Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Ncat lua execution
From: Martin Holst Swende <martin () swende se>
Date: Thu, 16 Jan 2014 21:30:06 +0100

On 2014-01-15 21:04, Martin Holst Swende wrote:
On 2014-01-15 20:57, Jacek Wielemborek wrote:
15/01/2014 20:49:24 Martin Holst Swende<martin () swende se>:
Hi,

I've started experimenting a bit with Ncat and the "new" Ncat lua execution.
My first experiment wast to make a generic logging SSL/TCP proxy. That's
easy:

ncat --listen --ssl --ssl-cert test-cert.pem --keep-open --ssl-key
test-key.pem -o output.log --hex-dump output-hex.log --sh-exec "ncat --ssl
www.dn.se  443"

Now, I would also like to modify the traffic on the fly, in either
direction. Using a lua-script which converts ASCII-characters to uppercase
in http-responses would be a good starting point. Is that kind of
modification possible with the new scripting capabilities? After reading up
a bit on how ncat command execution works, it seems that the command
execution is more aimed at "net-enabling" processes which are otherwise not
network-enabled, but perhaps some clever pipe wizardry can be used to
achieve the effect I am aiming for..?

Answering my own email here, just for completeness sake. There was some pipe wizardry that could be applied, allowing me to do the processing in python.

Ignoring the SSL-things, this is the listener side. The web server is the target I want to proxy to:

#python -m SimpleHTTPServer & ncat -l --sh-exec "upper| ncat localhost 8000 | upper"
[1] 8053
Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [16/Jan/2014 21:18:43] "GET / HTTP/1.0" 200 -

And the "client" connects to the mitm-station, which modifies the traffic in both directions:

#ncat localhost
get / http/1.0

HTTP/1.0 200 OK
SERVER: SIMPLEHTTP/0.6 PYTHON/2.7.5+
DATE: THU, 16 JAN 2014 20:18:43 GMT
CONTENT-TYPE: TEXT/HTML; CHARSET=UTF-8

The "upper" is a python script which looks like this:

#!/usr/bin/python
import sys

def transmit(data):
    sys.stdout.write(data)
    sys.stdout.flush()
    return ""

def read():
    x = sys.stdin.readline()
    while x:
        yield x
        x = sys.stdin.readline()

for line in read():
    transmit(line.upper())

The "readline" stuff within the python script is not suitable for binary data, in which case the sys.stdin.read(1) should be used instead, and possibly the -U flag is needed, I'm not sure. More pythonic ways of reading, such as "for line in fileinput.input()" fails, since that lazy construction does not start reading until the connection is closed.

This method of throwing together a scriptable, ssl-enabled tcp proxy for mitm logging/tampering scenarios is awesome. And by that I don't mean that I'm awesome, I mean that Ncat is awesome and I only now noticed :)

Regards,
Martin

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault