Understanding of nc redirect to bash

The full name of nc is netcat. Redirecting the nc server to bash gives you a remote shell.
1. On the server:
1) Create a named pipe
mkfifo pipe
2) Combine it with an anonymous pipe and redirection
nc -l -p 4444 < pipe | bash > pipe
2. On the client:
Assume the server IP is 1.1.1.1
nc 1.1.1.1 4444
The client is now connected to the server 1.1.1.1 and has obtained a remote shell on it, so it can run commands on the server as if they were local. The server-side redirection command is a little confusing at first glance, so a simple diagram helps in understanding it:
[Figure: Understanding of nc redirect to bash]
Following the figure, here is the basic flow of the whole remote shell.

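After nc has connected to the server:
1) The nc client sends commands over the network to the remote nc server.
2) The nc server passes them to bash through the anonymous pipe.
3) bash executes the commands sent by the client and redirects its output to the named pipe "pipe".
4) Because the nc server's input is redirected from the named pipe "pipe", the output of bash passes through "pipe" and on to the nc server.
5) The nc server sends the data it reads from the named pipe "pipe" over the network to the nc client.
    So this single command neatly contains two pipes, each doing its own job.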
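
As an added example (not from the original post): on Linux, the two-pipe wiring described above is visible in /proc, because the shell's stdin is the anonymous pipe that nc writes to and the shell's stdout is the FIFO that nc reads from. The script below correlates those descriptors to spot such a pair; the function names, the process-name lists and the sample snapshot are assumptions made for illustration.

```shell
#!/bin/sh
# Names and sample values below are constructed for this example.

# snapshot_fds: print "pid<TAB>comm<TAB>stdin<TAB>stdout" for each process in
# /proc (Linux only; needs root to read descriptors of other users).
snapshot_fds() {
    for d in /proc/[0-9]*; do
        fd0=$(readlink "$d/fd/0" 2>/dev/null) || continue
        fd1=$(readlink "$d/fd/1" 2>/dev/null) || continue
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        printf '%s\t%s\t%s\t%s\n' "${d#/proc/}" "$comm" "$fd0" "$fd1"
    done
}

# find_piped_shells: read a snapshot on stdin, print
# "shell_pid<TAB>nc_pid<TAB>return_path" for each shell wired to a netcat.
find_piped_shells() {
    awk -F'\t' '
        $2 ~ /^(nc|ncat|netcat)$/       { nc_in[$1] = $3; nc_out[$1] = $4 }
        $2 ~ /^(sh|bash|dash|zsh|ksh)$/ { sh_in[$1] = $3; sh_out[$1] = $4 }
        END {
            for (s in sh_in) {
                for (n in nc_in) {
                    # Forward path: nc stdout and shell stdin are the same
                    # anonymous pipe. Return path: shell stdout and nc stdin
                    # are the same object (the FIFO made with mkfifo).
                    if (sh_in[s] ~ /^pipe:\[/ && sh_in[s] == nc_out[n] &&
                        sh_out[s] == nc_in[n])
                        printf "%s\t%s\t%s\n", s, n, sh_out[s]
                }
            }
        }'
}

# sample_snapshot: constructed data, shaped like snapshot_fds output.
sample_snapshot() {
    printf '%s\t%s\t%s\t%s\n' \
        812  sshd /dev/null      /dev/null \
        2041 bash /dev/pts/0     /dev/pts/0 \
        2107 nc   /tmp/pipe      'pipe:[48213]' \
        2108 bash 'pipe:[48213]' /tmp/pipe \
        2200 nc   /dev/pts/1     /dev/pts/1 \
        2301 bash 'pipe:[50001]' /dev/pts/2
}

# Offline demo; on a live host use: snapshot_fds | find_piped_shells
sample_snapshot | find_piped_shells
```

The redirections never appear in the argv of either process, so a command-line match alone sees only `nc -l -p 4444` and a bare `bash`; the descriptor correlation is what ties the two together.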

However, the connection established by nc is not encrypted, so it is not secure. For that reason an encrypted version of nc, called cryptcat, has appeared. It is used in basically the same way as nc but adds a layer of encryption, so it is relatively safe to use.

Origin blog.51cto.com/3823536/2552381