Security Basics mailing list archives
RE: nc help needed.
From: "Fields, James" <James.Fields () bcbsfl com>
Date: Tue, 28 Sep 2004 13:19:28 -0400
Actually, on the box where nc is listening for incoming connections on port 139, the -s refers to its own IP address. In the example below, it would look like:

192.168.10.14> nc.exe -v -L -d -e cmd.exe -p 139 -s 192.168.10.14

The -s option ALWAYS refers to the "local" IP address rather than a remote address. If you specify -s from the attacking machine, you can use it to spoof source addresses or to force NC to use one of several addresses on a machine that has more than one. Used on the "target" machine, -s says "bind netcat to port X on local IP address Y." This is required because NetBIOS by default binds to "all" IP addresses; the only way for NC to preempt it is to bind to a *specific* address. This overrides NetBIOS binding to "all".

HOWEVER - this will BREAK NetBIOS on that address. You aren't silently intercepting, you're knocking NetBIOS aside (or whatever service wanted to run on the port you're specifying).

You might also look at the options with hping, where you can "listen" on a service port already being used for a "trigger" or signature that then causes hping to do something...

-----Original Message-----
From: Gautam R. Singh [mailto:gautam.singh () gmail com]
Sent: Saturday, September 25, 2004 11:39 AM
To: security-basics () securityfocus com
Subject: Re: nc help needed.

The -s I believe would be the source address - the ip address of the m/c from where u are connecting.

192.168.10.14> nc.exe -v -L -d -e cmd.exe -p 139 -s 192.168.10.15

192.168.10.15> telnet 192.168.10.14 139
or
192.168.10.15> nc -v 192.168.10.14 139

Try to use a different port and see if it is working. If it does, then use 139.

~gautam

On Fri, 24 Sep 2004 18:56:59 +0530, Vijay Kumar <vijay () calsoftinc com> wrote:
Hi,

Thanks a ton for all the replies. I know that Netbios is using port 139. Since the Windows computer is currently accepting null sessions, we should be able to connect to this port via netcat. (Am I right?)

Have been reading these lines from the documentation, which talks about assigning priority to the netcat session we are trying to establish. Hence I am sure this should work, we are missing on something. Does anyone have anything to add?

Also I am not understanding whether the -s <ip address> should be the computer running netcat or the destination (target) machine?

"" You will need to bind "in front of" some services that may already be listening on those ports. An example is the NETBIOS Session Service that is running on port 139 of NT machines that are sharing files. You need to bind to a specific source address (one of the IP addresses of the machine) to accomplish this. This gives Netcat priority over the NETBIOS service which is at a lower priority because it is bound to ANY IP address. This is done with the Netcat -s option:

nc -v -L -e cmd.exe -p 139 -s xxx.xxx.xxx.xxx

Now you can connect to the machine on port 139 and Netcat will field the connection before NETBIOS does. You have effectively shut off file sharing on this machine by the way. You have done this with just user privileges to boot. ""

Have not used psexec -> will try it.

Regards
Vijay.

On Fri, 2004-09-24 at 17:55, Scream wrote:

using the -p 139 command line switch would attempt to bind to port 139 on the machine you are running it on which being a windows machine is already in use..

If you are trying to connect to the remote then it would be, this however will not spawn a cmd session.

nc -v ip addr 139

----- Original Message -----
From: "Vijay Kumar" <vijay () calsoftinc com>
To: <security-basics () securityfocus com>
Sent: Thursday, September 23, 2004 11:21 AM
Subject: nc help needed.

Hi,

Trying to use the nc command from a windows 2k box:

nc -v -L -e cmd.exe -p 139 -s xxx.xxx.xxx.xxx

The error given is:

Can't grab xxx.xxx.xxx.xxx:139 with bind.

s -> destination host where the null sessions on 139 are accepted.

Any clue, how to get the cmd working on the remote host?

Regards,
Vijay.
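The binding behaviour discussed in this thread shows up on the defender's side as two listeners on one port: one bound to the wildcard address and one bound to a specific IP, owned by different processes. The following added example (not part of the original messages) flags that pattern in `netstat -ano` style output; the sample rows, PIDs and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of Windows `netstat -ano`; addresses and PIDs are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    192.168.10.14:139      0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING       1200
  TCP    [::]:8080              [::]:0                 LISTENING       2044
  TCP    [fe80::1%12]:8080      [::]:0                 LISTENING       2044
  TCP    192.168.10.14:49712    192.168.10.15:445      ESTABLISHED     4
"""

def parse_listeners(text):
    """Yield (ip, port, pid) for every TCP row in LISTENING state."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or f[3] != "LISTENING":
            continue  # header, UDP, or non-listening row
        host, _, port = f[1].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        yield ipaddress.ip_address(host), int(port), int(f[4])

def find_shadowed_ports(text):
    """Return {port: [(specific_ip, pid, wildcard_pid), ...]} where a listener
    bound to a specific address sits in front of a wildcard listener that is
    owned by a different process."""
    by_port = defaultdict(list)
    for ip, port, pid in parse_listeners(text):
        by_port[port].append((ip, pid))
    findings = {}
    for port, rows in by_port.items():
        wild = [(ip, pid) for ip, pid in rows if ip.is_unspecified]
        hits = [(str(ip), pid, wpid)
                for ip, pid in rows if not ip.is_unspecified
                for wip, wpid in wild
                if wip.version == ip.version and wpid != pid]
        if hits:
            findings[port] = hits
    return findings

if __name__ == "__main__":
    for port, hits in sorted(find_shadowed_ports(SAMPLE).items()):
        for ip, pid, wpid in hits:
            print(f"port {port}: PID {pid} on {ip} shadows wildcard listener PID {wpid}")
```

A service that sets SO_EXCLUSIVEADDRUSE on its listening socket cannot be pre-empted this way, so a finding from this check also points at a service that is not using that option.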