前言
nc (NetCat) 是一个使用 TCP/IP 来读写网络数据的小工具。
Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol.
It is designed to be a reliable “back-end” tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.
It provides access to the following main features:
- Outbound and inbound connections, TCP or UDP, to or from any ports.
- Featured tunneling mode which allows also special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel.
- Built-in port-scanning capabilities, with randomizer.
- Advanced usage options, such as buffered send-mode (one line every N seconds), and hexdump (to stderr or to a specified file) of trasmitted and received data.
- Optional RFC854 telnet codes parser and responder.
The GNU Netcat is distributed freely under the GNU General Public License (GPL).
下面分享一下它的基本用法
Tip: 目前官方版本还是 11 Jan 2004 年 发布的 Netcat 0.7.1 ,访问官网可能得翻墙
概要
安装nc
[root@h102 ~]# yum -y install nc
Loaded plugins: dellsysid, fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
epel/metalink | 5.5 kB 00:00
* base: mirrors.163.com
* epel: ftp.riken.jp
* extras: mirrors.aliyun.com
* updates: mirrors.163.com
base | 3.7 kB 00:00
dell-omsa-indep | 1.9 kB 00:00
dell-omsa-specific | 1.9 kB 00:00
elasticsearch-1.5 | 2.9 kB 00:01
epel | 4.3 kB 00:00
epel/primary_db | 5.7 MB 02:11
extras | 3.4 kB 00:00
http://yum.theforeman.org/releases/1.8/el6/x86_64/repodata/repomd.xml: [Errno 12] Timeout on http://yum.theforeman.org/releases/1.8/el6/x86_64/repodata/repomd.xml: (28, 'Operation too slow. Less than 1 bytes/sec transfered the last 30 seconds')
Trying other mirror.
foreman-plugins | 2.9 kB 00:02
mongodb-org-3.0 | 2.9 kB 00:00
percona-release-noarch | 951 B 00:00
percona-release-x86_64 | 951 B 00:00
puppetlabs-deps | 2.5 kB 00:00
puppetlabs-products | 2.5 kB 00:00
rabbitmq_rabbitmq-server/signature | 836 B 00:00
rabbitmq_rabbitmq-server/signature | 1.0 kB 00:00 ...
rabbitmq_rabbitmq-server-source/signature | 836 B 00:00
rabbitmq_rabbitmq-server-source/signature | 1.0 kB 00:00 ...
rhscl-ruby193-epel-6-x86_64 | 3.0 kB 00:00
rhscl-v8314-epel-6-x86_64 | 3.0 kB 00:00
updates | 3.4 kB 00:00
varnish-4.0 | 951 B 00:00
zabbix | 951 B 00:00
zabbix-non-supported | 951 B 00:00
Resolving Dependencies
--> Running transaction check
---> Package nc.x86_64 0:1.84-24.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
====================================================================================================================================
Package Arch Version Repository Size
====================================================================================================================================
Installing:
nc x86_64 1.84-24.el6 base 57 k
Transaction Summary
====================================================================================================================================
Install 1 Package(s)
Total download size: 57 k
Installed size: 109 k
Downloading Packages:
nc-1.84-24.el6.x86_64.rpm | 57 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 6 pre-existing rpmdb problem(s), 'yum check' output follows:
perl-DBD-MySQL-4.013-3.el6.x86_64 has missing requires of libmysqlclient.so.16()(64bit)
perl-DBD-MySQL-4.013-3.el6.x86_64 has missing requires of libmysqlclient.so.16(libmysqlclient_16)(64bit)
ruby-mysql-2.8.2-1.el6.x86_64 has missing requires of libmysqlclient.so.16()(64bit)
ruby-mysql-2.8.2-1.el6.x86_64 has missing requires of libmysqlclient.so.16(libmysqlclient_16)(64bit)
ruby193-rubygem-mysql2-0.3.11-4.el6.x86_64 has missing requires of libmysqlclient_r.so.16()(64bit)
ruby193-rubygem-mysql2-0.3.11-4.el6.x86_64 has missing requires of libmysqlclient_r.so.16(libmysqlclient_16)(64bit)
Installing : nc-1.84-24.el6.x86_64 1/1
Verifying : nc-1.84-24.el6.x86_64 1/1
Installed:
nc.x86_64 0:1.84-24.el6
Complete!
[root@h102 ~]#
端口扫描
[root@h102 ~]# nc -zvn 192.168.100.101 20-25
nc: connect to 192.168.100.101 port 20 (tcp) failed: No route to host
nc: connect to 192.168.100.101 port 21 (tcp) failed: No route to host
Connection to 192.168.100.101 22 port [tcp/*] succeeded!
nc: connect to 192.168.100.101 port 23 (tcp) failed: No route to host
nc: connect to 192.168.100.101 port 24 (tcp) failed: No route to host
nc: connect to 192.168.100.101 port 25 (tcp) failed: No route to host
[root@h102 ~]# nc -zvn 192.168.100.101 3306
Connection to 192.168.100.101 3306 port [tcp/*] succeeded!
[root@h102 ~]#
| Option | Comment |
|---|---|
-z |
只作扫描,不发数据 |
-n |
不作解析,数字状态 |
-v |
给出详细信息 |
打开一个会话连接
[root@h102 ~]# nc -l 12345
hello
for test
i miss you
^_^
----------
[root@h101 BGPtest]# nc h102 12345
hello
for test
i miss you
^_^
此刻,要确认server端的防火墙对于12345端口是打开的
文件传输
server端发文件
[root@h102 nc]# echo "abc test" > file.txt
[root@h102 nc]# nc -l 2345 < file.txt
----------
[root@h101 nc]# nc h102 2345 > f.txt
[root@h101 nc]# cat f.txt
abc test
[root@h101 nc]#
server端收文件
[root@h102 nc]# nc -l 2345 > file.txt
----------
[root@h101 nc]# echo "uiuiuiuiui" > f.txt
[root@h101 nc]# nc -v h102 2345 < f.txt
Connection to h102 2345 port [tcp/dbm] succeeded!
[root@h101 nc]#
----------
[root@h102 nc]# cat file.txt
uiuiuiuiui
[root@h102 nc]#
压缩打包发送
[root@h102 nc]# tar -cvf - /tmp/vmware-root | gzip | nc -l 3456
tar: Removing leading `/' from member names
/tmp/vmware-root/
/tmp/vmware-root/vmware-db.pl.1979
/tmp/vmware-root/vmware-db.pl.1972
/tmp/vmware-root/vmware-db.pl.1966
/tmp/vmware-root/vmware-db.pl.1991
/tmp/vmware-root/vmware-db.pl.1963
/tmp/vmware-root/vmware-db.pl.1969
/tmp/vmware-root/vmware-db.pl.1967
/tmp/vmware-root/vmware-db.pl.1948
/tmp/vmware-root/vmware-db.pl.1971
/tmp/vmware-root/vmware-db.pl.1965
/tmp/vmware-root/vmware-db.pl.1960
/tmp/vmware-root/vmware-db.pl.1975
/tmp/vmware-root/vmware-db.pl.1959
/tmp/vmware-root/vmware-db.pl.1958
/tmp/vmware-root/vmware-db.pl.1964
/tmp/vmware-root/vmware-db.pl.1968
/tmp/vmware-root/vmware-db.pl.1983
/tmp/vmware-root/vmware-db.pl.1976
/tmp/vmware-root/vmware-db.pl.1980
/tmp/vmware-root/vmware-db.pl.1977
/tmp/vmware-root/vmware-db.pl.1984
/tmp/vmware-root/vmware-db.pl.1962
/tmp/vmware-root/vmware-db.pl.1952
/tmp/vmware-root/vmware-db.pl.1961
/tmp/vmware-root/vmware-db.pl.1974
/tmp/vmware-root/vmware-db.pl.1944
----------
[root@h101 nc]# nc -v h102 3456 | zcat |tar -xvf -
gzip: stdin: decompression OK, trailing garbage ignored
tmp/vmware-root/
tmp/vmware-root/vmware-db.pl.1979
tmp/vmware-root/vmware-db.pl.1972
tmp/vmware-root/vmware-db.pl.1966
tmp/vmware-root/vmware-db.pl.1991
tmp/vmware-root/vmware-db.pl.1963
tmp/vmware-root/vmware-db.pl.1969
tmp/vmware-root/vmware-db.pl.1967
tmp/vmware-root/vmware-db.pl.1948
tmp/vmware-root/vmware-db.pl.1971
tmp/vmware-root/vmware-db.pl.1965
tmp/vmware-root/vmware-db.pl.1960
tmp/vmware-root/vmware-db.pl.1975
tmp/vmware-root/vmware-db.pl.1959
tmp/vmware-root/vmware-db.pl.1958
tmp/vmware-root/vmware-db.pl.1964
tmp/vmware-root/vmware-db.pl.1968
tmp/vmware-root/vmware-db.pl.1983
tmp/vmware-root/vmware-db.pl.1976
tmp/vmware-root/vmware-db.pl.1980
tmp/vmware-root/vmware-db.pl.1977
tmp/vmware-root/vmware-db.pl.1984
tmp/vmware-root/vmware-db.pl.1962
tmp/vmware-root/vmware-db.pl.1952
tmp/vmware-root/vmware-db.pl.1961
tmp/vmware-root/vmware-db.pl.1974
tmp/vmware-root/vmware-db.pl.1944
[root@h101 nc]# ll
total 8
-rw-r--r-- 1 root root 11 Nov 17 18:59 f.txt
drwxr-xr-x 3 root root 4096 Nov 17 19:44 tmp
[root@h101 nc]# ll tmp/vmware-root/
total 104
-rw-r--r-- 1 root root 90 Oct 21 21:55 vmware-db.pl.1944
-rw-r--r-- 1 root root 90 Oct 21 21:55 vmware-db.pl.1948
-rw-r--r-- 1 root root 90 Oct 21 21:55 vmware-db.pl.1952
-rw-r--r-- 1 root root 90 Nov 17 17:07 vmware-db.pl.1958
-rw-r--r-- 1 root root 90 Nov 5 20:23 vmware-db.pl.1959
-rw-r--r-- 1 root root 90 Oct 21 21:55 vmware-db.pl.1960
-rw-r--r-- 1 root root 90 Oct 23 09:05 vmware-db.pl.1961
-rw-r--r-- 1 root root 90 Nov 17 17:07 vmware-db.pl.1962
-rw-r--r-- 1 root root 90 Nov 5 20:23 vmware-db.pl.1963
-rw-r--r-- 1 root root 90 Nov 16 19:59 vmware-db.pl.1964
-rw-r--r-- 1 root root 90 Oct 23 09:05 vmware-db.pl.1965
-rw-r--r-- 1 root root 90 Nov 17 17:07 vmware-db.pl.1966
-rw-r--r-- 1 root root 90 Nov 5 20:23 vmware-db.pl.1967
-rw-r--r-- 1 root root 90 Nov 16 19:59 vmware-db.pl.1968
-rw-r--r-- 1 root root 90 Oct 23 09:05 vmware-db.pl.1969
-rw-r--r-- 1 root root 90 Oct 28 11:28 vmware-db.pl.1971
-rw-r--r-- 1 root root 90 Nov 16 19:59 vmware-db.pl.1972
-rw-r--r-- 1 root root 90 Nov 17 17:07 vmware-db.pl.1974
-rw-r--r-- 1 root root 90 Nov 5 20:23 vmware-db.pl.1975
-rw-r--r-- 1 root root 90 Nov 8 18:21 vmware-db.pl.1976
-rw-r--r-- 1 root root 90 Oct 23 09:05 vmware-db.pl.1977
-rw-r--r-- 1 root root 90 Oct 28 11:28 vmware-db.pl.1979
-rw-r--r-- 1 root root 90 Nov 16 19:59 vmware-db.pl.1980
-rw-r--r-- 1 root root 90 Oct 21 09:26 vmware-db.pl.1983
-rw-r--r-- 1 root root 90 Nov 8 18:21 vmware-db.pl.1984
-rw-r--r-- 1 root root 90 Oct 21 09:26 vmware-db.pl.1991
[root@h101 nc]#
Tip: 第二步中的 zcat 可以使用 gunzip 或 gzip -d 替代
加密传输
mcrypt 是一个简单的加密软件,结合它的管道功能可以实现加密传输
[root@h102 nc]# echo ooooooooo > file.txt
[root@h102 nc]# mcrypt --flush --bare -F -q -m ecb < file.txt | nc -l 4567
Enter the passphrase (maximum of 512 characters)
Please use a combination of upper and lower case letters and numbers.
Enter passphrase:
Enter passphrase:
----------
[root@h101 nc]# nc h102 4567 | mcrypt --flush --bare -F -q -d -m ecb > f.txt
Enter passphrase:
[root@h101 nc]# cat f.txt
ooooooooo
[root@h101 nc]#
远程克隆
使用这个方法可以实现批量部署
[root@h102 nc]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_temp-lv_root
50G 22G 25G 47% /
tmpfs 935M 0 935M 0% /dev/shm
/dev/sda1 477M 34M 419M 8% /boot
/dev/mapper/vg_temp-lv_home
5.4G 12M 5.1G 1% /home
[root@h102 nc]# dd if=/dev/sda1 | nc -l 5678
1024000+0 records in
1024000+0 records out
524288000 bytes (524 MB) copied, 403.753 s, 1.3 MB/s
[root@h102 nc]#
----------
[root@h101 nc]# nc h102 5678 | dd of=h102.boot.backup
1022488+2911 records in
1024000+0 records out
524288000 bytes (524 MB) copied, 340.562 s, 1.5 MB/s
[root@h101 nc]# du -sh h102.boot.backup
501M h102.boot.backup
[root@h101 nc]#
Tip: 使用下面方法可以查看其中的内容
[root@h101 nc]# mkdir /mnt/testboot
[root@h101 nc]# mount -o loop /tmp/nc/h102.boot.backup /mnt/testboot/
[root@h101 nc]# cd /mnt/testboot/
[root@h101 testboot]# ls
config-2.6.32-504.el6.x86_64 initramfs-2.6.32-504.el6.x86_64.img symvers-2.6.32-504.el6.x86_64.gz
efi initrd-2.6.32-504.el6.x86_64kdump.img System.map-2.6.32-504.el6.x86_64
grub lost+found vmlinuz-2.6.32-504.el6.x86_64
[root@h101 testboot]# cd grub/
[root@h101 grub]# ls
device.map fat_stage1_5 grub.conf jfs_stage1_5 minix_stage1_5 splash.xpm.gz stage2 vstafs_stage1_5
e2fs_stage1_5 ffs_stage1_5 iso9660_stage1_5 menu.lst reiserfs_stage1_5 stage1 ufs2_stage1_5 xfs_stage1_5
[root@h101 grub]# cat grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/mapper/vg_temp-lv_root
# initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS 6 (2.6.32-504.el6.x86_64)
root (hd0,0)
kernel /vmlinuz-2.6.32-504.el6.x86_64 ro root=/dev/mapper/vg_temp-lv_root rd_LVM_LV=vg_temp/lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_temp/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-504.el6.x86_64.img
[root@h101 grub]#
[root@h101 grub]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_temp-lv_root
50G 7.9G 39G 17% /
tmpfs 1.9G 0 1.9G 0% /dev/shm
/dev/sda1 477M 34M 419M 8% /boot
/dev/mapper/vg_temp-lv_home
5.4G 12M 5.1G 1% /home
/tmp/nc/h102.boot.backup
477M 34M 419M 8% /mnt/testboot
[root@h101 grub]#
远程控制
[root@h102 nc]# mkfifo /tmp/cmd_fifo
[root@h102 nc]# ll /tmp/cmd_fifo
prw-r--r-- 1 root root 0 Nov 17 22:29 /tmp/cmd_fifo
[root@h102 nc]# cat /tmp/cmd_fifo | /bin/bash -i 2>&1 | nc -l 6789 > /tmp/cmd_fifo
----------
[root@h101 grub]# nc h102 6789
[root@h102 nc]#
[root@h102 nc]# ls
ls
abc
file.txt
tmp
xx
[root@h102 nc]# ls -l
ls -l
total 44
-rw-r--r-- 1 root root 662 Nov 17 19:35 abc
-rw-r--r-- 1 root root 10 Nov 17 21:53 file.txt
drwxr-xr-x 3 root root 4096 Nov 17 19:40 tmp
-rw-r--r-- 1 root root 30720 Nov 17 19:40 xx
[root@h102 nc]# echo "NB"
echo "NB"
NB
[root@h102 nc]# hostname
hostname
h102.temp
[root@h102 nc]# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:b6:a8:f8 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.80/24 brd 192.168.2.255 scope global eth3
inet6 fe80::20c:29ff:feb6:a8f8/64 scope link
valid_lft forever preferred_lft forever
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:b6:a8:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.102/24 brd 192.168.100.255 scope global eth2
inet6 fe80::20c:29ff:feb6:a802/64 scope link
valid_lft forever preferred_lft forever
[root@h102 nc]#
整个过程是这样的:
- 服务端创建一个fifo管道
- 监听6789端口,然后把数据写到fifo管道
- 管道里的数据被cat出来,作为bash的输入(被bash解释执行)
- 标准输出与标准错误都被重定向到标准输出
- 标准输出的结果又通过6789端口的网络连接从服务端反馈给客户端
所以产生的效果就是,客户端与服务端建立连接后,输入的内容会被服务端解释执行,然后将所有结果(标准输出,标准错误输出)反馈给客户端
Tip: 使用
-e参数可以使用服务器来控制客户端,也叫反向shell
nc -l 7890
----------
nc h102 7890 -e /bin/bash
由于我的nc版本没有 -e 参数,所以暂时不能演示,下次找一下,有机会补起来
指定源端口
客户端发起连接默认是随机分配本地可用源端口,如
[root@h102 nc]# nc -l 5675
----------
[root@h102 ~]# netstat -ant | grep 567
tcp 0 0 0.0.0.0:5675 0.0.0.0:* LISTEN
tcp 0 0 192.168.100.102:5675 192.168.100.101:52326 ESTABLISHED
[root@h102 ~]#
使用下面方法可以手动指定
[root@h101 grub]# nc h102 5675 -p 1234
----------
[root@h102 ~]# netstat -ant | grep 567
tcp 0 0 0.0.0.0:5675 0.0.0.0:* LISTEN
tcp 0 0 192.168.100.102:5675 192.168.100.101:1234 ESTABLISHED
[root@h102 ~]#
指定源地址
客户端发起连接会使用默认ip地址,如
[root@h102 nc]# nc -l 520
----------
[root@h102 ~]# netstat -ant | grep 520
tcp 0 0 0.0.0.0:520 0.0.0.0:* LISTEN
tcp 0 0 192.168.100.102:520 192.168.100.101:54442 ESTABLISHED
[root@h102 ~]#
使用下面方法可以手动指定源IP(顺便也可以使用-p来指定端口)
[root@h101 grub]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:56:78:05 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.84/24 brd 192.168.2.255 scope global eth3
inet6 fe80::20c:29ff:fe56:7805/64 scope link
valid_lft forever preferred_lft forever
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:56:78:0f brd ff:ff:ff:ff:ff:ff
inet 192.168.100.101/24 brd 192.168.100.255 scope global eth2
inet 192.168.100.105/24 scope global secondary eth2
inet6 fe80::20c:29ff:fe56:780f/64 scope link
valid_lft forever preferred_lft forever
[root@h101 grub]# nc h102 520 -s 192.168.100.105 -p 45678
----------
[root@h102 ~]# netstat -ant | grep 520
tcp 0 0 0.0.0.0:520 0.0.0.0:* LISTEN
tcp 0 0 192.168.100.102:520 192.168.100.105:45678 ESTABLISHED
[root@h102 ~]#