nc & nmap network scanning tools

Reposted from https://blog.csdn.net/open_data/article/details/47004291

I. nc
1. Install nc
# yum install nc

2. nc in detail
Linux nc command (netcat)
 
Function: a powerful network tool
Syntax: nc [-hlnruz] [-g <gateway...>] [-G <pointer>] [-i <delay seconds>] [-o <output file>] [-p <port>] [-s <source address>] [-v...] [-w <timeout seconds>] [hostname] [port...]
Parameters:
  -g <gateway>  set a gateway (router hop) for source routing; up to 8 may be given.
  -G <pointer>  set the source-routing pointer; the value is a multiple of 4.
  -h  online help.
  -i <delay seconds>  set the interval between lines sent and between ports scanned.
  -l  listen mode, for inbound connections.
  -n  use IP addresses directly; do not resolve names through DNS.
  -o <output file>  write a hex dump of all data sent and received to the given file.
  -p <port>  set the local port used by the local host.
  -r  randomize the local and remote ports.
  -s <source address>  set the source IP address of the packets sent by the local host.
  -u  use UDP instead of TCP.
  -v  verbose; show what the command is doing.
  -w <timeout seconds>  set the time to wait for a connection.
  -z  zero-I/O mode; used only when scanning ports.
 
Extended information one: nc usage examples
 
1) scan ports 21-24 on 192.168.2.34
# nc -v -w 2 -z 192.168.2.34 21-24
nc: connect to 192.168.2.34 port 21 (tcp) failed: Connection refused
Connection to 192.168.2.34 22 port [tcp/ssh] succeeded!
nc: connect to 192.168.2.34 port 23 (tcp) failed: Connection refused
nc: connect to 192.168.2.34 port 24 (tcp) failed: Connection refused
 
2) copy a file from 192.168.2.33 to 192.168.2.34
on 192.168.2.34: nc -l 1234 > test.txt
on 192.168.2.33: nc 192.168.2.34 1234 < test.txt
 
3) simple chat tool
on 192.168.2.34: nc -l 1234
on 192.168.2.33: nc 192.168.2.34 1234
The two sides can now type to each other. Press Ctrl+C (or Ctrl+D) to exit.
 
3. Operating memcached with nc
1) store data: printf "set key 0 10 6\r\nresult\r\n" | nc 192.168.2.34 11211
2) fetch data: printf "get key\r\n" | nc 192.168.2.34 11211
3) delete data: printf "delete key\r\n" | nc 192.168.2.34 11211
4) view status: printf "stats\r\n" | nc 192.168.2.34 11211
5) top-like status view: watch "echo stats | nc 192.168.2.34 11211"
6) empty the cache: printf "flush_all\r\n" | nc 192.168.2.34 11211 (be careful: the emptied cache is gone)
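The part of the printf lines above that is easiest to get wrong is the byte count: the number on the set line must equal the byte length of the data block (6 for "result"), and every line must end in CRLF, or memcached rejects the command. The following shell functions, an added example that is not from the original article, build those commands with the count computed rather than typed; the host and port are the ones used above, and the function names are assumptions.

```sh
#!/bin/sh
# Added example: build memcached text-protocol commands for piping into nc.
# The "set" line is: set <key> <flags> <exptime> <bytes>, followed by the data
# block; <bytes> must be the exact byte length of the data and every line must
# end in CRLF, otherwise memcached replies "CLIENT_ERROR bad data chunk".

# mc_set KEY VALUE [EXPTIME] [FLAGS] -> prints the set command on stdout
mc_set() {
    key=$1
    value=$2
    exptime=${3:-0}
    flags=${4:-0}
    # wc -c counts bytes (not characters), so multi-byte UTF-8 values are sized correctly
    nbytes=$(( $(printf '%s' "$value" | wc -c) ))
    printf 'set %s %s %s %s\r\n%s\r\n' "$key" "$flags" "$exptime" "$nbytes" "$value"
}

# mc_get KEY -> prints the get command
mc_get() { printf 'get %s\r\n' "$1"; }

# mc_delete KEY -> prints the delete command
mc_delete() { printf 'delete %s\r\n' "$1"; }

# mc_send HOST -> pipes the command text on stdin to memcached on port 11211,
# with a 2-second timeout (-w 2) so an unresponsive host does not hang the shell
mc_send() { nc -w 2 "$1" 11211; }

# usage, equivalent to example 1) above:
#   mc_set key result 10 | mc_send 192.168.2.34
```

Because the memcached text protocol has no authentication, anything that can reach port 11211 with nc can read, delete and flush the cache exactly as shown above; bind memcached to localhost or restrict the port at the firewall, and use -w so a filtered port does not hang a script.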
 
nc -l 1234
 
nc 127.0.0.1 1234
establish a connection to port 1234; whatever is typed on one side is sent to the other
 
nc -p 1234 -w 5 host.example.com 80
connect from local port 1234 to port 80 of host.example.com, with a 5-second timeout
nc -u host.example.com 53
-u makes it a UDP connection
 
printf "GET / HTTP/1.0\r\n\r\n" | nc host.example.com 80
connect to the host and send the request
 
nc -v -z host.example.com 70-80
scan ports 70-80; a range can be given. -v prints details.
 
Extended information two: transferring files with the Linux nc command
 
I will not go into everything nc can do; today the topic is file transfer with nc. Sometimes ssh and scp are not available: there is no sudo on the remote host, or ssh is denied in hosts.deny, so scp cannot be used. Today I use this lightweight tool to illustrate another powerful feature of nc: file transfer.
 
Here is an example:
 
The destination host listens:
nc -l <listen port> > <file name to receive into>
nc -l 4444 > cache.tar.gz
 
The source host initiates the request:
nc <destination host ip> <destination port> < <file to send>
nc 192.168.0.85 4444 < cache.tar.gz
 
netstat shows the listener:
[root@localhost jiangbao]# netstat -tpln
 
tcp        0      0 0.0.0.0:4444      0.0.0.0:*       LISTEN      18166/nc
 
The man page describes it in English as follows:
DATA TRANSFER
Start by using nc to listen on a specific port, with output captured into a file:
 $ nc -l 1234 > filename.out
Using a second machine, connect to the listening nc process, feeding it the file which is to be transferred:
 $ nc host.example.com 1234 < filename.in
 
Extended information three: the Linux nc (netcat) command in detail. This article describes nc in great detail; some of it repeats the information above.
 
First, the version
 
The usual Linux distributions ship netcat (called nc), and even the CD-ROM rescue mode provides a simple version of nc via busybox. Different versions take slightly different parameters.
 
[root@hatest1 ~]# cat /etc/asianux-release
Asianux release 2.0 (Trinity SP2)
[root@hatest1 ~]# cat /etc/redflag-release
Red Flag DC Server release 5.0 (Trinity SP2)
[root@hatest1 ~]# type -a nc
nc is /usr/bin/nc
[root@hatest1 ~]# rpm -q nc
nc-1.10-22
It is recommended to read the help with man nc before use. Here version 1.10 on Red Flag DC Server 5.0 is described briefly.
Assume the two servers are:
 
 
server1: 192.168.228.221
server2: 192.168.228.222
 
Second, common uses
 
1. Remote file copy
 
Copy a file from server1 to server2. On server2, start nc listening; run on server2:
 
[root@hatest2 tmp]# nc -lp 1234 > install.log
Run on server1:
 
[root@hatest1 ~]# ll install.log
-rw-r--r-- 1 root root 39693 12月 20 2007 install.log
[root@hatest1 ~]# nc -w 1 192.168.228.222 1234 < install.log
 
2. Cloning a hard disk or partition
 
The operation is identical to the copy above; the only difference is that the data is read from the disk or partition with dd and then transmitted.
Disk or partition cloning must be done on a system that is not mounted, so boot from the CD-ROM into rescue mode (or from a live disc such as Knoppix). After the system starts, start a listener on server2 in the same way:
 
# nc -l -p 1234 | dd of=/dev/sda
 
Send on server1 to clone disk sda from server1 to server2:
 
# dd if=/dev/sda | nc 192.168.228.222 1234
 
※ A prerequisite is that the rescue-mode CD-ROM supports the server's network card and that the IP is configured correctly.
 
3. Port scan
 
Run:
 
# nc -v -w 1 192.168.228.222 -z 1-1000
hatest2 [192.168.228.222] 22 (ssh) open
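The two output formats seen on this page (the OpenBSD-style "Connection to ... succeeded!" lines in extended information one, and the nc 1.10 "... (ssh) open" line here) are easy to read for four ports but not for 1-1000. The following added example, which is not from the original article, extracts the open ports from saved scan output and reports any that are not on an allow-list of ports expected to be open on that host, the way a defender would verify a firewall from the outside. The sample lines are constructed from the two formats above, and the function names are assumptions.

```sh
#!/bin/sh
# Added example: turn "nc -v -z" output into a list of open ports and check it
# against an allow-list of ports that are supposed to be open.

# Constructed sample output combining the two formats shown on this page:
# OpenBSD-style nc ("... succeeded!") and nc 1.10 ("... (ssh) open").
SAMPLE_SCAN='nc: connect to 192.168.2.34 port 21 (tcp) failed: Connection refused
Connection to 192.168.2.34 22 port [tcp/ssh] succeeded!
nc: connect to 192.168.2.34 port 23 (tcp) failed: Connection refused
hatest2 [192.168.228.222] 22 (ssh) open
hatest2 [192.168.228.222] 443 (https) open'

# open_ports SCAN_TEXT -> one open port number per line, sorted and de-duplicated
open_ports() {
    printf '%s\n' "$1" | awk '
        # OpenBSD nc: "Connection to HOST PORT port [tcp/svc] succeeded!"
        / succeeded!$/ { for (i = 2; i <= NF; i++) if ($i == "port") print $(i - 1) }
        # nc 1.10 with -v: "HOST [IP] PORT (svc) open"
        / open$/ { print $(NF - 2) }
    ' | sort -n | uniq
}

# unexpected_ports "ALLOWED PORTS" SCAN_TEXT -> open ports not in the allow-list
unexpected_ports() {
    allowed=" $1 "
    open_ports "$2" | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;                 # expected to be open
            *) printf '%s\n' "$port" ;;     # not in the allow-list: flag it
        esac
    done
}

# usage (nc -v writes its messages to stderr, hence 2>&1):
#   unexpected_ports "22 443" "$(nc -v -z -w 1 192.168.228.222 1-1000 2>&1)"
```

An empty result from unexpected_ports means the host exposes only what the allow-list says it should; anything printed is a port to investigate.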
 
4. Serve a web page with nc
 
# while true; do nc -l -p 80 -q 1 < somepage.html; done
 
5. Simulating HTTP headers
 
[root@hatest1 ~]# nc www.linuxso.com 80
GET / HTTP/1.1
Host: ispconfig.org
Referrer: mypage.com
User-Agent: my-browser
 
HTTP/1.1 200 OK
Date: Tue, 16 Dec 2008 07:23:24 GMT
Server: Apache/2.2.6 (Unix) DAV/2 mod_mono/1.2.1 mod_python/3.2.8 Python/2.4.3 mod_perl/2.0.2 Perl/v5.8.8
Set-Cookie: PHPSESSID=bbadorbvie1gn037iih6lrdg50; path=/
Expires: 0
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Set-Cookie: oWn_sid=xRutAY; expires=Tue, 23-Dec-2008 07:23:24 GMT; path=/
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html
[......]
After the nc command, type the request lines shown above, then press Enter twice; the server returns its HTTP headers and the page content.
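Typing the request by hand as above has two traps: HTTP/1.1 requires a Host header, and without Connection: close a keep-alive server leaves nc waiting until its timeout. The following shell functions, an added example that is not from the original article, generate a well-formed request for piping into nc (as in the printf ... | nc example in extended information one) and pull the status code and individual headers out of the reply. The sample reply is constructed from the headers shown above, and the function names are assumptions.

```sh
#!/bin/sh
# Added example: build a correct HTTP/1.1 request for nc and parse the reply.
# HTTP/1.1 needs a Host header and CRLF line endings; "Connection: close" makes
# the server hang up after one response instead of holding the connection open.

# http_request HOST PATH [USER_AGENT] -> request text on stdout
http_request() {
    host=$1
    path=${2:-/}
    ua=${3:-nc-probe}
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\nConnection: close\r\n\r\n' \
        "$path" "$host" "$ua"
}

# http_status RESPONSE_TEXT -> status code from the status line (e.g. 200)
http_status() {
    printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '$1 ~ /^HTTP\// { print $2 }'
}

# http_header RESPONSE_TEXT NAME -> value of the first matching header, case-insensitive
http_header() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v want="$2" '
        NR > 1 && $0 == "" { exit }        # blank line ends the header block
        NR > 1 {
            n = index($0, ":")
            if (n && tolower(substr($0, 1, n - 1)) == tolower(want)) {
                v = substr($0, n + 1); sub(/^[ \t]+/, "", v); print v; exit
            }
        }'
}

# Constructed sample reply, modelled on the headers shown above.
SAMPLE_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nDate: Tue, 16 Dec 2008 07:23:24 GMT\r\nServer: Apache/2.2.6 (Unix)\r\nContent-Type: text/html\r\n\r\n<html>body</html>')

# usage: reply=$(http_request www.linuxso.com / | nc -w 5 www.linuxso.com 80)
#        http_status "$reply"; http_header "$reply" server
```

The Server header pulled out this way is the same banner an attacker reads, so it is also the first thing to strip or generalise on your own servers. Note that the header name is Referer; the Referrer spelling in the manual session above is ignored by servers.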
 
6. Chat
 
nc can also be used as a simple text chat tool. As before, start listening on server2:
 
[root@hatest2 tmp]# nc -lp 1234
 
Send on server1:
 
[root@hatest1 ~]# nc 192.168.228.222 1234
 
The two sides can now talk to each other. Press Ctrl+D to exit normally.
 
7. Transferring a directory
 
Copy the directory nginx-0.6.34 from server1 to server2. On server2, start nc listening; run on server2:
 
[root@hatest2 tmp]# nc -l 1234 | tar xzvf -
Run on server1:
 
[root@hatest1 ~]# ll -d nginx-0.6.34
drwxr-xr-x 8 1000 1000 4096 12-23 17:25 nginx-0.6.34
[root@hatest1 ~]# tar czvf - nginx-0.6.34 | nc 192.168.228.222 1234
 
 
8. Parameters
 
This is only a brief description for version 1.10; for the detailed parameters see the man page:
 
connect to somewhere:  nc [-options] hostname port[s] [ports] ...
listen for inbound:    nc -l -p port [-options] [hostname] [port]
Parameters:
-g gateway   source-routing hop point[s], up to 8
-G num       source-routing pointer: 4, 8, 12, ...
-h           help
-i secs      delay interval for lines sent and ports scanned
-l           listen mode, for inbound connections
-n           numeric-only IP addresses, no DNS
-o file      hex dump of the transferred traffic to a file
-p port      local port number
-r           randomize local and remote ports
-s addr      local source address
-u           UDP mode
-v           verbose output; use -v twice for more detail
-w secs      timeout
-z           zero-I/O mode, used for scanning; port numbers can be given individually or as a range lo-hi
 
 
Third, version differences
 
Needless to say, the nc versions shipped with different systems take slightly different parameters.
For example, the version on the Red Flag Asianux 3.0 SP1 rescue CD supports only a subset of the parameters:
 
# nc -h
BusyBox v1.2.0 (2008.04.14-01:35+0000) multi-call binary
 
Usage: nc [OPTIONS] [IP] [PORT]
 
Netcat opens a pipe to IP:PORT
 
Options:
         -l              listen mode, for inbound connects
         -p PORT         local port number
         -i SECS         delay interval for lines sent
         -e PROG         program to exec after connect (dangerous!)
         -w SECS         timeout for connects and final net reads
The nc shipped with the Asianux 3.0 SP1 system is version 1.84; the usage above does not work with it:
 
[root@ftpserver ~]# rpm -q nc
nc-1.84-10
[root@ftpserver ~]# nc -lp 1234
usage: nc [-46DdhklnrStUuvzC] [-i interval] [-p source_port]
           [-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_version]
           [-x proxy_address[:port]] [hostname] [port[s]]
According to the man page, in this version -l cannot be combined with -s, -p or -z, and a -w timeout is ignored with it, so the correct usage is:
 
[root@ftpserver tmp]# nc -l 1234
 
Fourth, use in scripts
 
Each time nc starts a listener, it exits when the client connection completes, and the service ends with it. So if you need nc to transfer data repeatedly, wrap it in a loop in a script. For more of nc's functionality, refer to the scripts shipped in the rpm:
 
# rpm -qd nc
/usr/share/doc/nc-1.10/Changelog
/usr/share/doc/nc-1.10/README
/usr/share/doc/nc-1.10/scripts/README
/usr/share/doc/nc-1.10/scripts/alta
/usr/share/doc/nc-1.10/scripts/bsh
/usr/share/doc/nc-1.10/scripts/dist.sh
/usr/share/doc/nc-1.10/scripts/irc
/usr/share/doc/nc-1.10/scripts/iscan
/usr/share/doc/nc-1.10/scripts/ncp
/usr/share/doc/nc-1.10/scripts/probe
/usr/share/doc/nc-1.10/scripts/web
/usr/share/doc/nc-1.10/scripts/webproxy
/usr/share/doc/nc-1.10/scripts/webrelay
/usr/share/doc/nc-1.10/scripts/websearch
/usr/share/man/man1/nc.1.gz
II. nmap
1. Install
# yum install nmap

2. In detail
Nmap, the Network Mapper, is released under the Free Software Foundation's GNU General Public License (GPL). Its basic functions are: detecting whether a group of hosts are online; scanning host ports to discover the network services offered; and determining the host operating system. After downloading the software, run configure, make and make install to install the nmap binary on your system; you can then run nmap.

Download from the official website: http://nmap.org/download.html

Or install the packages:

rpm -vhU http://nmap.org/dist/nmap-5.21-1.i386.rpm
rpm -vhU http://nmap.org/dist/zenmap-5.21-1.noarch.rpm

Test system: CentOS 5.3

Nmap's syntax is simple yet very powerful. For example, the ping-scan option is "-sP"; once the target host or network has been determined, it can be scanned. Running Nmap as root enables more functionality, because the superuser can craft the custom packets Nmap uses. Scanning a single host or an entire network is simple: give Nmap the destination address with a "/mask". Nmap also accepts various forms of network address, such as 192.168.1.*, which selects the hosts of that subnet for scanning.

Using nmap

The four basic scans Nmap supports:

    * TCP connect() port scan (-sT).

    * TCP SYN port scan (-sS).

    * UDP port scan (-sU).

    * Ping scan (-sP).

To sketch the overall picture of a network, the ping scan and the TCP SYN scan are the most practical.

    * A ping scan determines the state of hosts by sending ICMP (Internet Control Message Protocol) echo request packets and TCP ACK (acknowledge) packets; it is suited to finding how many hosts are running on a given segment.

    * A TCP SYN scan is hard to understand on its own, but compared with a TCP connect() scan its characteristics are easy to see. In a TCP connect() scan the scanner uses the operating system's own connect() system call to open a full TCP connection, i.e. a complete handshake (SYN, SYN-ACK, ACK) between the two hosts. A completed handshake shows that the remote port is open.

    * A TCP SYN scan creates a half-open connection. The difference from the TCP connect() scan is that the SYN scan sends a reset (RST) instead of the final ACK (i.e. SYN, SYN-ACK, RST). If the remote port is open and listening, the remote host answers with SYN-ACK and Nmap sends a RST; if the port is closed, the reply is a RST, and Nmap records the port as closed.

-sS TCP SYN scan (half-open: the SYN+ACK reply is answered with RST instead of completing the handshake)

-sT TCP connect scan; the full three-way handshake is completed

-sU UDP scan

-sP ping scan: sends an ICMP echo request and checks whether the host responds

-sF FIN scan

-sX Xmas scan

-sN Null scan: TCP packets with all flags off; the port state is judged from the error response

-P0 skip the ICMP echo request and scan regardless of the ping result

-p scan only the specified destination port range, e.g. 100, or 25,100

-O detect the operating system type

-oN <file> output in normal (human-readable) format to the file

-oX <file> output in XML format (with DTD)

-oG <file> output in grepable format

-sV scan for service name and version
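The -oG format above is the one to use when a scan is run on a schedule and each result is compared with the previous one, so that a port nobody meant to open shows up by itself. The following added example, not part of the original article, parses grepable output into "host port/proto service" lines and reports open ports missing from a baseline scan. The -oG lines are constructed to match the -sT result shown later on this page (22, 111 and 11111 open on 192.168.92.129, with 11111 absent from the baseline), and the function names are assumptions.

```sh
#!/bin/sh
# Added example: parse nmap grepable (-oG) output and diff it against a baseline
# so that newly opened ports on a host are reported automatically.

# Constructed -oG lines (tab-separated fields, as nmap writes them).
# Each port entry is port/state/protocol/owner/service/rpcinfo/version/.
BASELINE_OG=$(printf '# Nmap 5.21 scan initiated (constructed baseline)\nHost: 192.168.92.129 ()\tStatus: Up\nHost: 192.168.92.129 ()\tPorts: 22/open/tcp//ssh///, 111/open/tcp//rpcbind///\tIgnored State: closed (998)\n')
CURRENT_OG=$(printf '# Nmap 5.21 scan initiated (constructed current run)\nHost: 192.168.92.129 ()\tStatus: Up\nHost: 192.168.92.129 ()\tPorts: 22/open/tcp//ssh///, 80/filtered/tcp//http///, 111/open/tcp//rpcbind///, 11111/open/tcp//unknown///\tIgnored State: closed (996)\n')

# open_ports_og OG_TEXT -> "host port/proto service" per open port, in scan order
# (filtered and closed entries are dropped; only state "open" is kept)
open_ports_og() {
    printf '%s\n' "$1" | awk -F'\t' '
        /^Host:/ {
            split($1, h, " "); host = h[2]
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
                sub(/^Ports: /, "", $i)
                n = split($i, entries, ", ")
                for (j = 1; j <= n; j++) {
                    split(entries[j], f, "/")
                    if (f[2] == "open") printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
                }
            }
        }'
}

# new_open_ports BASELINE_LINES CURRENT_LINES -> lines present now but not in the baseline
new_open_ports() {
    base=$(mktemp) && cur=$(mktemp) || return 1
    printf '%s\n' "$1" > "$base"
    printf '%s\n' "$2" > "$cur"
    grep -vxF -f "$base" "$cur" || :      # grep exits 1 when nothing is new; that is fine
    rm -f "$base" "$cur"
}

# usage: nmap -sT -oG current.og 192.168.92.129 >/dev/null
#        new_open_ports "$(open_ports_og "$(cat baseline.og)")" "$(open_ports_og "$(cat current.og)")"
```

Run this way from cron against your own hosts, the output is empty until something changes; the 11111/tcp line in the sample is exactly the kind of unexplained listener worth chasing down.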

Ping scan: an intruder uses Nmap to scan a whole network to find targets. With the "-sP" option, by default Nmap sends an ICMP echo request and a TCP ACK to every host scanned; any host that responds to either is reported by Nmap. As follows.

[root@coremail ~]# nmap -sP 192.168.1.60

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:46 CST
Nmap scan report for 192.168.1.60
Host is up (0.00085s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds

Nmap supports different kinds of port scan. A TCP connect scan uses the "-sT" option: TCP connect() port scan (-sT). As shown below:
[root@coremail ~]# nmap -sT 192.168.92.129

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:51 CST
Nmap scan report for 192.168.92.129
Host is up (0.0017s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
11111/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds

 

Stealth scanning. When the scanner does not want the scan recorded in the logs of the target system, a TCP SYN scan can help. With the "-sS" option, Nmap sends SYN probes to scan the host or network. As follows.

[root@coremail ~]# nmap -sS www.baidu.com

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:51 CST
Nmap scan report for www.baidu.com (220.181.6.175)
Host is up (0.0094s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 56.54 seconds

To find out which UDP ports are open, use a UDP scan. Nmap sends a 0-byte UDP packet to each port; if the host returns an ICMP port unreachable message, the port is closed. UDP port scan (-sU). As follows.

[root@coremail ~]# nmap -sU 192.168.92.129

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:53 CST
Nmap scan report for 192.168.92.129
Host is up (0.000019s latency).
Not shown: 996 closed ports
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
111/udp open          rpcbind
123/udp open|filtered ntp
631/udp open|filtered ipp

Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds


Operating system detection. With the "-O" option you can detect the type of the remote operating system. Nmap narrows down the operating system by sending different kinds of probes to the host. As shown in Figure 6.

[root@coremail ~]# nmap -sS -O 192.168.92.129

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:56 CST
Nmap scan report for 192.168.92.129
Host is up (0.00024s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
11111/tcp open  unknown
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.15 - 2.6.30
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.72 seconds

 

Ident scan. Attackers like to find hosts with vulnerable processes, such as a web server running as root. If the target runs identd, the "-I" option reveals which user owns the TCP connection of the http daemon. Taking a Linux web server as an example, use the following commands:

[root@coremail ~]# nmap -sT -p 80  -O  www.baidu.com

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:58 CST
Nmap scan report for www.baidu.com (220.181.6.175)
Host is up (0.0069s latency).
PORT   STATE    SERVICE
80/tcp filtered http
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc|WAP|game console
Running (JUST GUESSING) : Apple Mac OS X 10.5.X (96%), BlueArc embedded (87%), KCorp embedded (86%), Nintendo embedded (86%)
Aggressive OS guesses: Apple Mac OS X 10.5.5 (Leopard) (96%), BlueArc Titan 2100 NAS device (87%), KCorp KLG-575 WAP (86%), Nintendo DS game console (86%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.39 seconds

[root@coremail ~]# nmap -sT -p 80  -O  192.168.92.129

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 13:00 CST
Nmap scan report for 192.168.92.129
Host is up (0.00014s latency).
PORT   STATE SERVICE
80/tcp open  http
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.15 - 2.6.30
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.86 seconds

 

Hiding the source address of the scan:

      Suppose your system's IP is 192.168.1.20, but you want every packet Nmap sends to carry the source address 20.20.20.20; then you can send packets to the system named sandi with the following command:

          nmap -S 20.20.20.20 -e eth0 -P0 -sS -v sandi

    -P0 (no ping) and -sS (TCP SYN port scan) make Nmap scan without first sending ping-based TCP packets. The -sS option can help the scan get through a firewall that filters on the initial SYN packet.

       To make the system send its packets from port 53, similar to the scan above, issue the following command:

      nmap -g 53 -S 20.20.20.20 -e eth0 -P0 -sS -v sandi

     Besides these scans, Nmap offers many more options. It is one of the essential Linux tools of the attacker; with it we can learn the system well, laying a good foundation for the next attack.

 


Source: www.cnblogs.com/xia-dong/p/11592618.html