镜缘浮影 小人本住在 苏州的城外 家里有屋又有田 生活乐无边

nc基础用法

2015-11-17
wilmosfang
原文地址 http://soft.dog/2015/11/17/nc-basic/

前言

nc (NetCat) 是一个使用 TCP/IP 来读写网络数据的小工具。

Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol.

It is designed to be a reliable “back-end” tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

It provides access to the following main features:

  • Outbound and inbound connections, TCP or UDP, to or from any ports.
  • Featured tunneling mode which allows also special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel.
  • Built-in port-scanning capabilities, with randomizer.
  • Advanced usage options, such as buffered send-mode (one line every N seconds), and hexdump (to stderr or to a specified file) of trasmitted and received data.
  • Optional RFC854 telnet codes parser and responder.

The GNU Netcat is distributed freely under the GNU General Public License (GPL).

下面分享一下它的基本用法

参数文档

Tip: 目前官方版本还是 11 Jan 2004 年 发布的 Netcat 0.7.1 ,访问官网可能得翻墙


概要


安装nc

[root@h102 ~]# yum -y install nc 
Loaded plugins: dellsysid, fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
epel/metalink                                                                                                | 5.5 kB     00:00     
 * base: mirrors.163.com
 * epel: ftp.riken.jp
 * extras: mirrors.aliyun.com
 * updates: mirrors.163.com
base                                                                                                         | 3.7 kB     00:00     
dell-omsa-indep                                                                                              | 1.9 kB     00:00     
dell-omsa-specific                                                                                           | 1.9 kB     00:00     
elasticsearch-1.5                                                                                            | 2.9 kB     00:01     
epel                                                                                                         | 4.3 kB     00:00     
epel/primary_db                                                                                              | 5.7 MB     02:11     
extras                                                                                                       | 3.4 kB     00:00     
http://yum.theforeman.org/releases/1.8/el6/x86_64/repodata/repomd.xml: [Errno 12] Timeout on http://yum.theforeman.org/releases/1.8/el6/x86_64/repodata/repomd.xml: (28, 'Operation too slow. Less than 1 bytes/sec transfered the last 30 seconds')
Trying other mirror.
foreman-plugins                                                                                              | 2.9 kB     00:02     
mongodb-org-3.0                                                                                              | 2.9 kB     00:00     
percona-release-noarch                                                                                       |  951 B     00:00     
percona-release-x86_64                                                                                       |  951 B     00:00     
puppetlabs-deps                                                                                              | 2.5 kB     00:00     
puppetlabs-products                                                                                          | 2.5 kB     00:00     
rabbitmq_rabbitmq-server/signature                                                                           |  836 B     00:00     
rabbitmq_rabbitmq-server/signature                                                                           | 1.0 kB     00:00 ... 
rabbitmq_rabbitmq-server-source/signature                                                                    |  836 B     00:00     
rabbitmq_rabbitmq-server-source/signature                                                                    | 1.0 kB     00:00 ... 
rhscl-ruby193-epel-6-x86_64                                                                                  | 3.0 kB     00:00     
rhscl-v8314-epel-6-x86_64                                                                                    | 3.0 kB     00:00     
updates                                                                                                      | 3.4 kB     00:00     
varnish-4.0                                                                                                  |  951 B     00:00     
zabbix                                                                                                       |  951 B     00:00     
zabbix-non-supported                                                                                         |  951 B     00:00     
Resolving Dependencies
--> Running transaction check
---> Package nc.x86_64 0:1.84-24.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================================================
 Package                    Arch                           Version                               Repository                    Size
====================================================================================================================================
Installing:
 nc                         x86_64                         1.84-24.el6                           base                          57 k

Transaction Summary
====================================================================================================================================
Install       1 Package(s)

Total download size: 57 k
Installed size: 109 k
Downloading Packages:
nc-1.84-24.el6.x86_64.rpm                                                                                    |  57 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 6 pre-existing rpmdb problem(s), 'yum check' output follows:
perl-DBD-MySQL-4.013-3.el6.x86_64 has missing requires of libmysqlclient.so.16()(64bit)
perl-DBD-MySQL-4.013-3.el6.x86_64 has missing requires of libmysqlclient.so.16(libmysqlclient_16)(64bit)
ruby-mysql-2.8.2-1.el6.x86_64 has missing requires of libmysqlclient.so.16()(64bit)
ruby-mysql-2.8.2-1.el6.x86_64 has missing requires of libmysqlclient.so.16(libmysqlclient_16)(64bit)
ruby193-rubygem-mysql2-0.3.11-4.el6.x86_64 has missing requires of libmysqlclient_r.so.16()(64bit)
ruby193-rubygem-mysql2-0.3.11-4.el6.x86_64 has missing requires of libmysqlclient_r.so.16(libmysqlclient_16)(64bit)
  Installing : nc-1.84-24.el6.x86_64                                                                                            1/1 
  Verifying  : nc-1.84-24.el6.x86_64                                                                                            1/1 

Installed:
  nc.x86_64 0:1.84-24.el6                                                                                                           

Complete!
[root@h102 ~]# 

端口扫描

[root@h102 ~]# nc -zvn 192.168.100.101  20-25
nc: connect to 192.168.100.101 port 20 (tcp) failed: No route to host
nc: connect to 192.168.100.101 port 21 (tcp) failed: No route to host
Connection to 192.168.100.101 22 port [tcp/*] succeeded!
nc: connect to 192.168.100.101 port 23 (tcp) failed: No route to host
nc: connect to 192.168.100.101 port 24 (tcp) failed: No route to host
nc: connect to 192.168.100.101 port 25 (tcp) failed: No route to host
[root@h102 ~]# nc -zvn 192.168.100.101  3306
Connection to 192.168.100.101 3306 port [tcp/*] succeeded!
[root@h102 ~]# 
Option Comment
-z 只作扫描,不发数据
-n 不作解析,数字状态
-v 给出详细信息

打开一个会话连接

[root@h102 ~]# nc -l 12345
hello
for test
i miss you
^_^
----------
[root@h101 BGPtest]# nc h102 12345
hello  
for test
i miss you
^_^ 

此刻,要确认server端的防火墙对于12345端口是打开的


文件传输

server端发文件

[root@h102 nc]# echo "abc test" > file.txt
[root@h102 nc]# nc -l 2345 < file.txt 
----------
[root@h101 nc]# nc h102 2345 > f.txt
[root@h101 nc]# cat f.txt 
abc test
[root@h101 nc]# 

server端收文件

[root@h102 nc]# nc -l 2345 > file.txt 
----------
[root@h101 nc]# echo "uiuiuiuiui" > f.txt 
[root@h101 nc]# nc -v h102 2345 < f.txt
Connection to h102 2345 port [tcp/dbm] succeeded!
[root@h101 nc]# 
----------
[root@h102 nc]# cat file.txt 
uiuiuiuiui
[root@h102 nc]# 

压缩打包发送

[root@h102 nc]# tar -cvf - /tmp/vmware-root | gzip  | nc -l 3456
tar: Removing leading `/' from member names
/tmp/vmware-root/
/tmp/vmware-root/vmware-db.pl.1979
/tmp/vmware-root/vmware-db.pl.1972
/tmp/vmware-root/vmware-db.pl.1966
/tmp/vmware-root/vmware-db.pl.1991
/tmp/vmware-root/vmware-db.pl.1963
/tmp/vmware-root/vmware-db.pl.1969
/tmp/vmware-root/vmware-db.pl.1967
/tmp/vmware-root/vmware-db.pl.1948
/tmp/vmware-root/vmware-db.pl.1971
/tmp/vmware-root/vmware-db.pl.1965
/tmp/vmware-root/vmware-db.pl.1960
/tmp/vmware-root/vmware-db.pl.1975
/tmp/vmware-root/vmware-db.pl.1959
/tmp/vmware-root/vmware-db.pl.1958
/tmp/vmware-root/vmware-db.pl.1964
/tmp/vmware-root/vmware-db.pl.1968
/tmp/vmware-root/vmware-db.pl.1983
/tmp/vmware-root/vmware-db.pl.1976
/tmp/vmware-root/vmware-db.pl.1980
/tmp/vmware-root/vmware-db.pl.1977
/tmp/vmware-root/vmware-db.pl.1984
/tmp/vmware-root/vmware-db.pl.1962
/tmp/vmware-root/vmware-db.pl.1952
/tmp/vmware-root/vmware-db.pl.1961
/tmp/vmware-root/vmware-db.pl.1974
/tmp/vmware-root/vmware-db.pl.1944
----------
[root@h101 nc]# nc -v h102 3456 | zcat  |tar -xvf -

gzip: stdin: decompression OK, trailing garbage ignored
tmp/vmware-root/
tmp/vmware-root/vmware-db.pl.1979
tmp/vmware-root/vmware-db.pl.1972
tmp/vmware-root/vmware-db.pl.1966
tmp/vmware-root/vmware-db.pl.1991
tmp/vmware-root/vmware-db.pl.1963
tmp/vmware-root/vmware-db.pl.1969
tmp/vmware-root/vmware-db.pl.1967
tmp/vmware-root/vmware-db.pl.1948
tmp/vmware-root/vmware-db.pl.1971
tmp/vmware-root/vmware-db.pl.1965
tmp/vmware-root/vmware-db.pl.1960
tmp/vmware-root/vmware-db.pl.1975
tmp/vmware-root/vmware-db.pl.1959
tmp/vmware-root/vmware-db.pl.1958
tmp/vmware-root/vmware-db.pl.1964
tmp/vmware-root/vmware-db.pl.1968
tmp/vmware-root/vmware-db.pl.1983
tmp/vmware-root/vmware-db.pl.1976
tmp/vmware-root/vmware-db.pl.1980
tmp/vmware-root/vmware-db.pl.1977
tmp/vmware-root/vmware-db.pl.1984
tmp/vmware-root/vmware-db.pl.1962
tmp/vmware-root/vmware-db.pl.1952
tmp/vmware-root/vmware-db.pl.1961
tmp/vmware-root/vmware-db.pl.1974
tmp/vmware-root/vmware-db.pl.1944
[root@h101 nc]# ll
total 8
-rw-r--r-- 1 root root   11 Nov 17 18:59 f.txt
drwxr-xr-x 3 root root 4096 Nov 17 19:44 tmp
[root@h101 nc]# ll tmp/vmware-root/
total 104
-rw-r--r-- 1 root root 90 Oct 21 21:55 vmware-db.pl.1944
-rw-r--r-- 1 root root 90 Oct 21 21:55 vmware-db.pl.1948
-rw-r--r-- 1 root root 90 Oct 21 21:55 vmware-db.pl.1952
-rw-r--r-- 1 root root 90 Nov 17 17:07 vmware-db.pl.1958
-rw-r--r-- 1 root root 90 Nov  5 20:23 vmware-db.pl.1959
-rw-r--r-- 1 root root 90 Oct 21 21:55 vmware-db.pl.1960
-rw-r--r-- 1 root root 90 Oct 23 09:05 vmware-db.pl.1961
-rw-r--r-- 1 root root 90 Nov 17 17:07 vmware-db.pl.1962
-rw-r--r-- 1 root root 90 Nov  5 20:23 vmware-db.pl.1963
-rw-r--r-- 1 root root 90 Nov 16 19:59 vmware-db.pl.1964
-rw-r--r-- 1 root root 90 Oct 23 09:05 vmware-db.pl.1965
-rw-r--r-- 1 root root 90 Nov 17 17:07 vmware-db.pl.1966
-rw-r--r-- 1 root root 90 Nov  5 20:23 vmware-db.pl.1967
-rw-r--r-- 1 root root 90 Nov 16 19:59 vmware-db.pl.1968
-rw-r--r-- 1 root root 90 Oct 23 09:05 vmware-db.pl.1969
-rw-r--r-- 1 root root 90 Oct 28 11:28 vmware-db.pl.1971
-rw-r--r-- 1 root root 90 Nov 16 19:59 vmware-db.pl.1972
-rw-r--r-- 1 root root 90 Nov 17 17:07 vmware-db.pl.1974
-rw-r--r-- 1 root root 90 Nov  5 20:23 vmware-db.pl.1975
-rw-r--r-- 1 root root 90 Nov  8 18:21 vmware-db.pl.1976
-rw-r--r-- 1 root root 90 Oct 23 09:05 vmware-db.pl.1977
-rw-r--r-- 1 root root 90 Oct 28 11:28 vmware-db.pl.1979
-rw-r--r-- 1 root root 90 Nov 16 19:59 vmware-db.pl.1980
-rw-r--r-- 1 root root 90 Oct 21 09:26 vmware-db.pl.1983
-rw-r--r-- 1 root root 90 Nov  8 18:21 vmware-db.pl.1984
-rw-r--r-- 1 root root 90 Oct 21 09:26 vmware-db.pl.1991
[root@h101 nc]# 

Tip: 第二步中的 zcat 可以使用 gunzipgzip -d 替代


加密传输

mcrypt 是一个简单的加密软件,结合它的管道功能可以实现加密传输

[root@h102 nc]# echo ooooooooo > file.txt 
[root@h102 nc]# mcrypt --flush --bare -F -q -m ecb < file.txt    | nc -l 4567
Enter the passphrase (maximum of 512 characters)
Please use a combination of upper and lower case letters and numbers.
Enter passphrase: 
Enter passphrase:
----------
[root@h101 nc]# nc h102 4567 | mcrypt  --flush --bare -F -q -d -m ecb > f.txt 
Enter passphrase: 
[root@h101 nc]# cat f.txt 
ooooooooo
[root@h101 nc]# 

远程克隆

使用这个方法可以实现批量部署

[root@h102 nc]# df -h 
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg_temp-lv_root
                       50G   22G   25G  47% /
tmpfs                 935M     0  935M   0% /dev/shm
/dev/sda1             477M   34M  419M   8% /boot
/dev/mapper/vg_temp-lv_home
                      5.4G   12M  5.1G   1% /home
[root@h102 nc]# dd if=/dev/sda1  | nc -l 5678
1024000+0 records in
1024000+0 records out
524288000 bytes (524 MB) copied, 403.753 s, 1.3 MB/s
[root@h102 nc]#
----------
[root@h101 nc]# nc h102 5678 | dd of=h102.boot.backup
1022488+2911 records in
1024000+0 records out
524288000 bytes (524 MB) copied, 340.562 s, 1.5 MB/s
[root@h101 nc]# du -sh h102.boot.backup 
501M	h102.boot.backup
[root@h101 nc]# 

Tip: 使用下面方法可以查看其中的内容

[root@h101 nc]# mkdir /mnt/testboot
[root@h101 nc]# mount -o loop /tmp/nc/h102.boot.backup  /mnt/testboot/
[root@h101 nc]# cd /mnt/testboot/
[root@h101 testboot]# ls
config-2.6.32-504.el6.x86_64  initramfs-2.6.32-504.el6.x86_64.img    symvers-2.6.32-504.el6.x86_64.gz
efi                           initrd-2.6.32-504.el6.x86_64kdump.img  System.map-2.6.32-504.el6.x86_64
grub                          lost+found                             vmlinuz-2.6.32-504.el6.x86_64
[root@h101 testboot]# cd grub/
[root@h101 grub]# ls
device.map     fat_stage1_5  grub.conf         jfs_stage1_5  minix_stage1_5     splash.xpm.gz  stage2         vstafs_stage1_5
e2fs_stage1_5  ffs_stage1_5  iso9660_stage1_5  menu.lst      reiserfs_stage1_5  stage1         ufs2_stage1_5  xfs_stage1_5
[root@h101 grub]# cat grub.conf 
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/mapper/vg_temp-lv_root
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS 6 (2.6.32-504.el6.x86_64)
	root (hd0,0)
	kernel /vmlinuz-2.6.32-504.el6.x86_64 ro root=/dev/mapper/vg_temp-lv_root rd_LVM_LV=vg_temp/lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_temp/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
	initrd /initramfs-2.6.32-504.el6.x86_64.img
[root@h101 grub]# 
[root@h101 grub]# df -h 
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg_temp-lv_root
                       50G  7.9G   39G  17% /
tmpfs                 1.9G     0  1.9G   0% /dev/shm
/dev/sda1             477M   34M  419M   8% /boot
/dev/mapper/vg_temp-lv_home
                      5.4G   12M  5.1G   1% /home
/tmp/nc/h102.boot.backup
                      477M   34M  419M   8% /mnt/testboot
[root@h101 grub]# 

远程控制

[root@h102 nc]# mkfifo /tmp/cmd_fifo
[root@h102 nc]# ll /tmp/cmd_fifo 
prw-r--r-- 1 root root 0 Nov 17 22:29 /tmp/cmd_fifo
[root@h102 nc]# cat /tmp/cmd_fifo | /bin/bash -i 2>&1 | nc -l 6789 > /tmp/cmd_fifo 
----------
[root@h101 grub]# nc h102 6789
[root@h102 nc]# 

[root@h102 nc]# ls
ls
abc
file.txt
tmp
xx
[root@h102 nc]# ls -l 
ls -l 
total 44
-rw-r--r-- 1 root root   662 Nov 17 19:35 abc
-rw-r--r-- 1 root root    10 Nov 17 21:53 file.txt
drwxr-xr-x 3 root root  4096 Nov 17 19:40 tmp
-rw-r--r-- 1 root root 30720 Nov 17 19:40 xx
[root@h102 nc]# echo "NB"        
echo "NB"
NB
[root@h102 nc]# hostname 
hostname
h102.temp
[root@h102 nc]# ip a 
ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b6:a8:f8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.80/24 brd 192.168.2.255 scope global eth3
    inet6 fe80::20c:29ff:feb6:a8f8/64 scope link 
       valid_lft forever preferred_lft forever
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b6:a8:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.102/24 brd 192.168.100.255 scope global eth2
    inet6 fe80::20c:29ff:feb6:a802/64 scope link 
       valid_lft forever preferred_lft forever
[root@h102 nc]# 

整个过程是这样的:

  • 服务端创建一个fifo管道
  • 监听6789端口,然后把数据写到fifo管道
  • 管道里的数据被cat出来,作为bash的输入(被bash解释执行)
  • 标准输出与标准错误都被重定向到标准输出
  • 标准输出的结果又通过6789端口的网络连接从服务端反馈给客户端

所以产生的效果就是,客户端与服务端建立连接后,输入的内容会被服务端解释执行,然后将所有结果(标准输出,标准错误输出)反馈给客户端

Tip: 使用 -e 参数可以使用服务器来控制客户端,也叫反向shell

nc -l 7890
----------
nc h102 7890 -e /bin/bash

由于我的nc版本没有 -e 参数,所以暂时不能演示,下次找一下,有机会补起来


指定源端口

客户端发起连接默认是随机分配本地可用源端口,如

[root@h102 nc]# nc -l 5675

----------
[root@h102 ~]# netstat  -ant | grep 567
tcp        0      0 0.0.0.0:5675                0.0.0.0:*                   LISTEN      
tcp        0      0 192.168.100.102:5675        192.168.100.101:52326       ESTABLISHED 
[root@h102 ~]#

使用下面方法可以手动指定

[root@h101 grub]# nc h102 5675 -p 1234
----------
[root@h102 ~]# netstat  -ant | grep 567
tcp        0      0 0.0.0.0:5675                0.0.0.0:*                   LISTEN      
tcp        0      0 192.168.100.102:5675        192.168.100.101:1234        ESTABLISHED 
[root@h102 ~]# 

指定源地址

客户端发起连接会使用默认ip地址,如

[root@h102 nc]# nc -l 520

----------
[root@h102 ~]# netstat  -ant | grep 520
tcp        0      0 0.0.0.0:520                 0.0.0.0:*                   LISTEN      
tcp        0      0 192.168.100.102:520         192.168.100.101:54442       ESTABLISHED 
[root@h102 ~]#

使用下面方法可以手动指定源IP(顺便也可以使用-p来指定端口)

[root@h101 grub]# ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:56:78:05 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.84/24 brd 192.168.2.255 scope global eth3
    inet6 fe80::20c:29ff:fe56:7805/64 scope link 
       valid_lft forever preferred_lft forever
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:56:78:0f brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.101/24 brd 192.168.100.255 scope global eth2
    inet 192.168.100.105/24 scope global secondary eth2
    inet6 fe80::20c:29ff:fe56:780f/64 scope link 
       valid_lft forever preferred_lft forever
[root@h101 grub]# nc h102 520 -s 192.168.100.105 -p 45678

----------
[root@h102 ~]# netstat  -ant | grep 520
tcp        0      0 0.0.0.0:520                 0.0.0.0:*                   LISTEN      
tcp        0      0 192.168.100.102:520         192.168.100.105:45678       ESTABLISHED 
[root@h102 ~]# 

原文地址 http://soft.dog/2015/11/17/nc-basic/

类似博客

评论