Binary Netcat

Thomas Ptacek | August 24th, 2005 | Filed Under: Uncategorized

I’m writing this primarily because I think I’m doing something wrong and hope someone has a simpler way of doing this, though I am actually happy with how my technique has turned out.

I’m doing binary protocol reverse engineering work for something that runs on a TCP port. To set the scene:

1. I have two legitimate participants of the protocol connected to each other.

2. I proxy between the two with a simple plug gateway that dumps the TCP data running between them.

3. I inspect the dumps offline, break them into messages, modify them, and re-inject them to see what happens.

All very straightforward. The tricky part, if you can call it “tricky”, is in step #3.

With a text-based protocol, playing games with the protocol is simple: I’ll use netcat and type or cut-and-paste into a terminal window.

With a binary protocol it’s not as simple. What I’d normally do is cat a binary file into netcat, which obviously works fine. The trouble is, this is a real protocol, meaning I have to wait for responses to my data and formulate messages accordingly. In other words, I need interactivity.

And here’s where netcat stops being useful; I can’t figure out any decent way of interactively generating and parsing binary data in netcat. Two things netcat could do to make it useable in this case:

1. Have a mode to print hexdumps of received data in real time.

2. Have a mode that would interpret escapes as hex codes and generate the appropriate bytes.

I can’t find a version of netcat that does either.

Here’s what I’ve resorted to:

• A netcat-sized C program (I call it “telson”) that makes TCP connections and proxies between it and a UDP port bound to loopback and prints hexdumps of all data sent and received.

  (Why UDP? Because netcat has that unbelievably irrritating habit of sitting around waiting for a SIGSTOP after it finishes reading stdin).

• An even smaller program that reads standard input and generates UDP messages to the telson loopback port (I call it “blit”). Yes, this is basically netcat, but it’s easier to use.

• An even smaller program than that which reads pairs of ASCII digits as hex codes and generates the bytes (I call it “hexbin”). Yes, this is basically printf(1), but it’s easier to use.

This is about 120 lines of code (not counting the event loop in telson, which is basically libevent). Here’s what it enables me to do:

• In one window: telson foo:666

• In the other: hexbin 01FF01FF | blit

• Result in the telson window:

  %CONNECTING foo:666
     %CONNECTED
     %YOU-SAY
     00000000 01 FF 01 FF  -- -- -- -- |........|
     %
     %THEY-SAY
     00000000 FF AA FF AA  -- -- -- -- |........|
     %
     %DISCONNECTED

• Or: dd if=/dev/zero count=4 | blit

• Or: dd if=/dev/rand count=4 | blit

• Or: c 5000 0x41 | blit

  (btw: ‘c’ is my most useful tiny C program ever; guess what it does).

So like I said, I’m pretty happy with this; I get to use Unix pipelines to generate interesting traffic interactively (as long as all I want is to SEE the output from the other side of the connection, and not actually USE it —- fortunately, this is 80% of the reverse engineering problem). Pipelines mean I can write tiny little Unix filters to:

• Generate U32 and U16 values

• Flip byte order

• Prepend length words to strings from “echo”

• etc, etc.

I feel bad about writing code against this problem, though. Like I’m just too dumb to know how to use the tools I already have.

So I guess my question is, is there a telnet/netcat-like tool, or some mysterious option to either, that interactively generates binary? Maybe there’s some weird xterm command.