2023年8月2日发(作者：)

Python⿊帽⼦⿊客与渗透测试编程之道（三）取代netcatnetcat是个计算机⽹络公⽤程式，⽤来对⽹络连线TCP或者UDP进⾏读写。透过端⼝3333（-l 监听状态listen）从机器foo复制到机器bar复制档案：user@bar$ nc -l -p 3333 > r@foo$ nc bar 3333 < 在端⼝25建⽴内容未加⼯过的连接（类似telnet）：nc 25利⽤零模式I/O（参数 -z）检查192.168.0.1的UDP端⼝（参数 -u）80-90是否开启：nc -vzu 192.168.0.1 80-90贴下代码，我⾃⼰跟着书上写的过程遇到的问题，就是缩进没对齐，导致整个程序后⾯出错了。由于代码⽐较长，找起来⽐较花时间，于是就在⽹上⽤了别⼈敲好的，运⾏出书上的结果了。#!/usr/bin/env python2.7import sysimport socketimport getoptimport threadingimport subprocess# define some global variableslisten = Falsecommand = Falseupload = Falseexecute = ""target = ""upload_destination = ""port = 0# this runs a command and returns the outputdef run_command(command):

# trim the newline command = ()

# run the command and get the output back try: output = _output(command,stderr=, shell=True) except: output = "Failed to execute "

# send the output back to the client return output# this handles incoming client connectionsdef client_handler(client_socket): global upload global execute global command

# check for upload if len(upload_destination):

# read in all of the bytes and write to our destination file_buffer = ""

# keep reading data until none is available while True: data = client_(1024) data = client_(1024)

if not data: break else: file_buffer += data

# now we take these bytes and try to write them out try: file_descriptor = open(upload_destination,"wb") file_(file_buffer) file_()

# acknowledge that we wrote the file out client_("Successfully saved file to %srn" % upload_destination) except: client_("Failed to save file to %srn" % upload_destination)

# check for command execution if len(execute):

# run the command output = run_command(execute)

client_(output)

# now we go into another loop if a command shell was requested if command:

while True: # show a simple prompt client_(" ")

# now we receive until we see a linefeed (enter key) cmd_buffer = "" while "n" not in cmd_buffer: cmd_buffer += client_(1024)

# we have a valid command so execute it and send back the results response = run_command(cmd_buffer)

# send back the response client_(response)

# this is for incoming connectionsdef server_loop(): global target global port

# if no target is defined we listen on all interfaces if not len(target): target = "0.0.0.0"

server = (_INET, _STREAM) ((target,port))

(5)

while True: client_socket, addr = ()

# spin off a thread to handle our new client # spin off a thread to handle our new client client_thread = (target=client_handler,args=(client_socket,)) client_()

# if we don't listen we are ake it client_sender(buffer):

client = (_INET, _STREAM)

try: # connect to our target host t((target,port))

# if we detect input from stdin send it

# if not we are going to wait for the user to punch some in

if len(buffer):

(buffer)

while True:

# now wait for data back recv_len = 1 response = ""

while recv_len: data = (4096) recv_len = len(data) response+= data

if recv_len < 4096: break

print response,

# wait for more input buffer = raw_input("") buffer += "n"

# send it off (buffer)

except: # just catch generic errors - you can do your homework to beef this up print "[*] Exception! Exiting."

# teardown the connection

()

def usage(): print "Netcat Replacement" print print "Usage: -t target_host -p port" print "-l --listen - listen on [host]:[port] for incoming connections" print "-e --execute=file_to_run - execute the given file upon receiving a connection" print "-c --command - initialize a command shell" print "-u --upload=destination - upon receiving connection upload a file and write to [destination]" print print print "Examples: " print "Examples: " print " -t 192.168.0.1 -p 5555 -l -c" print " -t 192.168.0.1 -p 5555 -l -u=c:" print " -t 192.168.0.1 -p 5555 -l -e="cat /etc/passwd"" print "echo 'ABCDEFGHI' | ./ -t 192.168.11.12 -p 135" (0)def main(): global listen global port global execute global command global upload_destination global target

if not len([1:]): usage()

# read the commandline options try: opts, args = ([1:],"hle:t:p:cu:",["help","listen","execute","target","port","command","upload"]) except Error as err: print str(err) usage()

for o,a in opts: if o in ("-h","--help"): usage() elif o in ("-l","--listen"): listen = True elif o in ("-e", "--execute"): execute = a elif o in ("-c", "--commandshell"): command = True elif o in ("-u", "--upload"): upload_destination = a elif o in ("-t", "--target"): target = a elif o in ("-p", "--port"): port = int(a) else: assert False,"Unhandled Option"

# are we going to listen or just send data from stdin if not listen and len(target) and port > 0:

# read in the buffer from the commandline # this will block, so send CTRL-D if not sending input # to stdin buffer = ()

# send data off client_sender(buffer)

# we are going to listen and potentially

# upload things, execute commands and drop a shell back # depending on our command line options above if listen: server_loop()main() 运⾏情况：在⼀个终端中输⼊：root@kali:~# ./ -l -p 9999 -c按回车之后什么都没有显⽰，它已经在监听了。接下来打开⼀个新的终端，输⼊：root@kali:~# ./ -t localhost -p 9999接下来还是没反应，接着按住ctrl+d键，就会如图所⽰：接着输⼊：会显⽰⽂件数及它们的属性。再输⼊别的命令试试：pwd命令 Linux中⽤ pwd 命令来查看”当前⼯作⽬录“的完整路径。可以看到，我们返回了典型的命令⾏shell，由于我们在⼀个UNIX主机上，所以可以运⾏⼀些本地命令并回传其输出，就好像我们通过SSH登录⼀样，或者像是在⽬标主机本地运⾏。我们可以使⽤⽼派的⽅式直接利⽤客户端发送HTTP请求：root@kali:~# echo -ne "GET / HTTP/1.1rnHost: n" | ./ -t -p 80