Unable to start a bind shell with SSL on ncat

Ncat: Version 7.10

I have also tried other versions, but without success.

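This is the command I give to start the listener. The listener works fine if I do not start a bind shell, or if I use the bind shell without ssl; the problem occurs when the two are used together.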

ncat -vvvvvlknp 9999 -e cmd.exe --ssl

This is the full stack trace of the listener:

Ncat: Version 7.10 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: F939 1FB9 B513 9F69 5528 52BC 84C6 C1D9 7361 0562
NCAT DEBUG: Initialized fdlist with 63 maxfds
Ncat: Listening on :::9999
NCAT DEBUG: Added fd 508 to list, nfds 1, maxfd 508
Ncat: Listening on 0.0.0.0:9999
NCAT DEBUG: Added fd 512 to list, nfds 2, maxfd 512
NCAT DEBUG: Added fd 0 to list, nfds 3, maxfd 512
NCAT DEBUG: Initialized fdlist with 60 maxfds
NCAT DEBUG: selecting, fdmax 512
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 512 is ready
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:1916.
NCAT DEBUG: Added fd 516 to list, nfds 4, maxfd 516
NCAT DEBUG: selecting, fdmax 516
NCAT DEBUG: select returned 2 fds ready
NCAT DEBUG: fd 516 is ready
NCAT DEBUG: selecting, fdmax 516
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 516 is ready
NCAT DEBUG: Executing: cmd.exe
NCAT DEBUG: Creating named pipe "\\.\pipe\ncat-444-0"
NCAT DEBUG: Register subprocess 000000BC at index 0.
NCAT DEBUG: selecting, fdmax 516
NCAT DEBUG: Unregister subprocess 000000BC from index 0.
NCAT DEBUG: Subprocess still running, terminating it.
NCAT DEBUG: Subprocess ended with exit code 0.
NCAT DEBUG: Terminating subprocesses
NCAT DEBUG: max_index 1
NCAT DEBUG: Terminating subprocesses
NCAT DEBUG: max_index 1

Connecting to the listener. I use the loopback address because this is the same system. If I disable --ssl, this command works.

I am using the loopback address here, but the result is the same even when I use multiple virtual machines.

ncat 127.0.0.1 9999 -vvvv --ssl

This is the entire stack trace of the outgoing connection.

Ncat: Version 7.10 ( https://nmap.org/ncat )
libnsock nsock_set_loglevel(): Set log level to DEBUG
NCAT DEBUG: Using trusted CA certificates from C:\Program Files (x86)\Nmap\ca-bundle.crt.
NCAT DEBUG: Not doing certificate verification.
libnsock nsock_iod_new2(): nsock_iod_new (IOD #1)
libnsock event_new(): event_new (IOD #1) (EID #9)
libnsock nsock_connect_ssl(): SSL connection requested to 127.0.0.1:9999/tcp (IOD #1) EID 9
libnsock nsock_pool_add_event(): NSE #9: Adding event (timeout in 10000ms)
libnsock nsock_loop(): nsock_loop() started (no timeout). 1 events pending
Ncat: Subject: CN=localhost
Ncat: Issuer: CN=localhost
Ncat: SHA-1 fingerprint: F939 1FB9 B513 9F69 5528 52BC 84C6 C1D9 7361 0562
Ncat: Certificate verification failed (self signed certificate).
libnsock nsock_trace_handler_callback(): Callback: SSL-CONNECT SUCCESS for EID 9 [127.0.0.1:9999]
Ncat: SSL connection to 127.0.0.1:9999.
Ncat: SHA-1 fingerprint: F939 1FB9 B513 9F69 5528 52BC 84C6 C1D9 7361 0562
libnsock nsock_iod_new2(): nsock_iod_new (IOD #2)
libnsock event_new(): event_new (IOD #1) (EID #18)
libnsock nsock_read(): Read request from IOD #1 [127.0.0.1:9999] (timeout: -1ms) EID 18
libnsock nsock_pool_add_event(): NSE #18: Adding event (timeout in 584645012ms)
libnsock event_new(): event_new (IOD #2) (EID #26)
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 26
libnsock nsock_pool_add_event(): NSE #26: Adding event (timeout in 584645012ms)
libnsock event_delete(): event_delete (IOD #1) (EID #9)
libnsock nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [127.0.0.1:9999] (114 bytes)

Here, connecting to the listener starts the bind shell.

Microsoft Windows [Version 10.0.16299.371](c) 2017 Microsoft Corporation. All rights reserved.
C:\Users\wetg>


libnsock event_new(): event_new (IOD #1) (EID #34)
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #1 [127.0.0.1:9999] EID 34
libnsock nsock_pool_add_event(): NSE #34: Adding event (timeout in 584645012ms)
libnsock event_delete(): event_delete (IOD #1) (EID #18)

libnsock nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [peer unspecified] (1 bytes): .
libnsock event_new(): event_new (IOD #1) (EID #43)
libnsock nsock_write(): Write request for 1 bytes to IOD #1 EID 43 [127.0.0.1:9999]
libnsock nsock_pool_add_event(): NSE #43: Adding event (timeout in 584640354ms)
libnsock event_delete(): event_delete (IOD #2) (EID #26)
libnsock nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 43 [127.0.0.1:9999]
libnsock event_new(): event_new (IOD #2) (EID #50)
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 50
libnsock nsock_pool_add_event(): NSE #50: Adding event (timeout in 584640354ms)
libnsock event_delete(): event_delete (IOD #1) (EID #43)
libnsock nsock_trace_handler_callback(): Callback: READ EOF for EID 34 [127.0.0.1:9999]
close: Result too large

Here it closes the connection automatically because of "Result too large".
