Nmap Development mailing list archives

Re: --exec and --sh-exec now supported in Windows Ncat


From: jah <jah () zadkiel plus com>
Date: Fri, 13 Mar 2009 00:08:29 +0000

On 12/03/2009 20:39, David Fifield wrote:
> Hello all,
>
> It used to be that --exec and --sh-exec didn't work on Windows because
> they relied on the fork system call. There are now replacement functions
> that emulate the Unix behavior on Windows, so they work now. You can do
>
> ncat.exe -l --exec "C:\WINDOWS\system32\cmd.exe"
> ncat.exe -l --sh-exec "echo Hello World!"
>
> Sorry, I don't know any really fun examples. The Unix emulation is
> pretty complete. --sh-exec uses cmd.exe /C to start the given program,
> so you can use pipelines and redirection as in Unix. All subprocesses
> are killed when the main Ncat process is killed, even though this means
> that Ncat has to track them itself. The only inconsistency is that
> --exec doesn't require the full path name like it does on Unix. It
> searches the PATH just like --sh-exec, so the first example could have
> used plain "cmd.exe". It would be possible to require the full path
> name, but I don't know if that's even desired.

This is great news! I've had a little play with it and it looks good.
I'm looking forward to being able to do some routine admin stuff on a
couple of headless Windows boxes without having to use VNC (and maybe
I'll come up with some fun usage examples at some point).

As for requiring the full path with --exec - I can't think of a reason
why that would be desirable as long as it accepts a full path - which it
does.

I did notice the following when using -v. Compare this, without verbosity:

C:\>ncat 127.0.0.1 34
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

U:\jah\Desktop>

and this with verbosity:

C:\>ncat 127.0.0.1 34 -v
NSOCK (0.0000s) TCP connection requested to 127.0.0.1:34 (IOD #1) EID 8
NSOCK (0.0160s) Callback: CONNECT SUCCESS for EID 8 [127.0.0.1:34]
NSOCK (0.0160s) Read request from IOD #1 [127.0.0.1:34] (timeout: -1ms) EID 18
NSOCK (0.0160s) Read request for 0 bytes from IOD #2 (peer unspecified) EID 26
NSOCK (0.0320s) Callback: READ SUCCESS for EID 18 [127.0.0.1:34] (99 bytes)
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

U:\jah\Desktop>NSOCK (0.0320s) Read request for 0 bytes from IOD #1 [127.0.0.1:34] EID 34


That last line of output is printed after the remote prompt.  Perhaps
there's not a great deal you can do about this and it's not really a
major issue, but I thought I'd mention it.

I think it's really cool that the lack of fork on Windows didn't
preclude these features of ncat from the Windows version - very nice
work indeed.

jah
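Since --exec and --sh-exec now hand a listening or outbound Ncat connection straight to a child process on Windows, the command lines in this thread are exactly the shape a process-creation monitor should flag. The following Python is an added example for this archive page, not code from the thread or from the Ncat project: it parses Windows-style command lines (quotes and backslashes preserved), expands bundled short options and --opt=value forms, and reports which exec option was used, what program it launches, and whether Ncat was listening or connecting out. The sample events are constructed; the long options --exec, --sh-exec and -l come from the thread, while the short forms -e and -c are Ncat's own aliases and are assumed here rather than shown on the page.

```python
import shlex
from dataclasses import dataclass

# Ncat options that hand the connection to a child process.  --exec/-e runs
# the program directly; --sh-exec/-c runs it through the shell (cmd.exe /C on
# Windows, as the thread notes).  -e and -c are Ncat's short aliases (assumed).
EXEC_OPTIONS = {"--exec", "-e", "--sh-exec", "-c"}
LISTEN_OPTIONS = {"--listen", "-l"}
NCAT_IMAGES = {"ncat", "ncat.exe"}


@dataclass
class Finding:
    image: str      # program token as it appeared on the command line
    mode: str       # "listen" (inbound bind) or "connect" (outbound)
    option: str     # the exec option that was matched
    command: str    # program or shell line handed to the child


def _tokens(cmdline):
    # Non-POSIX splitting keeps backslashes literal (Windows paths) and keeps
    # surrounding quotes on a token, which we strip afterwards.
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def _is_ncat(token):
    name = token.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in NCAT_IMAGES


def _expand(args):
    """Expand '--opt=value' and bundled short flags so every option stands alone.

    '-lvc cmd.exe' becomes ['-l', '-v', '-c', 'cmd.exe']; a value glued to an
    exec flag ('-ecmd.exe') is split off.  Numeric bundles such as '-p34'
    expand into meaningless single letters, which is harmless for this check.
    """
    out = []
    for t in args:
        if t.startswith("--") and "=" in t:
            opt, val = t.split("=", 1)
            out += [opt, val]
        elif t.startswith("-") and not t.startswith("--") and len(t) > 2:
            for j, ch in enumerate(t[1:], start=1):
                out.append("-" + ch)
                if ch in "ec" and j < len(t) - 1:
                    out.append(t[j + 1:])   # remainder is the flag's value
                    break
        else:
            out.append(t)
    return out


def inspect_command_line(cmdline):
    """Return a Finding if this command line runs Ncat with an exec option."""
    toks = _tokens(cmdline)
    if not toks or not _is_ncat(toks[0]):
        return None
    args = _expand(toks[1:])
    mode = "listen" if any(a in LISTEN_OPTIONS for a in args) else "connect"
    for i, a in enumerate(args):
        if a in EXEC_OPTIONS:
            cmd = args[i + 1] if i + 1 < len(args) else ""
            return Finding(image=toks[0], mode=mode, option=a, command=cmd)
    return None


# Constructed process-creation events, already split into fields the way a
# log collector would deliver a Windows 4688 / Sysmon-style record.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "jah",
     "cmdline": 'ncat.exe -l --exec "C:\\WINDOWS\\system32\\cmd.exe"'},
    {"host": "WS01", "user": "jah",
     "cmdline": 'ncat.exe -l --sh-exec "echo Hello World!"'},
    {"host": "WS02", "user": "jah", "cmdline": "ncat 127.0.0.1 34 -v"},
    {"host": "WS03", "user": "svc", "cmdline": '"C:\\Tools\\ncat.exe" -lvc cmd.exe'},
    {"host": "WS03", "user": "svc", "cmdline": "notepad.exe --exec readme.txt"},
]


def scan_events(events):
    """Run the check over event records; returns (host, user, Finding) tuples."""
    hits = []
    for ev in events:
        f = inspect_command_line(ev["cmdline"])
        if f is not None:
            hits.append((ev["host"], ev["user"], f))
    return hits


if __name__ == "__main__":
    for host, user, f in scan_events(SAMPLE_EVENTS):
        print(f"{host} {user}: ncat {f.mode} {f.option} -> {f.command}")
```

The plain client in the thread (ncat 127.0.0.1 34 -v) produces no finding, which is the intended behaviour: Ncat itself is a legitimate admin tool, and the signal worth alerting on is the exec option, in either listen or connect mode, not the binary name. Because --exec searches PATH on Windows, as the thread points out, the check deliberately does not require a full path in the launched command.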




_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
