telnet vs. netcat - Security



Thread: telnet vs. netcat

  1. telnet vs. netcat

    I've been playing with netcat recently in an effort to learn more about
    security testing (I'm a total n00b right now, but learning!). In so
    doing, I've been comparing its output to that of telnet and found a few
    differences that someone might be able to shine light on for me.

    When I run the command 'telnet mailhost 25', I can enter SMTP commands
    and elicit responses from the server, causing it to perform actions.
    When I use 'nc mailhost 25' and enter commands though, I get no
    response. I've watched the output of each with wireshark and the setup
    looks identical to me. First there's the boring TCP handshake stuff,
    followed by the initial SMTP greeting from the server. After this, I
    can send commands (I've been using EHLO) and it looks to me like both
    utilities produce the same exact type of packet. Is there some subtle
    difference here that I'm missing that causes the telnet-created packets
    to get a response but the nc-created ones to get dropped?

    Thanks for any info on these utilities!


  2. Re: telnet vs. netcat

    Okay, I figured it out if anyone happens to care.

    I was testing this against a Windows SMTP server. When I press enter
    on the keyboard to send the initial SMTP command, telnet was "smart"
    enough to convert this to a CRLF for Windoze sake whereas nc sends
    exactly what you give it (only the CR).

    This command:

    > echo -e -n "EHLO me\r\n" | nc mailhost 25


    gives the expected SMTP response.

    Thanks anyway!


    On Nov 6, 3:52 pm, "saucily" wrote:
    > I've been playing with netcat recently in an effort to learn more about
    > security testing (I'm a total n00b right now, but learning!). In so
    > doing, I've been comparing its output to that of telnet and found a few
    > differences that someone might be able to shine light on for me.
    >
    > When I run the command 'telnet mailhost 25', I can enter SMTP commands
    > and elicit responses from the server, causing it to perform actions.
    > When I use 'nc mailhost 25' and enter commands though, I get no
    > response. I've watched the output of each with wireshark and the setup
    > looks identical to me. First there's the boring TCP handshake stuff,
    > followed by the initial SMTP greeting from the server. After this, I
    > can send commands (I've been using EHLO) and it looks to me like both
    > utilities produce the same exact type of packet. Is there some subtle
    > difference here that I'm missing that causes the telnet-created packets
    > to get a response but the nc-created ones to get dropped?
    >
    > Thanks for any info on these utilities!



  3. Re: telnet vs. netcat

    "saucily" (06-11-06 15:52:40):

    > I've been playing with netcat recently in an effort to learn more
    > about security testing (I'm a total n00b right now, but learning!).
    > In so doing, I've been comparing its output to that of telnet and
    > found a few differences that someone might be able to shine light on
    > for me.
    >
    > When I run the command 'telnet mailhost 25', I can enter SMTP commands
    > and elicit responses from the server, causing it to perform actions.
    > When I use 'nc mailhost 25' and enter commands though, I get no
    > response. I've watched the output of each with wireshark and the
    > setup looks identical to me. First there's the boring TCP handshake
    > stuff, followed by the initial SMTP greeting from the server. After
    > this, I can send commands (I've been using EHLO) and it looks to me
    > like both utilities produce the same exact type of packet. Is there
    > some subtle difference here that I'm missing that causes the
    > telnet-created packets to get a response but the nc-created ones to
    > get dropped?


    Sure. Telnet is not a network analysis tool. It is an actual protocol
    (or even a protocol family), and 'telnet' is the client program. Using
    Telnet for testing purposes might even be a security risk for you,
    depending on your terminal emulator.

    However, all Telnet-based protocols (including FTP, SMTP, HTTP, POP,
    IRC, or almost any other textual protocol), have one thing in common:
    The client is required to send the full line change sequence, which
    involves a CR (carriage return), and an LF (line-feed), in that order.

    Well, Netcat on the other hand is a real network analysis tool, which
    does what you want it to do. If you type an LF, then it sends an LF.
    But SMTP requires the client to send CR-LF. Most servers would treat
    both CR and LF as a line change, but some servers try to be completely
    standards-compliant, most notably MS Hotmail.

    One workaround is the following command:

    | sed -e "s/$/\r/" | nc -vv test.xx 25

    This replaces all LFs in the input stream by CR-LF sequences.


    Regards,
    E.S.
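    The framing difference that posts 2 and 3 describe, as an added example that is not part of the thread: a strict, RFC-style line reader (CRLF only) next to a lenient one, and the same LF-to-CRLF normalisation the sed one-liner performs. Only the line framing is modelled; there is no network and no real SMTP server, and the two byte strings are constructed stand-ins for what nc and telnet put on the wire.

```python
"""Added example (not from the thread): how a strict, RFC-style SMTP line
reader differs from a lenient one when the client ends lines with a bare LF.
Only the framing is modelled; no network, no real SMTP server."""

from typing import List, Tuple


def split_lines_strict(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Return (complete lines, unconsumed remainder), treating only CRLF
    as a line terminator. This is what a standards-strict server does:
    a bare LF leaves the command sitting in the buffer, so nothing is
    answered and the client sees silence (the symptom in post 1)."""
    lines: List[bytes] = []
    while True:
        i = buf.find(b"\r\n")
        if i < 0:
            return lines, buf
        lines.append(buf[:i])
        buf = buf[i + 2:]


def split_lines_lenient(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Same, but accept CRLF, bare LF or bare CR as terminators (what
    "most servers" in post 3 do)."""
    lines: List[bytes] = []
    buf = buf.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    while True:
        i = buf.find(b"\n")
        if i < 0:
            return lines, buf
        lines.append(buf[:i])
        buf = buf[i + 1:]


def lf_to_crlf(data: bytes) -> bytes:
    """Normalise line endings the way sed -e "s/$/\\r/" in post 3 does,
    without doubling a CR that is already present."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


# Constructed inputs: a bare-LF line as a Unix terminal hands it to nc,
# versus the CRLF-terminated line telnet's NVT conversion puts on the wire.
NC_RAW = b"EHLO me\n"
TELNET_RAW = b"EHLO me\r\n"

if __name__ == "__main__":
    for label, raw in (("nc", NC_RAW), ("telnet", TELNET_RAW)):
        strict, _ = split_lines_strict(raw)
        lenient, _ = split_lines_lenient(raw)
        print(f"{label:6s} strict server saw {strict}, lenient saw {lenient}")
    print("normalised:", lf_to_crlf(NC_RAW))
```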

  4. Re: telnet vs. netcat

    On Thu, 9 Nov 2006 05:49:35 +0100, Ertugrul Soeylemez wrote:

    > . . . Telnet is not a network analysis tool. It is an actual protocol
    > (or even a protocol family), and 'telnet' is the client program. Using
    > Telnet for testing purposes might even be a security risk for you,
    > depending on your terminal emulator.


    Very interesting! Particularly since I recently received
    a jpeg file with an embedded comment (apparently binary)
    that does something weird to GNOME Terminal, and I couldn't
    find any GNOME Terminal documentation that explained why
    0x0e should throw it into a weird state.

    --
    To email me, substitute nowhere->spamcop, invalid->net.

  5. Re: telnet vs. netcat

    Peter Pearson wrote:
    > I couldn't find any GNOME Terminal documentation that explained why
    > 0x0e should throw it into a weird state.


    Sadly, I've never found /any/ useful documentation provided by the GNOME
    project. However, I like the GNOME wm so I continue to use it. (Besides,
    it's not cost me anything so I don't like to complain.)

    To answer your question, though, Ctrl/N and Ctrl/O switch in and out of
    an alternate character set. (So you can usually fix the "weird state"
    by Ctrl/O Enter.) This is part of the VT200/ANSI terminal specification,
    and you can find much more at http://vt100.net if you're interested.

    Chris
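    A defensive counterpart to posts 4 and 5, added here and not part of the thread: scan data for C0 control bytes such as SO (0x0e, Ctrl/N) and SI (0x0f, Ctrl/O) before writing it to a terminal, and render a copy with those bytes made visible. The sample "comment" bytes are constructed, not the JPEG from post 4.

```python
"""Added example (not from the thread): find C0 control bytes such as SO
(0x0e, Ctrl/N) and SI (0x0f, Ctrl/O) in data before it reaches a terminal,
and produce a copy that is safe to display."""

from typing import Dict, List, Tuple

SO, SI, ESC = 0x0E, 0x0F, 0x1B
# Bytes a terminal interprets rather than prints; TAB, LF and CR are
# allowed through because they only move the cursor.
SAFE_CONTROL = {0x09, 0x0A, 0x0D}
NAMES: Dict[int, str] = {SO: "SO (shift out, Ctrl/N)", SI: "SI (shift in, Ctrl/O)",
                         ESC: "ESC", 0x07: "BEL", 0x08: "BS"}


def is_unsafe(b: int) -> bool:
    return (b < 0x20 and b not in SAFE_CONTROL) or b == 0x7F


def find_control_bytes(data: bytes) -> List[Tuple[int, int, str]]:
    """Return (offset, byte, name) for every control byte a terminal would act on."""
    hits = []
    for off, b in enumerate(data):
        if is_unsafe(b):
            hits.append((off, b, NAMES.get(b, f"C0 0x{b:02x}")))
    return hits


def make_displayable(data: bytes) -> bytes:
    """Replace unsafe control bytes with a visible caret form (^N, ^O, ^[, ...)
    so the terminal prints them instead of interpreting them."""
    out = bytearray()
    for b in data:
        if is_unsafe(b):
            out += b"^" + bytes([b ^ 0x40])
        else:
            out.append(b)
    return bytes(out)


# Constructed sample: a comment field that shifts the terminal into the
# alternate character set and never shifts back.
SAMPLE = b"Photo 2006\x0ehello world\n"

if __name__ == "__main__":
    for off, b, name in find_control_bytes(SAMPLE):
        print(f"offset {off}: 0x{b:02x} {name}")
    print(make_displayable(SAMPLE).decode())
    # A terminal left in shift-out state is reset by writing SI (Ctrl/O),
    # which is what post 5's "Ctrl/O Enter" does by hand.
    print("reset sequence:", bytes([SI]))
```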

  6. Re: telnet vs. netcat

    On Fri, 10 Nov 2006 09:58:12 +0000, Chris Davies wrote:
    > Peter Pearson wrote:
    >> I couldn't find any GNOME Terminal documentation that explained why
    >> 0x0e should throw it into a weird state.

    [snip]
    > To answer your question, though, Ctrl/N and Ctrl/O switch in and out of
    > an alternate character set. (So you can usually fix the "weird state"
    > by Ctrl/O Enter.) This is part of the VT200/ANSI terminal specification,
    > and you can find much more at http://vt100.net if you're interested.


    Hey, thanks! I poked through a bunch of VT100 documentation,
    but didn't find it. I see it now.

    --
    To email me, substitute nowhere->spamcop, invalid->net.
