Netcat (nc) introduction
UPDATE 12/27/04: security fix in -e option for Windows
Netcat 1.11 for NT - nc111nt.zip
The original version of Netcat was written by *hobbit*
The NT version was done by Weld Pond
Netcat for NT is the tcp/ip "Swiss Army knife" that never made it into any
of the resource kits. It has proved to be an extremely versatile tool on
the unix platform. So why should NT always be unix's poor cousin when it
comes to tcp/ip testing and exploration? I bet many NT admins out there
keep a unix box around to use tools such as Netcat or to test their systems
with the unix version of an NT vulnerability exploit. With Netcat for NT
part of that feeling of disempowerment is over.
Included with this release is Hobbit's original description of the powers
of Netcat. In this document I will briefly describe some of the things an
NT admin might want to do and know about with Netcat on NT. For more
detailed technical information please read hobbit.txt included in the
nc11nt.zip archive.
Basic Features
* Outbound or inbound connections, TCP or UDP, to or from any ports
* Full DNS forward/reverse checking, with appropriate warnings
* Ability to use any local source port
* Ability to use any locally-configured network source address
* Built-in port-scanning capabilities, with randomizer
* Can read command line arguments from standard input
* Slow-send mode, one line every N seconds
* Hex dump of transmitted and received data
* Ability to let another program service established connections
* Telnet-options responder
New for NT
* Ability to run in the background without a console window
* Ability to restart as a single-threaded server to handle a new connection
A simple example of using Netcat is to pull down a web page from a web
server. With Netcat you get to see the full HTTP header, so you can see
which web server a particular site is running.
Since NT has a rather anemic command processor, some of the things that are
easy in unix may be a bit more clunky in NT. For the web page example, first
create a file get.txt that contains the following line and then a blank
line (the blank line terminates the request headers; without it the server
keeps waiting for more headers and never answers):
GET / HTTP/1.0
To use Netcat to retrieve the home page of a web site use the command:
nc -v www.website.com 80 < get.txt
You will see Netcat make a connection to port 80, send the text contained
in the file get.txt, and then output the web server's response to stdout.
The -v is for verbose. It tells you a little info about the connection
when it starts.
It is a bit easier to just open the connection and then type at the console
to do the same thing.
nc -v www.website.com 80
Then just type in GET / HTTP/1.0 and hit a couple of returns. You will
see the same thing as above.
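What the get.txt exchange above actually puts on the wire, as an added example that is not part of the original README: a raw TCP client that sends the same two-line request Netcat sends and splits the reply into status line, headers and body, so the Server header can be read off. Because it has to run offline, it stands up a constructed local HTTP server (the banner ExampleHTTPd/1.0 is invented for the demo) in place of www.website.com; point raw_http_get at any real host and port and it fingerprints that server the way the nc command does.

```python
import http.server
import socket
import threading


class DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for www.website.com; the Server banner is made up."""
    server_version = "ExampleHTTPd/1.0"

    def do_GET(self):
        body = b"<html><body>hello</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def build_request(path="/"):
    """Bytes that 'nc host 80 < get.txt' sends: the request line plus the
    blank line that ends the header block. Without the blank line the
    server keeps waiting for more headers and never answers."""
    return f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")


def raw_http_get(host, port, path="/", timeout=5.0):
    """Do what Netcat does: connect, write the request, read until the
    server closes the connection (HTTP/1.0 has no keep-alive by default)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(path))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def split_response(raw):
    """Separate the status line, a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def fingerprint_local_demo():
    """Start the constructed server on an ephemeral loopback port, fetch its
    home page the way the nc command does, and return what was learned."""
    server = http.server.HTTPServer(("127.0.0.1", 0), DemoHandler)
    host, port = server.server_address
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        status, headers, body = split_response(raw_http_get(host, port))
    finally:
        server.shutdown()
        server.server_close()
    return status, headers, body


if __name__ == "__main__":
    status, headers, body = fingerprint_local_demo()
    print(status)
    print("Server header:", headers.get("server"))
```

The Server header is the field the text is after; the same split also exposes Date and Content-Length, which is why seeing the full header block is more useful than a browser's rendered page.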
A far more exciting thing to do is to get a quick shell going on a remote
machine by using the -l or "listen" option and the -e or "execute"
option. You run Netcat listening on a particular port for a connection.
When a connection is made, Netcat executes the program of your choice
and connects the stdin and stdout of the program to the network connection.
nc -l -p 23 -t -e cmd.exe
will get Netcat listening on port 23 (telnet). When it gets connected to
by a client it will spawn a shell (cmd.exe). The -t option tells Netcat
to handle any telnet negotiation the client might expect.
This will allow you to telnet to the machine you have Netcat listening on
and get a cmd.exe shell when you connect. You could just as well use
Netcat instead of telnet:
nc xxx.xxx.xxx.xxx 23
will get the job done. [Note: here nc acts as the server side, listening
on the given port and answering telnet connections made to that port.]
There is no authentication on the listening side,
so be a bit careful here. The shell is running with the permissions of the
process that started Netcat, so be very careful. If you were to use the
AT program to schedule Netcat to run listening on a port with the
-e cmd.exe option, when you connected you would get a shell with user
NT AUTHORITY\SYSTEM.
[Note: the shell obtained through nc has the same privileges as the
process that started nc. So which process started nc, and how do you tell?]
The beauty of Netcat really shines when you realize that you can get it
listening on ANY port doing the same thing. Do a little exploring and
see if the firewall you may be behind lets port 53 through. Run Netcat
listening behind the firewall on port 53.
nc -L -p 53 -e cmd.exe
Then from outside the firewall connect to the listening machine:
nc -v xxx.xxx.xxx.xx 53
If you get a command prompt then you are executing commands on the
listening machine. Use 'exit' at the command prompt for a clean
disconnect. The -L (note the capital L) option will restart Netcat with
the same command line when the connection is terminated. This way you can
connect over and over to the same Netcat process.
A new feature for the NT version is the -d or detach from console flag.
This will let Netcat run without an ugly console window cluttering up the
screen or showing up in the task list.
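The -l/-L ... -e mechanism described above, as an added example that is not part of Weld Pond's README: a Python re-implementation of what Netcat does after accept(), handing the connected socket to a child program as its stdin, stdout and stderr, with -l modelled as serving one connection and -L as looping for the next one. It deliberately runs a constructed upper-casing echo program in place of cmd.exe so it can be exercised safely on loopback; the listener, the client helper and the ephemeral port are demo scaffolding. Passing the socket descriptor straight into the child is POSIX-specific, so run it on a Unix-like host. The thing to notice is the point the text makes: nothing between accept() and the program checks who connected.

```python
import socket
import subprocess
import sys
import threading

# Constructed stand-in for cmd.exe: echoes each line back upper-cased with a
# prompt. Put ["cmd.exe"] (or ["/bin/sh", "-i"]) here and this is netcat's -e.
ECHO_PROGRAM = [
    sys.executable, "-u", "-c",
    "import sys\n"
    "for line in sys.stdin:\n"
    "    sys.stdout.write('> ' + line.upper())\n"
    "    sys.stdout.flush()\n",
]


def serve_program(listener, program, max_conns=1):
    """What 'nc -l -p PORT -e program' does (max_conns=1) and what
    'nc -L -p PORT -e program' does (max_conns=None: restart after each
    client). The accepted socket's fd becomes the child's stdin, stdout and
    stderr. No authentication happens anywhere here: whoever reaches the
    port gets the program, running with this process's privileges."""
    served = 0
    while max_conns is None or served < max_conns:
        conn, _peer = listener.accept()
        with conn:
            fd = conn.fileno()
            subprocess.run(program, stdin=fd, stdout=fd, stderr=fd)
        served += 1
    return served


def talk(host, port, text, timeout=10.0):
    """Client side, like 'nc host port': send text, close our write side
    (the program then sees EOF and exits), collect everything until the
    listener closes the connection."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(text.encode())
        sock.shutdown(socket.SHUT_WR)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode()


def demo(clients=2):
    """Run a -L style listener on an ephemeral loopback port, connect to it
    `clients` times in a row and return the replies, showing that the same
    listener keeps serving new connections (with -l the second connect
    would be refused because the listener is gone)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    host, port = listener.getsockname()
    server = threading.Thread(
        target=serve_program, args=(listener, ECHO_PROGRAM, clients), daemon=True)
    server.start()
    replies = [talk(host, port, f"hello {i}\n") for i in range(clients)]
    server.join(timeout=30)
    listener.close()
    return replies


if __name__ == "__main__":
    for reply in demo():
        print(reply, end="")
```

Because the child inherits the listener process's token, scheduling this with AT gives a SYSTEM shell to anyone who can reach the port, exactly as the text warns; a defender looking for this should care less about the port number than about which process owns the listening socket.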
You can even get Netcat to listen on the NETBIOS ports that are probably
running on most NT machines. This way you can get a connection to a
machine that may have port filtering enabled in the TCP/IP Security Network
control panel. Unlike Unix, NT does not seem to have any security around
which ports user programs are allowed to bind to. This means any
user can run a program that will bind to the NETBIOS ports.
You will need to bind "in front of" some services that may already be
listening on those ports. An example is the NETBIOS Session Service that
is running on port 139 of NT machines that are sharing files. You need
to bind to a specific source address (one of the IP addresses of the
machine) to accomplish this. This gives Netcat priority over the NETBIOS
service, which is at a lower priority because it is bound to ANY IP address.
This is done with the Netcat -s option:
nc -v -L -e cmd.exe -p 139 -s xxx.xxx.xxx.xxx
Now you can connect to the machine on port 139 and Netcat will field
the connection before NETBIOS does. You have effectively shut off
file sharing on this machine, by the way. You have done this with just
user privileges to boot.
[Note: this binds nc to a port that is already in normal use, but it
requires specifying the server's own IP address to give nc priority; in
effect it takes the port over. The port's previous function is no longer
available.]
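A check a defender would want for the port takeover above, as an added example that is not part of the original README: the second bind shows up as a listener on the same port with a specific address next to the wildcard one, and netstat -an lists both sockets. The function below finds such pairs in netstat output. The sample text is constructed in the column layout of Windows netstat -an and every address in it is invented.

```python
# Constructed sample in the layout of Windows 'netstat -an'; addresses invented.
# Port 139 has the normal wildcard NETBIOS session listener plus a second
# listener bound to the host's own address, which is what the -s trick leaves.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.77:1045      ESTABLISHED
  TCP    192.168.1.10:1027      192.168.1.20:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

WILDCARDS = {"0.0.0.0", "*"}


def parse_tcp_listeners(netstat_text):
    """Yield (address, port) for every TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")
        yield addr, int(port)


def find_shadowed_listeners(netstat_text):
    """Map port -> sorted specific addresses that sit 'in front of' a wildcard
    listener on the same port. Each hit is either a deliberately multi-homed
    service or someone who has taken the port over; the next step is to find
    the process that owns the specific-address socket."""
    wildcard_ports = set()
    specific = {}
    for addr, port in parse_tcp_listeners(netstat_text):
        if addr in WILDCARDS:
            wildcard_ports.add(port)
        else:
            specific.setdefault(port, set()).add(addr)
    return {port: sorted(addrs)
            for port, addrs in specific.items() if port in wildcard_ports}


if __name__ == "__main__":
    for port, addrs in find_shadowed_listeners(NETSTAT_SAMPLE).items():
        print(f"port {port}: wildcard listener shadowed by {', '.join(addrs)}")
```

The established connection to 192.168.1.10:139 in the sample is exactly the kind of session this listener fields instead of the NETBIOS service, which is why file sharing on that address stops working.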
PROBLEMS with Netcat 1.1 for NT
There are a few known problems that will eventually be fixed. One is
the -w or timeout option. This works for final net reads but not
for connections. Another problem is using the -e option in UDP mode.
You may find that some of the features work on Windows 95. Most
of the listening features will not work on Windows 95 however. These will
be fixed in a later release.
Netcat is distributed with full source code so that people can build
upon this work. If you add something useful or discover something
interesting about NT TCP/IP let me know.
Weld Pond