netcat (nc) [The sharp knife of the network]

Last updated: 2018-09-21


Installation

 

apt-get install netcat

 


Telnet

 

# it handles binary data as regular data

nc -t 192.168.1.2

# use another source ip

nc -s <source_ip> -t <target> 25

opt:

-s, --source addr
-p, --source-port port
-C, --crlf                 # Use CRLF for EOL sequence

 


Port Listening (Chatting)

 

nc -l 4431

# add -v to see the peer's source IP

nc -v -l 4431

Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:4431
Ncat: Connection from c.c.c.c.
Ncat: Connection from c.c.c.c:41134.
test

Other Opts

-k, --keep-open            Accept multiple connections in listen mode

Normally a listening server accepts only one connection and then quits when the connection is closed.

With -k it accepts multiple simultaneous connections and waits for more connections after they have all been closed.

 


Transferring File

 

Transfer File

Receiver Side

nc -v -l 6666 | gzip -d | pv > vda.qcow2

 * gzip is more effective than bzip2

raw:    real 0m19.214s                     # 96 MiB/s (disk IO limit)
gzip:   1.88GiB -> 873MiB  real 1m17.842s  # 11.2 MiB/s
bzip2:  1.88GiB -> 818MiB  real 3m20.568s

-v               # Have nc give more verbose output.

Listening on [0.0.0.0] (family 0, port 6666)
Connection from localhost.localdomain 52152 received!

# Sender Side

gzip -c vda.qcow2 | pv | nc -w 3 127.0.0.1 6666

Clone Disk

(sda)ServerA --nc--> (6666/tcp)ServerB(sda)

# Destination

# using lz4 instead of gzip gives better performance (low CPU)

# on a slow link, xz is recommended

nc -v -l -p 6666 | gzip -d | dd bs=16M of=/dev/sda

Notes

Not all versions of nc have "-N"

# Source

dd bs=16M if=/dev/sda | gzip -c | pv -L 5m | nc -w 3 ServerB 6666

Note

  • pv -L 5m    # rate limit to 5 MiB/s
  • gzip must come before pv

Transfer with md5 checksum

pipe

 


netcat terminates when stdin closes

 

Sender uses -w and -q; the receiver works without -N

Opts

-w timeout   # Set a fixed timeout for connection.
             # Connections which cannot be established or are idle time out after timeout seconds.

-q seconds   # After EOF on stdin, wait the specified number of seconds and then quit.
             # If seconds is negative, wait forever (default). "0" means close immediately.
             # Specifying a non-negative seconds implies -N

-N           # shutdown the network socket after EOF on the input.

 


Port Scanning

 

$ nc -v -n -z -w 1 192.168.1.2 1-1000

-n     # prevents DNS lookup

-z     # Zero-I/O mode. In both cases, no data is transferred.

In connect mode

it means that as soon as the port is open it is immediately shutdown and closed.

In listen mode

it makes netcat refuse all incoming connections, so it runs into the timeout (if set) or waits forever.

-w1   # makes the connection timeout after 1 second of inactivity

e.g.

Success

nc -z -w 1 192.168.251.42 1433

Connection to 192.168.251.42 1433 port [tcp/ms-sql-s] succeeded!

Failure

nc -z -w 1 192.168.251.42 1434

echo $?

1

UDP

 

-u      # Use UDP instead of the default option of TCP.

-v      # Have nc give more verbose output.

-w N  # sec

e.g.

Test the IPSec port

nc -v -w 1 -u 192.168.123.33 500

* the following message appears only with -v
Connection to 192.168.123.33 500 port [udp/isakmp] succeeded!

# send a single UDP packet with nc

echo '' | nc -u -w 1 datahunter.org 4001

 


Proxy

 

# Input (TCP Port: 1234) --> Web --> Output (TCP Port: 2345)

$ nc -l -p 1234 | nc www.google.com 80 | nc -l -p 2345

 


BackDoor

 

$ nc -l -p 12345 -e /bin/bash

 


Port response

 

# until ssh port has response

until nc -vzw 2 $IP 22; do sleep 2; done
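The `-z -w` probe and the `until nc -vzw 2 $IP 22` loop above both reduce to nc's exit status, which folds "refused", "timed out" and "cannot resolve" into a single 1. The following Python is an added example, not from this page, that re-implements the zero-I/O probe with a plain socket so those reasons stay visible, and adds a bounded version of the wait loop; `local_listener` is a constructed stand-in for `nc -l`.

```python
"""Pure-Python equivalent of `nc -z -w <sec> host port` (zero-I/O probe)
and of `until nc -vzw 2 $IP 22; do sleep 2; done`. Added example, not
code from the page."""
import socket
import time


def probe_tcp(host, port, timeout=1.0):
    """Zero-I/O probe like `nc -z -w timeout`: connect, send nothing,
    shut down at once. Returns 'open', 'closed', 'filtered' or 'error'
    instead of nc's bare 0/1 exit status."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.shutdown(socket.SHUT_RDWR)   # -z: port is open, close immediately
        return "open"
    except ConnectionRefusedError:
        return "closed"        # RST came back: nothing listening (nc exit 1)
    except socket.timeout:
        return "filtered"      # -w expired: dropped by a firewall or host down (nc exit 1)
    except OSError:
        return "error"         # e.g. unresolvable name, no route (nc exit 1)


def wait_for_port(host, port, timeout=2.0, delay=2.0, max_attempts=30):
    """Bounded form of the page's `until` loop: returns the attempt number
    on which the port answered, or 0 if it never opened within max_attempts."""
    for attempt in range(1, max_attempts + 1):
        if probe_tcp(host, port, timeout) == "open":
            return attempt
        time.sleep(delay)
    return 0


def local_listener():
    """Constructed fixture playing the role of `nc -l <port>` on loopback.
    Returns (listening socket, port) with the port chosen by the kernel."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = local_listener()
    print(port, probe_tcp("127.0.0.1", port))   # open
    srv.close()
    print(port, probe_tcp("127.0.0.1", port))   # closed
```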

 


Scripts

 

Monitor a port & e-mail alarm

chk-port.sh

#!/bin/bash

msg="IPSec_Fail - Server-X"
email="admin@domain1 admin@domain2"   # space-separated list, expanded unquoted below

# check mssql: -z zero-I/O probe, -w 1 second timeout
if ! nc -z -w 1 192.168.251.42 1433; then
    echo "$msg"
    echo "$msg" | mail -s "$msg" $email
fi

 


nc for Windows

 

https://nmap.org/ncat/
