Ncat-Lua

From SecWiki

This is the wiki page for data related to Ncat-Lua GSoC 2013 project.

Use cases for Lua

nmap-dev thread: http://seclists.org/nmap-dev/2013/q2/445

--lua-exec

David: I want to do

ncat --lua-exec program.lua

Ncat will fork and exec program.lua as if it were a shell script with --sh-exec. In fact, the above is the same as

ncat --sh-exec "lua program.lua"

except that you don't need a separate installation of Lua, and perhaps Ncat's Lua interpreter will have libraries available by default or something.

Simple HTTP server/client

Quoting the todo/nmap.txt:

o [Ncat] This may sound ridiculous, but I'm starting to think that
  Ncat should offer a very simple built-in http server (e.g. for simply
  sharing files, etc.)  And maybe a simple client too.

Simple chat server

I want a chat that is similar to Ncat's built in one, but with /name command which lets users change their names. Sample code available here: https://gist.github.com/d33tah/5888643

Minimalistic IRC client

I'd like to run something like:

 ncat --with irc irc.freenode.net 6667

...and drop into a minimalistic IRC client, that does the PING for me and lets me talk on one channel.

httplookup

I want a service I can connect to that would let me perform HTTP queries the same way nslookup lets me perform DNS ones. After connecting, I will be greeted with a '> ' command prompt. I first start by setting the remote host using the command "server nmap.org" and send the newline character. Then I'd like to type in the first line of the request (without the HTTP version), send the newline and get the reply headers, like in this example session:

> server nmap.org
> GET /

HTTP/1.1 200 OK
Date: Fri, 28 Jun 2013 20:28:42 GMT
Server: Apache/2.2.15 (CentOS)
Accept-Ranges: bytes
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
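The following is an added example, not code from the original wiki page or from the Ncat project: a Python sketch of the httplookup command loop described above (Python stands in here for a Lua script, since the behaviour, not the language, is the point). It parses the "server <host>" command and a bare request line, appends the HTTP/1.1 version and Host header itself, and prints only the reply headers. The network fetch is injected, so the demo runs offline against a constructed reply modelled on the session shown; the port 80 default and the "no server set" message are assumptions of this example.

```python
import socket
import sys


def build_request(server, request_line):
    """Turn a bare request line such as 'GET /' into a full HTTP/1.1 request.

    The user types only method and path (as in the httplookup session above);
    the version, Host and Connection: close headers are added here.
    """
    method, _, target = request_line.strip().partition(" ")
    if not method or not target:
        raise ValueError("expected '<METHOD> <path>', got %r" % request_line)
    return ("%s %s HTTP/1.1\r\n"
            "Host: %s\r\n"
            "Connection: close\r\n"
            "\r\n" % (method, target, server)).encode("ascii")


def parse_response_headers(raw):
    """Split a raw HTTP response into (status_line, [(name, value), ...]).

    Only the head up to the blank line is parsed; the body is discarded,
    which is all httplookup needs since it only shows the reply headers.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0]
    if not status_line.startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % status_line)
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return status_line, headers


class HttpLookup:
    """Command interpreter: 'server <host>' selects the target, any other
    line is sent as a request line and the reply headers come back as text."""

    def __init__(self, fetch):
        self.fetch = fetch      # fetch(host, port, request_bytes) -> raw reply
        self.server = None

    def handle(self, line):
        line = line.strip()
        if not line:
            return ""
        if line.startswith("server "):
            self.server = line[len("server "):].strip()
            return ""
        if self.server is None:
            return "no server set; use: server <host>\n"   # assumed wording
        raw = self.fetch(self.server, 80, build_request(self.server, line))
        status_line, headers = parse_response_headers(raw)
        out = [status_line] + ["%s: %s" % h for h in headers]
        return "\n".join(out) + "\n"


def socket_fetch(host, port, request):
    """Real network fetch for interactive use; reads until the headers end."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf:
            data = s.recv(4096)
            if not data:
                break
            buf += data
    return buf


# Constructed sample reply modelled on the session above; not a real capture.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\n"
                b"Date: Fri, 28 Jun 2013 20:28:42 GMT\r\n"
                b"Server: Apache/2.2.15 (CentOS)\r\n"
                b"Content-Type: text/html; charset=UTF-8\r\n"
                b"\r\n"
                b"<html>...</html>")


def demo():
    """Offline run of the two-command session; returns what was 'sent' and shown."""
    sent = []

    def fake_fetch(host, port, request):
        sent.append((host, port, request))
        return SAMPLE_REPLY

    hl = HttpLookup(fake_fetch)
    hl.handle("server nmap.org")
    return sent, hl.handle("GET /")


if __name__ == "__main__":
    # Interactive mode, suitable for wiring up behind an --exec style handler.
    hl = HttpLookup(socket_fetch)
    sys.stdout.write("> ")
    sys.stdout.flush()
    for typed in sys.stdin:
        sys.stdout.write(hl.handle(typed) + "> ")
        sys.stdout.flush()
```

Because the fetch function is a parameter, the same interpreter can be driven by a real socket or by a canned reply, which is what makes the command parsing testable without touching nmap.org.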

Telnet negotiation and CRLF replacement

David: The -t and -C options are implemented as special-purpose C code. (Grep for dotelnet and fix_line_endings.) It would be nice if these along with other things could be implemented as little Lua snippets. What I'm picturing here is not separate script files, but actual Lua source code as strings within the Ncat source code. Each little program would be like a filter that does CRLF substitution or whatever. This use case seems straightforward but I think the implementation is not trivial (but neither is it super hard). CRLF substitution needs to keep state across calls in case a CRLF crosses a buffer boundary. Telnet negotiation needs to send data in-band in response to information it receives. So neither is a simple block-at-a-time byte filter.
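Added example, not part of the wiki page or of Ncat's C code: the two filters above written as stateful objects in Python (standing in for the Lua snippets David pictures), to show why neither is a block-at-a-time byte filter. The CRLF filter keeps one bit of state, whether the previous chunk ended in CR, so a CRLF split across two buffers is not turned into CR CR LF. The Telnet filter keeps a small parser state across chunks and returns, besides the cleaned data, the in-band reply that must go back to the peer (refusing every option with WONT/DONT, which is the behaviour the -t option has; subnegotiation handling is left out here).

```python
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251   # RFC 854 command bytes


class CrlfFilter:
    """Rewrite bare LF to CRLF, leaving existing CRLF pairs alone.

    State: whether the previous chunk ended in CR. Without it, a CR at the
    end of one chunk followed by LF at the start of the next would be
    doubled into CR CR LF.
    """

    def __init__(self):
        self.pending_cr = False

    def feed(self, chunk):
        out = bytearray()
        prev_cr = self.pending_cr
        for b in chunk:
            if b == 0x0A and not prev_cr:
                out += b"\r\n"
            else:
                out.append(b)
            prev_cr = (b == 0x0D)
        self.pending_cr = prev_cr
        return bytes(out)


class TelnetFilter:
    """Strip Telnet option negotiation from a stream and refuse every option:
    DO -> WONT, WILL -> DONT. feed() returns (data, reply); reply must be
    written back to the peer, which is why this is not a pure byte filter.
    Subnegotiation (SB ... SE) is not handled in this example.
    """
    DATA, SAW_IAC, SAW_CMD = range(3)

    def __init__(self):
        self.state = self.DATA
        self.cmd = None

    def feed(self, chunk):
        data = bytearray()
        reply = bytearray()
        for b in chunk:
            if self.state == self.DATA:
                if b == IAC:
                    self.state = self.SAW_IAC
                else:
                    data.append(b)
            elif self.state == self.SAW_IAC:
                if b == IAC:                       # IAC IAC is an escaped 0xFF byte
                    data.append(IAC)
                    self.state = self.DATA
                elif b in (DO, DONT, WILL, WONT):  # option byte follows, maybe next chunk
                    self.cmd = b
                    self.state = self.SAW_CMD
                else:                              # two-byte commands (NOP, GA, ...): drop
                    self.state = self.DATA
            else:                                  # SAW_CMD: b is the option number
                if self.cmd == DO:
                    reply += bytes([IAC, WONT, b])
                elif self.cmd == WILL:
                    reply += bytes([IAC, DONT, b])
                # DONT / WONT need no answer: nothing was ever enabled
                self.state = self.DATA
        return bytes(data), bytes(reply)


def demo_crlf_boundary():
    """CRLF straddling a buffer boundary: 'a\\r' then '\\nb\\n'."""
    f = CrlfFilter()
    return f.feed(b"a\r") + f.feed(b"\nb\n")          # b"a\r\nb\r\n", not b"a\r\r\nb\r\n"


def demo_telnet_boundary():
    """IAC DO split from its option byte across chunks, plus a WILL to refuse."""
    t = TelnetFilter()
    d1, r1 = t.feed(b"hi" + bytes([IAC, DO]))
    d2, r2 = t.feed(bytes([1]) + bytes([IAC, WILL, 3]) + b"!")
    return d1 + d2, r1 + r2                            # (b"hi!", IAC WONT 1 IAC DONT 3)
```

Both objects expose the same feed(chunk) shape, which is the filter interface a Lua integration would need: a per-connection object that survives between read callbacks, rather than a stateless function of one buffer.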

WebSocket mode

David: See RFC 6455. It would be nice to do

ncat --websocket ws://example.com:8000/
ncat --listen --websocket ws://localhost:8000/

What this involves is first sending a special HTTP request asking for a protocol change to WebSocket. Then you have to receive a response and do some SHA1 calculations and do error handling. After that you can send and receive data on the same TCP connection, but not directly: each little block of data needs to be encapsulated in WebSocket messages and frames. This is quite a heavyweight use case. An implementation that can do it, can probably do most of what we would want Lua integration to do. You should also be able to use SSL WebSocket in the obvious way:

ncat --websocket wss://example.com:8000/
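Added example, not code from the wiki page or from Ncat: the client side of the handshake and framing David describes, in Python. It builds the Upgrade request, checks the 101 response (including the SHA-1 based Sec-WebSocket-Accept value from RFC 6455 section 4.2.2, verified here against the RFC's own sample key), and encodes/decodes frames with the client-side masking the RFC requires. The server response in the demo is constructed, not captured, and port 8000 and the path are taken from the command lines above.

```python
import base64
import hashlib
import os
import struct

GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455, section 4.2.2


def accept_key(client_key):
    """Sec-WebSocket-Accept = base64(SHA1(key + GUID))."""
    digest = hashlib.sha1((client_key + GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_handshake(host, port, path, key):
    return ("GET %s HTTP/1.1\r\n"
            "Host: %s:%d\r\n"
            "Upgrade: websocket\r\n"
            "Connection: Upgrade\r\n"
            "Sec-WebSocket-Key: %s\r\n"
            "Sec-WebSocket-Version: 13\r\n"
            "\r\n" % (path, host, port, key)).encode("ascii")


def check_handshake_response(raw, key):
    """Validate the server's reply; raises on anything a client must reject.
    Returns any bytes that followed the headers (they already belong to the
    framed stream and must not be thrown away)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or parts[1] != "101":
        raise ValueError("expected HTTP 101, got %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if headers.get("upgrade", "").lower() != "websocket":
        raise ValueError("missing Upgrade: websocket")
    if "upgrade" not in headers.get("connection", "").lower():
        raise ValueError("missing Connection: Upgrade")
    if headers.get("sec-websocket-accept") != accept_key(key):
        raise ValueError("bad Sec-WebSocket-Accept")
    return rest


def encode_frame(payload, opcode=0x2, mask_key=None):
    """One client frame: FIN set, masked (clients must mask, RFC 6455 5.1)."""
    if mask_key is None:
        mask_key = os.urandom(4)
    n = len(payload)
    head = bytes([0x80 | opcode])
    if n < 126:
        head += bytes([0x80 | n])
    elif n < 65536:
        head += bytes([0x80 | 126]) + struct.pack(">H", n)
    else:
        head += bytes([0x80 | 127]) + struct.pack(">Q", n)
    masked = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return head + mask_key + masked


def decode_frame(buf):
    """Parse one frame from the front of buf.
    Returns (fin, opcode, payload, bytes_consumed), or None if buf is incomplete."""
    if len(buf) < 2:
        return None
    fin, opcode = bool(buf[0] & 0x80), buf[0] & 0x0F
    masked, n = bool(buf[1] & 0x80), buf[1] & 0x7F
    pos = 2
    if n == 126:
        if len(buf) < 4:
            return None
        n, pos = struct.unpack(">H", buf[2:4])[0], 4
    elif n == 127:
        if len(buf) < 10:
            return None
        n, pos = struct.unpack(">Q", buf[2:10])[0], 10
    key = b""
    if masked:
        if len(buf) < pos + 4:
            return None
        key, pos = buf[pos:pos + 4], pos + 4
    if len(buf) < pos + n:
        return None
    payload = buf[pos:pos + n]
    if masked:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return fin, opcode, payload, pos + n


def demo():
    """Handshake against a constructed server reply, then one framed round trip."""
    key = "dGhlIHNhbXBsZSBub25jZQ=="            # sample key from RFC 6455, section 1.3
    request = build_handshake("example.com", 8000, "/", key)
    server_reply = ("HTTP/1.1 101 Switching Protocols\r\n"
                    "Upgrade: websocket\r\n"
                    "Connection: Upgrade\r\n"
                    "Sec-WebSocket-Accept: %s\r\n\r\n" % accept_key(key)).encode("ascii")
    leftover = check_handshake_response(server_reply, key)
    frame = encode_frame(b"hello", mask_key=b"\x01\x02\x03\x04")
    return request, leftover, decode_frame(frame)
```

For wss:// nothing above changes; the same handshake and frames simply travel over a TLS connection, which is why the SSL variant is "the obvious way". A real client would also have to pick a fresh random Sec-WebSocket-Key per connection and handle fragmented, ping and close frames on top of this.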

Downgrade SQL auth

Martin Holst Swende: Patrik Karlsson wrote beanshell scripts for hatkit to downgrade SQL auth: https://bitbucket.org/holiman/hatkit-proxy/src/b9b6dad28cc5a437ba484cb9eb835b7a085aced8/resources/processors/ms-sql-downgrade.bs. Perhaps this could be done in Ncat script?

sslstrip

Like this.