nc (运行Netcat,该实用程序用于通过网络连接发送原始数据)

瑞兹 发表于 2021-02-07 10:48
浏览次数:
在手机上阅读

在类似Unix的操作系统上,nc命令运行Netcat,该实用程序用于通过网络连接发送原始数据。

查看英文版

目录

1 nc 运行系统环境

2 nc 描述

3 nc 语法

4 nc 例子

nc 运行系统环境

Unix&Linux

nc 描述

Netcat是使用TCP或UDP协议跨网络连接读取和写入 数据的实用程序。它被设计为可靠的“后端”工具,可以直接使用或由其他程序和脚本驱动。同时,它是功能丰富的网络调试和探索工具,因为它几乎可以创建您需要的任何类型的连接,并且具有一些有趣的内置功能。常见用途包括:

  • 简单的TCP代理
  • 基于Shell脚本的HTTP客户端和服务器
  • 网络守护程序测试
  • A Socks或HTTP ProxyCommand对于SSH

Netcat is a utility that reads and writes data across network connections, using the TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool since it can create almost any kind of connection you would need and has several interesting built-in capabilities. Common uses include:

  • Simple TCP proxies
  • Shell-script based HTTP clients and servers
  • Network daemon testing
  • Socks or HTTP ProxyCommand for ssh

查看英文版

查看中文版

nc 语法

nc [-46bCDdhklnrStUuvZz] [-I length] [-i interval] [-O length] 
   [-P proxy_username] [-p source_port] [-q seconds] [-s source] 
   [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol] 
   [-x proxy_address[:port]] [destination] [port]

选件

-4 强制nc仅使用IPv4地址。
-6 强制nc仅使用IPv6地址。
-b 允许广播。
-C 发送CR LF作为行尾。
-D 在套接字上启用调试。
-d 不要尝试从stdin读取。
-H 打印出nc帮助。
-I length 指定TCP接收缓冲区的大小。
-i interval 指定发送和接收的文本行之间的延迟时间间隔。此外,还会导致多个端口之间的连接延迟。
-k 在当前连接完成后,强制nc继续监听另一个连接。如果不使用-l选项,则使用此选项是错误的。
-l 用于指定nc应该侦听传入的连接,而不是发起与远程主机的连接。将此选项与-p-s-z选项一起使用是错误的。此外,使用-w选项指定的任何超时都将被忽略。
-n 不要在任何指定的地址,主机名或端口上进行任何DNS或服务查找。
-O length 指定TCP发送缓冲区的大小。
-P proxy_username 指定要提供给需要身份验证的代理服务器的用户名。如果未指定用户名,则不会尝试身份验证。目前只有HTTP CONNECT代理支持代理身份验证。
-p source_port 指定源端口nc应该使用,但要受特权限制和可用性的限制。
-q seconds 在stdin上执行EOF之后,等待指定的秒数,然后退出。如果秒为负数,请永远等待。
-r 指定应随机选择源端口或目标端口,而不是在一定范围内或系统分配顺序中顺序选择。
-S 启用RFC 2385 TCP MD5签名选项。
-s source 指定用于发送数据包的接口的IP。对于UNIX域数据报套接字,指定要创建和使用的本地临时套接字文件,以便可以接收数据报。将此选项与-l选项一起使用是错误的。
-T toskeyword 更改IPv4 TOS值。toskeyword可能是criticalinetcontrollowcastlowdelaynetcontrolthroughputreliability或DiffServ代码点之一:efaf11 ... af43cs0 ... cs7 ; 或十六进制或十进制的数字。
-t 使nc向RFC 854 DO和WILL请求发送RFC 854 DO N'T和WO N'T响应。这样就可以使用nc编写telnet会话的脚本。
-U 指定使用UNIX域套接字。
-u 使用UDP代替TCP的默认选项。对于UNIX域套接字,请使用数据报套接字而不是流套接字。如果使用UNIX域套接字,则除非给出-s标志,否则将在/ tmp中创建一个临时接收套接字。
-V rtable 设置要使用的路由表。默认值为0。
-v NC给予更多详细的输出。
-w timeout 超时秒后无法建立或处于空闲超时状态的连接。该-w标志对没有影响-l选项,即NC将永远听的连接,使用或不使用-w标志。默认为无超时。
-X proxy_protocol 与代理服务器通话时,要求nc使用指定的协议。支持的协议是“ 4 ”(SOCKS v.4),“ 5 ”(SOCKS v.5)和“ connect ”(HTTPS代理)。如果未指定协议,则使用SOCKS版本5。
-x proxy_address [:port] 请求nc应该使用proxy_addressport处的代理连接到目标。如果端口未指定,则公知端口的代理协议被使用(1080 SOCKS,3128为HTTPS)。
-Z DCCP模式。
-z 指定nc仅应扫描侦听守护程序,而不向其发送任何数据。将此选项与-l选项一起使用是错误的。

destination可以是数字IP地址或符号主机名(除非指定了-n选项)。通常,除非指定了-l选项(在这种情况下使用本地主机),否则必须指定目标。对于UNIX域套接字,目的地是必需的,并且是连接到的套接字路径(或在给定-l选项的情况下进行侦听)。

port可以是单个整数或端口范围。范围的形式为nn-mm。通常,除非指定了-U选项,否则必须指定目标端口。

客户端/服务器模型

使用nc构建非常基本的客户端/服务器模型非常简单。在一个控制台上,启动nc侦听特定端口上的连接。例如:

nc -l 1234

nc现在正在监听端口1234上的连接。在第二个控制台(或第二台机器)上,连接到正在监听的机器和端口:

nc 127.0.0.1 1234

端口之间现在应该有连接。在第二个控制台上键入的任何内容都将连接到第一个控制台,反之亦然。建立连接后,nc并不真正在意哪一侧被用作“服务器”,哪一侧被用作“客户端”。可以使用EOF(' ^ D ')终止连接。

现代netcat中没有-c-e选项,但是在通过重定向文件描述符建立连接后,您仍然可以执行命令。在此请谨慎,因为打开端口并让任何连接的人在您的站点上执行任意命令都是危险的。如果您确实需要这样做,请参考以下示例:

在“服务器”端:

rm -f / tmp / f; mkfifo / tmp / f
cat/ tmp / f | / bin / sh -i 2>&1 | nc -l 127.0.0.1 1234> / tmp / f

On 'client' side:

nc host.example.com 1234

(来自host.example.com的shell提示)

这样,您可以在/ tmp / f创建一个fifo,并使nc在“服务器”侧的地址127.0.0.1的端口1234上侦听,当“客户端”成功建立与该端口的连接时,/ bin / sh被执行在“服务器”端,并且将shell提示提供给“客户端”端。

连接终止后,nc也将退出。如果希望它继续监听,请使用-k,但是如果命令退出,则该选项将不会重新启动它或使nc保持运行。另外,一旦不再需要文件描述符,也不要忘记删除它:

rm -f / tmp / f

数据传输

上一节中的示例可以扩展为构建基本的数据传输模型。输入到连接一端的任何信息都将输出到另一端,并且可以轻松捕获输入和输出以模拟文件传输。

首先使用nc侦听特定端口,并将输出捕获到文件中:

nc -l 1234> filename.out

使用第二台计算机,连接到侦听nc进程,并向其提供要传输的文件:

nc host.example.com 1234 < filename.in

传输文件后,连接将自动关闭。

与服务器对话

有时与“手动”而不是通过用户界面与服务器对话很有用。当可能需要验证服务器正在响应客户端发出的命令发送的数据时,它可以帮助进行故障排除。例如,要检索网站的主页:

printf "GET / HTTP/1.0\r\n\r\n" | nc host.example.com 80

请注意,这还会显示Web服务器发送的标头。如有必要,可以使用诸如sed之类的工具对其进行过滤。

当用户知道服务器所需的请求格式时,可以构建更复杂的示例。作为另一个示例,可以使用以下方法将电子邮件提交到SMTP服务器:

nc [-C] localhost 25 << EOF
HELO host.example.com
MAIL FROM:
RCPT TO:
DATA
Body of e-mail.
.
QUIT
EOF

端口扫描

了解哪些端口已打开并正在目标计算机上运行服务可能很有用。该-z标志可以被用来告诉NC报告开放的端口,而不是启动连接。通常,通过将此选项与-v选项一起使用来打开详细输出到stderr很有用。

例如:

nc -zv host.example.com 20-30
Connection to host.example.com 22 port [tcp/ssh] succeeded!
Connection to host.example.com 25 port [tcp/smtp] succeeded!

指定了端口范围以将搜索限制到端口20-30,并按升序进行扫描。

您还可以指定要扫描的端口列表,例如:

nc -zv host.example.com 80 20 22
nc: connect to host.example.com 80 (tcp) failed: Connection refused 
nc: connect to host.example.com 20 (tcp) failed: Connection refused 
Connection to host.example.com port [tcp/ssh] succeeded!

端口将按照您指定的顺序进行扫描。

另外,了解正在运行的服务器软件和版本也可能很有用。此信息通常包含在问候语横幅中。要检索这些,必须先建立连接,然后在检索标语时断开连接。这可以通过使用-w标志指定较小的超时,或者通过向服务器发出“ QUIT”命令来实现:

echo "QUIT" | nc host.example.com 20-30
SSH-1.99-OpenSSH_3.6.1p2 Protocol mismatch. 
220 host.example.com IMS SMTP Receiver Version 0.84 Ready
nc [-46bCDdhklnrStUuvZz] [-I length] [-i interval] [-O length] 
   [-P proxy_username] [-p source_port] [-q seconds] [-s source] 
   [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol] 
   [-x proxy_address[:port]] [destination] [port]

Options

-4 Forces nc to use IPv4 addresses only.
-6 Forces nc to use IPv6 addresses only.
-b Allow broadcast.
-C Send CRLF as line-ending.
-D Enable debugging on the socket.
-d Do not attempt to read from stdin.
-h Prints out nc help.
-I length Specifies the size of the TCP receive buffer.
-i interval Specifies a delay time interval between lines of text sent and received. Also, causes a delay time between connections to multiple ports.
-k Forces nc to stay listening for another connection after its current connection is completed. It is an error to use this option without the -l option.
-l Used to specify that nc should listen for an incoming connection rather than initiate a connection to a remote host. It is an error to use this option in conjunction with the -p-s, or -z options. Additionally, any timeouts specified with the -w option are ignored.
-n Do not do any DNS or service lookups on any specified addresses, hostnames or ports.
-O length Specifies the size of the TCP send buffer.
-P proxy_username Specifies a username to present to a proxy server that requires authentication. If no username is specified then authentication will not be attempted. Proxy authentication is only supported for HTTP CONNECT proxies at present.
-p source_port Specifies the source port nc should use, subject to privilege restrictions and availability.
-q seconds after EOF on stdin, wait the specified number of seconds and then quit. If seconds is negative, wait forever.
-r Specifies that source or destination ports should be chosen randomly instead of sequentially within a range or in the order that the system assigns them.
-S Enables the RFC 2385 TCP MD5 signature option.
-s source Specifies the IP of the interface that is used to send the packets. For UNIX-domain datagram sockets, specifies the local temporary socket file to create and use so that datagrams can be received. It is an error to use this option in conjunction with the -l option.
-T toskeyword Change IPv4 TOS value. toskeyword may be one of criticalinetcontrollowcostlowdelaynetcontrolthroughputreliability, or one of the DiffServ Code Points: efaf11 ... af43cs0 ... cs7; or a number in either hex or decimal.
-t Causes nc to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests. This makes it possible to use nc to script telnet sessions.
-U Specifies to use UNIX-domain sockets.
-u Use UDP instead of the default option of TCP. For UNIX-domain sockets, use a datagram socket instead of a stream socket. If a UNIX-domain socket is used, a temporary receiving socket is created in /tmp unless the -s flag is given.
-V rtable Set the routing table to be used. The default is 0.
-v Have nc give more verbose output.
-w timeout Connections which cannot be established or are idle timeout after timeout seconds. The -w flag has no effect on the -l option, i.e. nc will listen forever for a connection, with or without the -w flag. The default is no timeout.
-X proxy_protocol Requests that nc should use the specified protocol when talking to the proxy server. Supported protocols are "4" (SOCKS v.4), "5" (SOCKS v.5) and "connect" (HTTPS proxy). If the protocol is not specified, SOCKS version 5 is used.
-x proxy_address[:port] Requests that nc should connect to destination using a proxy at proxy_address and port. If port is not specified, the well-known port for the proxy protocol is used (1080 for SOCKS, 3128 for HTTPS).
-Z DCCP mode.
-z Specifies that nc should only scan for listening daemons, without sending any data to them. It is an error to use this option in conjunction with the -l option.

destination can be a numerical IP address or a symbolic hostname (unless the -n option is given). In general, a destination must be specified, unless the -l option is given (in which case the local host is used). For UNIX-domain sockets, a destination is required and is the socket path to connect to (or listen on if the -l option is given).

port can be a single integer or a range of ports. Ranges are in the form nn-mm. In general, a destination port must be specified, unless the -U option is given.

Client/Server model

It is quite simple to build a very basic client/server model using nc. On one console, start nc listening on a specific port for a connection. For example:

nc -l 1234

nc is now listening on port 1234 for a connection. On a second console (or a second machine), connect to the machine and port being listened on:

nc 127.0.0.1 1234

There should now be a connection between the ports. Anything typed at the second console will be concatenated to the first, and vice-versa. After the connection was set up, nc does not really care which side is being used as a ‘server’ and which side is being used as a ‘client’. The connection may be terminated using an EOF (‘^D’).

There is no -c or -e option in modern netcat, but you still can execute a command after connection being established by redirecting file descriptors. Be cautious here because opening a port and let anyone connected execute arbitrary command on your site is DANGEROUS. If you really need to do this, here is an example:

On ‘server’ side:

rm -f /tmp/f; mkfifo /tmp/f
cat /tmp/f | /bin/sh -i 2>&1 | nc -l 127.0.0.1 1234 > /tmp/f

On ‘client’ side:

nc host.example.com 1234

(shell prompt from host.example.com)

By doing this, you create a fifo at /tmp/f and make nc listen at port 1234 of address 127.0.0.1 on ‘server’ side, when a ‘client’ establishes a connection successfully to that port, /bin/sh gets executed on ‘server’ side and the shell prompt is given to ‘client’ side.

When connection is terminated, nc quits as well. Use -k if you want it keep listening, but if the command quits this option won't restart it or keep nc running. Also, don't forget to remove the file descriptor once you don't need it anymore:

rm -f /tmp/f

Data transfer

The example in the previous section can be expanded to build a basic data transfer model. Any information input into one end of the connection will be output to the other end, and input and output can be easily captured to emulate file transfer.

Start by using nc to listen on a specific port, with output captured into a file:

nc -l 1234 > filename.out

Using a second machine, connect to the listening nc process, feeding it the file that is to be transferred:

nc host.example.com 1234 < filename.in

After the file is transferred, the connection will close automatically.

Talking to servers

It is sometimes useful to talk to servers "by hand" rather than through a user interface. It can aid in troubleshooting, when it might be necessary to verify what data a server is sending in response to commands issued by the client. For example, to retrieve the homepage of a website:

printf "GET / HTTP/1.0\r\n\r\n" | nc host.example.com 80

Note that this also displays the headers sent by the web server. They can be filtered, using a tool such as sed, if necessary.

More complicated examples can be built up when the user knows the format of requests required by the server. As another example, an e-mail may be submitted to an SMTP server using:

nc [-C] localhost 25 << EOF
HELO host.example.com
MAIL FROM:
RCPT TO:
DATA
Body of e-mail.
.
QUIT
EOF

Port scanning

It may be useful to know which ports are open and running services on a target machine. The -z flag can be used to tell nc to report open ports, rather than initiate a connection. Usually, it's useful to turn on verbose output to stderr by use this option in conjunction with -v option.

For example:

nc -zv host.example.com 20-30
Connection to host.example.com 22 port [tcp/ssh] succeeded!
Connection to host.example.com 25 port [tcp/smtp] succeeded!

The port range was specified to limit the search to ports 20 - 30, and is scanned by increasing order.

You can also specify a list of ports to scan, for example:

nc -zv host.example.com 80 20 22
nc: connect to host.example.com 80 (tcp) failed: Connection refused 
nc: connect to host.example.com 20 (tcp) failed: Connection refused 
Connection to host.example.com port [tcp/ssh] succeeded!

The ports are scanned by the order you given.

Alternatively, it might be useful to know which server software is running, and which versions. This information is often contained in the greeting banners. To retrieve these, it is necessary to first make a connection, and then break the connection when the banner was retrieved. This can be accomplished by specifying a small timeout with the -w flag, or perhaps by issuing a "QUIT" command to the server:

echo "QUIT" | nc host.example.com 20-30
SSH-1.99-OpenSSH_3.6.1p2 Protocol mismatch. 
220 host.example.com IMS SMTP Receiver Version 0.84 Ready

查看英文版

查看中文版

nc 例子

nc -p 31337 -w 5 host.example.com 42

使用端口31337作为源端口,打开到host.example.com的端口42TCP连接,超时为5秒。

nc -u host.example.com 53

打开到host.example.com的端口53UDP连接。

nc -s 10.1.2.3 host.example.com 42

使用10.1.2.3作为连接本地端的IP,打开到host.example.com端口42TCP连接。

nc -lU /var/tmp/dsocket

创建并侦听UNIX域流套接字。

nc -x10.2.3.4:8080 -Xconnect host.example.com 42

连接到端口42host.example.com通过HTTP代理在10.2.3.4,端口8080ssh也可以使用此示例。

nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42

与上面的示例相同,但是这次如果代理需要,则使用用户名“ ruser ”启用代理身份验证。

nc -p 31337 -w 5 host.example.com 42

Opens a TCP connection to port 42 of host.example.com, using port 31337 as the source port, with a timeout of 5 seconds.

nc -u host.example.com 53

Opens a UDP connection to port 53 of host.example.com.

nc -s 10.1.2.3 host.example.com 42

Opens a TCP connection to port 42 of host.example.com using 10.1.2.3 as the IP for the local end of the connection.

nc -lU /var/tmp/dsocket

Creates and listens on a UNIX-domain stream socket.

nc -x10.2.3.4:8080 -Xconnect host.example.com 42

Connects to port 42 of host.example.com via an HTTP proxy at 10.2.3.4, port 8080. This example could also be used by ssh.

nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42

The same as the above example, but this time enabling proxy authentication with username "ruser" if the proxy requires it.

查看英文版

查看中文版

其他命令行

newalias | newform | newgrp | niscat | nischmod | nischown | nischttl | nisdefaults | nl | nohup | nroff | nisgrep | nispasswd | nistbladm | nice |

如此好文,分享给朋友
发表评论
验证码:
评论列表
共0条