I want to issue then following requests to a telnet session:
telnet www.example.com 80
GET / HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n
Telnet doesn't seem to recognise the '\r\n' as a carriage return and just sends the lot on to the remote host. What should I put in place of '\r\n' to render a carriage return in the telnet terminal. It does work when I paste the following into the terminal:
GET / HTTP/1.1
Host: www.example.com
Connection: close
followed by two presses of the RETURN key. Is there a hex code I can send to telnet i.e. \0x01 or something like that?
Can I change the options of the TELNET shell to show what I pasted also? I can't find a way to do SET LOCALECHO since I'm opening the TELNET shell and connecting at the same time.
Thanks for any help on this.
/r/n is a perfectly acceptable carriage return line feed character for ANSI, which is what most telnet clients communicate in. Are you applying the # sign in front of your string?
ie:
#"GET / HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n";
If you are trying to type in /r/n and pasting that input in raw, then the telnet component will often assume you wanted the characters sent as they are type(not as new lines) and do so accordingly.
Related
I came across an odd HTTP request in my Apache access log:
"GET www.example.com HTTP/1.0"
Using a browser (Waterfox, Firefox or Chrome, (in that order)) or PuTTY/cURL|Terminal how can I reproduce this HTTP request? Preferably for localhost as I can see the logs in real-time.
I did some reading and apparently cURL can only make absolute URL requests. I also have not been able to reproduce this with Edit and Resend in the Network panel of Waterfox. This request triggered some minor errors I wish to fix in my system.
In a terminal it's quite easy to perform any request.
You can
use telnet on port 80 telnet 127.0.0.1 80. Then you have to write the request (you may need to type fast, and the server may reject you for bad end lines \n instead of \r\n)
to bypass telnet limitation you can first write your requests with a simple printf:
# regular HTTP query
printf 'GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n'
# or the 'absolute url' mode
printf 'GET www.example.com HTTP/1.0\r\n\r\n'
# or even the official absolute uri mode, I think that's the correct one
printf 'GET http://www.example.com/ HTTP/1.0\r\n\r\n'
But printf is just the same thing as echo, with special charaters handling (like the \r\n). So you have to copy the result and paste it to telnet.
I prefer using netcat (sometimes called nc) to manage the tcp/ip socket connection instead of telnet, and put directly the printf result to the tcp/ip socket with a pipe (if you need https you'll have to use openssl_client instead of netcat). That's:
printf 'GET www.example.com HTTP/1.0\r\n\r\n' | nc -q 3 127.0.0.1 80
# or
printf 'GET http://www.example.com/ HTTP/1.0\r\n\r\n' | nc -q 3 127.0.0.1 80
And that's it you have your low tech browser. With the advantage of being able to write any sort of bad query. The aboslute url used in place of the location in the first header is something present in the RFC, to handle compatibility with the very old HTTP 0.9:
# HTTP 0.9
printf 'GET www.example.com/foo/bar \r\n' | nc -q 3 127.0.0.1 80
And in this request the right VirtualHost to use is the one from the location, not from the Host header:
# regular HTTP query
printf 'GET http://www.vhost2.com/foo HTTP/1.0\r\nHost: www.vhost1.com\r\n\r\n' |\
nc -q 3 127.0.0.1 80
That was the base of James Kettle's Host header attacks back in 2013. So I recommend you effectively track the minor events and fix them. And it's always good to learn how to inject any special url in your server.
You may be able to send crafted requests also with curl, but by definition real browsers and command line browsers tends to avoid sending badly crafted requests.
Tracking real response from HTTP servers from a terminal can also be quite effective when tracking down which server, or proxy is broken when you handle a big chain of such services. Learn how to talk HTTP in a tcp socket, without curl, that's usefull.
First install Telnet.
Then copy and paste the following into a terminal window:
telnet localhost 80
GET www.example.com HTTP/1.0
Press Enter two times.
This is what it looks like in my access logs:
::1 - - [30/Oct/2020:23:37:28 -0700] "GET www.example.com HTTP/1.0" 400 310
You can also do this with PHP. Here is a file I created called test.php:
<?php
$fp = stream_socket_client("tcp://localhost:80", $errno, $errstr, 30) or die("$errstr ($errno)");
$request = "GET www.example.com HTTP/1.0\r\n\r\n";
$written = 0;
do {
$bytes = fwrite($fp, substr($request, $written)) or die('fwrite error');
$written+= $bytes;
}
while ($written!==strlen($request));
fclose($fp) or die('fclose error');
echo 'Request sent successfully';
exit;
The above does the same thing it just uses PHP to do it. Create a PHP file with the above text, point your browser to it, it should say "Request sent successfully" and then check your access logs.
Edit:
If you need to use TLS then try the following instead. Again save as test.php and point your browser to this file:
$fp = fsockopen("tls://localhost", 443, $errno, $errstr, 30) or die("$errstr ($errno)");
$request = "GET www.example.com HTTP/1.0\r\n\r\n";
$written = 0;
do {
$bytes = fwrite($fp, substr($request, $written)) or die('fwrite error');
$written+= $bytes;
}
while ($written!==strlen($request));
while (!feof($fp)) {
echo fgets($fp, 128);
}
fclose($fp) or die('fclose error');
echo 'Request sent successfully';
exit;
Usually CTRL-C or CTRL-D quits a program. However, once in a while instead of quitting the program, pressing CTRL-C just escapes the characters and outputs it to the terminal screen. I've seen this happen multiple times before for different programs: Django, ssh, etc. I've noticed this happens when I've left the terminal for a long period of time.
Is there a way to revert the CTRL-C behavior back to what I would expect?
And what is the reasoning behind the escaped characters?
Here is an example output of what I mean by escaped CTRL-C and other characters:
^C^C^D^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^D^D^D^D^D^D^D^D^D^D^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^Z^D^D^D^D^D^D^D^D^D^D^D^D^D^D^D^D^D^D^D^D^D^D^D^D^D^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^D^D^D^D^D^D^D^D^D^D^D^D^D^D^[^[^D^D^D^D^Z^Z^Z^Z^Z^Z
This is because the connection to server may have been broken, so your terminal is just echoing what you do instead of being able to show you what the command or the server was responding. The way to get out of ssh in such is to use termination sequence ~ + . + Enter. Enter may not be always required
Below are the list of SSH escape sequences
~. - terminate connection (and any multiplexed sessions)
~B - send a BREAK to the remote system
~C - open a command line
~R - Request rekey (SSH protocol 2 only)
~^Z - suspend ssh
~# - list forwarded connections
~& - background ssh (when waiting for connections to terminate)
~? - this message
~~ - send the escape character by typing it twice
PS: Taken from https://lonesysadmin.net/2011/11/08/ssh-escape-sequences-aka-kill-dead-ssh-sessions/
I am connected to a Telnet server with Putty and looking at what is going on on the connection using Wireshark. The Telnet server rejects any Telnet options, so this is a pure NVT.
When I press Ctrl+D in Putty, it sends the following command to the Telnet server:
0xff 0xec
or, in decimal,
255 236
This looks a lot like a two-byte Telnet command, with the first byte (255) being IAC. However, while looking at RFC 854, I cannot find any mention of a command number 236 (0xec = 236, not to be confused with the Character Erase (EC) command).
Does anybody knows what this is? Am I missing something in the RFC or is this command defined somewhere else?
According to this, it is an End of File command.
The value is defined in RFC1116, which was in turn obsoleted by RFC1184, which defines the same EOF value.
I have one file input.txt containing commands which needs to be typed after telnetting to one ip address. How can I do this, without typing all commands one after the another in to telnet session?
On my windowXP machine,I setup a Winsshd server, and use the command "curl -T test.txt -u hdp:123 sftp://127.0.0.1:22" , it works fine, but when I change the port "22" to "ssh", it failed and prompt "curl: (6) Couldn't resolve host '127.0.0.1:ssh'", I donot know why?
curl used RFC3986 for specification of URLs and there is no capacity in that standard for non-numeric port numbers:
3.2.3. Port
The port subcomponent of authority is designated by an optional port number in decimal following the host and delimited from it by a single colon (":") character.
port = *DIGIT
It allows for translation of a DNS name, so that you can use localhost rather than 127.0.0.1 for example, but not for the port identifier. It would probably be a relatively minor change to allow curl to look up services externally (such as in /etc/services) but it currently does not do that.
You have to use the numerical port. 'SSH' is not a port, but port 22 is being used for a ssh connection.