Create a Secure Chat in Netcat

Introduction

In this lab, you will learn how to establish secure communication between two endpoints using Netcat and OpenSSL. You'll practice creating encrypted tunnels with SSL certificates while configuring both listener and client components for protected messaging.

Through hands-on exercises, you'll generate self-signed certificates, set up an OpenSSL server, and connect via Netcat to verify end-to-end encryption. This practical experience will enhance your understanding of basic cybersecurity tools for securing network communications.

Skills Graph

Install Netcat and OpenSSL

In this step, you will install two essential networking tools: Netcat and OpenSSL. Netcat (often called nc) is like a digital Swiss Army knife for network communication - it allows you to read from and write to network connections directly from the command line. OpenSSL is a powerful toolkit that provides encryption functions, which we'll use to secure our chat messages.

Before installing any software, it's good practice to update your package list. This ensures you'll get the latest stable versions of the tools:

sudo apt update

Now let's install Netcat. This command will download and install the package automatically:

sudo apt install -y netcat

Next, we'll install OpenSSL. This provides the encryption capabilities we need for secure communication:

sudo apt install -y openssl

After installation, we should verify both tools are working correctly. The following commands will show version information - the first line shows Netcat's version, and the second shows OpenSSL's:

nc -h | head -n 1
openssl version

You should see output similar to this, though version numbers may vary:

OpenBSD netcat (Debian patchlevel 1.217-2ubuntu1)
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

If you see version information like this, congratulations! You've successfully installed both tools and are ready to proceed to the next step where we'll use them to create a secure chat.

Set Up an Encrypted Tunnel

In this step, you will create an encrypted tunnel using OpenSSL to secure your Netcat communication. This tunnel will encrypt all data transmitted between two endpoints, providing confidentiality for your network communications. Encryption is essential because it prevents unauthorized parties from reading your chat messages as they travel across the network.

1. First, generate a self-signed SSL certificate and private key in your project directory. A certificate is like a digital ID card that helps verify the identity of your chat server, while the private key is used to encrypt the data:

cd ~/project
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=localhost"

This command creates two important files: key.pem (your private key) and cert.pem (your public certificate). The -days 365 option makes the certificate valid for one year, and -nodes means the private key won't be password-protected for simplicity in this lab.

2. Verify the certificate files were created successfully by listing them:

ls -l key.pem cert.pem

You should see both files with sizes around 3-4KB. The -l flag shows detailed information including file permissions and sizes. If these files exist, you've successfully created your encryption materials.

3. Start the OpenSSL server that will handle the encrypted communications. This server will act as the secure middleman for your chat:

openssl s_server -quiet -key key.pem -cert cert.pem -port 12345

The -quiet flag reduces output messages, while -key and -cert specify the files we just created. Port 12345 is where the server will listen for incoming connections. Keep this terminal open and running - it's now waiting to securely communicate with clients. In the next steps, we'll connect to this secure server.

Start a Listener

In this step, you will set up a Netcat listener that will receive encrypted communications through the OpenSSL tunnel we created in the previous step. This listener will act as the receiving end of our secure communication channel. Think of it like setting up a secure mailbox that only you can access, where all messages are automatically locked before delivery.

1. First, ensure your OpenSSL server from Step 2 is still running in one terminal. This server acts as the encryption/decryption middleman between our chat participants. If not, restart it:

cd ~/project
openssl s_server -quiet -key key.pem -cert cert.pem -port 12345

The -quiet flag reduces output noise, while -key and -cert specify our encryption credentials. Port 12345 is where our secure tunnel operates.

2. In a new terminal window (or tab), navigate to your project directory. This separation helps manage different components of our secure chat system:

cd ~/project

3. Start the Netcat listener that will connect to our encrypted tunnel. Netcat will handle the actual message transmission while OpenSSL manages the encryption:

nc localhost 12345

Here, localhost means we're connecting to our own machine, and 12345 matches the port our OpenSSL server uses.

4. The terminal will now appear to hang - this is normal as Netcat is waiting for incoming connections. Keep this terminal open - we'll use it for secure communication in the next step. The "hang" means Netcat is actively listening, like a phone waiting for a call.

Note: The connection between Netcat and OpenSSL is now established, with all communication being automatically encrypted by OpenSSL before transmission. This means any text you type will first be scrambled by OpenSSL, sent through the network, then unscrambled by the recipient - making it unreadable to potential eavesdroppers.

Connect and Chat

In this step, you will establish a secure chat session between two terminals using the encrypted tunnel we created. This demonstrates how to securely transmit messages over an untrusted network. The encryption ensures that even if someone intercepts the communication, they won't be able to read your messages.

1. Ensure you have three terminal windows open:

   • Terminal 1: Running OpenSSL server (from Step 2) - This handles the encryption/decryption
   • Terminal 2: Running Netcat listener (from Step 3) - This receives and displays decrypted messages
   • Terminal 3: Will be used for sending messages - Your typing interface

2. In Terminal 3, connect to the encrypted tunnel as the client. This command tells OpenSSL to connect to our secure tunnel on port 12345:

cd ~/project
openssl s_client -quiet -connect localhost:12345

3. Type a test message in Terminal 3 and press Enter. This message will be automatically encrypted before transmission:

Hello secure world!

4. Switch to Terminal 2 (the listener) - you should see your encrypted message displayed in plaintext. This shows the message was successfully decrypted at the other end.

5. Now type a response in Terminal 2 and press Enter. The message will be encrypted before being sent back:

This is a secure reply!

6. The response should appear in Terminal 3. You now have a bidirectional secure chat channel where both sides can send and receive encrypted messages.

7. To exit the chat, press Ctrl+C in all terminals when finished. This properly closes all connections and stops the encryption processes.

Verify Encryption

In this final step, we'll verify that our SSL/TLS encryption is working correctly by examining the raw network traffic. This hands-on demonstration will show you exactly how encryption protects your data from being read by unauthorized parties. When we use OpenSSL with Netcat, all communication gets transformed into unreadable ciphertext during transmission.

1. First, we need a tool to inspect network traffic. Install tcpdump, which is a powerful command-line packet analyzer:

sudo apt install -y tcpdump

2. Open a new terminal window to monitor traffic. We'll specifically watch the loopback interface (lo) which handles local network traffic on your own machine. The -X flag shows both hexadecimal and ASCII output, while -n prevents DNS resolution for clearer output:

sudo tcpdump -i lo -X -n port 12345

3. In another terminal, let's restart our encrypted chat session exactly as we did earlier. This command establishes an SSL connection to our chat server running on port 12345:

cd ~/project
openssl s_client -quiet -connect localhost:12345

4. Now send a test message through this encrypted channel. Type anything you'd like - we'll use this simple example:

This message should be encrypted

5. Look at the tcpdump window. Instead of seeing your readable message, you'll observe scrambled data consisting of hexadecimal values and random ASCII characters. This is your message after encryption - completely unreadable without the proper decryption key.

6. To appreciate the difference, let's compare this with unencrypted traffic:

   • First, stop all running processes by pressing Ctrl+C in all terminal windows
   • Start a regular Netcat server without encryption: nc -l 12345
   • Connect to it from another terminal: nc localhost 12345
   • Send the exact same test message
   • Observe how tcpdump now clearly shows your plaintext message in the output

This comparison clearly demonstrates why encryption matters - without it, anyone monitoring the network can read your messages directly.

Summary

In this lab, you have learned how to create a secure chat channel using Netcat and OpenSSL. The process involved installing necessary tools, generating SSL certificates, and establishing encrypted communication through an OpenSSL tunnel.

You practiced setting up both server and client configurations while verifying encryption effectiveness. This combination of Netcat's networking and OpenSSL's security features demonstrates how to protect data transmission from potential eavesdropping.