Exercise Session 1

In the exercise session of 13/11 we looked at two exam papers. Here you can find the related files:

Slides from today's seminar

(use tpp to view them)

--author Giovanni Agosta
--title Netcat Tutorial
--date today

An introduction to Netcat, the TCP/IP Swiss Army Knife



--newpage intro
--heading What is Netcat?

  * Basically, Netcat opens a TCP (or UDP) connection to a given address and port

  * The connection then functions as a pipe in both directions
     - Anything sent to stdin is copied to the stdout of the other machine

  * Thus, it serves a purpose similar to pipes, but allows processes on different machines to be composed

  * And now, 9 quick & dirty tricks with Netcat!

--newpage cat
--heading 1 Chat & File Transfer

receiver:
--beginoutput
nc -l -p <#port> 
--endoutput

transmitter:
--beginoutput
nc localhost <#port>
nc <#address> <#port>
--endoutput

  * Use redirection of stdin/stdout to perform file transfer
  * Use -q <seconds> to make nc quit the given number of seconds after reaching end of input
  * Communication is bidirectional

--newpage socket
--heading 2 Handling Information Requests

You can make up a simple server to make information available on a given port:

--beginoutput
while true ; do cat /proc/loadavg | nc -l -p <#port> -q 1 > logfile.log ; done
--endoutput

  * This script returns the current content of the loadavg file from procfs to any request
  * It can be used to implement a quick and dirty version of process B from the exam of March 9, 2006

--newpage filter
--heading 3 Filter Network Traffic

Redirecting a stream on a given port through filters and finally to the actual server, which has been set to listen on a different port.

--beginoutput
mkfifo back
nc -l -p <#expectedport> 0<back | <infilter> | nc localhost <#actualport> | <outfilter> >back
--endoutput

  * Use a fifo to handle backward dataflow
  * Use a couple of netcat server and client to redirect traffic
  * Use any program or script to filter incoming and outgoing data

--newpage scanning
--heading 4 Port Scanning

Finding open ports and associated servers at a given address

--beginoutput
nc -v -z -w 1 <#address> <#port>-<#port>
--endoutput

  * Scans all ports in a range at the given address
  * Uses no input or output (-z)
  * Drops the connection after 1 second
  * Prints out the active ports (using the verbose option)

--newpage telnet
--heading 5 Telnet

On the local machine
--beginoutput
nc <#address> <#port>
--endoutput

On the remote machine
--beginoutput
nc -l <#port> -e /bin/bash
--endoutput

  * You obtain a shell on the remote machine


--newpage reverse
--heading 6 Reverse Telnet 

On the local machine
--beginoutput
nc -l -vv <#port>
--endoutput

On the remote machine
--beginoutput
nc -vv <#address> <#port> -e /bin/bash
--endoutput

  * You obtain a shell on the remote machine
  * Use cryptcat (netcat + blowfish) for such uses!

--newpage partition
--heading 7 Partition Cloning over the Network

Copying an entire partition to a different machine:

--beginoutput
dd if=/dev/<#partition> | netcat <#address> <#port>
netcat -l -p <#port> | dd of=/dev/<#partition>
--endoutput

  * Uses dd to read and write to/from the partition
  * Both partitions should be unmounted

--newpage search
--heading 8 Search Engine Querying

Querying the Google search engine:

--beginoutput
echo -e "GET /search?q=Mystara HTTP/1.1\nUser-agent: Mozilla\n\n" | netcat  google.com 80 | sed -e 's/\(<a href[^<>]*>\)/\n\1\n/g' | grep href=\"http | grep -v google | grep -v cache | sed -e 's/<a href=\"\([^\"]*\)\"[^>]*>/\1/g'
--endoutput

Let's have a look at the individual filters

--newpage search2
--heading Search Engine Querying

--beginoutput
echo -e "GET /search?q=Mystara HTTP/1.1\nUser-agent: Mozilla\n\n"
--endoutput

  * Build the query string as HTTP GET, specifying a valid (although ultimately fake) agent to avoid error messages such as "frames not supported"
  * Output the query to stdout

--beginoutput
netcat  google.com 80
--endoutput

  * Redirect stdin to google.com at port 80
  * At the same time, redirect response from google.com to stdout

--newpage search3
--heading Search Engine Querying

--beginoutput
sed -e 's/\(<a href[^<>]*>\)/\n\1\n/g'
sed -e 's/<a href=\"\([^\"]*\)\"[^>]*>/\1/g'
--endoutput

  * sed is a stream editor, runs as a filter
  * -e executes the following string as a sed script
  * s/<pattern>/<replacement>/g replaces every instance of the pattern within the input stream with the replacement string
  * \1 is a positional reference to the part of the pattern within \( \)

--newpage search4
--heading Search Engine Querying

  * Google's HTML comes without line breaks
  * The first sed filter puts each hyperlink on its own line
  * Now we can grep for lines that contain a hyperlink

--beginoutput
grep href=\"http | grep -v google | grep -v cache
--endoutput

  * But not an internal hyperlink (either cache or links to other Google services)
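The request builder and the filter chain of slide 8, as an added example (not part of the original slides) run on a constructed HTML fragment so it works offline; the Host and Connection headers are additions, the sed/grep filters are the slide's own.

```shell
#!/bin/sh
# Added example, not part of the original slides: the request builder and
# the sed/grep filter chain of slide 8, run against a constructed HTML
# fragment instead of a live google.com response so it works offline.

# Constructed input: a single line without line breaks, as the slides
# describe Google's HTML. One link each for the three grep filters to drop.
SAMPLE_HTML='<html><body><a href="http://www.google.com/intl/en/about.html">About</a><a href="http://example.org/mystara" class="l">Mystara</a><a href="http://webcache.example.com/cache/old">old</a><a href="http://www.pandius.com/">Vaults</a></body></html>'

# The request of slide 8 for an arbitrary term ($1) and host ($2). HTTP/1.1
# requires a Host header, which the slide's request omits; Connection: close
# makes the server end the response so netcat can exit.
build_request() {
    printf 'GET /search?q=%s HTTP/1.1\r\nHost: %s\r\nUser-agent: Mozilla\r\nConnection: close\r\n\r\n' "$1" "$2"
}

# The filters of slide 8, unchanged: HTML on stdin, one external URL per
# line on stdout.
extract_links() {
    sed -e 's/\(<a href[^<>]*>\)/\n\1\n/g' \
      | grep 'href="http' \
      | grep -v google \
      | grep -v cache \
      | sed -e 's/<a href="\([^"]*\)"[^>]*>/\1/g'
}

# Offline run on the constructed page; against the real thing it would be
#   build_request Mystara google.com | netcat google.com 80 | extract_links
printf '%s' "$SAMPLE_HTML" | extract_links
```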

--newpage webserver
--heading 9 A Web Server

--beginoutput
mkfifo p ; mkfifo f ; cat f > p &     # f -> p carries the response back into netcat's stdin

while true ; do 
  nc -v -q 2 -l -p 8080 0<p | \
  grep -m1 GET | \
  sed -e 's/GET \/\([^ ]*\) HTTP[\/0-9.]*/cat \/var\/www\/html\/\1 >f /ep ; q' \
  2>webserver.log ;                   # e: run the cat command built from the request, p: print it, q: quit
done
--endoutput
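A safer replacement for the request-handling stage of slide 9, as an added example (not part of the original slides): the slide's sed "e" flag runs the captured path through a shell, so a request line such as "GET /../x" or one containing shell metacharacters is executed as typed; the functions below (names are my own) validate the path first and only ever pass it to cat as an argument.

```shell
#!/bin/sh
# Added example, not part of the original slides. It replaces the
# "grep -m1 GET | sed ... /ep" stage of slide 9: there, sed's "e" flag
# runs the captured path through a shell, so the request line doubles as a
# shell command line. Here the path is validated and only ever passed to
# cat as an argument.

# Map a request line ($1) to a file below the document root ($2). Prints the
# file path and returns 0 on success; returns 1 for anything that is not
# "GET /path HTTP/x.y" with a path made of [A-Za-z0-9._/-] and no ".." parts.
resolve_request() {
    line=$1
    docroot=$2
    case "$line" in
        "GET /"*" HTTP/"[0-9]*) ;;
        *) return 1 ;;
    esac
    path=${line#GET /}
    path=${path% HTTP/*}
    if [ -z "$path" ]; then path=index.html; fi     # "GET / HTTP/1.0"
    case "$path" in
        *[!A-Za-z0-9._/-]*) return 1 ;;   # spaces, $, ;, quotes, ... rejected
        ..|../*|*/..|*/../*) return 1 ;;  # directory traversal
    esac
    file="$docroot/$path"
    [ -f "$file" ] || return 1
    printf '%s\n' "$file"
}

# Answer one request read from stdin on stdout, with a minimal status line
# (the slide sends the bare file). Drop this in where the slide has
# "grep -m1 GET | sed ...", e.g.
#   nc -v -q 2 -l -p 8080 0<p | handle_request /var/www/html >f
handle_request() {
    docroot=$1
    IFS= read -r line || return 1
    line=$(printf '%s' "$line" | tr -d '\r')   # strip the CR of the CRLF line end
    if file=$(resolve_request "$line" "$docroot"); then
        printf 'HTTP/1.0 200 OK\r\n\r\n'
        cat -- "$file"
    else
        printf 'HTTP/1.0 404 Not Found\r\n\r\n'
    fi
}
```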

--newpage conclusion
--heading Conclusion

--boldon
--center Like its namesake, netcat has (at least) 9 lives ;)
--boldoff

   /\_/\         Examples from:
  / 0 0 \          Few Useful Netcat Tricks (1-7)
 ====v====         the OpenBSD netcat documentation (8)
  \  W  /          and yours truly (9)
  |     |     _
  / ___ \    / 
 / /   \ \  |  
(((-----)))-'  
 /             
(      ___     
 \__.=|___E      (ascii art from http://nc.sourceforge.net)
       /