--usr.bin/nc/data/pmap-mnt.d78
-rw-r--r--usr.bin/nc/data/rip.d52
-rw-r--r--usr.bin/nc/data/rservice.c68
-rw-r--r--usr.bin/nc/data/showmount.d63
-rw-r--r--usr.bin/nc/data/xor.c92
-rw-r--r--usr.bin/nc/generic.h377
-rw-r--r--usr.bin/nc/nc.1213
-rw-r--r--usr.bin/nc/netcat.blurb61
-rw-r--r--usr.bin/nc/netcat.c1668
-rw-r--r--usr.bin/nc/scripts/README5
-rw-r--r--usr.bin/nc/scripts/alta33
-rw-r--r--usr.bin/nc/scripts/bsh29
-rw-r--r--usr.bin/nc/scripts/dist.sh23
-rw-r--r--usr.bin/nc/scripts/irc79
-rw-r--r--usr.bin/nc/scripts/iscan35
-rw-r--r--usr.bin/nc/scripts/ncp46
-rw-r--r--usr.bin/nc/scripts/probe50
-rw-r--r--usr.bin/nc/scripts/web148
-rw-r--r--usr.bin/nc/scripts/webproxy138
-rw-r--r--usr.bin/nc/scripts/webrelay44
-rw-r--r--usr.bin/nc/scripts/websearch77
31 files changed, 4792 insertions, 2 deletions
diff --git a/usr.bin/Makefile b/usr.bin/Makefile
index add18a3f091..af84a9ea8de 100644
--- a/usr.bin/Makefile
+++ b/usr.bin/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.24 1996/09/04 22:52:05 deraadt Exp $
+# $OpenBSD: Makefile,v 1.25 1996/09/05 08:55:23 deraadt Exp $
# $NetBSD: Makefile,v 1.62 1996/03/10 05:45:43 thorpej Exp $
# from: @(#)Makefile 5.8.1.1 (Berkeley) 5/8/91
@@ -11,7 +11,8 @@ SUBDIR= apply apropos arch asa at awk banner basename bdes biff cal calendar \
fsplit fstat ftp gencat getconf getopt head hexdump id indent \
info_mkdb ipcrm ipcs join jot kdump ktrace lam last lastcomm leave \
less lex lndir locate lock logger login logname look lorder m4 machine \
- mail make man mesg mkdep mkfifo mkstr modstat msgs netstat newsyslog \
+ mail make man mesg mkdep mkfifo mkstr modstat msgs nc \
+ netstat newsyslog \
nfsstat nice nohup oldrdist pagesize passwd paste patch pr printenv \
printf quota rdist rdistd renice rev rlogin rpcgen rpcinfo rs \
rsh rup ruptime rusers rwall rwho \
diff --git a/usr.bin/nc/Makefile b/usr.bin/nc/Makefile
new file mode 100644
index 00000000000..9170bcaba93
--- /dev/null
+++ b/usr.bin/nc/Makefile
@@ -0,0 +1,8 @@
+# $OpenBSD: Makefile,v 1.1 1996/09/05 08:55:31 deraadt Exp $
+# $NetBSD: Makefile,v 1.11 1995/10/03 21:42:34 thorpej Exp $
+
+CFLAGS+= -DTELNET
+PROG= nc
+SRCS= netcat.c
+
+.include <bsd.prog.mk>
diff --git a/usr.bin/nc/README b/usr.bin/nc/README
new file mode 100644
index 00000000000..4235bc41acf
--- /dev/null
+++ b/usr.bin/nc/README
@@ -0,0 +1,946 @@
+Netcat 1.10
+=========== /\_/\
+ / 0 0 \
+Netcat is a simple Unix utility which reads and writes data ====v====
+across network connections, using TCP or UDP protocol. \ W /
+It is designed to be a reliable "back-end" tool that can | | _
+be used directly or easily driven by other programs and / ___ \ /
+scripts. At the same time, it is a feature-rich network / / \ \ |
+debugging and exploration tool, since it can create almost (((-----)))-'
+any kind of connection you would need and has several /
+interesting built-in capabilities. Netcat, or "nc" as the ( ___
+actual program is named, should have been supplied long ago \__.=|___E
+as another one of those cryptic but standard Unix tools. /
+
+In the simplest usage, "nc host port" creates a TCP connection to the given
+port on the given target host. Your standard input is then sent to the host,
+and anything that comes back across the connection is sent to your standard
+output. This continues indefinitely, until the network side of the connection
+shuts down. Note that this behavior is different from most other applications
+which shut everything down and exit after an end-of-file on the standard input.
+
+Netcat can also function as a server, by listening for inbound connections
+on arbitrary ports and then doing the same reading and writing. With minor
+limitations, netcat doesn't really care if it runs in "client" or "server"
+mode -- it still shovels data back and forth until there isn't any more left.
+In either mode, shutdown can be forced after a configurable time of inactivity
+on the network side.
+
+And it can do this via UDP too, so netcat is possibly the "udp telnet-like"
+application you always wanted for testing your UDP-mode servers. UDP, as the
+"U" implies, gives less reliable data transmission than TCP connections and
+some systems may have trouble sending large amounts of data that way, but it's
+still a useful capability to have.
+
+You may be asking "why not just use telnet to connect to arbitrary ports?"
+Valid question, and here are some reasons. Telnet has the "standard input
+EOF" problem, so one must introduce calculated delays in driving scripts to
+allow network output to finish. This is the main reason netcat stays running
+until the *network* side closes. Telnet also will not transfer arbitrary
+binary data, because certain characters are interpreted as telnet options and
+are thus removed from the data stream. Telnet also emits some of its
+diagnostic messages to standard output, where netcat keeps such things
+religiously separated from its *output* and will never modify any of the real
+data in transit unless you *really* want it to. And of course telnet is
+incapable of listening for inbound connections, or using UDP instead. Netcat
+doesn't have any of these limitations, is much smaller and faster than telnet,
+and has many other advantages.
+
+Some of netcat's major features are:
+
+ Outbound or inbound connections, TCP or UDP, to or from any ports
+ Full DNS forward/reverse checking, with appropriate warnings
+ Ability to use any local source port
+ Ability to use any locally-configured network source address
+ Built-in port-scanning capabilities, with randomizer
+ Built-in loose source-routing capability
+ Can read command line arguments from standard input
+ Slow-send mode, one line every N seconds
+ Hex dump of transmitted and received data
+ Optional ability to let another program service established connections
+ Optional telnet-options responder
+
+Efforts have been made to have netcat "do the right thing" in all its various
+modes. If you believe that it is doing the wrong thing under whatever
+circumstances, please notify me and tell me how you think it should behave.
+If netcat is not able to do some task you think up, minor tweaks to the code
+will probably fix that. It provides a basic and easily-modified template for
+writing other network applications, and I certainly encourage people to make
+custom mods and send in any improvements they make to it. This is the second
+release; the overall differences from 1.00 are relatively minor and have mostly
+to do with portability and bugfixes. Many people provided greatly appreciated
+fixes and comments on the 1.00 release. Continued feedback from the Internet
+community is always welcome!
+
+Netcat is entirely my own creation, although plenty of other code was used as
+examples. It is freely given away to the Internet community in the hope that
+it will be useful, with no restrictions except giving credit where it is due.
+No GPLs, Berkeley copyrights or any of that nonsense. The author assumes NO
+responsibility for how anyone uses it. If netcat makes you rich somehow and
+you're feeling generous, mail me a check. If you are affiliated in any way
+with Microsoft Network, get a life. Always ski in control. Comments,
+questions, and patches to hobbit@avian.org.
+
+Building
+========
+
+Compiling is fairly straightforward. Examine the Makefile for a SYSTYPE that
+matches yours, and do "make <systype>". The executable "nc" should appear.
+If there is no relevant SYSTYPE section, try "generic". If you create new
+sections for generic.h and Makefile to support another platform, please follow
+the given format and mail back the diffs.
+
+There are a couple of other settable #defines in netcat.c, which you can
+include as DFLAGS="-DTHIS -DTHAT" to your "make" invocation without having to
+edit the Makefile. See the following discussions for what they are and do.
+
+If you want to link against the resolver library on SunOS [recommended] and
+you have BIND 4.9.x, you may need to change XLIBS=-lresolv in the Makefile to
+XLIBS="-lresolv -l44bsd".
+
+Linux sys/time.h does not really support presetting of FD_SETSIZE; a harmless
+warning is issued.
+
+Some systems may warn about pointer types for signal(). No problem, though.
+
+Exploration of features
+=======================
+
+Where to begin? Netcat is at the same time so simple and versatile, it's like
+trying to describe everything you can do with your Swiss Army knife. This will
+go over the basics; you should also read the usage examples and notes later on
+which may give you even more ideas about what this sort of tool is good for.
+
+If no command arguments are given at all, netcat asks for them, reads a line
+from standard input, and breaks it up into arguments internally. This can be
+useful when driving netcat from certain types of scripts, with the side effect
+of hiding your command line arguments from "ps" displays.
+
+The host argument can be a name or IP address. If -n is specified, netcat
+will only accept numeric IP addresses and do no DNS lookups for anything. If
+-n is not given and -v is turned on, netcat will do a full forward and reverse
+name and address lookup for the host, and warn you about the all-too-common
+problem of mismatched names in the DNS. This often takes a little longer for
+connection setup, but is useful to know about. There are circumstances under
+which this can *save* time, such as when you want to know the name for some IP
+address and also connect there. Netcat will just tell you all about it, saving
+the manual steps of looking up the hostname yourself. Normally mismatch-
+checking is case-insensitive per the DNS spec, but you can define ANAL at
+compile time to make it case-sensitive -- sometimes useful for uncovering minor
+errors in your own DNS files while poking around your networks.
+
+A port argument is required for outbound connections, and can be numeric or a
+name as listed in /etc/services. If -n is specified, only numeric arguments
+are valid. Special syntax and/or more than one port argument cause different
+behavior -- see details below about port-scanning.
+
+The -v switch controls the verbosity level of messages sent to standard error.
+You will probably want to run netcat most of the time with -v turned on, so you
+can see info about the connections it is trying to make. You will probably
+also want to give a smallish -w argument, which limits the time spent trying to
+make a connection. I usually alias "nc" to "nc -v -w 3", which makes it
+function just about the same for things I would otherwise use telnet to do.
+The timeout is easily changed by a subsequent -w argument which overrides the
+earlier one. Specifying -v more than once makes diagnostic output MORE
+verbose. If -v is not specified at all, netcat silently does its work unless
+some error happens, whereupon it describes the error and exits with a nonzero
+status. Refused network connections are generally NOT considered to be errors,
+unless you only asked for a single TCP port and it was refused.
+
+Note that -w also sets the network inactivity timeout. This does not have any
+effect until standard input closes, but then if nothing further arrives from
+the network in the next <timeout> seconds, netcat tries to read the net once
+more for good measure, and then closes and exits. There are a lot of network
+services now that accept a small amount of input and return a large amount of
+output, such as Gopher and Web servers, which is the main reason netcat was
+written to "block" on the network staying open rather than standard input.
+Handling the timeout this way gives uniform behavior with network servers that
+*don't* close by themselves until told to.
+
+UDP connections are opened instead of TCP when -u is specified. These aren't
+really "connections" per se since UDP is a connectionless protocol, although
+netcat does internally use the "connected UDP socket" mechanism that most
+kernels support. Although netcat claims that an outgoing UDP connection is
+"open" immediately, no data is sent until something is read from standard
+input. Only thereafter is it possible to determine whether there really is a
+UDP server on the other end, and often you just can't tell. Most UDP protocols
+use timeouts and retries to do their thing and in many cases won't bother
+answering at all, so you should specify a timeout and hope for the best. You
+will get more out of UDP connections if standard input is fed from a source
+of data that looks like various kinds of server requests.
+
+To obtain a hex dump file of the data sent either way, use "-o logfile". The
+dump lines begin with "<" or ">" to respectively indicate "from the net" or
+"to the net", and contain the total count per direction, and hex and ascii
+representations of the traffic. Capturing a hex dump naturally slows netcat
+down a bit, so don't use it where speed is critical.
+
+Netcat can bind to any local port, subject to privilege restrictions and ports
+that are already in use. It is also possible to use a specific local network
+source address if it is that of a network interface on your machine. [Note:
+this does not work correctly on all platforms.] Use "-p portarg" to grab a
+specific local port, and "-s ip-addr" or "-s name" to have that be your source
+IP address. This is often referred to as "anchoring the socket". Root users
+can grab any unused source port including the "reserved" ones less than 1024.
+Absence of -p will bind to whatever unused port the system gives you, just like
+any other normal client connection, unless you use -r [see below].
+
+Listen mode will cause netcat to wait for an inbound connection, and then the
+same data transfer happens. Thus, you can do "nc -l -p 1234 < filename" and
+when someone else connects to your port 1234, the file is sent to them whether
+they wanted it or not. Listen mode is generally used along with a local port
+argument -- this is required for UDP mode, while TCP mode can have the system
+assign one and tell you what it is if -v is turned on. If you specify a target
+host and optional port in listen mode, netcat will accept an inbound connection
+only from that host and if you specify one, only from that foreign source port.
+In verbose mode you'll be informed about the inbound connection, including what
+address and port it came from, and since listening on "any" applies to several
+possibilities, which address it came *to* on your end. If the system supports
+IP socket options, netcat will attempt to retrieve any such options from an
+inbound connection and print them out in hex.
+
+If netcat is compiled with -DGAPING_SECURITY_HOLE, the -e argument specifies
+a program to exec after making or receiving a successful connection. In the
+listening mode, this works similarly to "inetd" but only for a single instance.
+Use with GREAT CARE. This piece of the code is normally not enabled; if you
+know what you're doing, have fun. This hack also works in UDP mode. Note that
+you can only supply -e with the name of the program, but no arguments. If you
+want to launch something with an argument list, write a two-line wrapper script
+or just use inetd like always.
+
+If netcat is compiled with -DTELNET, the -t argument enables it to respond
+to telnet option negotiation [always in the negative, i.e. DONT or WONT].
+This allows it to connect to a telnetd and get past the initial negotiation
+far enough to get a login prompt from the server. Since this feature has
+the potential to modify the data stream, it is not enabled by default. You
+have to understand why you might need this and turn on the #define yourself.
+
+Data from the network connection is always delivered to standard output as
+efficiently as possible, using large 8K reads and writes. Standard input is
+normally sent to the net the same way, but the -i switch specifies an "interval
+time" which slows this down considerably. Standard input is still read in
+large batches, but netcat then tries to find where line breaks exist and sends
+one line every interval time. Note that if standard input is a terminal, data
+is already read line by line, so unless you make the -i interval rather long,
+what you type will go out at a fairly normal rate. -i is really designed
+for use when you want to "measure out" what is read from files or pipes.
+
+Port-scanning is a popular method for exploring what's out there. Netcat
+accepts its commands with options first, then the target host, and everything
+thereafter is interpreted as port names or numbers, or ranges of ports in M-N
+syntax. CAVEAT: some port names in /etc/services contain hyphens -- netcat
+currently will not correctly parse those, so specify ranges using numbers if
+you can. If more than one port is thus specified, netcat connects to *all* of
+them, sending the same batch of data from standard input [up to 8K worth] to
+each one that is successfully connected to. Specifying multiple ports also
+suppresses diagnostic messages about refused connections, unless -v is
+specified twice for "more verbosity". This way you normally get notified only
+about genuinely open connections. Example: "nc -v -w 2 -z target 20-30" will
+try connecting to every port between 20 and 30 [inclusive] at the target, and
+will likely inform you about an FTP server, telnet server, and mailer along the
+way. The -z switch prevents sending any data to a TCP connection and very
+limited probe data to a UDP connection, and is thus useful as a fast scanning
+mode just to see what ports the target is listening on. To limit scanning
+speed if desired, -i will insert a delay between each port probe. There are
+some pitfalls with regard to UDP scanning, described later, but in general it
+works well.
+
+For each range of ports specified, scanning is normally done downward within
+that range. If the -r switch is used, scanning hops randomly around within
+that range and reports open ports as it finds them. [If you want them listed
+in order regardless, pipe standard error through "sort"...] In addition, if
+random mode is in effect, the local source ports are also randomized. This
+prevents netcat from exhibiting any kind of regular pattern in its scanning.
+You can exert fairly fine control over your scan by judicious use of -r and
+selected port ranges to cover. If you use -r for a single connection, the
+source port will have a random value above 8192, rather than the next one the
+kernel would have assigned you. Note that selecting a specific local port
+with -p overrides any local-port randomization.
+
+Many people are interested in testing network connectivity using IP source
+routing, even if it's only to make sure their own firewalls are blocking
+source-routed packets. On systems that support it, the -g switch can be used
+multiple times [up to 8] to construct a loose-source-routed path for your
+connection, and the -G argument positions the "hop pointer" within the list.
+If your network allows source-routed traffic in and out, you can test
+connectivity to your own services via remote points in the internet. Note that
+although newer BSD-flavor telnets also have source-routing capability, it isn't
+clearly documented and the command syntax is somewhat clumsy. Netcat's
+handling of "-g" is modeled after "traceroute".
+
+Netcat tries its best to behave just like "cat". It currently does nothing to
+terminal input modes, and does no end-of-line conversion. Standard input from
+a terminal is read line by line with normal editing characters in effect. You
+can freely suspend out of an interactive connection and resume. ^C or whatever
+your interrupt character is will make netcat close the network connection and
+exit. A switch to place the terminal in raw mode has been considered, but so
+far has not been necessary. You can send raw binary data by reading it out of
+a file or piping from another program, so more meaningful effort would be spent
+writing an appropriate front-end driver.
+
+Netcat is not an "arbitrary packet generator", but the ability to talk to raw
+sockets and/or nit/bpf/dlpi may appear at some point. Such things are clearly
+useful; I refer you to Darren Reed's excellent ip_filter package, which now
+includes a tool to construct and send raw packets with any contents you want.
+
+Example uses -- the light side
+==============================
+
+Again, this is a very partial list of possibilities, but it may get you to
+think up more applications for netcat. Driving netcat with simple shell or
+expect scripts is an easy and flexible way to do fairly complex tasks,
+especially if you're not into coding network tools in C. My coding isn't
+particularly strong either [although undoubtedly better after writing this
+thing!], so I tend to construct bare-metal tools like this that I can trivially
+plug into other applications. Netcat doubles as a teaching tool -- one can
+learn a great deal about more complex network protocols by trying to simulate
+them through raw connections!
+
+An example of netcat as a backend for something else is the shell-script
+Web browser, which simply asks for the relevant parts of a URL and pipes
+"GET /what/ever" into a netcat connection to the server. I used to do this
+with telnet, and had to use calculated sleep times and other stupidity to
+kludge around telnet's limitations. Netcat guarantees that I get the whole
+page, and since it transfers all the data unmodified, I can even pull down
+binary image files and display them elsewhere later. Some folks may find the
+idea of a shell-script web browser silly and strange, but it starts up and
+gets me my info a hell of a lot faster than a GUI browser and doesn't hide
+any contents of links and forms and such. This is included, as scripts/web,
+along with several other web-related examples.
+
+Netcat is an obvious replacement for telnet as a tool for talking to daemons.
+For example, it is easier to type "nc host 25", talk to someone's mailer, and
+just ^C out than having to type ^]c or QUIT as telnet would require you to do.
+You can quickly catalog the services on your network by telling netcat to
+connect to well-known services and collect greetings, or at least scan for open
+ports. You'll probably want to collect netcat's diagnostic messages in your
+output files, so be sure to include standard error in the output using
+`>& file' in *csh or `> file 2>&1' in bourne shell.
+
+A scanning example: "echo QUIT | nc -v -w 5 target 20-250 500-600 5990-7000"
+will inform you about a target's various well-known TCP servers, including
+r-services, X, IRC, and maybe a few you didn't expect. Sending in QUIT and
+using the timeout will almost guarantee that you see some kind of greeting or
+error from each service, which usually indicates what it is and what version.
+[Beware of the "chargen" port, though...] SATAN uses exactly this technique to
+collect host information, and indeed some of the ideas herein were taken from
+the SATAN backend tools. If you script this up to try every host in your
+subnet space and just let it run, you will not only see all the services,
+you'll find out about hosts that aren't correctly listed in your DNS. Then you
+can compare new snapshots against old snapshots to see changes. For going
+after particular services, a more intrusive example is in scripts/probe.
+
+Netcat can be used as a simple data transfer agent, and it doesn't really
+matter which end is the listener and which end is the client -- input at one
+side arrives at the other side as output. It is helpful to start the listener
+at the receiving side with no timeout specified, and then give the sending side
+a small timeout. That way the listener stays listening until you contact it,
+and after data stops flowing the client will time out, shut down, and take the
+listener with it. Unless the intervening network is fraught with problems,
+this should be completely reliable, and you can always increase the timeout. A
+typical example of something "rsh" is often used for: on one side,
+
+ nc -l -p 1234 | uncompress -c | tar xvfp -
+
+and then on the other side
+
+ tar cfp - /some/dir | compress -c | nc -w 3 othermachine 1234
+
+will transfer the contents of a directory from one machine to another, without
+having to worry about .rhosts files, user accounts, or inetd configurations
+at either end. Again, it matters not which is the listener or receiver; the
+"tarring" machine could just as easily be running the listener instead. One
+could conceivably use a scheme like this for backups, by having cron-jobs fire
+up listeners and backup handlers [which can be restricted to specific addresses
+and ports between each other] and pipe "dump" or "tar" on one machine to "dd
+of=/dev/tapedrive" on another as usual. Since netcat returns a nonzero exit
+status for a denied listener connection, scripts to handle such tasks could
+easily log and reject connect attempts from third parties, and then retry.
+
+Another simple data-transfer example: shipping things to a PC that doesn't have
+any network applications yet except a TCP stack and a web browser. Point the
+browser at an arbitrary port on a Unix server by telling it to download
+something like http://unixbox:4444/foo, and have a listener on the Unix side
+ready to ship out a file when the connect comes in. The browser may pervert
+binary data when told to save the URL, but you can dig the raw data out of
+the on-disk cache.
+
+If you build netcat with GAPING_SECURITY_HOLE defined, you can use it as an
+"inetd" substitute to test experimental network servers that would otherwise
+run under "inetd". A script or program will have its input and output hooked
+to the network the same way, perhaps sans some fancier signal handling. Given
+that most network services do not bind to a particular local address, whether
+they are under "inetd" or not, it is possible for netcat avoid the "address
+already in use" error by binding to a specific address. This lets you [as
+root, for low ports] place netcat "in the way" of a standard service, since
+inbound connections are generally sent to such specifically-bound listeners
+first and fall back to the ones bound to "any". This allows for a one-off
+experimental simulation of some service, without having to screw around with
+inetd.conf. Running with -v turned on and collecting a connection log from
+standard error is recommended.
+
+Netcat as well can make an outbound connection and then run a program or script
+on the originating end, with input and output connected to the same network
+port. This "inverse inetd" capability could enhance the backup-server concept
+described above or help facilitate things such as a "network dialback" concept.
+The possibilities are many and varied here; if such things are intended as
+security mechanisms, it may be best to modify netcat specifically for the
+purpose instead of wrapping such functions in scripts.
+
+Speaking of inetd, netcat will function perfectly well *under* inetd as a TCP
+connection redirector for inbound services, like a "plug-gw" without the
+authentication step. This is very useful for doing stuff like redirecting
+traffic through your firewall out to other places like web servers and mail
+hubs, while posing no risk to the firewall machine itself. Put netcat behind
+inetd and tcp_wrappers, perhaps thusly:
+
+ www stream tcp nowait nobody /etc/tcpd /bin/nc -w 3 realwww 80
+
+and you have a simple and effective "application relay" with access control
+and logging. Note use of the wait time as a "safety" in case realwww isn't
+reachable or the calling user aborts the connection -- otherwise the relay may
+hang there forever.
+
+You can use netcat to generate huge amounts of useless network data for
+various performance testing. For example, doing
+
+ yes AAAAAAAAAAAAAAAAAAAAAA | nc -v -v -l -p 2222 > /dev/null
+
+on one side and then hitting it with
+
+ yes BBBBBBBBBBBBBBBBBBBBBB | nc othermachine 2222 > /dev/null
+
+from another host will saturate your wires with A's and B's. The "very
+verbose" switch usage will tell you how many of each were sent and received
+after you interrupt either side. Using UDP mode produces tremendously MORE
+trash per unit time in the form of fragmented 8 Kbyte mobygrams -- enough to
+stress-test kernels and network interfaces. Firing random binary data into
+various network servers may help expose bugs in their input handling, which
+nowadays is a popular thing to explore. A simple example data-generator is
+given in data/data.c included in this package, along with a small collection
+of canned input files to generate various packet contents. This program is
+documented in its beginning comments, but of interest here is using "%r" to
+generate random bytes at well-chosen points in a data stream. If you can
+crash your daemon, you likely have a security problem.
+
+The hex dump feature may be useful for debugging odd network protocols,
+especially if you don't have any network monitoring equipment handy or aren't
+root where you'd need to run "tcpdump" or something. Bind a listening netcat
+to a local port, and have it run a script which in turn runs another netcat
+to the real service and captures the hex dump to a log file. This sets up a
+transparent relay between your local port and wherever the real service is.
+Be sure that the script-run netcat does *not* use -v, or the extra info it
+sends to standard error may confuse the protocol. Note also that you cannot
+have the "listen/exec" netcat do the data capture, since once the connection
+arrives it is no longer netcat that is running.
+
+Binding to an arbitrary local port allows you to simulate things like r-service
+clients, if you are root locally. For example, feeding "^@root^@joe^@pwd^@"
+[where ^@ is a null, and root/joe could be any other local/remote username
+pair] into a "rsh" or "rlogin" server, FROM your port 1023 for example,
+duplicates what the server expects to receive. Thus, you can test for insecure
+.rhosts files around your network without having to create new user accounts on
+your client machine. The program data/rservice.c can aid this process by
+constructing the "rcmd" protocol bytes. Doing this also prevents "rshd" from
+trying to create that separate standard-error socket and still gives you an
+input path, as opposed to the usual action of "rsh -n". Using netcat for
+things like this can be really useful sometimes, because rsh and rlogin
+generally want a host *name* as an argument and won't accept IP addresses. If
+your client-end DNS is hosed, as may be true when you're trying to extract
+backup sets on to a dumb client, "netcat -n" wins where normal rsh/rlogin is
+useless.
+
+If you are unsure that a remote syslogger is working, test it with netcat.
+Make a UDP connection to port 514 and type in "<0>message", which should
+correspond to "kern.emerg" and cause syslogd to scream into every file it has
+open [and possibly all over users' terminals]. You can tame this down by
+using a different number and use netcat inside routine scripts to send syslog
+messages to places that aren't configured in syslog.conf. For example,
+"echo '<38>message' | nc -w 1 -u loggerhost 514" should send to auth.notice
+on loggerhost. The exact number may vary; check against your syslog.h first.
+
+Netcat provides several ways for you to test your own packet filters. If you
+bind to a port normally protected against outside access and make a connection
+to somewhere outside your own network, the return traffic will be coming to
+your chosen port from the "outside" and should be blocked. TCP may get through
+if your filter passes all "ack syn", but it shouldn't be even doing that to low
+ports on your network. Remember to test with UDP traffic as well! If your
+filter passes at least outbound source-routed IP packets, bouncing a connection
+back to yourself via some gateway outside your network will create "incoming"
+traffic with your source address, which should get dropped by a correctly
+configured anti-spoofing filter. This is a "non-test" if you're also dropping
+source-routing, but it's good to be able to test for that too. Any packet
+filter worth its salt will be blocking source-routed packets in both
+directions, but you never know what interesting quirks you might turn up by
+playing around with source ports and addresses and watching the wires with a
+network monitor.
+
+You can use netcat to protect your own workstation's X server against outside
+access. X is stupid enough to listen for connections on "any" and never tell
+you when new connections arrive, which is one reason it is so vulnerable. Once
+you have all your various X windows up and running you can use netcat to bind
+just to your ethernet address and listen to port 6000. Any new connections
+from outside the machine will hit netcat instead your X server, and you get a
+log of who's trying. You can either tell netcat to drop the connection, or
+perhaps run another copy of itself to relay to your actual X server on
+"localhost". This may not work for dedicated X terminals, but it may be
+possible to authorize your X terminal only for its boot server, and run a relay
+netcat over on the server that will in turn talk to your X terminal. Since
+netcat only handles one listening connection per run, make sure that whatever
+way you rig it causes another one to run and listen on 6000 soon afterward, or
+your real X server will be reachable once again. A very minimal script just
+to protect yourself could be
+
+ while true ; do
+ nc -v -l -s <your-addr> -p 6000 localhost 2
+ done
+
+which causes netcat to accept and then close any inbound connection to your
+workstation's normal ethernet address, and another copy is immediately run by
+the script. Send standard error to a file for a log of connection attempts.
+If your system can't do the "specific bind" thing all is not lost; run your
+X server on display ":1" or port 6001, and netcat can still function as a probe
+alarm by listening on 6000.
+
+Does your shell-account provider allow personal Web pages, but not CGI scripts?
+You can have netcat listen on a particular port to execute a program or script
+of your choosing, and then just point to the port with a URL in your homepage.
+The listener could even exist on a completely different machine, avoiding the
+potential ire of the homepage-host administrators. Since the script will get
+the raw browser query as input it won't look like a typical CGI script, and
+since it's running under your UID you need to write it carefully. You may want
+to write a netcat-based script as a wrapper that reads a query and sets up
+environment variables for a regular CGI script. The possibilities for using
+netcat and scripts to handle Web stuff are almost endless. Again, see the
+examples under scripts/.
+
+Example uses -- the dark side
+=============================
+
+Equal time is deserved here, since a versatile tool like this can be useful
+to any Shade of Hat. I could use my Victorinox to either fix your car or
+disassemble it, right? You can clearly use something like netcat to attack
+or defend -- I don't try to govern anyone's social outlook, I just build tools.
+Regardless of your intentions, you should still be aware of these threats to
+your own systems.
+
+The first obvious thing is scanning someone *else's* network for vulnerable
+services. Files containing preconstructed data, be it exploratory or
+exploitive, can be fed in as standard input, including command-line arguments
+to netcat itself to keep "ps" ignorant of your doings. The more random the
+scanning, the less likelihood of detection by humans, scan-detectors, or
+dynamic filtering, and with -i you'll wait longer but avoid loading down the
+target's network. Some examples for crafting various standard UDP probes are
+given in data/*.d.
+
+Some configurations of packet filters attempt to solve the FTP-data problem by
+just allowing such connections from the outside. These come FROM port 20, TO
+high TCP ports inside -- if you locally bind to port 20, you may find yourself
+able to bypass filtering in some cases. Maybe not to low ports "inside", but
+perhaps to TCP NFS servers, X servers, Prospero, ciscos that listen on 200x
+and 400x... Similar bypassing may be possible for UDP [and maybe TCP too] if a
+connection comes from port 53; a filter may assume it's a nameserver response.
+
+Using -e in conjunction with binding to a specific address can enable "server
+takeover" by getting in ahead of the real ones, whereupon you can snarf data
+sent in and feed your own back out. At the very least you can log a hex dump
+of someone else's session. If you are root, you can certainly use -s and -e to
+run various hacked daemons without having to touch inetd.conf or the real
+daemons themselves. You may not always have the root access to deal with low
+ports, but what if you are on a machine that also happens to be an NFS server?
+You might be able to collect some interesting things from port 2049, including
+local file handles. There are several other servers that run on high ports
+that are likely candidates for takeover, including many of the RPC services on
+some platforms [yppasswdd, anyone?]. Kerberos tickets, X cookies, and IRC
+traffic also come to mind. RADIUS-based terminal servers connect incoming
+users to shell-account machines on a high port, usually 1642 or thereabouts.
+SOCKS servers run on 1080. Do "netstat -a" and get creative.
+
+There are some daemons that are well-written enough to bind separately to all
+the local interfaces, possibly with an eye toward heading off this sort of
+problem. Named from recent BIND releases, and NTP, are two that come to mind.
+Netstat will show these listening on address.53 instead of *.53. You won't
+be able to get in front of these on any of the real interface addresses, which
+of course is especially interesting in the case of named, but these servers
+sometimes forget about things like "alias" interface addresses or interfaces
+that appear later on such as dynamic PPP links. There are some hacked web
+servers and versions of "inetd" floating around that specifically bind as well,
+based on a configuration file -- these generally *are* bound to alias addresses
+to offer several different address-based services from one machine.
+
+Using -e to start a remote backdoor shell is another obvious sort of thing,
+easier than constructing a file for inetd to listen on "ingreslock" or
+something, and you can access-control it against other people by specifying a
+client host and port. Experience with this truly demonstrates how fragile the
+barrier between being "logged in" or not really is, and is further expressed by
+scripts/bsh. If you're already behind a firewall, it may be easier to make an
+*outbound* connection and then run a shell; a small wrapper script can
+periodically try connecting to a known place and port, you can later listen
+there until the inbound connection arrives, and there's your shell. Running
+a shell via UDP has several interesting features, although be aware that once
+"connected", the UDP stub sockets tend to show up in "netstat" just like TCP
+connections and may not be quite as subtle as you wanted. Packets may also be
+lost, so use TCP if you need reliable connections. But since UDP is
+connectionless, a hookup of this sort will stick around almost forever, even if
+you ^C out of netcat or do a reboot on your side, and you only need to remember
+the ports you used on both ends to reestablish. And outbound UDP-plus-exec
+connection creates the connected socket and starts the program immediately. On
+a listening UDP connection, the socket is created once a first packet is
+received. In either case, though, such a "connection" has the interesting side
+effect that only your client-side IP address and [chosen?] source port will
+thereafter be able to talk to it. Instant access control! A non-local third
+party would have to do ALL of the following to take over such a session:
+
+ forge UDP with your source address [trivial to do; see below]
+ guess the port numbers of BOTH ends, or sniff the wire for them
+ arrange to block ICMP or UDP return traffic between it and your real
+ source, so the session doesn't die with a network write error.
+
+The companion program data/rservice.c is helpful in scripting up any sort of
+r-service username or password guessing attack. The arguments to "rservice"
+are simply the strings that get null-terminated and passed over an "rcmd"-style
+connection, with the assumption that the client does not need a separate
+standard-error port. Brute-force password banging is best done via "rexec" if
+it is available since it is less likely to log failed attempts. Thus, doing
+"rservice joe joespass pwd | nc target exec" should return joe's home dir if
+the password is right, or "Permission denied." Plug in a dictionary and go to
+town. If you're attacking rsh/rlogin, remember to be root and bind to a port
+between 512 and 1023 on your end, and pipe in "rservice joe joe pwd" and such.
+
+Netcat can prevent inadvertently sending extra information over a telnet
+connection. Use "nc -t" in place of telnet, and daemons that try to ask for
+things like USER and TERM environment variables will get no useful answers, as
+they otherwise would from a more recent telnet program. Some telnetds actually
+try to collect this stuff and then plug the USER variable into "login" so that
+the caller is then just asked for a password! This mechanism could cause a
+login attempt as YOUR real username to be logged over there if you use a
+Borman-based telnet instead of "nc -t".
+
+Got an unused network interface configured in your kernel [e.g. SLIP], or
+support for alias addresses? Ifconfig one to be any address you like, and bind
+to it with -s to enable all sorts of shenanigans with bogus source addresses.
+The interface probably has to be UP before this works; some SLIP versions
+need a far-end address before this is true. Hammering on UDP services is then
+a no-brainer. What you can do to an unfiltered syslog daemon should be fairly
+obvious; trimming the conf file can help protect against it. Many routers out
+there still blindly believe what they receive via RIP and other routing
+protocols. Although most UDP echo and chargen servers check if an incoming
+packet was sent from *another* "internal" UDP server, there are many that still
+do not, any two of which [or many, for that matter] could keep each other
+entertained for hours at the expense of bandwidth. And you can always make
+someone wonder why she's being probed by nsa.gov.
+
+Your TCP spoofing possibilities are mostly limited to destinations you can
+source-route to while locally bound to your phony address. Many sites block
+source-routed packets these days for precisely this reason. If your kernel
+does oddball things when sending source-routed packets, try moving the pointer
+around with -G. You may also have to fiddle with the routing on your own
+machine before you start receiving packets back. Warning: some machines still
+send out traffic using the source address of the outbound interface, regardless
+of your binding, especially in the case of localhost. Check first. If you can
+open a connection but then get no data back from it, the target host is
+probably killing the IP options on its end [this is an option inside TCP
+wrappers and several other packages], which happens after the 3-way handshake
+is completed. If you send some data and observe the "send-q" side of "netstat"
+for that connection increasing but never getting sent, that's another symptom.
+Beware: if Sendmail 8.7.x detects a source-routed SMTP connection, it extracts
+the hop list and sticks it in the Received: header!
+
+SYN bombing [sometimes called "hosing"] can disable many TCP servers, and if
+you hit one often enough, you can keep it unreachable for days. As is true of
+many other denial-of-service attacks, there is currently no defense against it
+except maybe at the human level. Making kernel SOMAXCONN considerably larger
+than the default and the half-open timeout smaller can help, and indeed some
+people running large high-performance web servers have *had* to do that just to
+handle normal traffic. Taking out mailers and web servers is sociopathic, but
+on the other hand it is sometimes useful to be able to, say, disable a site's
+identd daemon for a few minutes. If someone realizes what is going on,
+backtracing will still be difficult since the packets have a phony source
+address, but calls to enough ISP NOCs might eventually pinpoint the source.
+It is also trivial for a clueful ISP to watch for or even block outgoing
+packets with obviously fake source addresses, but as we know many of them are
+not clueful or willing to get involved in such hassles. Besides, outbound
+packets with an [otherwise unreachable] source address in one of their net
+blocks would look fairly legitimate.
+
+Notes
+=====
+
+A discussion of various caveats, subtleties, and the design of the innards.
+
+As of version 1.07 you can construct a single file containing command arguments
+and then some data to transfer. Netcat is now smart enough to pick out the
+first line and build the argument list, and send any remaining data across the
+net to one or multiple ports. The first release of netcat had trouble with
+this -- it called fgets() for the command line argument, which behind the
+scenes does a large read() from standard input, perhaps 4096 bytes or so, and
+feeds that out to the fgets() library routine. By the time netcat 1.00 started
+directly read()ing stdin for more data, 4096 bytes of it were gone. It now
+uses raw read() everywhere and does the right thing whether reading from files,
+pipes, or ttys. If you use this for multiple-port connections, the single
+block of data will now be a maximum of 8K minus the first line. Improvements
+have been made to the logic in sending the saved chunk to each new port. Note
+that any command-line arguments hidden using this mechanism could still be
+extracted from a core dump.
+
+When netcat receives an inbound UDP connection, it creates a "connected socket"
+back to the source of the connection so that it can also send out data using
+normal write(). Using this mechanism instead of recvfrom/sendto has several
+advantages -- the read/write select loop is simplified, and ICMP errors can in
+effect be received by non-root users. However, it has the subtle side effect
+that if further UDP packets arrive from the caller but from different source
+ports, the listener will not receive them. UDP listen mode on a multihomed
+machine may have similar quirks unless you specifically bind to one of its
+addresses. It is not clear that kernel support for UDP connected sockets
+and/or my understanding of it is entirely complete here, so experiment...
+
+You should be aware of some subtleties concerning UDP scanning. If -z is on,
+netcat attempts to send a single null byte to the target port, twice, with a
+small time in between. You can either use the -w timeout, or netcat will try
+to make a "sideline" TCP connection to the target to introduce a small time
+delay equal to the round-trip time between you and the target. Note that if
+you have a -w timeout and -i timeout set, BOTH take effect and you wait twice
+as long. The TCP connection is to a normally refused port to minimize traffic,
+but if you notice a UDP fast-scan taking somewhat longer than it should, it
+could be that the target is actually listening on the TCP port. Either way,
+any ICMP port-unreachable messages from the target should have arrived in the
+meantime. The second single-byte UDP probe is then sent. Under BSD kernels,
+the ICMP error is delivered to the "connected socket" and the second write
+returns an error, which tells netcat that there is NOT a UDP service there.
+While Linux seems to be a fortunate exception, under many SYSV derived kernels
+the ICMP is not delivered, and netcat starts reporting that *all* the ports are
+"open" -- clearly wrong. [Some systems may not even *have* the "udp connected
+socket" concept, and netcat in its current form will not work for UDP at all.]
+If -z is specified and only one UDP port is probed, netcat's exit status
+reflects whether the connection was "open" or "refused" as with TCP.
+
+It may also be that UDP packets are being blocked by filters with no ICMP error
+returns, in which case everything will time out and return "open". This all
+sounds backwards, but that's how UDP works. If you're not sure, try "echo
+w00gumz | nc -u -w 2 target 7" to see if you can reach its UDP echo port at
+all. You should have no trouble using a BSD-flavor system to scan for UDP
+around your own network, although flooding a target with the high activity that
+-z generates will cause it to occasionally drop packets and indicate false
+"opens". A more "correct" way to do this is collect and analyze the ICMP
+errors, as does SATAN's "udp_scan" backend, but then again there's no guarantee
+that the ICMP gets back to you either. Udp_scan also does the zero-byte
+probes but is excruciatingly careful to calculate its own round-trip timing
+average and dynamically set its own response timeouts along with decoding any
+ICMP received. Netcat uses a much sleazier method which is nonetheless quite
+effective. Cisco routers are known to have a "dead time" in between ICMP
+responses about unreachable UDP ports, so a fast scan of a cisco will show
+almost everything "open". If you are looking for a specific UDP service, you
+can construct a file containing the right bytes to trigger a response from the
+other end and send that as standard input. Netcat will read up to 8K of the
+file and send the same data to every UDP port given. Note that you must use a
+timeout in this case [as would any other UDP client application] since the
+two-write probe only happens if -z is specified.
+
+Many telnet servers insist on a specific set of option negotiations before
+presenting a login banner. On a raw connection you will see this as small
+amount of binary gook. My attempts to create fixed input bytes to make a
+telnetd happy worked some places but failed against newer BSD-flavor ones,
+possibly due to timing problems, but there are a couple of much better
+workarounds. First, compile with -DTELNET and use -t if you just want to get
+past the option negotiation and talk to something on a telnet port. You will
+still see the binary gook -- in fact you'll see a lot more of it as the options
+are responded to behind the scenes. The telnet responder does NOT update the
+total byte count, or show up in the hex dump -- it just responds negatively to
+any options read from the incoming data stream. If you want to use a normal
+full-blown telnet to get to something but also want some of netcat's features
+involved like settable ports or timeouts, construct a tiny "foo" script:
+
+ #! /bin/sh
+ exec nc -otheroptions targethost 23
+
+and then do
+
+ nc -l -p someport -e foo localhost &
+ telnet localhost someport
+
+and your telnet should connect transparently through the exec'ed netcat to
+the target, using whatever options you supplied in the "foo" script. Don't
+use -t inside the script, or you'll wind up sending *two* option responses.
+
+I've observed inconsistent behavior under some Linuxes [perhaps just older
+ones?] when binding in listen mode. Sometimes netcat binds only to "localhost"
+if invoked with no address or port arguments, and sometimes it is unable to
+bind to a specific address for listening if something else is already listening
+on "any". The former problem can be worked around by specifying "-s 0.0.0.0",
+which will do the right thing despite netcat claiming that it's listening on
+[127.0.0.1]. This is a known problem -- for example, there's a mention of it
+in the makefile for SOCKS. On the flip side, binding to localhost and sending
+packets to some other machine doesn't work as you'd expect -- they go out with
+the source address of the sending interface instead. The Linux kernel contains
+a specific check to ensure that packets from 127.0.0.1 are never sent to the
+wire; other kernels may contain similar code. Linux, of course, *still*
+doesn't support source-routing, but they claim that it and many other network
+improvements are at least breathing hard.
+
+There are several possible errors associated with making TCP connections, but
+to specifically see anything other than "refused", one must wait the full
+kernel-defined timeout for a connection to fail. Netcat's mechanism of
+wrapping an alarm timer around the connect prevents the *real* network error
+from being returned -- "errno" at that point indicates "interrupted system
+call" since the connect attempt was interrupted. Some old 4.3 BSD kernels
+would actually return things like "host unreachable" immediately if that was
+the case, but most newer kernels seem to wait the full timeout and *then* pass
+back the real error. Go figure. In this case, I'd argue that the old way was
+better, despite those same kernels generally being the ones that tear down
+*established* TCP connections when ICMP-bombed.
+
+Incoming socket options are passed to applications by the kernel in the
+kernel's own internal format. The socket-options structure for source-routing
+contains the "first-hop" IP address first, followed by the rest of the real
+options list. The kernel uses this as is when sending reply packets -- the
+structure is therefore designed to be more useful to the kernel than to humans,
+but the hex dump of it that netcat produces is still useful to have.
+
+Kernels treat source-routing options somewhat oddly, but it sort of makes sense
+once one understands what's going on internally. The options list of addresses
+must contain hop1, hop2, ..., destination. When a source-routed packet is sent
+by the kernel [at least BSD], the actual destination address becomes irrelevant
+because it is replaced with "hop1", "hop1" is removed from the options list,
+and all the other addresses in the list are shifted up to fill the hole. Thus
+the outbound packet is sent from your chosen source address to the first
+*gateway*, and the options list now contains hop2, ..., destination. During
+all this address shuffling, the kernel does NOT change the pointer value, which
+is why it is useful to be able to set the pointer yourself -- you can construct
+some really bizarre return paths, and send your traffic fairly directly to the
+target but around some larger loop on the way back. Some Sun kernels seem to
+never flip the source-route around if it contains less than three hops, never
+reset the pointer anyway, and tries to send the packet [with options containing
+a "completed" source route!!] directly back to the source. This is way broken,
+of course. [Maybe ipforwarding has to be on? I haven't had an opportunity to
+beat on it thoroughly yet.]
+
+"Credits" section: The original idea for netcat fell out of a long-standing
+desire and fruitless search for a tool resembling it and having the same
+features. After reading some other network code and realizing just how many
+cool things about sockets could be controlled by the calling user, I started
+on the basics and the rest fell together pretty quickly. Some port-scanning
+ideas were taken from Venema/Farmer's SATAN tool kit, and Pluvius' "pscan"
+utility. Healthy amounts of BSD kernel source were perused in an attempt to
+dope out socket options and source-route handling; additional help was obtained
+from Dave Borman's telnet sources. The select loop is loosely based on fairly
+well-known code from "rsh" and Richard Stevens' "sock" program [which itself is
+sort of a "netcat" with more obscure features], with some more paranoid
+sanity-checking thrown in to guard against the distinct likelihood that there
+are subtleties about such things I still don't understand. I found the
+argument-hiding method cleanly implemented in Barrett's "deslogin"; reading the
+line as input allows greater versatility and is much less prone to cause
+bizarre problems than the more common trick of overwriting the argv array.
+After the first release, several people contributed portability fixes; they are
+credited in generic.h and the Makefile. Lauren Burka inspired the ascii art
+for this revised document. Dean Gaudet at Wired supplied a precursor to
+the hex-dump code, and mudge@l0pht.com originally experimented with and
+supplied code for the telnet-options responder. Outbound "-e <prog>" resulted
+from a need to quietly bypass a firewall installation. Other suggestions and
+patches have rolled in for which I am always grateful, but there are only 26
+hours per day and a discussion of feature creep near the end of this document.
+
+Netcat was written with the Russian railroad in mind -- conservatively built
+and solid, but it *will* get you there. While the coding style is fairly
+"tight", I have attempted to present it cleanly [keeping *my* lines under 80
+characters, dammit] and put in plenty of comments as to why certain things
+are done. Items I know to be questionable are clearly marked with "XXX".
+Source code was made to be modified, but determining where to start is
+difficult with some of the tangles of spaghetti code that are out there.
+Here are some of the major points I feel are worth mentioning about netcat's
+internal design, whether or not you agree with my approach.
+
+Except for generic.h, which changes to adapt more platforms, netcat is a single
+source file. This has the distinct advantage of only having to include headers
+once and not having to re-declare all my functions in a billion different
+places. I have attempted to contain all the gross who's-got-what-.h-file
+things in one small dumping ground. Functions are placed "dependencies-first",
+such that when the compiler runs into the calls later, it already knows the
+type and arguments and won't complain. No function prototyping -- not even the
+__P(()) crock -- is used, since it is more portable and a file of this size is
+easy enough to check manually. Each function has a standard-format comment
+ahead of it, which is easily found using the regexp " :$". I freely use gotos.
+Loops and if-clauses are made as small and non-nested as possible, and the ends
+of same *marked* for clarity [I wish everyone would do this!!].
+
+Large structures and buffers are all malloc()ed up on the fly, slightly larger
+than the size asked for and zeroed out. This reduces the chances of damage
+from those "end of the buffer" fencepost errors or runaway pointers escaping
+off the end. These things are permanent per run, so nothing needs to be freed
+until the program exits.
+
+File descriptor zero is always expected to be standard input, even if it is
+closed. If a new network descriptor winds up being zero, a different one is
+asked for which will be nonzero, and fd zero is simply left kicking around
+for the rest of the run. Why? Because everything else assumes that stdin is
+always zero and "netfd" is always positive. This may seem silly, but it was a
+lot easier to code. The new fd is obtained directly as a new socket, because
+trying to simply dup() a new fd broke subsequent socket-style use of the new fd
+under Solaris' stupid streams handling in the socket library.
+
+The catch-all message and error handlers are implemented with an ample list of
+phoney arguments to get around various problems with varargs. Varargs seems
+like deliberate obfuscation in the first place, and using it would also
+require use of vfprintf() which not all platforms support. The trailing
+sleep in bail() is to allow output to flush, which is sometimes needed if
+netcat is already on the other end of a network connection.
+
+The reader may notice that the section that does DNS lookups seems much
+gnarlier and more confusing than other parts. This is NOT MY FAULT. The
+sockaddr and hostent abstractions are an abortion that forces the coder to
+deal with it. Then again, a lot of BSD kernel code looks like similar
+struct-pointer hell. I try to straighten it out somewhat by defining my own
+HINF structure, containing names, ascii-format IP addresses, and binary IP
+addresses. I fill this structure exactly once per host argument, and squirrel
+everything safely away and handy for whatever wants to reference it later.
+
+Where many other network apps use the FIONBIO ioctl to set non-blocking I/O
+on network sockets, netcat uses straightforward blocking I/O everywhere.
+This makes everything very lock-step, relying on the network and filesystem
+layers to feed in data when needed. Data read in is completely written out
+before any more is fetched. This may not be quite the right thing to do under
+some OSes that don't do timed select() right, but this remains to be seen.
+
+The hexdump routine is written to be as fast as possible, which is why it does
+so much work itself instead of just sprintf()ing everything together. Each
+dump line is built into a single buffer and atomically written out using the
+lowest level I/O calls. Further improvements could undoubtedly be made by
+using writev() and eliminating all sprintf()s, but it seems to fly right along
+as is. If both exec-a-prog mode and a hexdump file is asked for, the hexdump
+flag is deliberately turned off to avoid creating random zero-length files.
+Files are opened in "truncate" mode; if you want "append" mode instead, change
+the open flags in main().
+
+main() may look a bit hairy, but that's only because it has to go down the
+argv list and handle multiple ports, random mode, and exit status. Efforts
+have been made to place a minimum of code inside the getopt() loop. Any real
+work is sent off to functions in what is hopefully a straightforward way.
+
+Obligatory vendor-bash: If "nc" had become a standard utility years ago,
+the commercial vendors would have likely packaged it setuid root and with
+-DGAPING_SECURITY_HOLE turned on but not documented. It is hoped that netcat
+will aid people in finding and fixing the no-brainer holes of this sort that
+keep appearing, by allowing easier experimentation with the "bare metal" of
+the network layer.
+
+It could be argued that netcat already has too many features. I have tried
+to avoid "feature creep" by limiting netcat's base functionality only to those
+things which are truly relevant to making network connections and the everyday
+associated DNS lossage we're used to. Option switches already have slightly
+overloaded functionality. Random port mode is sort of pushing it. The
+hex-dump feature went in later because it *is* genuinely useful. The
+telnet-responder code *almost* verges on the gratuitous, especially since it
+mucks with the data stream, and is left as an optional piece. Many people have
+asked for example "how 'bout adding encryption?" and my response is that such
+things should be separate entities that could pipe their data *through* netcat
+instead of having their own networking code. I am therefore not completely
+enthusiastic about adding any more features to this thing, although you are
+still free to send along any mods you think are useful.
+
+Nonetheless, at this point I think of netcat as my tcp/ip swiss army knife,
+and the numerous companion programs and scripts to go with it as duct tape.
+Duct tape of course has a light side and a dark side and binds the universe
+together, and if I wrap enough of it around what I'm trying to accomplish,
+it *will* work. Alternatively, if netcat is a large hammer, there are many
+network protocols that are increasingly looking like nails by now...
+
+_H* 960320 v1.10 RELEASE -- happy spring!
diff --git a/usr.bin/nc/data/Makefile b/usr.bin/nc/data/Makefile
new file mode 100644
index 00000000000..65cf185358f
--- /dev/null
+++ b/usr.bin/nc/data/Makefile
@@ -0,0 +1,10 @@
+all: data rservice xor
+
+data: data.c
+ cc -s -O -o data data.c
+rservice: rservice.c
+ cc -s -O -o rservice rservice.c
+xor: xor.c
+ cc -s -O -o xor xor.c
+clean:
+ rm -f *.o data rservice xor
diff --git a/usr.bin/nc/data/README b/usr.bin/nc/data/README
new file mode 100644
index 00000000000..7e4b9fbf63c
--- /dev/null
+++ b/usr.bin/nc/data/README
@@ -0,0 +1,9 @@
+For now, read the header comments inside each of these for documentation.
+The programs are simple enough that they don't really need a Makefile any more
+complex than the one given; ymmv. Data and xor may also be useful on DOS,
+which is why there are hooks for it in the code.
+
+data.c a primitive atob / btoa byte generator
+*.d example input to "data -g"
+rservice.c a utility for scripting up rsh/rexec attacks
+xor.c generic xor handler
diff --git a/usr.bin/nc/data/data.c b/usr.bin/nc/data/data.c
new file mode 100644
index 00000000000..56c167fd969
--- /dev/null
+++ b/usr.bin/nc/data/data.c
@@ -0,0 +1,274 @@
+/* primitive arbitrary-data frontend for netcat. 0.9 960226
+ only handles one value per ascii line, but at least parses 0xNN too
+ an input line containing "%r" during "-g" generates a random byte
+
+ todo:
+ make work on msloss jus' for kicks [workin' on it...]
+
+ syntax: data -X [limit]
+ where X is one of
+ d: dump raw bytes to ascii format
+ g: generate raw bytes from ascii input
+ c: generate ??? of value -- NOTYET
+ r: generate all random bytes
+ and limit is how many bytes to generate or dump [unspecified = infinite]
+
+ *Hobbit*, started 951004 or so and randomly screwed around with since */
+
+#include <stdio.h>
+
+#ifdef MSDOS /* for MSC only at the moment... */
+#include <fcntl.h>
+#else /* MSDOS */
+#include <sys/file.h>
+#define HAVE_RANDOM /* XXX: might have to change */
+#endif /* MSDOS */
+
+static char buf_in [128];
+static char buf_raw [8192];
+static char surveysez[] = "survey sez... XXX\n";
+
+/* fgetss :
+ wrapper for fgets, that yanks trailing newlines. Doing the work ourselves
+ instead of calling strchr/strlen/whatever */
+char * fgetss (buf, len, from)
+ char * buf;
+ size_t len;
+ FILE * from;
+{
+ register int x;
+ register char * p, * q;
+ p = fgets (buf, len, from); /* returns ptr to buf */
+ if (! p)
+ return (NULL);
+ q = p;
+ for (x = 0; x < len; x++) {
+ *p = (*p & 0x7f); /* rip parity, just in case */
+ switch (*p) {
+ case '\n':
+ case '\r':
+ case '\0':
+ *p = '\0';
+ return (q);
+ } /* switch */
+ p++;
+ } /* for */
+} /* fgetss */
+
+/* randint:
+ swiped from rndb.c. Generates an INT, you have to mask down to char. */
+int randint()
+{
+ register int q;
+ register int x;
+
+#ifndef HAVE_RANDOM
+ q = rand();
+#else
+ q = random();
+#endif
+ x = ((q >> 8) & 0xff); /* perturb low byte using some higher bits */
+ x = q ^ x;
+ return (x);
+}
+
+main (argc, argv)
+ int argc;
+ char ** argv;
+{
+ register unsigned char * p;
+ register char * q;
+ register int x;
+ int bc = 0;
+ int limit = 0; /* num to gen, or 0 = infinite */
+ register int xlimit; /* running limit */
+ FILE * txt; /* line-by-line ascii file */
+ int raw; /* raw bytes fd */
+ int dumping = 0; /* cmd flags ... */
+ int genning = 0;
+ int randing = 0;
+
+ memset (buf_in, 0, sizeof (buf_in));
+ memset (buf_raw, 0, sizeof (buf_raw));
+
+ xlimit = 1; /* doubles as "exit flag" */
+ bc = 1; /* preload, assuming "dump" */
+ x = getpid() + 687319;
+/* if your library doesnt have srandom/random, use srand/rand. [from rnd.c] */
+#ifndef HAVE_RANDOM
+ srand (time(0) + x);
+#else
+ srandom (time(0) + x);
+#endif
+
+#ifdef O_BINARY
+/* DOS stupidity */
+/* Aha: *here's* where that setmode() lib call conflict in ?BSD came from */
+ x = setmode (0, O_BINARY); /* make stdin raw */
+ if (x < 0) {
+ fprintf (stderr, "stdin binary setmode oops: %d\n", x);
+ exit (1);
+ }
+ x = setmode (1, O_BINARY); /* make stdout raw */
+ if (x < 0) {
+ fprintf (stderr, "stdout binary setmode oops: %d\n", x);
+ exit (1);
+ }
+#endif /* O_BINARY */
+
+ if (argv[1]) {
+ p = argv[1]; /* shit-simple single arg parser... */
+ if (*p == '-') /* dash is optional, we'll deal */
+ p++;
+ if (*p == 'd')
+ dumping++;
+ if (*p == 'g')
+ genning++;
+ if (*p == 'r')
+ randing++;
+ } /* if argv 1 */
+
+/* optional second argument: limit # of bytes shoveled either way */
+ if (argv[2]) {
+ x = atoi (argv[2]);
+ if (x)
+ limit = x;
+ else
+ goto wrong;
+ xlimit = limit;
+ }
+
+/* Since this prog would likely best be written in assmbler, I'm gonna
+ write it *like* assembler. So there. */
+
+ if (randing)
+ goto do_rand;
+
+nextbuf: /* loop sleaze */
+
+ if (dumping) { /* switch off to wherever */
+ if (genning)
+ goto wrong;
+ goto do_dump;
+ }
+ if (genning)
+ goto do_gen;
+wrong:
+ fprintf (stderr, surveysez); /* if both or neither */
+ exit (1);
+
+do_gen:
+/* here if genning -- original functionality */
+ q = buf_raw;
+ bc = 0;
+/* suck up lines until eof or buf_raw is full */
+ while (1) {
+ p = fgetss (buf_in, 120, stdin);
+ if (! p)
+ break; /* EOF */
+/* super-primitive version first: one thingie per line */
+ if (*p == '#') /* comment */
+ continue;
+ if (*p == '\0') /* blank line */
+ continue;
+ if (*p == '%') { /* escape char? */
+ p++;
+ if (*p == 'r') { /* random byte */
+ x = randint();
+ goto stuff;
+ } /* %r */
+ } /* if "%" escape */
+ if (*p == '0')
+ if (*(p+1) == 'x') /* 0x?? */
+ goto hex;
+ x = atoi (p); /* reg'lar decimal number */
+ goto stuff;
+
+hex:
+/* A 65 a 97 */
+/* xxx: use a conversion table for this or something. Since we ripped the
+ parity bit, we only need a preset array of 128 with downconversion factors
+ loaded in *once*. maybe look at scanf... */
+ p++; p++; /* point at hex-chars */
+ x = 0;
+ if ((*p > 96) && (*p < 123)) /* a-z */
+ *p = (*p - 32); /* this is massively clumsy */
+ if ((*p > 64) && (*p < 71)) /* A-F */
+ x = (*p - 55);
+ if ((*p > 47) && (*p < 58)) /* digits */
+ x = (*p - 48);
+ p++;
+ if (*p) /* another digit? */
+ x = (x << 4); /* shift to hi half */
+ if ((*p > 96) && (*p < 123)) /* a-z */
+ *p = (*p - 32);
+ if ((*p > 64) && (*p < 71)) /* A-F */
+ x = (x | (*p - 55)); /* lo half */
+ if ((*p > 47) && (*p < 58)) /* digits */
+ x = (x | (*p - 48));
+
+/* fall thru */
+stuff: /* cvt to byte and add to buffer */
+ *q = (x & 0xff);
+ q++;
+ bc++;
+ if (limit) {
+ xlimit--;
+ if (xlimit == 0) /* max num reached */
+ break;
+ } /* limit */
+ if (bc >= sizeof (buf_raw)) /* buffer full */
+ break;
+ } /* while 1 */
+
+/* now in theory we have our buffer formed; shovel it out */
+ x = write (1, buf_raw, bc);
+ if (x <= 0) {
+ fprintf (stderr, "write oops: %d\n", x);
+ exit (1);
+ }
+ if (xlimit && p)
+ goto nextbuf; /* go get some more */
+ exit (0);
+
+do_dump:
+/* here if dumping raw stuff into an ascii file */
+/* gad, this is *so* much simpler! can we say "don't rewrite printf"? */
+ x = read (0, buf_raw, 8192);
+ if (x <= 0)
+ exit (0);
+ q = buf_raw;
+ for ( ; x > 0; x--) {
+ p = q;
+ printf ("%-3.3d # 0x%-2.2x # ", *p, *p);
+ if ((*p > 31) && (*p < 127))
+ printf ("%c %d\n", *p, bc);
+ else
+ printf (". %d\n", bc);
+ q++;
+ bc++;
+ if (limit) {
+ xlimit--;
+ if (xlimit == 0) {
+ fflush (stdout);
+ exit (0);
+ }
+ } /* limit */
+ } /* for */
+ goto nextbuf;
+
+do_rand:
+/* here if generating all-random bytes. Stays in this loop */
+ p = buf_raw;
+ while (1) {
+ *p = (randint() & 0xff);
+ write (1, p, 1); /* makes very slow! */
+ if (limit) {
+ xlimit--;
+ if (xlimit == 0)
+ break;
+ }
+ } /* while */
+ exit (0);
+
+} /* main */
diff --git a/usr.bin/nc/data/dns-any.d b/usr.bin/nc/data/dns-any.d
new file mode 100644
index 00000000000..77b014cf703
--- /dev/null
+++ b/usr.bin/nc/data/dns-any.d
@@ -0,0 +1,36 @@
+# dns "any for ." query, to udp 53
+# if tcp: precede with 2 bytes of len:
+# 0
+# 17
+# you should get at least *one* record back out
+
+# HEADER:
+0 # query id = 2
+2
+
+1 # flags/opcodes = query, dorecurse
+0
+
+0 # qdcount, i.e. nqueries: 1
+1
+
+0 # ancount: answers, 0
+0
+
+0 # nscount: 0
+0
+
+0 # addl records: 0
+0
+
+# end of fixed header
+
+0 # name-len: 0 for ".", lenbyte plus name-bytes otherwise
+
+0 # type: any, 255
+0xff
+
+0 # class: IN
+1
+
+# i think that's it..
diff --git a/usr.bin/nc/data/nfs-0.d b/usr.bin/nc/data/nfs-0.d
new file mode 100644
index 00000000000..03609382270
--- /dev/null
+++ b/usr.bin/nc/data/nfs-0.d
@@ -0,0 +1,59 @@
+# UDP NFS null-proc call; finds active NFS listeners on port 2049.
+# If you get *something* back, there's an NFS server there.
+
+000 # XID: 4 trash bytes
+001
+002
+003
+
+000 # CALL: 0
+000
+000
+000
+
+000 # RPC version: 2
+000
+000
+002
+
+000 # nfs: 100003
+001
+0x86
+0xa3
+
+000 # version: 1
+000
+000
+001
+
+000 # procedure number: 0
+000
+000
+000
+
+000 # port: junk
+000
+000
+000
+
+000 # auth trash
+000
+000
+000
+
+000 # auth trash
+000
+000
+000
+
+000 # auth trash
+000
+000
+000
+
+000 # extra auth trash? probably not needed
+000
+000
+000
+
+# that's it!
diff --git a/usr.bin/nc/data/pm.d b/usr.bin/nc/data/pm.d
new file mode 100644
index 00000000000..fe327693a9e
--- /dev/null
+++ b/usr.bin/nc/data/pm.d
@@ -0,0 +1,8 @@
+# obligatory duplicate of dr delete's Livingston portmaster crash, aka
+# telnet break. Fire into its telnet listener. An *old* bug by now, but
+# consider the small window one might obtain from a slightly out-of-rev PM
+# used as a firewall, that starts routing IP traffic BEFORE its filter sets
+# are fully loaded...
+
+255 # 0xff # . 1
+243 # 0xf3 # . 2
diff --git a/usr.bin/nc/data/pmap-dump.d b/usr.bin/nc/data/pmap-dump.d
new file mode 100644
index 00000000000..bc6b63277df
--- /dev/null
+++ b/usr.bin/nc/data/pmap-dump.d
@@ -0,0 +1,60 @@
+# portmap dump request: like "rpcinfo -p" but via UDP instead
+# send to UDP 111 and hope it's not a logging portmapper!
+# split into longwords, since rpc apparently only deals with them
+
+001 # 0x01 # . # XID: 4 trash bytes
+002 # 0x02 # .
+003 # 0x03 # .
+004 # 0x04 # .
+
+000 # 0x00 # . # MSG: int 0=call, 1=reply
+000 # 0x00 # .
+000 # 0x00 # .
+000 # 0x00 # .
+
+000 # 0x00 # . # pmap call body: rpc version=2
+000 # 0x00 # .
+000 # 0x00 # .
+002 # 0x02 # .
+
+000 # 0x00 # . # pmap call body: prog=PMAP, 100000
+001 # 0x01 # .
+134 # 0x86 # .
+160 # 0xa0 # .
+
+000 # 0x00 # . # pmap call body: progversion=2
+000 # 0x00 # .
+000 # 0x00 # .
+002 # 0x02 # .
+
+000 # 0x00 # . # pmap call body: proc=DUMP, 4
+000 # 0x00 # .
+000 # 0x00 # .
+004 # 0x04 # .
+
+# with AUTH_NONE, there are 4 zero integers [16 bytes] here
+
+000 # 0x00 # . # auth junk: cb_cred: auth_unix = 1; NONE = 0
+000 # 0x00 # .
+000 # 0x00 # .
+000 # 0x00 # .
+
+000 # 0x00 # . # auth junk
+000 # 0x00 # .
+000 # 0x00 # .
+000 # 0x00 # .
+
+000 # 0x00 # . # auth junk
+000 # 0x00 # .
+000 # 0x00 # .
+000 # 0x00 # .
+
+000 # 0x00 # . # auth junk
+000 # 0x00 # .
+000 # 0x00 # .
+000 # 0x00 # .
+
+# The reply you get back contains your XID, int 1 if "accepted", and
+# a whole mess of gobbledygook containing program numbers, versions,
+# and ports that rpcinfo knows how to decode. For the moment, you get
+# to wade through it yourself...
diff --git a/usr.bin/nc/data/pmap-mnt.d b/usr.bin/nc/data/pmap-mnt.d
new file mode 100644
index 00000000000..00588ba41f7
--- /dev/null
+++ b/usr.bin/nc/data/pmap-mnt.d
@@ -0,0 +1,78 @@
+# portmap request for mountd [or whatever; see where prog=MOUNT]
+# send to UDP 111 and hope it's not a logging portmapper!
+# split into longwords, since rpc apparently only deals with them
+
+001 # 0x01 # . # XID: 4 trash bytes
+002 # 0x02 # .
+003 # 0x03 # .
+004 # 0x04 # .
+
+000 # 0x00 # . # MSG: int 0=call, 1=reply
+000 # 0x00 # .
+000 # 0x00 # .
+000 # 0x00 # .
+
+000 # 0x00 # . # pmap call body: rpc version=2
+000 # 0x00 # .
+000 # 0x00 # .
+002 # 0x02 # .
+
+000 # 0x00 # . # pmap call body: prog=PMAP, 100000
+001 # 0x01 # .
+134 # 0x86 # .
+160 # 0xa0 # .
+
+000 # 0x00 # . # pmap call body: progversion=2
+000 # 0x00 # .
+000 # 0x00 # .
+002 # 0x02 # .
+
+000 # 0x00 # . # pmap call body: proc=GETPORT, 3
+000 # 0x00 # .
+000 # 0x00 # .
+003 # 0x03 # .
+
+# with AUTH_NONE, there are 4 zero integers [16 bytes] here
+
+000 # 0x00 # . # auth junk: cb_cred: auth_unix = 1; NONE = 0
+000 # 0x00 # .
+000 # 0x00 # .
+000 # 0x00 # .
+
+000 # 0x00 # . # auth junk
+000 # 0x00 # .
+000 # 0x00 # .
+000 # 0x00 # .
+
+000 # 0x00 # . # auth junk
+000 # 0x00 # .
+000 # 0x00 # .
+000 # 0x00 # .
+
+000 # 0x00 # . # auth junk
+000 # 0x00 # .
+000 # 0x00 # .
+000 # 0x00 # .
+
+000 # 0x00 # . # prog=MOUNT, 100005
+001 # 0x01 # .
+134 # 0x86 # .
+165 # 0xa5 # .
+
+000 # 0x00 # . # progversion=1
+000 # 0x00 # .
+000 # 0x00 # .
+001 # 0x01 # .
+
+000 # 0x00 # . # protocol=udp, 17
+000 # 0x00 # .
+000 # 0x00 # .
+017 # 0x11 # .
+
+000 # 0x00 # . # proc num = junk
+000 # 0x00 # .
+000 # 0x00 # .
+000 # 0x00 # .
+
+# The reply you get back contains your XID, int 1 if "accepted", and
+# mountd's port number at the end or 0 if not registered.
diff --git a/usr.bin/nc/data/rip.d b/usr.bin/nc/data/rip.d
new file mode 100644
index 00000000000..da505e21430
--- /dev/null
+++ b/usr.bin/nc/data/rip.d
@@ -0,0 +1,52 @@
+# struct netinfo {
+# struct sockaddr rip_dst; /* destination net/host */
+# int rip_metric; /* cost of route */
+# };
+# struct rip {
+# u_char rip_cmd; /* request/response */
+# u_char rip_vers; /* protocol version # */
+# u_char rip_res1[2]; /* pad to 32-bit boundary */
+# union {
+# struct netinfo ru_nets[1]; /* variable length... */
+# char ru_tracefile[1]; /* ditto ... */
+# } ripun;
+#define rip_nets ripun.ru_nets
+#define rip_tracefile ripun.ru_tracefile
+#define RIPCMD_REQUEST 1 /* want info */
+#define RIPCMD_RESPONSE 2 /* responding to request */
+#define RIPCMD_TRACEON 3 /* turn tracing on */
+#define RIPCMD_TRACEOFF 4 /* turn it off */
+#define HOPCNT_INFINITY 16 /* per Xerox NS */
+#define MAXPACKETSIZE 512 /* max broadcast size */
+
+### RIP packet redux
+### UDP send FROM clued-rtr/520 to target/520
+2 # RIPCMD_RESPONSE
+1 # version
+0 # padding
+0
+
+# sockaddr-plus-metric structs begin, as many as necessary...
+0 # len
+2 # AF_INET
+0 # port
+0
+# addr bytes:
+X
+Y
+Z
+Q
+0 # filler, out to 16 bytes [sizeof (sockaddr)] ...
+0
+0
+0
+0
+0
+0
+0
+0 # metric: net-order integer
+0
+0
+1
+
+## that's it
diff --git a/usr.bin/nc/data/rservice.c b/usr.bin/nc/data/rservice.c
new file mode 100644
index 00000000000..1085d9cb789
--- /dev/null
+++ b/usr.bin/nc/data/rservice.c
@@ -0,0 +1,68 @@
+/* generate ^@string1^@string2^@cmd^@ input to netcat, for scripting up
+ rsh/rexec attacks. Needs to be a prog because shells strip out nulls.
+
+ args:
+ locuser remuser [cmd]
+ remuser passwd [cmd]
+
+ cmd defaults to "pwd".
+
+ ... whatever. _H*/
+
+#include <stdio.h>
+
+/* change if you like; "id" is a good one for figuring out if you won too */
+static char cmd[] = "pwd";
+
+static char buf [256];
+
+main(argc, argv)
+ int argc;
+ char * argv[];
+{
+ register int x;
+ register int y;
+ char * p;
+ char * q;
+
+ p = buf;
+ memset (buf, 0, 256);
+
+ p++; /* first null */
+ y = 1;
+
+ if (! argv[1])
+ goto wrong;
+ x = strlen (argv[1]);
+ memcpy (p, argv[1], x); /* first arg plus another null */
+ x++;
+ p += x;
+ y += x;
+
+ if (! argv[2])
+ goto wrong;
+ x = strlen (argv[2]);
+ memcpy (p, argv[2], x); /* second arg plus null */
+ x++;
+ p += x;
+ y += x;
+
+ q = cmd;
+ if (argv[3])
+ q = argv[3];
+ x = strlen (q); /* not checked -- bfd */
+ memcpy (p, q, x); /* the command, plus final null */
+ x++;
+ p += x;
+ y += x;
+
+ memcpy (p, "\n", 1); /* and a newline, so it goes */
+ y++;
+
+ write (1, buf, y); /* zot! */
+ exit (0);
+
+wrong:
+ fprintf (stderr, "wrong! needs 2 or more args.\n");
+ exit (1);
+}
diff --git a/usr.bin/nc/data/showmount.d b/usr.bin/nc/data/showmount.d
new file mode 100644
index 00000000000..499794bc8a5
--- /dev/null
+++ b/usr.bin/nc/data/showmount.d
@@ -0,0 +1,63 @@
+# UDP mountd call. Use as input to find mount daemons and avoid portmap.
+# Useful proc numbers are 2, 5, and 6.
+# UDP-scan around between 600-800 to find most mount daemons.
+# Using this with "2", plugged into "nc -u -v -w 2 victim X-Y" will
+# directly scan *and* dump the current exports when mountd is hit.
+# combine stdout *and* stderr thru "strings" or something to clean it up
+
+000 # XID: 4 trash bytes
+001
+002
+003
+
+000 # CALL: 0
+000
+000
+000
+
+000 # RPC version: 2
+000
+000
+002
+
+000 # mount: 100005
+001
+0x86
+0xa5
+
+000 # mount version: 1
+000
+000
+001
+
+000 # procedure number -- put what you need here:
+000 # 2 = dump [showmount -e]
+000 # 5 = exportlist [showmount -a]
+xxx # "sed s/xxx/$1/ | data -g | nc ..." or some such...
+
+000 # port: junk
+000
+000
+000
+
+000 # auth trash
+000
+000
+000
+
+000 # auth trash
+000
+000
+000
+
+000 # auth trash
+000
+000
+000
+
+000 # extra auth trash? probably not needed
+000
+000
+000
+
+# that's it!
diff --git a/usr.bin/nc/data/xor.c b/usr.bin/nc/data/xor.c
new file mode 100644
index 00000000000..9feead0cbac
--- /dev/null
+++ b/usr.bin/nc/data/xor.c
@@ -0,0 +1,92 @@
+/* Generic xor handler.
+
+ With no args, xors stdin against 0xFF to stdout. A single argument is a
+ file to read xor-bytes out of. Any zero in the xor-bytes array is treated
+ as the end; if you need to xor against a string that *includes* zeros,
+ you're on your own.
+
+ The indirect file can be generated easily with data.c.
+
+ Written because there are so many lame schemes for "masking" plaintext
+ passwords and the like floating around, and it's handy to just run an
+ obscure binary-format configuration file through this and look for strings.
+
+ *Hobbit*, 960208 */
+
+#include <stdio.h>
+#include <fcntl.h>
+
+char buf[8192];
+char bytes[256];
+char * py;
+
+/* do the xor, in place. Uses global ptr "py" to maintain "bytes" state */
+xorb (buf, len)
+ char * buf;
+ int len;
+{
+ register int x;
+ register char * pb;
+
+ pb = buf;
+ x = len;
+ while (x > 0) {
+ *pb = (*pb ^ *py);
+ pb++;
+ py++;
+ if (! *py)
+ py = bytes;
+ x--;
+ }
+} /* xorb */
+
+/* blah */
+main (argc, argv)
+ int argc;
+ char ** argv;
+{
+ register int x = 0;
+ register int y;
+
+/* manually preload; xor-with-0xFF is all too common */
+ memset (bytes, 0, sizeof (bytes));
+ bytes[0] = 0xff;
+
+/* if file named in any arg, reload from that */
+#ifdef O_BINARY /* DOS shit... */
+ x = setmode (0, O_BINARY); /* make stdin raw */
+ if (x < 0) {
+ fprintf (stderr, "stdin binary setmode oops: %d\n", x);
+ exit (1);
+ }
+ x = setmode (1, O_BINARY); /* make stdout raw */
+ if (x < 0) {
+ fprintf (stderr, "stdout binary setmode oops: %d\n", x);
+ exit (1);
+ }
+#endif /* O_BINARY */
+
+ if (argv[1])
+#ifdef O_BINARY
+ x = open (argv[1], O_RDONLY | O_BINARY);
+#else
+ x = open (argv[1], O_RDONLY);
+#endif
+ if (x > 0) {
+ read (x, bytes, 250); /* nothin' fancy here */
+ close (x);
+ }
+ py = bytes;
+ x = 1;
+ while (x > 0) {
+ x = read (0, buf, sizeof (buf));
+ if (x <= 0)
+ break;
+ xorb (buf, x);
+ y = write (1, buf, x);
+ if (y <= 0)
+ exit (1);
+ }
+ exit (0);
+}
+
diff --git a/usr.bin/nc/generic.h b/usr.bin/nc/generic.h
new file mode 100644
index 00000000000..b3dd5f5dc64
--- /dev/null
+++ b/usr.bin/nc/generic.h
@@ -0,0 +1,377 @@
+/* generic.h -- anything you don't #undef at the end remains in effect.
+ The ONLY things that go in here are generic indicator flags; it's up
+ to your programs to declare and call things based on those flags.
+
+ You should only need to make changes via a minimal system-specific section
+ at the end of this file. To build a new section, rip through this and
+ check everything it mentions on your platform, and #undef that which needs
+ it. If you generate a system-specific section you didn't find in here,
+ please mail me a copy so I can update the "master".
+
+ I realize I'm probably inventing another pseudo-standard here, but
+ goddamnit, everybody ELSE has already, and I can't include all of their
+ hairball schemes too. HAVE_xx conforms to the gnu/autoconf usage and
+ seems to be the most common format. In fact, I dug a lot of these out
+ of autoconf and tried to common them all together using "stupidh" to
+ collect data from platforms.
+
+ In disgust... _H* 940910, 941115, 950511. Pseudo-version: 1.3
+
+ Updated 951104 with many patches from netcat feedback, and properly
+ closed a lot of slop in open-ended comments: version 1.4
+ 960217 + nextstep: version 1.5
+*/
+
+#ifndef GENERIC_H /* only run through this once */
+#define GENERIC_H
+
+/* =============================== */
+/* System calls, lib routines, etc */
+/* =============================== */
+
+/* How does your system declare malloc, void or char? Usually void, but go
+ ask the SunOS people why they had to be different... */
+#define VOID_MALLOC
+
+/* notably from fwtk/firewall.h: posix locking? */
+#define HAVE_FLOCK /* otherwise it's lockf() */
+
+/* if you don't have setsid(), you might have setpgrp(). */
+#define HAVE_SETSID
+
+/* random() is generally considered better than rand() */
+#define HAVE_RANDOM
+
+/* the srand48/lrand48/etc family is s'posedly even better */
+#define HAVE_RAND48
+/* bmc@telebase and others have suggested these macros if a box *does* have
+ rand48. Will consider for later if we're doing something that really
+ requires stronger random numbers, but netcat and such certainly doesn't.
+#define srandom(seed) srand48((long) seed)
+#define random() lrand48() */
+
+/* if your machine doesn't have lstat(), it should have stat() [dos...] */
+#define HAVE_LSTAT
+
+/* different kinds of term ioctls. How to recognize them, very roughly:
+ sysv/POSIX_ME_HARDER: termio[s].h, struct termio[s], tty.c_*[]
+ bsd/old stuff: sgtty.h, ioctl(TIOCSETP), sgttyb.sg_*, tchars.t_* */
+#define HAVE_TERMIOS
+
+/* dbm vs ndbm */
+#define HAVE_NDBM
+
+/* extended utmp/wtmp stuff. MOST machines still do NOT have this SV-ism */
+#define UTMPX
+
+/* some systems have nice() which takes *relative* values... [resource.h] */
+#define HAVE_SETPRIORITY
+
+/* a sysvism, I think, but ... */
+#define HAVE_SYSINFO
+
+/* ============= */
+/* Include files */
+/* ============= */
+
+/* Presence of these can be determined via a script that sniffs them
+ out if you aren't sure. See "stupidh"... */
+
+/* stdlib comes with most modern compilers, but ya never know */
+#define HAVE_STDLIB_H
+
+/* not on a DOS box! */
+#define HAVE_UNISTD_H
+
+/* stdarg is a weird one */
+#define HAVE_STDARG_H
+
+/* dir.h or maybe ndir.h otherwise. */
+#define HAVE_DIRENT_H
+
+/* string or strings */
+#define HAVE_STRINGS_H
+
+/* if you don't have lastlog.h, what you want might be in login.h */
+#define HAVE_LASTLOG_H
+
+/* predefines for _PATH_various */
+#define HAVE_PATHS_H
+
+/* some SV-flavors break select stuff out separately */
+#define HAVE_SELECT_H
+
+/* assorted others */
+#define HAVE_PARAM_H /* in sys/ */
+#define HAVE_SYSMACROS_H /* in sys/ */
+#define HAVE_TTYENT_H /* securetty et al */
+
+/* ==================== */
+
+/* Still maybe have to do something about the following, if it's even
+ worth it. I just grepped a lot of these out of various code, without
+ looking them up yet:
+
+#define HAVE_EINPROGRESS
+#define HAVE_F_SETOWN
+HAVE_FILIO_H ... fionbio, fiosetown, etc... will need for hairier
+ select loops.
+#define HAVE_SETENV ... now *there's* a hairy one; **environ is portable
+#define BIG_ENDIAN/little_endian ... *please* try to avoid this stupidity
+ and LSBFIRST/MSBFIRST
+#define HAVE_GETUSERSHELL ... you could always pull it out of getpwent()
+#define HAVE_SETE[UG]ID ... lib or syscall, it varies on diff platforms
+#define HAVE_STRCHR ... should actually be handled by string/strings
+#define HAVE_PSTAT
+#define HAVE_ST_BLKSIZE ... a stat() thing?
+#define HAVE_IP_TOS
+#define HAVE_STRFTIME ... screw this, we'll just INCLUDE one for lame
+ old boxes that don't have it [sunos 3.x, early 4.x?]
+#define HAVE_VFPRINTF
+#define HAVE_SHADOW_PASSWD ... in its multitudinous schemes?? ... how
+ about sumpin' like #define SHADOW_PASSWD_TYPE ... could get grody.
+ ... looks like sysv /etc/shadow, getspent() family is common.
+#define SIG* ... what a swamp, punt for now; should all be in signal.h
+#define HAVE_STRCSPN ... see larry wall's comment in the fwtk regex code
+#define ULTRIX_AUTH ... bwahaha.
+#define HAVE_YP or NIS or whatever you wanna call it this week
+randomness about VARARGS??
+--- later stuff to be considered ---
+#define UINT4 ... u-int on alpha/osf, i.e. __alpha/__osf__, ulong elsewhere?
+ dont name it that, though, it'll conflict with extant .h files like md5
+randomness about machine/endian.h, machine/inline.h -- bsdi, net/2
+randomness about _PATH_WTMP vs WTMP_FILE and where they even live!!
+#define HAVE_SYS_ERRLIST ... whether it's in stdio.h or not [bsd 4.4]
+--- still more stuff
+#define HAVE_SETENV
+#define _PATH_UTMP vs UTMP_FILE, a la deslogind?!
+#define HAVE_DAEMON
+#define HAVE_INETADDR [vixie bind?]
+lseek: SEEK_SET vs L_SET and associated lossage [epi-notes, old 386Mach]
+bsdi: ioctl_compat.h ?
+--- takin' some ifdefs from CNS krb:
+F_GETOWN/F_SETOWN
+CRAY: long = 8 bytes, etc [class with alpha?]
+CGETENT
+SIGINFO
+SIGTSTP SIGTTOU SIGWINCH
+SPX?
+SYSV_TERMIO -- covered elsewhere, I hope
+TIOCEXT TIOCFLUSH TIOC[GS]WINSIZ
+NEWINIT: something about init cleaning up dead login processes [telnet?]
+PARENT_DOES_UTMP, too [telnet]
+VDISCARD
+VEOL/VEOL2/VLNEXT VREPRINT -- termios stuff?, and related...
+STREAMSPTY/STREAMSPTYEM
+AF_INET/AF_UNSPEC, PF_*
+ECHOCTL/ECHOKE
+F_ULOCK [?!]
+setpgrp/getpgrp() ONEARG business..
+HAVE_ALLOCA
+HAVE_GETUTENT
+HAVE_SYS_SELECT_H [irix!]
+HAVE_DIRENT [old 386mach has *direct.h*!]
+HAVE_SIGSET
+HAVE_VFORK_H and HAVE_VFORK
+HAVE_VHANGUP
+HAVE_VSPRINTF
+HAVE_IPTOS_*
+HAVE_STRCASECMP, STRNCASECMP
+HAVE_SYS_FCNTL_H
+HAVE_SYS_TIME_H
+HAVE_UTIMES
+NOTTYENT [?]
+HAVE_FCHMOD
+HAVE_GETUSERSHELL
+HAVE_SIGCONTEXT [stack hair, very machine-specific]
+YYLINENO?
+POSIX_SIGNALS
+POSIX_TERMIOS
+SETPROCTITLE -- breaks some places, like fbsd sendmail
+SIG* -- actual signal names? some are missing
+SIOCGIFCONF
+SO_BROADCAST
+SHMEM [krb tickets]
+VARARGS, or HAVE_VARARGS
+CBAUD
+... and B300, B9600, etc etc
+HAVE_BZERO vs memset/memcpy
+HAVE_SETVBUF
+HAVE_STRDUP
+HAVE_GETENV
+HAVE_STRSAVE
+HAVE_STBLKSIZE [stat?]
+HAVE_STREAM_H -- in sys/, ref sendmail 8.7 for IP_SRCROUTE
+FCHMOD
+INITGROUPS -- most machines seem to *have*
+SETREUID
+SNPRINTF
+SETPGRP semantics bsd vs. sys5 style
+
+There's also the issue about WHERE various .h files live, sys/ or otherwise.
+There's a BIG swamp lurking where network code of any sort lives.
+*/
+
+/* ======================== */
+/* System-specific sections */
+/* ======================== */
+
+/* By turning OFF various bits of the above, you can customize for
+ a given platform. Yes, we're ignoring the stock compiler predefines
+ and using our own plugged in via the Makefile. */
+
+/* DOS boxes, with MSC; you may need to adapt to a different compiler. */
+/* looks like later ones *do* have dirent.h, for example */
+#ifdef MSDOS
+#undef HAVE_FLOCK
+#undef HAVE_RANDOM
+#undef HAVE_LSTAT
+#undef HAVE_TERMIOS
+#undef UTMPX
+#undef HAVE_SYSINFO
+#undef HAVE_UNISTD_H
+#undef HAVE_DIRENT_H /* unless you have the k00l little wrapper from L5!! */
+#undef HAVE_STRINGS_H
+#undef HAVE_LASTLOG_H
+#undef HAVE_PATHS_H
+#undef HAVE_PARAM_H
+#undef HAVE_SYSMACROS_H
+#undef HAVE_SELECT_H
+#undef HAVE_TTYENT_H
+#endif /* MSDOS */
+
+/* buglix 4.x; dunno about 3.x on down. should be bsd4.2 */
+#ifdef ULTRIX
+#undef UTMPX
+#undef HAVE_PATHS_H
+#undef HAVE_SYSMACROS_H
+#undef HAVE_SELECT_H
+#endif /* buglix */
+
+/* some of this might still be broken on older sunoses */
+#ifdef SUNOS
+#undef VOID_MALLOC
+#undef UTMPX
+#undef HAVE_PATHS_H
+#undef HAVE_SELECT_H
+#endif /* sunos */
+
+/* "contact your vendor for a fix" */
+#ifdef SOLARIS
+/* has UTMPX */
+#undef HAVE_RANDOM
+#undef HAVE_SETPRIORITY
+#undef HAVE_STRINGS_H /* this is genuinely the case, go figure */
+#undef HAVE_PATHS_H
+#undef HAVE_SELECT_H
+#undef HAVE_TTYENT_H
+#endif /* SOLARIS */
+
+/* whatever aix variant MIT had at the time; 3.2.x?? */
+#ifdef AIX
+#undef UTMPX
+#undef HAVE_LASTLOG_H
+#define HAVE_LOGIN_H /* "special", in the educational sense */
+#endif /* aix */
+
+/* linux, which is trying as desperately as the gnu folks can to be
+ POSIXLY_CORRECT. I think I'm gonna hurl... */
+#ifdef LINUX
+#undef UTMPX
+#undef HAVE_SYSINFO
+#undef HAVE_SELECT_H
+#undef HAVE_TTYENT_H
+#endif /* linux */
+
+/* irix 5.x; may not be correct for earlier ones */
+#ifdef IRIX
+/* wow, does irix really have everything?! */
+#endif /* irix */
+
+/* osf on alphas */
+#ifdef OSF
+#undef UTMPX
+#undef HAVE_SELECT_H
+#endif /* osf */
+
+/* they's some FUCKED UP paths in this one! */
+#ifdef FREEBSD
+#undef UTMPX
+#undef HAVE_SYSINFO
+#undef HAVE_LASTLOG_H
+#undef HAVE_SYSMACROS_H
+#undef HAVE_SELECT_H /* actually a lie, but only for kernel */
+#endif /* freebsd */
+
+/* Originally from the sidewinder site, of all places, but subsequently
+ checked further under a more normal bsdi 2.0 */
+#ifdef BSDI
+#undef UTMPX
+#undef HAVE_LASTLOG_H
+#undef HAVE_SYSMACROS_H
+/* and their malloc.h was in sys/ ?! */
+#undef HAVE_SELECT_H
+#endif /* bsdi */
+
+/* netbsd/44lite, jives with amiga-netbsd from cactus */
+#ifdef NETBSD
+#undef UTMPX
+#undef HAVE_SYSINFO
+#undef HAVE_LASTLOG_H
+#undef HAVE_SELECT_H
+#endif /* netbsd */
+
+/* Hpux 9.0x, from BBN and various patches sent in */
+#ifdef HPUX
+#undef HAVE_RANDOM /* but *does* have ?rand48 -- need to consider.. */
+#undef HAVE_UTMPX
+#undef HAVE_LASTLOG_H /* has utmp/wtmp/btmp nonsense, and pututline() */
+#undef HAVE_PATHS_H
+#undef HAVE_SELECT_H
+#undef HAVE_TTYENT_H
+#endif /* hockeypux */
+
+/* Unixware [a loose definition of "unix", to be sure], 1.1.2 [at least]
+ from Brian Clapper. He wasn't sure about 2.0... */
+#ifdef UNIXWARE
+/* has UTMPX */
+#undef HAVE_SETPRIORITY
+/* NOTE: UnixWare does provide the BSD stuff, in "/usr/ucbinclude" (headers)
+ and "/usr/ucblib" (libraries). However, I've run into problems linking
+ stuff out of that version of the C library, when objects are also coming
+ out of the "regular" C library. My advice: Avoid the BSD compatibility
+ stuff wherever possible. Brian Clapper <bmc@telebase.com> */
+#undef HAVE_STRINGS_H
+#undef HAVE_PATHS_H
+#undef HAVE_TTYENT_H
+#endif /* UNIXWARE */
+
+/* A/UX 3.1.x from darieb@sandia.gov */
+#ifdef AUX
+#undef HAVE_RANDOM
+#undef HAVE_SELECT_H /* xxx: untested */
+#endif /* a/ux */
+
+/* NeXTSTEP 3.2 motorola mudge@l0pht.com xxx should also work with
+ white hardware and Sparc/HPPA. Should work with 3.3 too as it's
+ 4.3 / 4.4 bsd wrapped around mach */
+#ifdef NEXT
+#undef UTMPX
+#undef HAVE_SELECT_X
+#endif /* NeXTSTEP 3.2 motorola */
+
+/* Make some "generic" assumptions if all else fails */
+#ifdef GENERIC
+#undef HAVE_FLOCK
+#if defined(SYSV) && (SYSV < 4) /* TW leftover: old SV doesnt have symlinks */
+#undef HAVE_LSTAT
+#endif /* old SYSV */
+#undef HAVE_TERMIOS
+#undef UTMPX
+#undef HAVE_PATHS_H
+#undef HAVE_SELECT_H
+#endif /* generic */
+
+/* ================ */
+#endif /* GENERIC_H */
+
diff --git a/usr.bin/nc/nc.1 b/usr.bin/nc/nc.1
new file mode 100644
index 00000000000..cffb9f637b5
--- /dev/null
+++ b/usr.bin/nc/nc.1
@@ -0,0 +1,213 @@
+.\" $OpenBSD: nc.1,v 1.1 1996/09/05 08:55:32 deraadt Exp $
+.\"
+.\" Copyright (c) 1996 David Sacerdote
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\" derived from this software without specific prior written permission
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd August 1, 1996
+.Dt nc 1
+.Sh NAME
+.Os
+.Nm nc
+.Nd
+Arbitrary tcp and udp connections and listens.
+.Pp
+.Nm nc
+.Op Fl e Ar command
+.Op Fl g Ar intermediates
+.Op Fl G Ar hopcount
+.Op Fl i Ar interval
+.Op Fl lnrtuvz
+.Op Fl o Ar filename
+.Op Fl p Ar source port
+.Op Fl s Ar ip address
+.Op Fl w Ar timeout
+.Op Ar hostname
+.Op Ar port[s...]
+.Pp
+.Sh DESCRIPTION
+The
+.Nm nc
+(or
+.Nm netcat )
+utility is used for just about anything under the sun
+involving TCP or UDP. It can open tcp connections, send udp packets,
+listen on arbitrary tcp and udp ports, do port scanning, and source
+routing. Unlike
+.Xr telnet 1 ,
+.Nm nc
+scripts nicely, and separates error messages onto standard error instead
+of sending them to standard output, as
+.Xr telnet 1
+does with some.
+.Pp
+Destination ports can be single integers, names as listed in
+.Xr /etc/services 5 ,
+or ranges. Ranges are in the form nn-mm, and several separate ports and/or
+ranges may be specified on the command line.
+.Pp
+Common uses include:
+.Bl -bullet
+.It
+simple tcp proxies
+.It
+shell\-script based http clients and servers
+.It
+network daemon testing
+.It
+source routing based connectivity testing
+.It
+and much, much more
+.El
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl e Ar command
+Execute the specified command, using data from the network for stdin,
+and sending stdout and stderr to the network. This option is only present if
+.Nm nc
+was compiled with the GAPING_SECURITY_HOLE compile time option, since it
+allows users to make arbitrary programs available to anyone on the network.
+.It Fl g Ar intermediate-host
+Specifies a hop along a loose source routed path. Can be used more than
+once to build a chain of hop points.
+.It Fl G Ar pointer
+Positions the "hop counter" within the list of machines in the path of
+a source routed packet. Must be a multiple of 4.
+.It Fl i Ar seconds
+Specifies a delay time interval between lines of text sent and received.
+Also causes a delay time between connections to multiple ports.
+.It Fl l
+Is used to specify that
+.Nm nc
+should listen for an incoming connection, rather than initiate a
+connection to a remote host. Any hostname/ip address and port arguments
+restrict the source of inbound connections to only that address and
+source port.
+.It Fl n
+Do not do DNS lookups on any of the specified addresses or hostnames, or
+names of port numbers from /etc/services.
+.It Fl o Ar filename
+Create a hexadecimal log of data transferred in the specified file.
+Each line begins with < or >. < means "from the net" and > means
+"to the net."
+.It Fl p Ar port
+Specifies the source port
+.Nm nc
+should use, subject to privilege restrictions and availability.
+.It Fl r
+Specified that source and/or destination ports should be chosen semi-randomly
+instead of sequentially within a range or in the order that the
+system assigns.
+.It Fl s Ar hostname/ip-address
+Specifies the ip of the interface which is used to send the packets.
+On some platforms, this can be used for udp spoofing by using ifconfig
+to bring up a dummy interface with the desired source ip address.
+.It Fl t
+Causes
+.Nm nc
+to send RFC854 DON'T and WON'T responses to RFC854 DO
+and WILL requests. This makes it possible to use
+.Nm nc
+to script telnet sessions. The presence of this option can be
+enabled or disabled as a compile-time option.
+.It Fl u
+Use UDP instead of TCP.
+On most platforms,
+.Nm nc
+will behave as if a connection is established until it receives an
+ICMP packet indicating that there is no program listening to what it
+sends.
+.It Fl v
+Verbose. Cause
+.Nm nc
+to display connection information. Using \-v
+more than once will cause
+.Nm nc
+to become even more verbose.
+.It Fl w Ar timeout
+Specifies the number of seconds
+.Nm nc
+should wait before deciding that
+an attempt to establish a connection is hopeless.
+Also used to specify how long to wait for more network data after standard
+input closes.
+.It Fl z
+Specifies that
+.Nm nc
+should just scan for listening
+daemons, without sending any data to them. Diagnostic messages about refused
+connections will not be
+displayed unless \-v is specified twice.
+.Sh EXAMPLES
+.Pp
+.Bl -tag -width x
+.It Li "nc"
+Wait for the user to type what would normally be command-line
+arguments in at stdin.
+.It Li "nc example.host 42"
+Open a TCP connection to port 42 of example.host. If the connection
+fails, do not display any error messages, but simply exit.
+.It Li "nc -p 31337 example.host 42"
+Open a TCP connection to port 42 of example.host, and use port 31337
+as the source port.
+.It Li "nc -w 5 example.host 42"
+Open a tcp connection to port 42 of example.host, and time out after
+five seconds while attempting to connect.
+.It Li "nc -u example.host 53"
+Send any data from stdin
+to UDP port 53 of example.host, and display any data returned.
+.It Li "nc -s 10.1.2.3 example.host 42"
+Open a tcp connection to port 42 of example.host using 10.1.2.3 as the
+ip for the local end of the connection.
+.It Li "nc -v example.host 42"
+Open a tcp connection to port 42 of example.host, displaying some
+diagnostic messages on stderr.
+.It Li "nc -v -v example.host 42"
+Open a tcp connection to port 42 of example.host, displaying all
+diagnostic messages on stderr.
+.It Li "nc -v -z example.host 20-30"
+Attempt to open tcp connections to ports 20 through 30 of
+example.host, and report which ones
+.Nm nc
+was able to connect to.
+.It Li "nc -v -u -z -w 3 example.host 20-30"
+Send udp packets to ports 20-30 of example.host, and report which ones
+did not respond with an ICMP packet after three seconds.
+.It Li "nc -l -p 3000"
+Listen on TCP port 3000, and once there is a connection, send stdin to
+the remote host, and send data from the remote host to stdout.
+.It Li "echo foobar | nc example.host 1000"
+Connect to port 1000 of example.host, send the string "foobar"
+followed by a newline, and move data from port 1000 of example.host to
+stdout until example.host closes the connection.
+.El
+.Sh SEE ALSO
+.Xr telnet 1 ,
+.Xr cat 1 ,
+and the
+.Nm netcat
+.Pa README
+.Sh AUTHOR
+*Hobbit* [hobbit@avian.org]
diff --git a/usr.bin/nc/netcat.blurb b/usr.bin/nc/netcat.blurb
new file mode 100644
index 00000000000..2c540ad9dcc
--- /dev/null
+++ b/usr.bin/nc/netcat.blurb
@@ -0,0 +1,61 @@
+Netcat 1.10 is an updated release of Netcat, a simple Unix utility which reads
+and writes data across network connections using TCP or UDP protocol. It is
+designed to be a reliable "back-end" tool that can be used directly or easily
+driven by other programs and scripts. At the same time it is a feature-rich
+network debugging and exploration tool, since it can create almost any kind of
+connection you would need and has several interesting built-in capabilities.
+
+Some of netcat's major features are:
+
+ Outbound or inbound connections, TCP or UDP, to or from any ports
+ Full DNS forward/reverse checking, with appropriate warnings
+ Ability to use any local source port
+ Ability to use any locally-configured network source address
+ Built-in port-scanning capabilities, with randomizer
+ Built-in loose source-routing capability
+ Can read command line arguments from standard input
+ Slow-send mode, one line every N seconds
+ Hex dump of transmitted and received data
+ Optional ability to let another program service established connections
+ Optional telnet-options responder
+
+A very short list of potential uses:
+
+ Script backends
+ Scanning ports and inventorying services, automated probes
+ Backup handlers
+ File transfers
+ Server testing, simulation, debugging, and hijacking
+ Firewall testing
+ Proxy gatewaying
+ Network performance testing
+ Address spoofing tests
+ Protecting X servers
+ 1001 other uses you'll likely come up with
+
+Changes between the 1.00 release and this release:
+
+ Better portability -- updated generic.h and Makefile [thanx folks!]
+ Indication of local-end interface address on inbound connections
+ That's *Dave* Borman's telnet, not Paul Borman...
+ Better indication of DNS errors
+ Total byte counts printed if -v -v is used
+ A bunch of front-end driver companion programs and scripts
+ Better handling of stdin arguments-plus-data
+ Hex-dump feature
+ Telnet responder
+ Program exec works inbound or outbound now
+
+Netcat and the associated package is a product of Avian Research, and is freely
+available in full source form with no restrictions save an obligation to give
+credit where due. Get it via anonymous FTP at avian.org:/src/hacks/nc110.tgz
+which is a gzipped tar file and not to be confused with its version 1.00
+precursor, nc100.tgz. Other distribution formats can be accomodated upon
+request. Netcat is also mirrored at the following [faster] sites:
+
+ zippy.telcom.arizona.edu:/pub/mirrors/avian.org/hacks/nc110.tgz
+ ftp.sterling.com:/mirrors/avian.org/src/hacks/nc110.tgz
+ coast.cs.purdue.edu:/pub/tools/unix/netcat/nc110.tgz
+ ftp.rge.com:/pub/security/coast/mirrors/avian.org/netcat/nc110.tgz
+
+_H* 960320
diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c
new file mode 100644
index 00000000000..5ceb4f1d2fd
--- /dev/null
+++ b/usr.bin/nc/netcat.c
@@ -0,0 +1,1668 @@
+/* Netcat 1.10 RELEASE 960320
+
+ A damn useful little "backend" utility begun 950915 or thereabouts,
+ as *Hobbit*'s first real stab at some sockets programming. Something that
+ should have and indeed may have existed ten years ago, but never became a
+ standard Unix utility. IMHO, "nc" could take its place right next to cat,
+ cp, rm, mv, dd, ls, and all those other cryptic and Unix-like things.
+
+ Read the README for the whole story, doc, applications, etc.
+
+ Layout:
+ conditional includes:
+ includes:
+ handy defines:
+ globals:
+ malloced globals:
+ cmd-flag globals:
+ support routines:
+ readwrite select loop:
+ main:
+
+ bluesky:
+ parse ranges of IP address as well as ports, perhaps
+ RAW mode!
+ backend progs to grab a pty and look like a real telnetd?!
+ backend progs to do various encryption modes??!?!
+*/
+
+#include "generic.h" /* same as with L5, skey, etc */
+
+/* conditional includes -- a very messy section which you may have to dink
+ for your own architecture [and please send diffs...]: */
+/* #undef _POSIX_SOURCE /* might need this for something? */
+#define HAVE_BIND /* ASSUMPTION -- seems to work everywhere! */
+#define HAVE_HELP /* undefine if you dont want the help text */
+/* #define ANAL /* if you want case-sensitive DNS matching */
+
+#ifdef HAVE_STDLIB_H
+#include <stdlib.h>
+#else
+#include <malloc.h>
+#endif
+#ifdef HAVE_SELECT_H /* random SV variants need this */
+#include <sys/select.h>
+#endif
+
+/* have to do this *before* including types.h. xxx: Linux still has it wrong */
+#ifdef FD_SETSIZE /* should be in types.h, butcha never know. */
+#undef FD_SETSIZE /* if we ever need more than 16 active */
+#endif /* fd's, something is horribly wrong! */
+#define FD_SETSIZE 16 /* <-- this'll give us a long anyways, wtf */
+#include <sys/types.h> /* *now* do it. Sigh, this is broken */
+
+#ifdef HAVE_RANDOM /* aficionados of ?rand48() should realize */
+#define SRAND srandom /* that this doesn't need *strong* random */
+#define RAND random /* numbers just to mix up port numbers!! */
+#else
+#define SRAND srand
+#define RAND rand
+#endif /* HAVE_RANDOM */
+
+/* includes: */
+#include <sys/time.h> /* timeval, time_t */
+#include <setjmp.h> /* jmp_buf et al */
+#include <sys/socket.h> /* basics, SO_ and AF_ defs, sockaddr, ... */
+#include <netinet/in.h> /* sockaddr_in, htons, in_addr */
+#include <netinet/in_systm.h> /* misc crud that netinet/ip.h references */
+#include <netinet/ip.h> /* IPOPT_LSRR, header stuff */
+#include <netdb.h> /* hostent, gethostby*, getservby* */
+#include <arpa/inet.h> /* inet_ntoa */
+#include <stdio.h>
+#include <string.h> /* strcpy, strchr, yadda yadda */
+#include <errno.h>
+#include <signal.h>
+#include <fcntl.h> /* O_WRONLY et al */
+
+/* handy stuff: */
+#define SA struct sockaddr /* socket overgeneralization braindeath */
+#define SAI struct sockaddr_in /* ... whoever came up with this model */
+#define IA struct in_addr /* ... should be taken out and shot, */
+ /* ... not that TLI is any better. sigh.. */
+#define SLEAZE_PORT 31337 /* for UDP-scan RTT trick, change if ya want */
+#define USHORT unsigned short /* use these for options an' stuff */
+#define BIGSIZ 8192 /* big buffers */
+
+#ifndef INADDR_NONE
+#define INADDR_NONE 0xffffffff
+#endif
+#ifdef MAXHOSTNAMELEN
+#undef MAXHOSTNAMELEN /* might be too small on aix, so fix it */
+#endif
+#define MAXHOSTNAMELEN 256
+
+struct host_poop {
+ char name[MAXHOSTNAMELEN]; /* dns name */
+ char addrs[8][24]; /* ascii-format IP addresses */
+ struct in_addr iaddrs[8]; /* real addresses: in_addr.s_addr: ulong */
+};
+#define HINF struct host_poop
+
+struct port_poop {
+ char name [64]; /* name in /etc/services */
+ char anum [8]; /* ascii-format number */
+ USHORT num; /* real host-order number */
+};
+#define PINF struct port_poop
+
+/* globals: */
+jmp_buf jbuf; /* timer crud */
+int jval = 0; /* timer crud */
+int netfd = -1;
+int ofd = 0; /* hexdump output fd */
+static char unknown[] = "(UNKNOWN)";
+static char p_tcp[] = "tcp"; /* for getservby* */
+static char p_udp[] = "udp";
+#ifdef HAVE_BIND
+extern int h_errno;
+/* stolen almost wholesale from bsd herror.c */
+static char * h_errs[] = {
+ "Error 0", /* but we *don't* use this */
+ "Unknown host", /* 1 HOST_NOT_FOUND */
+ "Host name lookup failure", /* 2 TRY_AGAIN */
+ "Unknown server error", /* 3 NO_RECOVERY */
+ "No address associated with name", /* 4 NO_ADDRESS */
+};
+#else
+int h_errno; /* just so we *do* have it available */
+#endif /* HAVE_BIND */
+int gatesidx = 0; /* LSRR hop count */
+int gatesptr = 4; /* initial LSRR pointer, settable */
+USHORT Single = 1; /* zero if scanning */
+unsigned int insaved = 0; /* stdin-buffer size for multi-mode */
+unsigned int wrote_out = 0; /* total stdout bytes */
+unsigned int wrote_net = 0; /* total net bytes */
+static char wrote_txt[] = " sent %d, rcvd %d";
+static char hexnibs[20] = "0123456789abcdef ";
+
+/* will malloc up the following globals: */
+struct timeval * timer1 = NULL;
+struct timeval * timer2 = NULL;
+SAI * lclend = NULL; /* sockaddr_in structs */
+SAI * remend = NULL;
+HINF ** gates = NULL; /* LSRR hop hostpoop */
+char * optbuf = NULL; /* LSRR or sockopts */
+char * bigbuf_in; /* data buffers */
+char * bigbuf_net;
+fd_set * ding1; /* for select loop */
+fd_set * ding2;
+PINF * portpoop = NULL; /* for getportpoop / getservby* */
+unsigned char * stage = NULL; /* hexdump line buffer */
+
+/* global cmd flags: */
+USHORT o_alla = 0;
+unsigned int o_interval = 0;
+USHORT o_listen = 0;
+USHORT o_nflag = 0;
+USHORT o_wfile = 0;
+USHORT o_random = 0;
+USHORT o_udpmode = 0;
+USHORT o_verbose = 0;
+unsigned int o_wait = 0;
+USHORT o_zero = 0;
+/* o_tn in optional section */
+
+/* Debug macro: squirt whatever message and sleep a bit so we can see it go
+ by. need to call like Debug ((stuff)) [with no ; ] so macro args match!
+ Beware: writes to stdOUT... */
+#ifdef DEBUG
+#define Debug(x) printf x; printf ("\n"); fflush (stdout); sleep (1);
+#else
+#define Debug(x) /* nil... */
+#endif
+
+
+/* support routines -- the bulk of this thing. Placed in such an order that
+ we don't have to forward-declare anything: */
+
+/* holler :
+ fake varargs -- need to do this way because we wind up calling through
+ more levels of indirection than vanilla varargs can handle, and not all
+ machines have vfprintf/vsyslog/whatever! 6 params oughta be enough. */
+void holler (str, p1, p2, p3, p4, p5, p6)
+ char * str;
+ char * p1, * p2, * p3, * p4, * p5, * p6;
+{
+ if (o_verbose) {
+ fprintf (stderr, str, p1, p2, p3, p4, p5, p6);
+#ifdef HAVE_BIND
+ if (h_errno) { /* if host-lookup variety of error ... */
+ if (h_errno > 4) /* oh no you don't, either */
+ fprintf (stderr, "preposterous h_errno: %d", h_errno);
+ else
+ fprintf (stderr, h_errs[h_errno]); /* handle it here */
+ h_errno = 0; /* and reset for next call */
+ }
+#endif
+ if (errno) { /* this gives funny-looking messages, but */
+ perror (" "); /* it's more portable than sys_errlist[]... */
+ } else /* xxx: do something better? */
+ fprintf (stderr, "\n");
+ fflush (stderr);
+ }
+} /* holler */
+
+/* bail :
+ error-exit handler, callable from anywhere */
+void bail (str, p1, p2, p3, p4, p5, p6)
+ char * str;
+ char * p1, * p2, * p3, * p4, * p5, * p6;
+{
+ o_verbose = 1;
+ holler (str, p1, p2, p3, p4, p5, p6);
+ close (netfd);
+ sleep (1);
+ exit (1);
+} /* bail */
+
+/* catch :
+ no-brainer interrupt handler */
+void catch ()
+{
+ errno = 0;
+ if (o_verbose > 1) /* normally we don't care */
+ bail (wrote_txt, wrote_net, wrote_out);
+ bail (" punt!");
+}
+
+/* timeout and other signal handling cruft */
+void tmtravel ()
+{
+ signal (SIGALRM, SIG_IGN);
+ alarm (0);
+ if (jval == 0)
+ bail ("spurious timer interrupt!");
+ longjmp (jbuf, jval);
+}
+
+/* arm :
+ set the timer. Zero secs arg means unarm */
+void arm (num, secs)
+ unsigned int num;
+ unsigned int secs;
+{
+ if (secs == 0) { /* reset */
+ signal (SIGALRM, SIG_IGN);
+ alarm (0);
+ jval = 0;
+ } else { /* set */
+ signal (SIGALRM, tmtravel);
+ alarm (secs);
+ jval = num;
+ } /* if secs */
+} /* arm */
+
+/* Hmalloc :
+ malloc up what I want, rounded up to *4, and pre-zeroed. Either succeeds
+ or bails out on its own, so that callers don't have to worry about it. */
+char * Hmalloc (size)
+ unsigned int size;
+{
+ unsigned int s = (size + 4) & 0xfffffffc; /* 4GB?! */
+ char * p = malloc (s);
+ if (p != NULL)
+ memset (p, 0, s);
+ else
+ bail ("Hmalloc %d failed", s);
+ return (p);
+} /* Hmalloc */
+
+/* findline :
+ find the next newline in a buffer; return inclusive size of that "line",
+ or the entire buffer size, so the caller knows how much to then write().
+ Not distinguishing \n vs \r\n for the nonce; it just works as is... */
+unsigned int findline (buf, siz)
+ char * buf;
+ unsigned int siz;
+{
+ register char * p;
+ register int x;
+ if (! buf) /* various sanity checks... */
+ return (0);
+ if (siz > BIGSIZ)
+ return (0);
+ x = siz;
+ for (p = buf; x > 0; x--) {
+ if (*p == '\n') {
+ x = (int) (p - buf);
+ x++; /* 'sokay if it points just past the end! */
+Debug (("findline returning %d", x))
+ return (x);
+ }
+ p++;
+ } /* for */
+Debug (("findline returning whole thing: %d", siz))
+ return (siz);
+} /* findline */
+
+/* comparehosts :
+ cross-check the host_poop we have so far against new gethostby*() info,
+ and holler about mismatches. Perhaps gratuitous, but it can't hurt to
+ point out when someone's DNS is fukt. Returns 1 if mismatch, in case
+ someone else wants to do something about it. */
+int comparehosts (poop, hp)
+ HINF * poop;
+ struct hostent * hp;
+{
+ errno = 0;
+ h_errno = 0;
+/* The DNS spec is officially case-insensitive, but for those times when you
+ *really* wanna see any and all discrepancies, by all means define this. */
+#ifdef ANAL
+ if (strcmp (poop->name, hp->h_name) != 0) { /* case-sensitive */
+#else
+ if (strcasecmp (poop->name, hp->h_name) != 0) { /* normal */
+#endif
+ holler ("DNS fwd/rev mismatch: %s != %s", poop->name, hp->h_name);
+ return (1);
+ }
+ return (0);
+/* ... do we need to do anything over and above that?? */
+} /* comparehosts */
+
+/* gethostpoop :
+ resolve a host 8 ways from sunday; return a new host_poop struct with its
+ info. The argument can be a name or [ascii] IP address; it will try its
+ damndest to deal with it. "numeric" governs whether we do any DNS at all,
+ and we also check o_verbose for what's appropriate work to do. */
+HINF * gethostpoop (name, numeric)
+ char * name;
+ USHORT numeric;
+{
+ struct hostent * hostent;
+ struct in_addr iaddr;
+ register HINF * poop = NULL;
+ register int x;
+
+/* I really want to strangle the twit who dreamed up all these sockaddr and
+ hostent abstractions, and then forced them all to be incompatible with
+ each other so you *HAVE* to do all this ridiculous casting back and forth.
+ If that wasn't bad enough, all the doc insists on referring to local ports
+ and addresses as "names", which makes NO sense down at the bare metal.
+
+ What an absolutely horrid paradigm, and to think of all the people who
+ have been wasting significant amounts of time fighting with this stupid
+ deliberate obfuscation over the last 10 years... then again, I like
+ languages wherein a pointer is a pointer, what you put there is your own
+ business, the compiler stays out of your face, and sheep are nervous.
+ Maybe that's why my C code reads like assembler half the time... */
+
+/* If we want to see all the DNS stuff, do the following hair --
+ if inet_addr, do reverse and forward with any warnings; otherwise try
+ to do forward and reverse with any warnings. In other words, as long
+ as we're here, do a complete DNS check on these clowns. Yes, it slows
+ things down a bit for a first run, but once it's cached, who cares? */
+
+ errno = 0;
+ h_errno = 0;
+ if (name)
+ poop = (HINF *) Hmalloc (sizeof (HINF));
+ if (! poop)
+ bail ("gethostpoop fuxored");
+ strcpy (poop->name, unknown); /* preload it */
+/* see wzv:workarounds.c for dg/ux return-a-struct inet_addr lossage */
+ iaddr.s_addr = inet_addr (name);
+
+ if (iaddr.s_addr == INADDR_NONE) { /* here's the great split: names... */
+ if (numeric)
+ bail ("Can't parse %s as an IP address", name);
+ hostent = gethostbyname (name);
+ if (! hostent)
+/* failure to look up a name is fatal, since we can't do anything with it */
+ bail ("%s: forward host lookup failed: ", name);
+ strncpy (poop->name, hostent->h_name, MAXHOSTNAMELEN - 2);
+ for (x = 0; hostent->h_addr_list[x] && (x < 8); x++) {
+ memcpy (&poop->iaddrs[x], hostent->h_addr_list[x], sizeof (IA));
+ strncpy (poop->addrs[x], inet_ntoa (poop->iaddrs[x]),
+ sizeof (poop->addrs[0]));
+ } /* for x -> addrs, part A */
+ if (! o_verbose) /* if we didn't want to see the */
+ return (poop); /* inverse stuff, we're done. */
+/* do inverse lookups in separate loop based on our collected forward addrs,
+ since gethostby* tends to crap into the same buffer over and over */
+ for (x = 0; poop->iaddrs[x].s_addr && (x < 8); x++) {
+ hostent = gethostbyaddr ((char *)&poop->iaddrs[x],
+ sizeof (IA), AF_INET);
+ if ((! hostent) || (! hostent-> h_name))
+ holler ("Warning: inverse host lookup failed for %s: ",
+ poop->addrs[x]);
+ else
+ (void) comparehosts (poop, hostent);
+ } /* for x -> addrs, part B */
+
+ } else { /* not INADDR_NONE: numeric addresses... */
+ memcpy (poop->iaddrs, &iaddr, sizeof (IA));
+ strncpy (poop->addrs[0], inet_ntoa (iaddr), sizeof (poop->addrs));
+ if (numeric) /* if numeric-only, we're done */
+ return (poop);
+ if (! o_verbose) /* likewise if we don't want */
+ return (poop); /* the full DNS hair */
+ hostent = gethostbyaddr ((char *) &iaddr, sizeof (IA), AF_INET);
+/* numeric or not, failure to look up a PTR is *not* considered fatal */
+ if (! hostent)
+ holler ("%s: inverse host lookup failed: ", name);
+ else {
+ strncpy (poop->name, hostent->h_name, MAXHOSTNAMELEN - 2);
+ hostent = gethostbyname (poop->name);
+ if ((! hostent) || (! hostent->h_addr_list[0]))
+ holler ("Warning: forward host lookup failed for %s: ",
+ poop->name);
+ else
+ (void) comparehosts (poop, hostent);
+ } /* if hostent */
+ } /* INADDR_NONE Great Split */
+
+/* whatever-all went down previously, we should now have a host_poop struct
+ with at least one IP address in it. */
+ h_errno = 0;
+ return (poop);
+} /* gethostpoop */
+
+/* getportpoop :
+ Same general idea as gethostpoop -- look up a port in /etc/services, fill
+ in global port_poop, but return the actual port *number*. Pass ONE of:
+ pstring to resolve stuff like "23" or "exec";
+ pnum to reverse-resolve something that's already a number.
+ If o_nflag is on, fill in what we can but skip the getservby??? stuff.
+ Might as well have consistent behavior here, and it *is* faster. */
+USHORT getportpoop (pstring, pnum)
+ char * pstring;
+ unsigned int pnum;
+{
+ struct servent * servent;
+ register int x;
+ register int y;
+ char * whichp = p_tcp;
+ if (o_udpmode)
+ whichp = p_udp;
+ portpoop->name[0] = '?'; /* fast preload */
+ portpoop->name[1] = '\0';
+
+/* case 1: reverse-lookup of a number; placed first since this case is much
+ more frequent if we're scanning */
+ if (pnum) {
+ if (pstring) /* one or the other, pleeze */
+ return (0);
+ x = pnum;
+ if (o_nflag) /* go faster, skip getservbyblah */
+ goto gp_finish;
+ y = htons (x); /* gotta do this -- see Fig.1 below */
+ servent = getservbyport (y, whichp);
+ if (servent) {
+ y = ntohs (servent->s_port);
+ if (x != y) /* "never happen" */
+ holler ("Warning: port-bynum mismatch, %d != %d", x, y);
+ strncpy (portpoop->name, servent->s_name, sizeof (portpoop->name));
+ } /* if servent */
+ goto gp_finish;
+ } /* if pnum */
+
+/* case 2: resolve a string, but we still give preference to numbers instead
+ of trying to resolve conflicts. None of the entries in *my* extensive
+ /etc/services begins with a digit, so this should "always work" unless
+ you're at 3com and have some company-internal services defined... */
+ if (pstring) {
+ if (pnum) /* one or the other, pleeze */
+ return (0);
+ x = atoi (pstring);
+ if (x)
+ return (getportpoop (NULL, x)); /* recurse for numeric-string-arg */
+ if (o_nflag) /* can't use names! */
+ return (0);
+ servent = getservbyname (pstring, whichp);
+ if (servent) {
+ strncpy (portpoop->name, servent->s_name, sizeof (portpoop->name));
+ x = ntohs (servent->s_port);
+ goto gp_finish;
+ } /* if servent */
+ } /* if pstring */
+
+ return (0); /* catches any problems so far */
+
+/* Obligatory netdb.h-inspired rant: servent.s_port is supposed to be an int.
+ Despite this, we still have to treat it as a short when copying it around.
+ Not only that, but we have to convert it *back* into net order for
+ getservbyport to work. Manpages generally aren't clear on all this, but
+ there are plenty of examples in which it is just quietly done. More BSD
+ lossage... since everything getserv* ever deals with is local to our own
+ host, why bother with all this network-order/host-order crap at all?!
+ That should be saved for when we want to actually plug the port[s] into
+ some real network calls -- and guess what, we have to *re*-convert at that
+ point as well. Fuckheads. */
+
+gp_finish:
+/* Fall here whether or not we have a valid servent at this point, with
+ x containing our [host-order and therefore useful, dammit] port number */
+ sprintf (portpoop->anum, "%d", x); /* always load any numeric specs! */
+ portpoop->num = (x & 0xffff); /* ushort, remember... */
+ return (portpoop->num);
+} /* getportpoop */
+
+/* nextport :
+ Come up with the next port to try, be it random or whatever. "block" is
+ a ptr to randports array, whose bytes [so far] carry these meanings:
+ 0 ignore
+ 1 to be tested
+ 2 tested [which is set as we find them here]
+ returns a USHORT random port, or 0 if all the t-b-t ones are used up. */
+USHORT nextport (block)
+ char * block;
+{
+ register unsigned int x;
+ register unsigned int y;
+
+ y = 70000; /* high safety count for rnd-tries */
+ while (y > 0) {
+ x = (RAND() & 0xffff);
+ if (block[x] == 1) { /* try to find a not-done one... */
+ block[x] = 2;
+ break;
+ }
+ x = 0; /* bummer. */
+ y--;
+ } /* while y */
+ if (x)
+ return (x);
+
+ y = 65535; /* no random one, try linear downsearch */
+ while (y > 0) { /* if they're all used, we *must* be sure! */
+ if (block[y] == 1) {
+ block[y] = 2;
+ break;
+ }
+ y--;
+ } /* while y */
+ if (y)
+ return (y); /* at least one left */
+
+ return (0); /* no more left! */
+} /* nextport */
+
+/* loadports :
+ set "to be tested" indications in BLOCK, from LO to HI. Almost too small
+ to be a separate routine, but makes main() a little cleaner... */
+void loadports (block, lo, hi)
+ char * block;
+ USHORT lo;
+ USHORT hi;
+{
+ USHORT x;
+
+ if (! block)
+ bail ("loadports: no block?!");
+ if ((! lo) || (! hi))
+ bail ("loadports: bogus values %d, %d", lo, hi);
+ x = hi;
+ while (lo <= x) {
+ block[x] = 1;
+ x--;
+ }
+} /* loadports */
+
+#ifdef GAPING_SECURITY_HOLE
+char * pr00gie = NULL; /* global ptr to -e arg */
+
+/* doexec :
+ fiddle all the file descriptors around, and hand off to another prog. Sort
+ of like a one-off "poor man's inetd". This is the only section of code
+ that would be security-critical, which is why it's ifdefed out by default.
+ Use at your own hairy risk; if you leave shells lying around behind open
+ listening ports you deserve to lose!! */
+doexec (fd)
+ int fd;
+{
+ register char * p;
+
+ dup2 (fd, 0); /* the precise order of fiddlage */
+ close (fd); /* is apparently crucial; this is */
+ dup2 (0, 1); /* swiped directly out of "inetd". */
+ dup2 (0, 2);
+ p = strrchr (pr00gie, '/'); /* shorter argv[0] */
+ if (p)
+ p++;
+ else
+ p = pr00gie;
+Debug (("gonna exec %s as %s...", pr00gie, p))
+ execl (pr00gie, p, NULL);
+ bail ("exec %s failed", pr00gie); /* this gets sent out. Hmm... */
+} /* doexec */
+#endif /* GAPING_SECURITY_HOLE */
+
+/* doconnect :
+ do all the socket stuff, and return an fd for one of
+ an open outbound TCP connection
+ a UDP stub-socket thingie
+ with appropriate socket options set up if we wanted source-routing, or
+ an unconnected TCP or UDP socket to listen on.
+ Examines various global o_blah flags to figure out what-all to do. */
+int doconnect (rad, rp, lad, lp)
+ IA * rad;
+ USHORT rp;
+ IA * lad;
+ USHORT lp;
+{
+ register int nnetfd;
+ register int rr;
+ int x, y;
+ errno = 0;
+
+/* grab a socket; set opts */
+newskt:
+ if (o_udpmode)
+ nnetfd = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+ else
+ nnetfd = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
+ if (nnetfd < 0)
+ bail ("Can't get socket");
+ if (nnetfd == 0) /* if stdin was closed this might *be* 0, */
+ goto newskt; /* so grab another. See text for why... */
+ x = 1;
+ rr = setsockopt (nnetfd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof (x));
+ if (rr == -1)
+ holler ("nnetfd reuseaddr failed"); /* ??? */
+#ifdef SO_REUSEPORT /* doesnt exist everywhere... */
+ rr = setsockopt (nnetfd, SOL_SOCKET, SO_REUSEPORT, &x, sizeof (x));
+ if (rr == -1)
+ holler ("nnetfd reuseport failed"); /* ??? */
+#endif
+#if 0
+/* If you want to screw with RCVBUF/SNDBUF, do it here. Liudvikas Bukys at
+ Rochester sent this example, which would involve YET MORE options and is
+ just archived here in case you want to mess with it. o_xxxbuf are global
+ integers set in main() getopt loop, and check for rr == 0 afterward. */
+ rr = setsockopt(nnetfd, SOL_SOCKET, SO_RCVBUF, &o_rcvbuf, sizeof o_rcvbuf);
+ rr = setsockopt(nnetfd, SOL_SOCKET, SO_SNDBUF, &o_sndbuf, sizeof o_sndbuf);
+#endif
+
+ /* fill in all the right sockaddr crud */
+ lclend->sin_family = AF_INET;
+
+/* fill in all the right sockaddr crud */
+ lclend->sin_family = AF_INET;
+ remend->sin_family = AF_INET;
+
+/* if lad/lp, do appropriate binding */
+ if (lad)
+ memcpy (&lclend->sin_addr.s_addr, lad, sizeof (IA));
+ if (lp)
+ lclend->sin_port = htons (lp);
+ rr = 0;
+ if (lad || lp) {
+ x = (int) lp;
+/* try a few times for the local bind, a la ftp-data-port... */
+ for (y = 4; y > 0; y--) {
+ rr = bind (nnetfd, (SA *)lclend, sizeof (SA));
+ if (rr == 0)
+ break;
+ if (errno != EADDRINUSE)
+ break;
+ else {
+ holler ("retrying local %s:%d", inet_ntoa (lclend->sin_addr), lp);
+ sleep (2);
+ errno = 0; /* clear from sleep */
+ } /* if EADDRINUSE */
+ } /* for y counter */
+ } /* if lad or lp */
+ if (rr)
+ bail ("Can't grab %s:%d with bind",
+ inet_ntoa(lclend->sin_addr), lp);
+
+ if (o_listen)
+ return (nnetfd); /* thanks, that's all for today */
+
+ memcpy (&remend->sin_addr.s_addr, rad, sizeof (IA));
+ remend->sin_port = htons (rp);
+
+/* rough format of LSRR option and explanation of weirdness.
+Option comes after IP-hdr dest addr in packet, padded to *4, and ihl > 5.
+IHL is multiples of 4, i.e. real len = ip_hl << 2.
+ type 131 1 ; 0x83: copied, option class 0, number 3
+ len 1 ; of *whole* option!
+ pointer 1 ; nxt-hop-addr; 1-relative, not 0-relative
+ addrlist... var ; 4 bytes per hop-addr
+ pad-to-32 var ; ones, i.e. "NOP"
+
+If we want to route A -> B via hops C and D, we must add C, D, *and* B to the
+options list. Why? Because when we hand the kernel A -> B with list C, D, B
+the "send shuffle" inside the kernel changes it into A -> C with list D, B and
+the outbound packet gets sent to C. If B wasn't also in the hops list, the
+final destination would have been lost at this point.
+
+When C gets the packet, it changes it to A -> D with list C', B where C' is
+the interface address that C used to forward the packet. This "records" the
+route hop from B's point of view, i.e. which address points "toward" B. This
+is to make B better able to return the packets. The pointer gets bumped by 4,
+so that D does the right thing instead of trying to forward back to C.
+
+When B finally gets the packet, it sees that the pointer is at the end of the
+LSRR list and is thus "completed". B will then try to use the packet instead
+of forwarding it, i.e. deliver it up to some application.
+
+Note that by moving the pointer yourself, you could send the traffic directly
+to B but have it return via your preconstructed source-route. Playing with
+this and watching "tcpdump -v" is the best way to understand what's going on.
+
+Only works for TCP in BSD-flavor kernels. UDP is a loss; udp_input calls
+stripoptions() early on, and the code to save the srcrt is notdef'ed.
+Linux is also still a loss at 1.3.x it looks like; the lsrr code is { }...
+*/
+
+/* if any -g arguments were given, set up source-routing. We hit this after
+ the gates are all looked up and ready to rock, any -G pointer is set,
+ and gatesidx is now the *number* of hops */
+ if (gatesidx) { /* if we wanted any srcrt hops ... */
+/* don't even bother compiling if we can't do IP options here! */
+#ifdef IP_OPTIONS
+ if (! optbuf) { /* and don't already *have* a srcrt set */
+ char * opp; /* then do all this setup hair */
+ optbuf = Hmalloc (48);
+ opp = optbuf;
+ *opp++ = IPOPT_LSRR; /* option */
+ *opp++ = (char)
+ (((gatesidx + 1) * sizeof (IA)) + 3) & 0xff; /* length */
+ *opp++ = gatesptr; /* pointer */
+/* opp now points at first hop addr -- insert the intermediate gateways */
+ for ( x = 0; x < gatesidx; x++) {
+ memcpy (opp, gates[x]->iaddrs, sizeof (IA));
+ opp += sizeof (IA);
+ }
+/* and tack the final destination on the end [needed!] */
+ memcpy (opp, rad, sizeof (IA));
+ opp += sizeof (IA);
+ *opp = IPOPT_NOP; /* alignment filler */
+ } /* if empty optbuf */
+/* calculate length of whole option mess, which is (3 + [hops] + [final] + 1),
+ and apply it [have to do this every time through, of course] */
+ x = ((gatesidx + 1) * sizeof (IA)) + 4;
+ rr = setsockopt (nnetfd, IPPROTO_IP, IP_OPTIONS, optbuf, x);
+ if (rr == -1)
+ bail ("srcrt setsockopt fuxored");
+#else /* IP_OPTIONS */
+ holler ("Warning: source routing unavailable on this machine, ignoring");
+#endif /* IP_OPTIONS*/
+ } /* if gatesidx */
+
+/* wrap connect inside a timer, and hit it */
+ arm (1, o_wait);
+ if (setjmp (jbuf) == 0) {
+ rr = connect (nnetfd, (SA *)remend, sizeof (SA));
+ } else { /* setjmp: connect failed... */
+ rr = -1;
+ errno = ETIMEDOUT; /* fake it */
+ }
+ arm (0, 0);
+ if (rr == 0)
+ return (nnetfd);
+ close (nnetfd); /* clean up junked socket FD!! */
+ return (-1);
+} /* doconnect */
+
+/* dolisten :
+ just like doconnect, and in fact calls a hunk of doconnect, but listens for
+ incoming and returns an open connection *from* someplace. If we were
+ given host/port args, any connections from elsewhere are rejected. This
+ in conjunction with local-address binding should limit things nicely... */
+int dolisten (rad, rp, lad, lp)
+ IA * rad;
+ USHORT rp;
+ IA * lad;
+ USHORT lp;
+{
+ register int nnetfd;
+ register int rr;
+ HINF * whozis = NULL;
+ int x;
+ char * cp;
+ USHORT z;
+ errno = 0;
+
+/* Pass everything off to doconnect, who in o_listen mode just gets a socket */
+ nnetfd = doconnect (rad, rp, lad, lp);
+ if (nnetfd <= 0)
+ return (-1);
+ if (o_udpmode) { /* apparently UDP can listen ON */
+ if (! lp) /* "port 0", but that's not useful */
+ bail ("UDP listen needs -p arg");
+ } else {
+ rr = listen (nnetfd, 1); /* gotta listen() before we can get */
+ if (rr < 0) /* our local random port. sheesh. */
+ bail ("local listen fuxored");
+ }
+
+/* Various things that follow temporarily trash bigbuf_net, which might contain
+ a copy of any recvfrom()ed packet, but we'll read() another copy later. */
+
+/* I can't believe I have to do all this to get my own goddamn bound address
+ and port number. It should just get filled in during bind() or something.
+ All this is only useful if we didn't say -p for listening, since if we
+ said -p we *know* what port we're listening on. At any rate we won't bother
+ with it all unless we wanted to see it, although listening quietly on a
+ random unknown port is probably not very useful without "netstat". */
+ if (o_verbose) {
+ x = sizeof (SA); /* how 'bout getsockNUM instead, pinheads?! */
+ rr = getsockname (nnetfd, (SA *) lclend, &x);
+ if (rr < 0)
+ holler ("local getsockname failed");
+ strcpy (bigbuf_net, "listening on ["); /* buffer reuse... */
+ if (lclend->sin_addr.s_addr)
+ strcat (bigbuf_net, inet_ntoa (lclend->sin_addr));
+ else
+ strcat (bigbuf_net, "any");
+ strcat (bigbuf_net, "] %d ...");
+ z = ntohs (lclend->sin_port);
+ holler (bigbuf_net, z);
+ } /* verbose -- whew!! */
+
+/* UDP is a speeeeecial case -- we have to do I/O *and* get the calling
+ party's particulars all at once, listen() and accept() don't apply.
+ At least in the BSD universe, however, recvfrom/PEEK is enough to tell
+ us something came in, and we can set things up so straight read/write
+ actually does work after all. Yow. YMMV on strange platforms! */
+ if (o_udpmode) {
+ x = sizeof (SA); /* retval for recvfrom */
+ arm (2, o_wait); /* might as well timeout this, too */
+ if (setjmp (jbuf) == 0) { /* do timeout for initial connect */
+ rr = recvfrom /* and here we block... */
+ (nnetfd, bigbuf_net, BIGSIZ, MSG_PEEK, (SA *) remend, &x);
+Debug (("dolisten/recvfrom ding, rr = %d, netbuf %s ", rr, bigbuf_net))
+ } else
+ goto dol_tmo; /* timeout */
+ arm (0, 0);
+/* I'm not completely clear on how this works -- BSD seems to make UDP
+ just magically work in a connect()ed context, but we'll undoubtedly run
+ into systems this deal doesn't work on. For now, we apparently have to
+ issue a connect() on our just-tickled socket so we can write() back.
+ Again, why the fuck doesn't it just get filled in and taken care of?!
+ This hack is anything but optimal. Basically, if you want your listener
+ to also be able to send data back, you need this connect() line, which
+ also has the side effect that now anything from a different source or even a
+ different port on the other end won't show up and will cause ICMP errors.
+ I guess that's what they meant by "connect".
+ Let's try to remember what the "U" is *really* for, eh? */
+ rr = connect (nnetfd, (SA *)remend, sizeof (SA));
+ goto whoisit;
+ } /* o_udpmode */
+
+/* fall here for TCP */
+ x = sizeof (SA); /* retval for accept */
+ arm (2, o_wait); /* wrap this in a timer, too; 0 = forever */
+ if (setjmp (jbuf) == 0) {
+ rr = accept (nnetfd, (SA *)remend, &x);
+ } else
+ goto dol_tmo; /* timeout */
+ arm (0, 0);
+ close (nnetfd); /* dump the old socket */
+ nnetfd = rr; /* here's our new one */
+
+whoisit:
+ if (rr < 0)
+ goto dol_err; /* bail out if any errors so far */
+
+/* If we can, look for any IP options. Useful for testing the receiving end of
+ such things, and is a good exercise in dealing with it. We do this before
+ the connect message, to ensure that the connect msg is uniformly the LAST
+ thing to emerge after all the intervening crud. Doesn't work for UDP on
+ any machines I've tested, but feel free to surprise me. */
+#ifdef IP_OPTIONS
+ if (! o_verbose) /* if we wont see it, we dont care */
+ goto dol_noop;
+ optbuf = Hmalloc (40);
+ x = 40;
+ rr = getsockopt (nnetfd, IPPROTO_IP, IP_OPTIONS, optbuf, &x);
+ if (rr < 0)
+ holler ("getsockopt failed");
+Debug (("ipoptions ret len %d", x))
+ if (x) { /* we've got options, lessee em... */
+ unsigned char * q = (unsigned char *) optbuf;
+ char * p = bigbuf_net; /* local variables, yuk! */
+ char * pp = &bigbuf_net[128]; /* get random space farther out... */
+ memset (bigbuf_net, 0, 256); /* clear it all first */
+ while (x > 0) {
+ sprintf (pp, "%2.2x ", *q); /* clumsy, but works: turn into hex */
+ strcat (p, pp); /* and build the final string */
+ q++; p++;
+ x--;
+ }
+ holler ("IP options: %s", bigbuf_net);
+ } /* if x, i.e. any options */
+dol_noop:
+#endif /* IP_OPTIONS */
+
+/* find out what address the connection was *to* on our end, in case we're
+ doing a listen-on-any on a multihomed machine. This allows one to
+ offer different services via different alias addresses, such as the
+ "virtual web site" hack. */
+ memset (bigbuf_net, 0, 64);
+ cp = &bigbuf_net[32];
+ x = sizeof (SA);
+ rr = getsockname (nnetfd, (SA *) lclend, &x);
+ if (rr < 0)
+ holler ("post-rcv getsockname failed");
+ strcpy (cp, inet_ntoa (lclend->sin_addr));
+
+/* now check out who it is. We don't care about mismatched DNS names here,
+ but any ADDR and PORT we specified had better fucking well match the caller.
+ Converting from addr to inet_ntoa and back again is a bit of a kludge, but
+ gethostpoop wants a string and there's much gnarlier code out there already,
+ so I don't feel bad.
+ The *real* question is why BFD sockets wasn't designed to allow listens for
+ connections *from* specific hosts/ports, instead of requiring the caller to
+ accept the connection and then reject undesireable ones by closing. In
+ other words, we need a TCP MSG_PEEK. */
+ z = ntohs (remend->sin_port);
+ strcpy (bigbuf_net, inet_ntoa (remend->sin_addr));
+ whozis = gethostpoop (bigbuf_net, o_nflag);
+ errno = 0;
+ x = 0; /* use as a flag... */
+ if (rad) /* xxx: fix to go down the *list* if we have one? */
+ if (memcmp (rad, whozis->iaddrs, sizeof (SA)))
+ x = 1;
+ if (rp)
+ if (z != rp)
+ x = 1;
+ if (x) /* guilty! */
+ bail ("invalid connection to [%s] from %s [%s] %d",
+ cp, whozis->name, whozis->addrs[0], z);
+ holler ("connect to [%s] from %s [%s] %d", /* oh, you're okay.. */
+ cp, whozis->name, whozis->addrs[0], z);
+ return (nnetfd); /* open! */
+
+dol_tmo:
+ errno = ETIMEDOUT; /* fake it */
+dol_err:
+ close (nnetfd);
+ return (-1);
+} /* dolisten */
+
+/* udptest :
+ fire a couple of packets at a UDP target port, just to see if it's really
+ there. On BSD kernels, ICMP host/port-unreachable errors get delivered to
+ our socket as ECONNREFUSED write errors. On SV kernels, we lose; we'll have
+ to collect and analyze raw ICMP ourselves a la satan's probe_udp_ports
+ backend. Guess where one could swipe the appropriate code from...
+
+ Use the time delay between writes if given, otherwise use the "tcp ping"
+ trick for getting the RTT. [I got that idea from pluvius, and warped it.]
+ Return either the original fd, or clean up and return -1. */
+udptest (fd, where)
+ int fd;
+ IA * where;
+{
+ register int rr;
+
+ rr = write (fd, bigbuf_in, 1);
+ if (rr != 1)
+ holler ("udptest first write failed?! errno %d", errno);
+ if (o_wait)
+ sleep (o_wait);
+ else {
+/* use the tcp-ping trick: try connecting to a normally refused port, which
+ causes us to block for the time that SYN gets there and RST gets back.
+ Not completely reliable, but it *does* mostly work. */
+ o_udpmode = 0; /* so doconnect does TCP this time */
+/* Set a temporary connect timeout, so packet filtration doesnt cause
+ us to hang forever, and hit it */
+ o_wait = 5; /* enough that we'll notice?? */
+ rr = doconnect (where, SLEAZE_PORT, 0, 0);
+ if (rr > 0)
+ close (rr); /* in case it *did* open */
+ o_wait = 0; /* reset it */
+ o_udpmode++; /* we *are* still doing UDP, right? */
+ } /* if o_wait */
+ errno = 0; /* clear from sleep */
+ rr = write (fd, bigbuf_in, 1);
+ if (rr == 1) /* if write error, no UDP listener */
+ return (fd);
+ close (fd); /* use it or lose it! */
+ return (-1);
+} /* udptest */
+
+/* oprint :
+ Hexdump bytes shoveled either way to a running logfile, in the format:
+D offset - - - - --- 16 bytes --- - - - - # .... ascii .....
+ where "which" sets the direction indicator, D:
+ 0 -- sent to network, or ">"
+ 1 -- rcvd and printed to stdout, or "<"
+ and "buf" and "n" are data-block and length. If the current block generates
+ a partial line, so be it; we *want* that lockstep indication of who sent
+ what when. Adapted from dgaudet's original example -- but must be ripping
+ *fast*, since we don't want to be too disk-bound... */
+void oprint (which, buf, n)
+ int which;
+ char * buf;
+ int n;
+{
+ int bc; /* in buffer count */
+ int obc; /* current "global" offset */
+ int soc; /* stage write count */
+ register unsigned char * p; /* main buf ptr; m.b. unsigned here */
+ register unsigned char * op; /* out hexdump ptr */
+ register unsigned char * a; /* out asc-dump ptr */
+ register int x;
+ register unsigned int y;
+
+ if (! ofd)
+ bail ("oprint called with no open fd?!");
+ if (n == 0)
+ return;
+
+ op = stage;
+ if (which) {
+ *op = '<';
+ obc = wrote_out; /* use the globals! */
+ } else {
+ *op = '>';
+ obc = wrote_net;
+ }
+ op++; /* preload "direction" */
+ *op = ' ';
+ p = (unsigned char *) buf;
+ bc = n;
+ stage[59] = '#'; /* preload separator */
+ stage[60] = ' ';
+
+ while (bc) { /* for chunk-o-data ... */
+ x = 16;
+ soc = 78; /* len of whole formatted line */
+ if (bc < x) {
+ soc = soc - 16 + bc; /* fiddle for however much is left */
+ x = (bc * 3) + 11; /* 2 digits + space per, after D & offset */
+ op = &stage[x];
+ x = 16 - bc;
+ while (x) {
+ *op++ = ' '; /* preload filler spaces */
+ *op++ = ' ';
+ *op++ = ' ';
+ x--;
+ }
+ x = bc; /* re-fix current linecount */
+ } /* if bc < x */
+
+ bc -= x; /* fix wrt current line size */
+ sprintf (&stage[2], "%8.8x ", obc); /* xxx: still slow? */
+ obc += x; /* fix current offset */
+ op = &stage[11]; /* where hex starts */
+ a = &stage[61]; /* where ascii starts */
+
+ while (x) { /* for line of dump, however long ... */
+ y = (int)(*p >> 4); /* hi half */
+ *op = hexnibs[y];
+ op++;
+ y = (int)(*p & 0x0f); /* lo half */
+ *op = hexnibs[y];
+ op++;
+ *op = ' ';
+ op++;
+ if ((*p > 31) && (*p < 127))
+ *a = *p; /* printing */
+ else
+ *a = '.'; /* nonprinting, loose def */
+ a++;
+ p++;
+ x--;
+ } /* while x */
+ *a = '\n'; /* finish the line */
+ x = write (ofd, stage, soc);
+ if (x < 0)
+ bail ("ofd write err");
+ } /* while bc */
+} /* oprint */
+
+#ifdef TELNET
+USHORT o_tn = 0; /* global -t option */
+
+/* atelnet :
+ Answer anything that looks like telnet negotiation with don't/won't.
+ This doesn't modify any data buffers, update the global output count,
+ or show up in a hexdump -- it just shits into the outgoing stream.
+ Idea and codebase from Mudge@l0pht.com. */
+void atelnet (buf, size)
+ unsigned char * buf; /* has to be unsigned here! */
+ unsigned int size;
+{
+ static unsigned char obuf [4]; /* tiny thing to build responses into */
+ register int x;
+ register unsigned char y;
+ register unsigned char * p;
+
+ y = 0;
+ p = buf;
+ x = size;
+ while (x > 0) {
+ if (*p != 255) /* IAC? */
+ goto notiac;
+ obuf[0] = 255;
+ p++; x--;
+ if ((*p == 251) || (*p == 252)) /* WILL or WONT */
+ y = 254; /* -> DONT */
+ if ((*p == 253) || (*p == 254)) /* DO or DONT */
+ y = 252; /* -> WONT */
+ if (y) {
+ obuf[1] = y;
+ p++; x--;
+ obuf[2] = *p; /* copy actual option byte */
+ (void) write (netfd, obuf, 3);
+/* if one wanted to bump wrote_net or do a hexdump line, here's the place */
+ y = 0;
+ } /* if y */
+notiac:
+ p++; x--;
+ } /* while x */
+} /* atelnet */
+#endif /* TELNET */
+
+/* readwrite :
+ handle stdin/stdout/network I/O. Bwahaha!! -- the select loop from hell.
+ In this instance, return what might become our exit status. */
+int readwrite (fd)
+ int fd;
+{
+ register int rr;
+ register char * zp; /* stdin buf ptr */
+ register char * np; /* net-in buf ptr */
+ unsigned int rzleft;
+ unsigned int rnleft;
+ USHORT netretry; /* net-read retry counter */
+ USHORT wretry; /* net-write sanity counter */
+ USHORT wfirst; /* one-shot flag to skip first net read */
+
+/* if you don't have all this FD_* macro hair in sys/types.h, you'll have to
+ either find it or do your own bit-bashing: *ding1 |= (1 << fd), etc... */
+ if (fd > FD_SETSIZE) {
+ holler ("Preposterous fd value %d", fd);
+ return (1);
+ }
+ FD_SET (fd, ding1); /* global: the net is open */
+ netretry = 2;
+ wfirst = 0;
+ rzleft = rnleft = 0;
+ if (insaved) {
+ rzleft = insaved; /* preload multi-mode fakeouts */
+ zp = bigbuf_in;
+ wfirst = 1;
+ if (Single) /* if not scanning, this is a one-off first */
+ insaved = 0; /* buffer left over from argv construction, */
+ else {
+ FD_CLR (0, ding1); /* OR we've already got our repeat chunk, */
+ close (0); /* so we won't need any more stdin */
+ } /* Single */
+ } /* insaved */
+ if (o_interval)
+ sleep (o_interval); /* pause *before* sending stuff, too */
+ errno = 0; /* clear from sleep, close, whatever */
+
+/* and now the big ol' select shoveling loop ... */
+ while (FD_ISSET (fd, ding1)) { /* i.e. till the *net* closes! */
+ wretry = 8200; /* more than we'll ever hafta write */
+ if (wfirst) { /* any saved stdin buffer? */
+ wfirst = 0; /* clear flag for the duration */
+ goto shovel; /* and go handle it first */
+ }
+ *ding2 = *ding1; /* FD_COPY ain't portable... */
+/* some systems, notably linux, crap into their select timers on return, so
+ we create a expendable copy and give *that* to select. *Fuck* me ... */
+ if (timer1)
+ memcpy (timer2, timer1, sizeof (struct timeval));
+ rr = select (16, ding2, 0, 0, timer2); /* here it is, kiddies */
+ if (rr < 0) {
+ if (errno != EINTR) { /* might have gotten ^Zed, etc ?*/
+ holler ("select fuxored");
+ close (fd);
+ return (1);
+ }
+ } /* select fuckup */
+/* if we have a timeout AND stdin is closed AND we haven't heard anything
+ from the net during that time, assume it's dead and close it too. */
+ if (rr == 0) {
+ if (! FD_ISSET (0, ding1))
+ netretry--; /* we actually try a coupla times. */
+ if (! netretry) {
+ if (o_verbose > 1) /* normally we don't care */
+ holler ("net timeout");
+ close (fd);
+ return (0); /* not an error! */
+ }
+ } /* select timeout */
+/* xxx: should we check the exception fds too? The read fds seem to give
+ us the right info, and none of the examples I found bothered. */
+
+/* Ding!! Something arrived, go check all the incoming hoppers, net first */
+ if (FD_ISSET (fd, ding2)) { /* net: ding! */
+ rr = read (fd, bigbuf_net, BIGSIZ);
+ if (rr <= 0) {
+ FD_CLR (fd, ding1); /* net closed, we'll finish up... */
+ rzleft = 0; /* can't write anymore: broken pipe */
+ } else {
+ rnleft = rr;
+ np = bigbuf_net;
+#ifdef TELNET
+ if (o_tn)
+ atelnet (np, rr); /* fake out telnet stuff */
+#endif /* TELNET */
+ } /* if rr */
+Debug (("got %d from the net, errno %d", rr, errno))
+ } /* net:ding */
+
+/* if we're in "slowly" mode there's probably still stuff in the stdin
+ buffer, so don't read unless we really need MORE INPUT! MORE INPUT! */
+ if (rzleft)
+ goto shovel;
+
+/* okay, suck more stdin */
+ if (FD_ISSET (0, ding2)) { /* stdin: ding! */
+ rr = read (0, bigbuf_in, BIGSIZ);
+/* Considered making reads here smaller for UDP mode, but 8192-byte
+ mobygrams are kinda fun and exercise the reassembler. */
+ if (rr <= 0) { /* at end, or fukt, or ... */
+ FD_CLR (0, ding1); /* disable and close stdin */
+ close (0);
+ } else {
+ rzleft = rr;
+ zp = bigbuf_in;
+/* special case for multi-mode -- we'll want to send this one buffer to every
+ open TCP port or every UDP attempt, so save its size and clean up stdin */
+ if (! Single) { /* we might be scanning... */
+ insaved = rr; /* save len */
+ FD_CLR (0, ding1); /* disable further junk from stdin */
+ close (0); /* really, I mean it */
+ } /* Single */
+ } /* if rr/read */
+ } /* stdin:ding */
+
+shovel:
+/* now that we've dingdonged all our thingdings, send off the results.
+ Geez, why does this look an awful lot like the big loop in "rsh"? ...
+ not sure if the order of this matters, but write net -> stdout first. */
+
+/* sanity check. Works because they're both unsigned... */
+ if ((rzleft > 8200) || (rnleft > 8200)) {
+ holler ("Bogus buffers: %d, %d", rzleft, rnleft);
+ rzleft = rnleft = 0;
+ }
+/* net write retries sometimes happen on UDP connections */
+ if (! wretry) { /* is something hung? */
+ holler ("too many output retries");
+ return (1);
+ }
+ if (rnleft) {
+ rr = write (1, np, rnleft);
+ if (rr > 0) {
+ if (o_wfile)
+ oprint (1, np, rr); /* log the stdout */
+ np += rr; /* fix up ptrs and whatnot */
+ rnleft -= rr; /* will get sanity-checked above */
+ wrote_out += rr; /* global count */
+ }
+Debug (("wrote %d to stdout, errno %d", rr, errno))
+ } /* rnleft */
+ if (rzleft) {
+ if (o_interval) /* in "slowly" mode ?? */
+ rr = findline (zp, rzleft);
+ else
+ rr = rzleft;
+ rr = write (fd, zp, rr); /* one line, or the whole buffer */
+ if (rr > 0) {
+ if (o_wfile)
+ oprint (0, zp, rr); /* log what got sent */
+ zp += rr;
+ rzleft -= rr;
+ wrote_net += rr; /* global count */
+ }
+Debug (("wrote %d to net, errno %d", rr, errno))
+ } /* rzleft */
+ if (o_interval) { /* cycle between slow lines, or ... */
+ sleep (o_interval);
+ errno = 0; /* clear from sleep */
+ continue; /* ...with hairy select loop... */
+ }
+ if ((rzleft) || (rnleft)) { /* shovel that shit till they ain't */
+ wretry--; /* none left, and get another load */
+ goto shovel;
+ }
+ } /* while ding1:netfd is open */
+
+/* XXX: maybe want a more graceful shutdown() here, or screw around with
+ linger times?? I suspect that I don't need to since I'm always doing
+ blocking reads and writes and my own manual "last ditch" efforts to read
+ the net again after a timeout. I haven't seen any screwups yet, but it's
+ not like my test network is particularly busy... */
+ close (fd);
+ return (0);
+} /* readwrite */
+
+/* main :
+ now we pull it all together... */
+main (argc, argv)
+ int argc;
+ char ** argv;
+{
+#ifndef HAVE_GETOPT
+ extern char * optarg;
+ extern int optind, optopt;
+#endif
+ register int x;
+ register char *cp;
+ HINF * gp;
+ HINF * whereto = NULL;
+ HINF * wherefrom = NULL;
+ IA * ouraddr = NULL;
+ IA * themaddr = NULL;
+ USHORT o_lport = 0;
+ USHORT ourport = 0;
+ USHORT loport = 0; /* for scanning stuff */
+ USHORT hiport = 0;
+ USHORT curport = 0;
+ char * randports = NULL;
+
+#ifdef HAVE_BIND
+/* can *you* say "cc -yaddayadda netcat.c -lresolv -l44bsd" on SunLOSs? */
+ res_init();
+#endif
+/* I was in this barbershop quartet in Skokie IL ... */
+/* round up the usual suspects, i.e. malloc up all the stuff we need */
+ lclend = (SAI *) Hmalloc (sizeof (SA));
+ remend = (SAI *) Hmalloc (sizeof (SA));
+ bigbuf_in = Hmalloc (BIGSIZ);
+ bigbuf_net = Hmalloc (BIGSIZ);
+ ding1 = (fd_set *) Hmalloc (sizeof (fd_set));
+ ding2 = (fd_set *) Hmalloc (sizeof (fd_set));
+ portpoop = (PINF *) Hmalloc (sizeof (PINF));
+
+ errno = 0;
+ gatesptr = 4;
+ h_errno = 0;
+
+/* catch a signal or two for cleanup */
+ signal (SIGINT, catch);
+ signal (SIGQUIT, catch);
+ signal (SIGTERM, catch);
+/* and suppress others... */
+#ifdef SIGURG
+ signal (SIGURG, SIG_IGN);
+#endif
+#ifdef SIGPIPE
+ signal (SIGPIPE, SIG_IGN); /* important! */
+#endif
+
+/* if no args given at all, get 'em from stdin, construct an argv, and hand
+ anything left over to readwrite(). */
+ if (argc == 1) {
+ cp = argv[0];
+ argv = (char **) Hmalloc (128 * sizeof (char *)); /* XXX: 128? */
+ argv[0] = cp; /* leave old prog name intact */
+ cp = Hmalloc (BIGSIZ);
+ argv[1] = cp; /* head of new arg block */
+ fprintf (stderr, "Cmd line: ");
+ fflush (stderr); /* I dont care if it's unbuffered or not! */
+ insaved = read (0, cp, BIGSIZ); /* we're gonna fake fgets() here */
+ if (insaved <= 0)
+ bail ("wrong");
+ x = findline (cp, insaved);
+ if (x)
+ insaved -= x; /* remaining chunk size to be sent */
+ if (insaved) /* which might be zero... */
+ memcpy (bigbuf_in, &cp[x], insaved);
+ cp = strchr (argv[1], '\n');
+ if (cp)
+ *cp = '\0';
+ cp = strchr (argv[1], '\r'); /* look for ^M too */
+ if (cp)
+ *cp = '\0';
+
+/* find and stash pointers to remaining new "args" */
+ cp = argv[1];
+ cp++; /* skip past first char */
+ x = 2; /* we know argv 0 and 1 already */
+ for (; *cp != '\0'; cp++) {
+ if (*cp == ' ') {
+ *cp = '\0'; /* smash all spaces */
+ continue;
+ } else {
+ if (*(cp-1) == '\0') {
+ argv[x] = cp;
+ x++;
+ }
+ } /* if space */
+ } /* for cp */
+ argc = x;
+ } /* if no args given */
+
+/* If your shitbox doesn't have getopt, step into the nineties already. */
+/* optarg, optind = next-argv-component [i.e. flag arg]; optopt = last-char */
+ while ((x = getopt (argc, argv, "ae:g:G:hi:lno:p:rs:tuvw:z")) != EOF) {
+/* Debug (("in go: x now %c, optarg %x optind %d", x, optarg, optind)) */
+ switch (x) {
+ case 'a':
+ bail ("all-A-records NIY");
+ o_alla++; break;
+#ifdef GAPING_SECURITY_HOLE
+ case 'e': /* prog to exec */
+ pr00gie = optarg;
+ break;
+#endif
+ case 'G': /* srcrt gateways pointer val */
+ x = atoi (optarg);
+ if ((x) && (x == (x & 0x1c))) /* mask off bits of fukt values */
+ gatesptr = x;
+ else
+ bail ("invalid hop pointer %d, must be multiple of 4 <= 28", x);
+ break;
+ case 'g': /* srcroute hop[s] */
+ if (gatesidx > 8)
+ bail ("too many -g hops");
+ if (gates == NULL) /* eat this, Billy-boy */
+ gates = (HINF **) Hmalloc (sizeof (HINF *) * 10);
+ gp = gethostpoop (optarg, o_nflag);
+ if (gp)
+ gates[gatesidx] = gp;
+ gatesidx++;
+ break;
+ case 'h':
+ errno = 0;
+#ifdef HAVE_HELP
+ helpme(); /* exits by itself */
+#else
+ bail ("no help available, dork -- RTFS");
+#endif
+ case 'i': /* line-interval time */
+ o_interval = atoi (optarg) & 0xffff;
+ if (! o_interval)
+ bail ("invalid interval time %s", optarg);
+ break;
+ case 'l': /* listen mode */
+ o_listen++; break;
+ case 'n': /* numeric-only, no DNS lookups */
+ o_nflag++; break;
+ case 'o': /* hexdump log */
+ stage = (unsigned char *) optarg;
+ o_wfile++; break;
+ case 'p': /* local source port */
+ o_lport = getportpoop (optarg, 0);
+ if (o_lport == 0)
+ bail ("invalid local port %s", optarg);
+ break;
+ case 'r': /* randomize various things */
+ o_random++; break;
+ case 's': /* local source address */
+/* do a full lookup [since everything else goes through the same mill],
+ unless -n was previously specified. In fact, careful placement of -n can
+ be useful, so we'll still pass o_nflag here instead of forcing numeric. */
+ wherefrom = gethostpoop (optarg, o_nflag);
+ ouraddr = &wherefrom->iaddrs[0];
+ break;
+#ifdef TELNET
+ case 't': /* do telnet fakeout */
+ o_tn++; break;
+#endif /* TELNET */
+ case 'u': /* use UDP */
+ o_udpmode++; break;
+ case 'v': /* verbose */
+ o_verbose++; break;
+ case 'w': /* wait time */
+ o_wait = atoi (optarg);
+ if (o_wait <= 0)
+ bail ("invalid wait-time %s", optarg);
+ timer1 = (struct timeval *) Hmalloc (sizeof (struct timeval));
+ timer2 = (struct timeval *) Hmalloc (sizeof (struct timeval));
+ timer1->tv_sec = o_wait; /* we need two. see readwrite()... */
+ break;
+ case 'z': /* little or no data xfer */
+ o_zero++;
+ break;
+ default:
+ errno = 0;
+ bail ("nc -h for help");
+ } /* switch x */
+ } /* while getopt */
+
+/* other misc initialization */
+Debug (("fd_set size %d", sizeof (*ding1))) /* how big *is* it? */
+ FD_SET (0, ding1); /* stdin *is* initially open */
+ if (o_random) {
+ SRAND (time (0));
+ randports = Hmalloc (65536); /* big flag array for ports */
+ }
+#ifdef GAPING_SECURITY_HOLE
+ if (pr00gie) {
+ close (0); /* won't need stdin */
+ o_wfile = 0; /* -o with -e is meaningless! */
+ ofd = 0;
+ }
+#endif /* G_S_H */
+ if (o_wfile) {
+ ofd = open (stage, O_WRONLY | O_CREAT | O_TRUNC, 0664);
+ if (ofd <= 0) /* must be > extant 0/1/2 */
+ bail ("can't open %s", stage);
+ stage = (unsigned char *) Hmalloc (100);
+ }
+
+/* optind is now index of first non -x arg */
+Debug (("after go: x now %c, optarg %x optind %d", x, optarg, optind))
+/* Debug (("optind up to %d at host-arg %s", optind, argv[optind])) */
+/* gonna only use first addr of host-list, like our IQ was normal; if you wanna
+ get fancy with addresses, look up the list yourself and plug 'em in for now.
+ unless we finally implement -a, that is. */
+ if (argv[optind])
+ whereto = gethostpoop (argv[optind], o_nflag);
+ if (whereto && whereto->iaddrs)
+ themaddr = &whereto->iaddrs[0];
+ if (themaddr)
+ optind++; /* skip past valid host lookup */
+ errno = 0;
+ h_errno = 0;
+
+/* Handle listen mode here, and exit afterward. Only does one connect;
+ this is arguably the right thing to do. A "persistent listen-and-fork"
+ mode a la inetd has been thought about, but not implemented. A tiny
+ wrapper script can handle such things... */
+ if (o_listen) {
+ curport = 0; /* rem port *can* be zero here... */
+ if (argv[optind]) { /* any rem-port-arg? */
+ curport = getportpoop (argv[optind], 0);
+ if (curport == 0) /* if given, demand correctness */
+ bail ("invalid port %s", argv[optind]);
+ } /* if port-arg */
+ netfd = dolisten (themaddr, curport, ouraddr, o_lport);
+/* dolisten does its own connect reporting, so we don't holler anything here */
+ if (netfd > 0) {
+#ifdef GAPING_SECURITY_HOLE
+ if (pr00gie) /* -e given? */
+ doexec (netfd);
+#endif /* GAPING_SECURITY_HOLE */
+ x = readwrite (netfd); /* it even works with UDP! */
+ if (o_verbose > 1) /* normally we don't care */
+ holler (wrote_txt, wrote_net, wrote_out);
+ exit (x); /* "pack out yer trash" */
+ } else /* if no netfd */
+ bail ("no connection");
+ } /* o_listen */
+
+/* fall thru to outbound connects. Now we're more picky about args... */
+ if (! themaddr)
+ bail ("no destination");
+ if (argv[optind] == NULL)
+ bail ("no port[s] to connect to");
+ if (argv[optind + 1]) /* look ahead: any more port args given? */
+ Single = 0; /* multi-mode, case A */
+ ourport = o_lport; /* which can be 0 */
+
+/* everything from here down is treated as as ports and/or ranges thereof, so
+ it's all enclosed in this big ol' argv-parsin' loop. Any randomization is
+ done within each given *range*, but in separate chunks per each succeeding
+ argument, so we can control the pattern somewhat. */
+ while (argv[optind]) {
+ hiport = loport = 0;
+ cp = strchr (argv[optind], '-'); /* nn-mm range? */
+ if (cp) {
+ *cp = '\0';
+ cp++;
+ hiport = getportpoop (cp, 0);
+ if (hiport == 0)
+ bail ("invalid port %s", cp);
+ } /* if found a dash */
+ loport = getportpoop (argv[optind], 0);
+ if (loport == 0)
+ bail ("invalid port %s", argv[optind]);
+ if (hiport > loport) { /* was it genuinely a range? */
+ Single = 0; /* multi-mode, case B */
+ curport = hiport; /* start high by default */
+ if (o_random) { /* maybe populate the random array */
+ loadports (randports, loport, hiport);
+ curport = nextport (randports);
+ }
+ } else /* not a range, including args like "25-25" */
+ curport = loport;
+Debug (("Single %d, curport %d", Single, curport))
+
+/* Now start connecting to these things. curport is already preloaded. */
+ while (loport <= curport) {
+ if ((! o_lport) && (o_random)) { /* -p overrides random local-port */
+ ourport = (RAND() & 0xffff); /* random local-bind -- well above */
+ if (ourport < 8192) /* resv and any likely listeners??? */
+ ourport += 8192; /* if it *still* conflicts, use -s. */
+ }
+ curport = getportpoop (NULL, curport);
+ netfd = doconnect (themaddr, curport, ouraddr, ourport);
+Debug (("netfd %d from port %d to port %d", netfd, ourport, curport))
+ if (netfd > 0)
+ if (o_zero && o_udpmode) /* if UDP scanning... */
+ netfd = udptest (netfd, themaddr);
+ if (netfd > 0) { /* Yow, are we OPEN YET?! */
+ x = 0; /* pre-exit status */
+ holler ("%s [%s] %d (%s) open",
+ whereto->name, whereto->addrs[0], curport, portpoop->name);
+#ifdef GAPING_SECURITY_HOLE
+ if (pr00gie) /* exec is valid for outbound, too */
+ doexec (netfd);
+#endif /* GAPING_SECURITY_HOLE */
+ if (! o_zero)
+ x = readwrite (netfd); /* go shovel shit */
+ } else { /* no netfd... */
+ x = 1; /* preload exit status for later */
+/* if we're scanning at a "one -v" verbosity level, don't print refusals.
+ Give it another -v if you want to see everything. */
+ if ((Single || (o_verbose > 1)) || (errno != ECONNREFUSED))
+ holler ("%s [%s] %d (%s)",
+ whereto->name, whereto->addrs[0], curport, portpoop->name);
+ } /* if netfd */
+ close (netfd); /* just in case we didn't already */
+ if (o_interval)
+ sleep (o_interval); /* if -i, delay between ports too */
+ if (o_random)
+ curport = nextport (randports);
+ else
+ curport--; /* just decrement... */
+ } /* while curport within current range */
+ optind++;
+ } /* while remaining port-args -- end of big argv-ports loop*/
+
+ errno = 0;
+ if (o_verbose > 1) /* normally we don't care */
+ holler (wrote_txt, wrote_net, wrote_out);
+ if (Single)
+ exit (x); /* give us status on one connection */
+ exit (0); /* otherwise, we're just done */
+} /* main */
+
+#ifdef HAVE_HELP /* unless we wanna be *really* cryptic */
+/* helpme :
+ the obvious */
+helpme()
+{
+ o_verbose = 1;
+ holler ("[v1.10]\n\
+connect to somewhere: nc [-options] hostname port[s] [ports] ... \n\
+listen for inbound: nc -l -p port [-options] [hostname] [port]\n\
+options:");
+/* sigh, this necessarily gets messy. And the trailing \ characters may be
+ interpreted oddly by some compilers, generating or not generating extra
+ newlines as they bloody please. u-fix... */
+#ifdef GAPING_SECURITY_HOLE /* needs to be separate holler() */
+ holler ("\
+ -e prog program to exec after connect [dangerous!!]");
+#endif
+ holler ("\
+ -g gateway source-routing hop point[s], up to 8\n\
+ -G num source-routing pointer: 4, 8, 12, ...\n\
+ -h this cruft\n\
+ -i secs delay interval for lines sent, ports scanned\n\
+ -l listen mode, for inbound connects\n\
+ -n numeric-only IP addresses, no DNS\n\
+ -o file hex dump of traffic\n\
+ -p port local port number\n\
+ -r randomize local and remote ports\n\
+ -s addr local source address");
+#ifdef TELNET
+ holler ("\
+ -t answer TELNET negotiation");
+#endif
+ holler ("\
+ -u UDP mode\n\
+ -v verbose [use twice to be more verbose]\n\
+ -w secs timeout for connects and final net reads\n\
+ -z zero-I/O mode [used for scanning]");
+ bail ("port numbers can be individual or ranges: lo-hi [inclusive]");
+} /* helpme */
+#endif /* HAVE_HELP */
+
+/* None genuine without this seal! _H*/
diff --git a/usr.bin/nc/scripts/README b/usr.bin/nc/scripts/README
new file mode 100644
index 00000000000..07aee0c8ea3
--- /dev/null
+++ b/usr.bin/nc/scripts/README
@@ -0,0 +1,5 @@
+A collection of example scripts that use netcat as a backend, each
+documented by its own internal comments.
+
+I'll be the first to admit that some of these are seriously *sick*,
+but they do work and are quite useful to me on a daily basis.
diff --git a/usr.bin/nc/scripts/alta b/usr.bin/nc/scripts/alta
new file mode 100644
index 00000000000..7a091767e8e
--- /dev/null
+++ b/usr.bin/nc/scripts/alta
@@ -0,0 +1,33 @@
+#! /bin/sh
+## special handler for altavista, since they only hand out chunks of 10 at
+## a time. Tries to isolate out results without the leading/trailing trash.
+## multiword arguments are foo+bar, as usual.
+## Second optional arg switches the "what" field, to e.g. "news"
+
+test "${1}" = "" && echo 'Needs an argument to search for!' && exit 1
+WHAT="web"
+test "${2}" && WHAT="${2}"
+
+# convert multiple args
+PLUSARG="`echo $* | sed 's/ /+/g'`"
+
+# Plug in arg. only doing simple-q for now; pg=aq for advanced-query
+# embedded quotes define phrases; otherwise it goes wild on multi-words
+QB="GET /cgi-bin/query?pg=q&what=${WHAT}&fmt=c&q=\"${PLUSARG}\""
+
+# ping 'em once, to get the routing warm
+nc -z -w 8 www.altavista.digital.com 24015 2> /dev/null
+echo "=== Altavista ==="
+
+for xx in 0 10 20 30 40 50 60 70 80 90 100 110 120 130 140 150 160 170 180 \
+ 190 200 210 220 230 240 250 260 270 280 290 300 310 320 330 340 350 ; do
+ echo "${QB}&stq=${xx}" | nc -w 15 www.altavista.digital.com 80 | \
+ egrep '^<a href="http://'
+done
+
+exit 0
+
+# old filter stuff
+ sed -e '/Documents .* matching .* query /,/query?.*stq=.* Document/p' \
+ -e d
+
diff --git a/usr.bin/nc/scripts/bsh b/usr.bin/nc/scripts/bsh
new file mode 100644
index 00000000000..796e480354a
--- /dev/null
+++ b/usr.bin/nc/scripts/bsh
@@ -0,0 +1,29 @@
+#! /bin/sh
+## a little wrapper to "password" and re-launch a shell-listener.
+## Arg is taken as the port to listen on. Define "NC" to point wherever.
+
+NC=nc
+
+case "$1" in
+ ?* )
+ LPN="$1"
+ export LPN
+ sleep 1
+ echo "-l -p $LPN -e $0" | $NC > /dev/null 2>&1 &
+ echo "launched on port $LPN"
+ exit 0
+ ;;
+esac
+
+# here we play inetd
+echo "-l -p $LPN -e $0" | $NC > /dev/null 2>&1 &
+
+while read qq ; do
+case "$qq" in
+# here's yer password
+ gimme )
+ cd /
+ exec csh -i
+ ;;
+esac
+done
diff --git a/usr.bin/nc/scripts/dist.sh b/usr.bin/nc/scripts/dist.sh
new file mode 100644
index 00000000000..4d2534a0e35
--- /dev/null
+++ b/usr.bin/nc/scripts/dist.sh
@@ -0,0 +1,23 @@
+#! /bin/sh
+## This is a quick example listen-exec server, which was used for a while to
+## distribute netcat prereleases. It illustrates use of netcat both as a
+## "fake inetd" and a syslogger, and how easy it then is to crock up a fairly
+## functional server that restarts its own listener and does full connection
+## logging. In a half-screen of shell script!!
+
+PORT=31337
+
+sleep 1
+SRC=`tail -1 dist.log`
+echo "<36>elite: ${SRC}" | ./nc -u -w 1 localhost 514 > /dev/null 2>&1
+echo ";;; Hi, ${SRC}..."
+echo ";;; This is a PRERELEASE version of 'netcat', tar/gzip/uuencoded."
+echo ";;; Unless you are capturing this somehow, it won't do you much good."
+echo ";;; Ready?? Here it comes! Have phun ..."
+sleep 8
+cat dist.file
+sleep 1
+./nc -v -l -p ${PORT} -e dist.sh < /dev/null >> dist.log 2>&1 &
+sleep 1
+echo "<36>elite: done" | ./nc -u -w 1 localhost 514 > /dev/null 2>&1
+exit 0
diff --git a/usr.bin/nc/scripts/irc b/usr.bin/nc/scripts/irc
new file mode 100644
index 00000000000..3557d7a0c6e
--- /dev/null
+++ b/usr.bin/nc/scripts/irc
@@ -0,0 +1,79 @@
+#! /bin/sh
+## Shit-simple script to supply the "privmsg <recipient>" of IRC typein, and
+## keep the connection alive. Pipe this thru "nc -v -w 5 irc-server port".
+## Note that this mechanism makes the script easy to debug without being live,
+## since it just echoes everything bound for the server.
+## if you want autologin-type stuff, construct some appropriate files and
+## shovel them in using the "<" mechanism.
+
+# magic arg: if "tick", do keepalive process instead of main loop
+if test "$1" = "tick" ; then
+# ignore most signals; the parent will nuke the kid
+# doesn't stop ^Z, of course.
+ trap '' 1 2 3 13 14 15 16
+ while true ; do
+ sleep 60
+ echo "PONG !"
+ done
+fi
+
+# top level: fire ourselves off as the keepalive process, and keep track of it
+sh $0 tick &
+ircpp=$!
+echo "[Keepalive: $ircpp]" >&2
+# catch our own batch of signals: hup int quit pipe alrm term urg
+trap 'kill -9 $ircpp ; exit 0' 1 2 3 13 14 15 16
+sleep 2
+
+sender=''
+savecmd=''
+
+# the big honkin' loop...
+while read xx yy ; do
+ case "${xx}" in
+# blank line: do nothing
+ "")
+ continue
+ ;;
+# new channel or recipient; if bare ">", we're back to raw literal mode.
+ ">")
+ if test "${yy}" ; then
+ sender="privmsg ${yy} :"
+ else
+ sender=''
+ fi
+ continue
+ ;;
+# send crud from a file, one line per second. Can you say "skr1pt kidz"??
+# *Note: uses current "recipient" if set.
+ "<")
+ if test -f "${yy}" ; then
+ ( while read zz ; do
+ sleep 1
+ echo "${sender}${zz}"
+ done ) < "$yy"
+ echo "[done]" >&2
+ else
+ echo "[File $yy not found]" >&2
+ fi
+ continue
+ ;;
+# do and save a single command, for quick repeat
+ "/")
+ if test "${yy}" ; then
+ savecmd="${yy}"
+ fi
+ echo "${savecmd}"
+ ;;
+# default case goes to recipient, just like always
+ *)
+ echo "${sender}${xx} ${yy}"
+ continue
+ ;;
+ esac
+done
+
+# parting shot, if you want it
+echo "quit :Bye all!"
+kill -9 $ircpp
+exit 0
diff --git a/usr.bin/nc/scripts/iscan b/usr.bin/nc/scripts/iscan
new file mode 100644
index 00000000000..6279bc817fe
--- /dev/null
+++ b/usr.bin/nc/scripts/iscan
@@ -0,0 +1,35 @@
+#! /bin/sh
+## duplicate DaveG's ident-scan thingie using netcat. Oooh, he'll be pissed.
+## args: target port [port port port ...]
+## hose stdout *and* stderr together.
+##
+## advantages: runs slower than ident-scan, giving remote inetd less cause
+## for alarm, and only hits the few known daemon ports you specify.
+## disadvantages: requires numeric-only port args, the output sleazitude,
+## and won't work for r-services when coming from high source ports.
+
+case "${2}" in
+ "" ) echo needs HOST and at least one PORT ; exit 1 ;;
+esac
+
+# ping 'em once and see if they *are* running identd
+nc -z -w 9 "$1" 113 || { echo "oops, $1 isn't running identd" ; exit 0 ; }
+
+# generate a randomish base port
+RP=`expr $$ % 999 + 31337`
+
+TRG="$1"
+shift
+
+while test "$1" ; do
+ nc -v -w 8 -p ${RP} "$TRG" ${1} < /dev/null > /dev/null &
+ PROC=$!
+ sleep 3
+ echo "${1},${RP}" | nc -w 4 -r "$TRG" 113 2>&1
+ sleep 2
+# does this look like a lamer script or what...
+ kill -HUP $PROC
+ RP=`expr ${RP} + 1`
+ shift
+done
+
diff --git a/usr.bin/nc/scripts/ncp b/usr.bin/nc/scripts/ncp
new file mode 100644
index 00000000000..1931b033858
--- /dev/null
+++ b/usr.bin/nc/scripts/ncp
@@ -0,0 +1,46 @@
+#! /bin/sh
+## Like "rcp" but uses netcat on a high port.
+## do "ncp targetfile" on the RECEIVING machine
+## then do "ncp sourcefile receivinghost" on the SENDING machine
+## if invoked as "nzp" instead, compresses transit data.
+
+## pick your own personal favorite port, which will be used on both ends.
+## You should probably change this for your own uses.
+MYPORT=23456
+
+## if "nc" isn't systemwide or in your PATH, add the right place
+# PATH=${HOME}:${PATH} ; export PATH
+
+test "$3" && echo "too many args" && exit 1
+test ! "$1" && echo "no args?" && exit 1
+me=`echo $0 | sed 's+.*/++'`
+test "$me" = "nzp" && echo '[compressed mode]'
+
+# if second arg, it's a host to send an [extant] file to.
+if test "$2" ; then
+ test ! -f "$1" && echo "can't find $1" && exit 1
+ if test "$me" = "nzp" ; then
+ compress -c < "$1" | nc -v -w 2 $2 $MYPORT && exit 0
+ else
+ nc -v -w 2 $2 $MYPORT < "$1" && exit 0
+ fi
+ echo "transfer FAILED!"
+ exit 1
+fi
+
+# fall here for receiver. Ask before trashing existing files
+if test -f "$1" ; then
+ echo -n "Overwrite $1? "
+ read aa
+ test ! "$aa" = "y" && echo "[punted!]" && exit 1
+fi
+# 30 seconds oughta be pleeeeenty of time, but change if you want.
+if test "$me" = "nzp" ; then
+ nc -v -w 30 -p $MYPORT -l < /dev/null | uncompress -c > "$1" && exit 0
+else
+ nc -v -w 30 -p $MYPORT -l < /dev/null > "$1" && exit 0
+fi
+echo "transfer FAILED!"
+# clean up, since even if the transfer failed, $1 is already trashed
+rm -f "$1"
+exit 1
diff --git a/usr.bin/nc/scripts/probe b/usr.bin/nc/scripts/probe
new file mode 100644
index 00000000000..c47dc3f495e
--- /dev/null
+++ b/usr.bin/nc/scripts/probe
@@ -0,0 +1,50 @@
+#! /bin/sh
+## launch a whole buncha shit at yon victim in no particular order; capture
+## stderr+stdout in one place. Run as root for rservice and low -p to work.
+## Fairly thorough example of using netcat to collect a lot of host info.
+## Will set off every intrusion alarm in existence on a paranoid machine!
+
+# where .d files are kept; "." if nothing else
+DDIR=../data
+# address of some well-connected router that groks LSRR
+GATE=192.157.69.11
+
+# might conceivably wanna change this for different run styles
+UCMD='nc -v -w 8'
+
+test ! "$1" && echo Needs victim arg && exit 1
+
+echo '' | $UCMD -w 9 -r "$1" 13 79 6667 2>&1
+echo '0' | $UCMD "$1" 79 2>&1
+# if LSRR was passed thru, should get refusal here:
+$UCMD -z -r -g $GATE "$1" 6473 2>&1
+$UCMD -r -z "$1" 6000 4000-4004 111 53 2105 137-140 1-20 540-550 95 87 2>&1
+# -s `hostname` may be wrong for some multihomed machines
+echo 'UDP echoecho!' | nc -u -p 7 -s `hostname` -w 3 "$1" 7 19 2>&1
+echo '113,10158' | $UCMD -p 10158 "$1" 113 2>&1
+rservice bin bin | $UCMD -p 1019 "$1" shell 2>&1
+echo QUIT | $UCMD -w 8 -r "$1" 25 158 159 119 110 109 1109 142-144 220 23 2>&1
+# newline after any telnet trash
+echo ''
+echo PASV | $UCMD -r "$1" 21 2>&1
+echo 'GET /' | $UCMD -w 10 "$1" 80 81 210 70 2>&1
+# sometimes contains useful directory info:
+echo 'GET /robots.txt' | $UCMD -w 10 "$1" 80 2>&1
+# now the big red lights go on
+rservice bin bin 9600/9600 | $UCMD -p 1020 "$1" login 2>&1
+rservice root root | $UCMD -r "$1" exec 2>&1
+echo 'BEGIN big udp -- everything may look "open" if packet-filtered'
+data -g < ${DDIR}/nfs-0.d | $UCMD -i 1 -u "$1" 2049 | od -x 2>&1
+# no wait-time, uses RTT hack
+nc -v -z -u -r "$1" 111 66-70 88 53 87 161-164 121-123 213 49 2>&1
+nc -v -z -u -r "$1" 137-140 694-712 747-770 175-180 2103 510-530 2>&1
+echo 'END big udp'
+$UCMD -r -z "$1" 175-180 2000-2003 530-533 1524 1525 666 213 8000 6250 2>&1
+# Use our identd-sniffer!
+iscan "$1" 21 25 79 80 111 53 6667 6000 2049 119 2>&1
+# this gets pretty intrusive, but what the fuck. Probe for portmap first
+if nc -w 5 -z -u "$1" 111 ; then
+ showmount -e "$1" 2>&1
+ rpcinfo -p "$1" 2>&1
+fi
+exit 0
diff --git a/usr.bin/nc/scripts/web b/usr.bin/nc/scripts/web
new file mode 100644
index 00000000000..382b18e1e3f
--- /dev/null
+++ b/usr.bin/nc/scripts/web
@@ -0,0 +1,148 @@
+#! /bin/sh
+## The web sucks. It is a mighty dismal kludge built out of a thousand
+## tiny dismal kludges all band-aided together, and now these bottom-line
+## clueless pinheads who never heard of "TCP handshake" want to run
+## *commerce* over the damn thing. Ye godz. Welcome to TV of the next
+## century -- six million channels of worthless shit to choose from, and
+## about as much security as today's cable industry!
+##
+## Having grown mightily tired of pain in the ass browsers, I decided
+## to build the minimalist client. It doesn't handle POST, just GETs, but
+## the majority of cgi forms handlers apparently ignore the method anyway.
+## A distinct advantage is that it *doesn't* pass on any other information
+## to the server, like Referer: or info about your local machine such as
+## Netscum tries to!
+##
+## Since the first version, this has become the *almost*-minimalist client,
+## but it saves a lot of typing now. And with netcat as its backend, it's
+## totally the balls. Don't have netcat? Get it here in /src/hacks!
+## _H* 950824, updated 951009 et seq.
+##
+## args: hostname [port]. You feed it the filename-parts of URLs.
+## In the loop, HOST, PORT, and SAVE do the right things; a null line
+## gets the previous spec again [useful for initial timeouts]; EOF to exit.
+## Relative URLs behave like a "cd" to wherever the last slash appears, or
+## just use the last component with the saved preceding "directory" part.
+## "\" clears the "filename" part and asks for just the "directory", and
+## ".." goes up one "directory" level while retaining the "filename" part.
+## Play around; you'll get used to it.
+
+if test "$1" = "" ; then
+ echo Needs hostname arg.
+ exit 1
+fi
+umask 022
+
+# optional PATH fixup
+# PATH=${HOME}:${PATH} ; export PATH
+
+test "${PAGER}" || PAGER=more
+BACKEND="nc -v -w 15"
+TMPAGE=/tmp/web$$
+host="$1"
+port="80"
+if test "$2" != "" ; then
+ port="$2"
+fi
+
+spec="/"
+specD="/"
+specF=''
+saving=''
+
+# be vaguely smart about temp file usage. Use your own homedir if you're
+# paranoid about someone symlink-racing your shell script, jeez.
+rm -f ${TMPAGE}
+test -f ${TMPAGE} && echo "Can't use ${TMPAGE}" && exit 1
+
+# get loopy. Yes, I know "echo -n" aint portable. Everything echoed would
+# need "\c" tacked onto the end in an SV universe, which you can fix yourself.
+while echo -n "${specD}${specF} " && read spec ; do
+ case $spec in
+ HOST)
+ echo -n 'New host: '
+ read host
+ continue
+ ;;
+ PORT)
+ echo -n 'New port: '
+ read port
+ continue
+ ;;
+ SAVE)
+ echo -n 'Save file: '
+ read saving
+# if we've already got a page, save it
+ test "${saving}" && test -f ${TMPAGE} &&
+ echo "=== ${host}:${specD}${specF} ===" >> $saving &&
+ cat ${TMPAGE} >> $saving && echo '' >> $saving
+ continue
+ ;;
+# changing the logic a bit here. Keep a state-concept of "current dir"
+# and "current file". Dir is /foo/bar/ ; file is "baz" or null.
+# leading slash: create whole new state.
+ /*)
+ specF=`echo "${spec}" | sed 's|.*/||'`
+ specD=`echo "${spec}" | sed 's|\(.*/\).*|\1|'`
+ spec="${specD}${specF}"
+ ;;
+# embedded slash: adding to the path. "file" part can be blank, too
+ */*)
+ specF=`echo "${spec}" | sed 's|.*/||'`
+ specD=`echo "${specD}${spec}" | sed 's|\(.*/\).*|\1|'`
+ ;;
+# dotdot: jump "up" one level and just reprompt [confirms what it did...]
+ ..)
+ specD=`echo "${specD}" | sed 's|\(.*/\)..*/|\1|'`
+ continue
+ ;;
+# blank line: do nothing, which will re-get the current one
+ '')
+ ;;
+# hack-quoted blank line: "\" means just zero out "file" part
+ '\')
+ specF=''
+ ;;
+# sigh
+ '?')
+ echo Help yourself. Read the script fer krissake.
+ continue
+ ;;
+# anything else is taken as a "file" part
+ *)
+ specF=${spec}
+ ;;
+ esac
+
+# now put it together and stuff it down a connection. Some lame non-unix
+# http servers assume they'll never get simple-query format, and wait till
+# an extra newline arrives. If you're up against one of these, change
+# below to (echo GET "$spec" ; echo '') | $BACKEND ...
+ spec="${specD}${specF}"
+ echo GET "${spec}" | $BACKEND $host $port > ${TMPAGE}
+ ${PAGER} ${TMPAGE}
+
+# save in a format that still shows the URLs we hit after a de-html run
+ if test "${saving}" ; then
+ echo "=== ${host}:${spec} ===" >> $saving
+ cat ${TMPAGE} >> $saving
+ echo '' >> $saving
+ fi
+done
+rm -f ${TMPAGE}
+exit 0
+
+#######
+# Encoding notes, finally from RFC 1738:
+# %XX -- hex-encode of special chars
+# allowed alphas in a URL: $_-.+!*'(),
+# relative names *not* described, but obviously used all over the place
+# transport://user:pass@host:port/path/name?query-string
+# wais: port 210, //host:port/database?search or /database/type/file?
+# cgi-bin/script?arg1=foo&arg2=bar&... scripts have to parse xxx&yyy&zzz
+# ISMAP imagemap stuff: /bin/foobar.map?xxx,yyy -- have to guess at coords!
+# local access-ctl files: ncsa: .htaccess ; cern: .www_acl
+#######
+# SEARCH ENGINES: fortunately, all are GET forms or at least work that way...
+# multi-word args for most cases: foo+bar
+# See 'websearch' for concise results of this research...
diff --git a/usr.bin/nc/scripts/webproxy b/usr.bin/nc/scripts/webproxy
new file mode 100644
index 00000000000..cee2d29fd14
--- /dev/null
+++ b/usr.bin/nc/scripts/webproxy
@@ -0,0 +1,138 @@
+#! /bin/sh
+## Web proxy, following the grand tradition of Web things being handled by
+## gross scripts. Uses netcat to listen on a high port [default 8000],
+## picks apart requests and sends them on to the right place. Point this
+## at the browser client machine you'll be coming from [to limit access to
+## only it], and point the browser's concept of an HTTP proxy to the
+## machine running this. Takes a single argument of the client that will
+## be using it, and rejects connections from elsewhere. LOGS the queries
+## to a configurable logfile, which can be an interesting read later on!
+## If the argument is "reset", the listener and logfile are cleaned up.
+##
+## This works surprisingly fast and well, for a shell script, although may
+## randomly fail when hammered by a browser that tries to open several
+## connections at once. Drop the "maximum connections" in your browser if
+## this is a problem.
+##
+## A more degenerate case of this, or preferably a small C program that
+## does the same thing under inetd, could handle a small site's worth of
+## proxy queries. Given the way browsers are evolving, proxies like this
+## can play an important role in protecting your own privacy.
+##
+## If you grabbed this in ASCII mode, search down for "eew" and make sure
+## the embedded-CR check is intact, or requests might hang.
+##
+## Doesn't handle POST forms. Who cares, if you're just watching HTTV?
+## Dumbness here has a highly desirable side effect: it only sends the first
+## GET line, since that's all you really ever need to send, and suppresses
+## the other somewhat revealing trash that most browsers insist on sending.
+
+# set these as you wish: proxy port...
+PORT=8000
+# logfile spec: a real file or /dev/null if you don't care
+LFILE=${0}.log
+# optional: where to dump connect info, so you can see if anything went wrong
+# CFILE=${0}.conn
+# optional extra args to the listener "nc", for instance "-s inside-net-addr"
+# XNC=''
+
+# functionality switch has to be done fast, so the next listener can start
+# prelaunch check: if no current client and no args, bail.
+case "${1}${CLIENT}" in
+ "")
+ echo needs client hostname
+ exit 1
+ ;;
+esac
+
+case "${1}" in
+ "")
+# Make like inetd, and run the next relayer process NOW. All the redirection
+# is necessary so this shell has NO remaining channel open to the net.
+# This will hang around for 10 minutes, and exit if no new connections arrive.
+# Using -n for speed, avoiding any DNS/port lookups.
+ nc -w 600 -n -l -p $PORT -e "$0" $XNC "$CLIENT" < /dev/null > /dev/null \
+ 2> $CFILE &
+ ;;
+esac
+
+# no client yet and had an arg, this checking can be much slower now
+umask 077
+
+if test "$1" ; then
+# if magic arg, just clean up and then hit our own port to cause server exit
+ if test "$1" = "reset" ; then
+ rm -f $LFILE
+ test -f "$CFILE" && rm -f $CFILE
+ nc -w 1 -n 127.0.0.1 $PORT < /dev/null > /dev/null 2>&1
+ exit 0
+ fi
+# find our ass with both hands
+ test ! -f "$0" && echo "Oops, cannot find my own corporeal being" && exit 1
+# correct launch: set up client access control, passed along thru environment.
+ CLIENT="$1"
+ export CLIENT
+ test "$CFILE" || CFILE=/dev/null
+ export CFILE
+ touch "$CFILE"
+# tell us what happened during the last run, if possible
+ if test -f "$CFILE" ; then
+ echo "Last connection results:"
+ cat $CFILE
+ fi
+
+# ping client machine and get its bare IP address
+ CLIENT=`nc -z -v -w 8 "$1" 22000 2>&1 | sed 's/.*\[\(..*\)\].*/\1/'`
+ test ! "$CLIENT" && echo "Can't find address of $1" && exit 1
+
+# if this was an initial launch, be informative about it
+ echo "=== Launch: $CLIENT" >> $LFILE
+ echo "Proxy running -- will accept connections on $PORT from $CLIENT"
+ echo " Logging queries to $LFILE"
+ test -f "$CFILE" && echo " and connection fuckups to $CFILE"
+
+# and run the first listener, showing us output just for the first hit
+ nc -v -w 600 -n -l -p $PORT -e "$0" $XNC "$CLIENT" &
+ exit 0
+fi
+
+# Fall here to handle a page.
+# GET type://host.name:80/file/path HTTP/1.0
+# Additional: trash
+# More: trash
+# <newline>
+
+read x1 x2 x3 x4
+echo "=== query: $x1 $x2 $x3 $x4" >> $LFILE
+test "$x4" && echo "extra junk after request: $x4" && exit 0
+# nuke questionable characters and split up the request
+hurl=`echo "$x2" | sed -e "s+.*//++" -e 's+[\`'\''|$;<>{}\\!*()"]++g'`
+# echo massaged hurl: $hurl >> $LFILE
+hh=`echo "$hurl" | sed -e "s+/.*++" -e "s+:.*++"`
+hp=`echo "$hurl" | sed -e "s+.*:++" -e "s+/.*++"`
+test "$hp" = "$hh" && hp=80
+hf=`echo "$hurl" | sed -e "s+[^/]*++"`
+# echo total split: $hh : $hp : $hf >> $LFILE
+# suck in and log the entire request, because we're curious
+# Fails on multipart stuff like forms; oh well...
+if test "$x3" ; then
+ while read xx ; do
+ echo "${xx}" >> $LFILE
+ test "${xx}" || break
+# eew, buried returns, gross but necessary for DOS stupidity:
+ test "${xx}" = " " && break
+ done
+fi
+# check for non-GET *after* we log the query...
+test "$x1" != "GET" && echo "sorry, this proxy only does GETs" && exit 0
+# no, you can *not* phone home, you miserable piece of shit
+test "`echo $hh | fgrep -i netscap`" && \
+ echo "access to Netscam's servers <b>DENIED.</b>" && exit 0
+# Do it. 30 sec net-wait time oughta be *plenty*...
+# Some braindead servers have forgotten how to handle the simple-query syntax.
+# If necessary, replace below with (echo "$x1 $hf" ; echo '') | nc...
+echo "$x1 $hf" | nc -w 30 "$hh" "$hp" 2> /dev/null || \
+ echo "oops, can't get to $hh : $hp".
+echo "sent \"$x1 $hf\" to $hh : $hp" >> $LFILE
+exit 0
+
diff --git a/usr.bin/nc/scripts/webrelay b/usr.bin/nc/scripts/webrelay
new file mode 100644
index 00000000000..829a8b07081
--- /dev/null
+++ b/usr.bin/nc/scripts/webrelay
@@ -0,0 +1,44 @@
+#! /bin/sh
+## web relay -- a degenerate version of webproxy, usable with browsers that
+## don't understand proxies. This just forwards connections to a given server.
+## No query logging, no access control [although you can add it to XNC for
+## your own run], and full-URL links will undoubtedly confuse the browser
+## if it can't reach the server directly. This was actually written before
+## the full proxy was, and it shows.
+## The arguments in this case are the destination server and optional port.
+## Please flame pinheads who use self-referential absolute links.
+
+# set these as you wish: proxy port...
+PORT=8000
+# any extra args to the listening "nc", for instance "-s inside-net-addr"
+XNC=''
+
+# functionality switch, which has to be done fast to start the next listener
+case "${1}${RDEST}" in
+ "")
+ echo needs hostname
+ exit 1
+ ;;
+esac
+
+case "${1}" in
+ "")
+# no args: fire off new relayer process NOW. Will hang around for 10 minutes
+ nc -w 600 -l -n -p $PORT -e "$0" $XNC < /dev/null > /dev/null 2>&1 &
+# and handle this request, which will simply fail if vars not set yet.
+ exec nc -w 15 $RDEST $RPORT
+ ;;
+esac
+
+# Fall here for setup; this can now be slower.
+RDEST="$1"
+RPORT="$2"
+test "$RPORT" || RPORT=80
+export RDEST RPORT
+
+# Launch the first relayer same as above, but let its error msgs show up
+# will hang around for a minute, and exit if no new connections arrive.
+nc -v -w 600 -l -p $PORT -e "$0" $XNC < /dev/null > /dev/null &
+echo \
+ "Relay to ${RDEST}:${RPORT} running -- point your browser here on port $PORT"
+exit 0
diff --git a/usr.bin/nc/scripts/websearch b/usr.bin/nc/scripts/websearch
new file mode 100644
index 00000000000..60c3a3356a7
--- /dev/null
+++ b/usr.bin/nc/scripts/websearch
@@ -0,0 +1,77 @@
+#! /bin/sh
+## Hit the major search engines. Hose the [large] output to a file!
+## autoconverts multiple arguments into the right format for given servers --
+## usually worda+wordb, with certain lame exceptions like dejanews.
+## Extracting and post-sorting the URLs is highly recommended...
+##
+## Altavista currently handled by a separate script; may merge at some point.
+##
+## _H* original 950824, updated 951218 and 960209
+
+test "${1}" = "" && echo 'Needs argument[s] to search for!' && exit 1
+PLUSARG="`echo $* | sed 's/ /+/g'`"
+PIPEARG="`echo ${PLUSARG} | sed 's/+/|/g'`"
+IFILE=/tmp/.webq.$$
+
+# Don't have "nc"? Get "netcat" from avian.org and add it to your toolkit.
+doquery () {
+ echo GET "$1" | nc -v -i 1 -w 30 "$2" "$3"
+}
+
+# changed since original: now supplying port numbers and separator lines...
+
+echo "=== Yahoo ==="
+doquery "/bin/search?p=${PLUSARG}&n=300&w=w&s=a" search.yahoo.com 80
+
+echo '' ; echo "=== Webcrawler ==="
+doquery "/cgi-bin/WebQuery?searchText=${PLUSARG}&maxHits=300" webcrawler.com 80
+
+# the infoseek lamers want "registration" before they do a real search, but...
+echo '' ; echo "=== Infoseek ==="
+echo " is broken."
+# doquery "WW/IS/Titles?qt=${PLUSARG}" www2.infoseek.com 80
+# ... which doesn't work cuz their lame server wants the extra newlines, WITH
+# CRLF pairs ferkrissake. Fuck 'em for now, they're hopelessly broken. If
+# you want to play, the basic idea and query formats follow.
+# echo "GET /WW/IS/Titles?qt=${PLUSARG}" > $IFILE
+# echo "" >> $IFILE
+# nc -v -w 30 guide-p.infoseek.com 80 < $IFILE
+
+# this is kinda flakey; might have to do twice??
+echo '' ; echo "=== Opentext ==="
+doquery "/omw/simplesearch?SearchFor=${PLUSARG}&mode=phrase" \
+ search.opentext.com 80
+
+# looks like inktomi will only take hits=100, or defaults back to 30
+# we try to suppress all the stupid rating dots here, too
+echo '' ; echo "=== Inktomi ==="
+doquery "/query/?query=${PLUSARG}&hits=100" ink3.cs.berkeley.edu 1234 | \
+ sed '/^<IMG ALT.*inktomi.*\.gif">$/d'
+
+#djnews lame shit limits hits to 120 and has nonstandard format
+echo '' ; echo "=== Dejanews ==="
+doquery "/cgi-bin/nph-dnquery?query=${PIPEARG}+maxhits=110+format=terse+defaultOp=AND" \
+ smithers.dejanews.com 80
+
+# OLD lycos: used to work until they fucking BROKE it...
+# doquery "/cgi-bin/pursuit?query=${PLUSARG}&maxhits=300&terse=1" \
+# query5.lycos.cs.cmu.edu 80
+# NEW lycos: wants the User-agent field present in query or it returns nothing
+# 960206: webmaster@lycos duly bitched at
+# 960208: reply received; here's how we will now handle it:
+echo \
+"GET /cgi-bin/pursuit?query=${PLUSARG}&maxhits=300&terse=terse&matchmode=and&minscore=.5 HTTP/1.x" \
+ > $IFILE
+echo "User-agent: *FUCK OFF*" >> $IFILE
+echo "Why: go ask todd@pointcom.com (Todd Whitney)" >> $IFILE
+echo '' >> $IFILE
+echo '' ; echo "=== Lycos ==="
+nc -v -i 1 -w 30 twelve.srv.lycos.com 80 < $IFILE
+
+rm -f $IFILE
+exit 0
+
+# CURRENTLY BROKEN [?]
+# infoseek
+
+# some args need to be redone to ensure whatever "and" mode applies