Netcat

Introduction to netcat

Netcat is a widely used command-line network tool. Its main job is to establish a transport-layer connection and let you read and write application-layer data over it interactively. It supports both transport protocols, TCP and UDP, and also Unix domain sockets. As a client it connects to a server; as a server it gives some program a network interface. It is handy for troubleshooting, file transfer, and acting as a layer-4 (transport-layer) proxy.

A Unix domain socket uses a path in the file system as its address, so processes on the same machine can refer to it by name: two processes open the same Unix domain socket and talk through it. That traffic stays inside the kernel and never touches the network.


Some uses

Network troubleshooting

  1. Check whether a port on a remote host is open
    • nc -v 192.168.31.111 22
  2. Check whether a local port is already in use
    • nc -v 127.0.0.1 2345

With -v, nc reports whether the connection succeeded or was refused instead of exiting silently; adding -z makes it test the port without sending any data.

Client

Plaintext protocols can be spoken to the server directly, for example HTTP, Redis, memcached and SMTP.

  1. HTTP client
    • A single HTTP request (HTTP/1.1 requires a Host header, and Connection: close makes the server hang up so nc exits)
      • printf "GET / HTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: close\r\n\r\n" | nc 127.0.0.1 8000
    • Multiple HTTP requests, prepared in a file
      • nc 192.168.31.111 8080 < multiple_http_request
  2. Redis client
    • nc 192.168.31.111 6379
  3. SMTP client
    • nc -v smtp.sina.com 25
  4. memcached client
    • nc -v 192.168.31.111 11211
  5. JSON-RPC client
    • nc -v 192.168.31.111 8101
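What the multiple_http_request file above has to contain, and the part nc does not do for you (splitting the responses that come back on one stream), as an added Python example that is not from the original post. The local test server, the paths and the port are constructed for an offline run; against a real host you would point fetch_pipelined at that host instead.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_requests(host, paths, close_last=True):
    """Build the bytes nc would send from a 'multiple_http_request' file:
    pipelined HTTP/1.1 requests. Host is mandatory in HTTP/1.1 (many servers
    answer 400 without it); 'Connection: close' on the last request makes the
    server hang up, so nc exits instead of waiting for more."""
    reqs = []
    for i, path in enumerate(paths):
        hdrs = [f"GET {path} HTTP/1.1", f"Host: {host}"]
        if close_last and i == len(paths) - 1:
            hdrs.append("Connection: close")
        reqs.append("\r\n".join(hdrs) + "\r\n\r\n")
    return "".join(reqs).encode("ascii")


def read_responses(sock, count):
    """Frame 'count' responses off one TCP stream using Content-Length.
    nc just dumps the stream; it has no idea where one response ends."""
    buf = b""
    out = []
    while len(out) < count:
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed before all responses arrived")
            buf += chunk
        head, buf = buf.split(b"\r\n\r\n", 1)
        lines = head.decode("iso-8859-1").split("\r\n")
        status = int(lines[0].split()[1])
        headers = {k.lower(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:])}
        length = int(headers.get("content-length", 0))
        while len(buf) < length:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("truncated body")
            buf += chunk
        out.append((status, headers, buf[:length]))
        buf = buf[length:]
    return out


def fetch_pipelined(host, port, paths):
    """Send all requests at once (as nc does with a redirected file) and
    return a list of (status, headers, body) tuples in request order."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(build_requests(host, paths))
        return read_responses(s, len(paths))


# --- constructed local server so the example runs offline ---
class _Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"      # keep-alive, so pipelining works

    def do_GET(self):
        body = f"you asked for {self.path}\n".encode()
        self.send_response(404 if self.path == "/missing" else 200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep the demo quiet
        pass


def start_test_server():
    """Start the constructed server on a free loopback port; returns the port."""
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


if __name__ == "__main__":
    port = start_test_server()
    for status, hdrs, body in fetch_pipelined("127.0.0.1", port, ["/", "/missing", "/x"]):
        print(status, body)
```

Without the Host header many HTTP/1.1 servers answer 400, and without Connection: close on the last request the server keeps the connection open and nc waits forever; both are easy to miss when the file is written by hand.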

Protocol detection

For protocols that are not plaintext, such as SSH and MySQL, talking to the server by hand is impractical, but both of them speak first, so the greeting alone tells you which protocol is on the port.

  1. SSH protocol detection
    • nc 192.168.31.111 22
    • Output: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
  2. MySQL protocol detection
    • nc 192.168.31.111 3306
    • Output: Q5.7.21-20-log}El/n}f a-ag[qgosOmysql_native_password

The MySQL output is the binary handshake packet printed raw: the leading Q is the packet-length byte (0x51 = 81), then comes the server version 5.7.21-20-log, the random authentication challenge, and the name of the authentication plugin, mysql_native_password. Both greetings reveal exact version information before any authentication, which is why banner grabbing is a standard first step of reconnaissance. Protocols where the client speaks first (HTTP, Redis) show nothing until you send a request.
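An added Python example (not from the original post) of what the eye does with the output above: grab the bytes a server sends before you send any, and decode them, including the MySQL handshake that nc prints as garbage. The SSH banner is the one quoted above; the MySQL greeting is constructed here with the same server version and plugin name (the connection id, challenge and capability bits are made up), and a throwaway local listener stands in for the real servers.

```python
import socket
import struct
import threading

CLIENT_PLUGIN_AUTH = 0x00080000   # MySQL capability flag: "auth plugin name follows"


def grab_banner(host, port, timeout=3.0):
    """Connect and return what the server volunteers before we send a byte
    (what nc shows you for SSH/MySQL). Client-speaks-first protocols such as
    HTTP return b'' once the timeout expires."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""


def parse_mysql_handshake(data):
    """Decode a MySQL HandshakeV10 packet: 3-byte little-endian length, 1-byte
    sequence id, then protocol version 0x0a, NUL-terminated server version,
    connection id, the 20-byte auth challenge split in two parts, and (if the
    CLIENT_PLUGIN_AUTH flag is set) the NUL-terminated auth plugin name."""
    length = int.from_bytes(data[:3], "little")
    body = data[4:4 + length]
    if len(body) != length or not body or body[0] != 0x0A:
        raise ValueError("not a MySQL HandshakeV10 greeting")
    end = body.index(b"\x00", 1)
    version = body[1:end].decode("ascii")
    pos = end + 1
    conn_id, salt1 = struct.unpack_from("<I8s", body, pos)
    pos += 4 + 8 + 1                        # connection id, challenge part 1, filler
    cap_lo, charset, status, cap_hi, auth_len = struct.unpack_from("<HBHHB", body, pos)
    pos += 2 + 1 + 2 + 2 + 1 + 10           # the five fields above plus 10 reserved bytes
    capabilities = cap_lo | (cap_hi << 16)
    salt2_len = max(13, auth_len - 8)
    salt2 = body[pos:pos + salt2_len]
    pos += salt2_len
    plugin = ""
    if capabilities & CLIENT_PLUGIN_AUTH:
        plugin = body[pos:body.index(b"\x00", pos)].decode("ascii")
    return {"server_version": version, "connection_id": conn_id,
            "capabilities": capabilities, "charset": charset, "status": status,
            "auth_plugin": plugin, "challenge": (salt1 + salt2).rstrip(b"\x00")}


def build_mysql_handshake(version, conn_id, challenge, plugin,
                          capabilities=0xF7FF | CLIENT_PLUGIN_AUTH):
    """Constructed greeting for offline use; mirrors the layout parsed above."""
    assert len(challenge) == 20
    body = b"\x0a" + version.encode("ascii") + b"\x00"
    body += struct.pack("<I8s", conn_id, challenge[:8]) + b"\x00"
    body += struct.pack("<HBHHB", capabilities & 0xFFFF, 0x21, 0x0002,
                        capabilities >> 16, 21)
    body += b"\x00" * 10 + challenge[8:] + b"\x00" + plugin.encode("ascii") + b"\x00"
    return len(body).to_bytes(3, "little") + b"\x00" + body


def identify(banner):
    """Classify a server greeting the way you would by eye in nc's output."""
    if banner.startswith(b"SSH-"):
        return "ssh", banner.splitlines()[0].decode("ascii", "replace")
    if len(banner) > 4 and banner[4] == 0x0A:
        try:
            return "mysql", parse_mysql_handshake(banner)
        except ValueError:
            pass
    if not banner:
        return "silent", "server did not speak first: send a probe instead"
    return "unknown", banner[:32]


def serve_once(payload):
    """Constructed local listener that sends payload to one client; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(payload)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


# Constructed samples: the SSH line is the one quoted above; the MySQL packet is
# built to the same 81-byte size, so it too starts with the 'Q' (0x51) seen above.
SSH_BANNER = b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3\r\n"
MYSQL_GREETING = build_mysql_handshake("5.7.21-20-log", 42, b"aB3dE5fG7hI9jK1lM2nO",
                                       "mysql_native_password")

if __name__ == "__main__":
    for payload in (SSH_BANNER, MYSQL_GREETING):
        print(identify(grab_banner("127.0.0.1", serve_once(payload))))
```

Point grab_banner at a real host and port to get the same classification nc gives you by eye; the "silent" case is the reminder that for HTTP-style services you must send something first.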

Server side

netcat can also listen on an address and accept connections from clients, acting as a server.

  • Listen on local port 2345: nc -l 2345 (the traditional netcat build wants the port after -p: nc -l -p 2345)
File transfer
  • Server side: nc -l 2345 < test.php
  • Client: nc 192.168.100.100 2345 > test.php
Nothing on this path is encrypted or authenticated: whoever reaches the port first gets the file, and the receiver cannot tell a truncated transfer from a complete one, so compare a checksum of both copies afterwards.
As a network interface to a program

Wiring a program's standard input and output to a connection in both directions needs a named pipe (FIFO).

A named pipe is a first-in, first-out communication channel between processes, an extension of the classic Unix pipe. A traditional pipe is anonymous and lives no longer than the process that created it; a named pipe has a name in the file system and persists until it is removed. It is created with mkfifo or mknod, and two processes open it by path, one for reading and one for writing.

jsonrpc_server.py is a small JSON-RPC implementation (the author's own script, not shown here): it reads requests from standard input and writes JSON-RPC responses to standard output. The FIFO carries the script's output back to nc, which sends it to the client:

  • Create the FIFO: mkfifo /tmp/jsonrpc
  • JSON-RPC server side: nc -l 2345 < /tmp/jsonrpc | ./jsonrpc_server.py > /tmp/jsonrpc
  • JSON-RPC client: nc 127.0.0.1 2345

Data path: bytes from the client arrive at nc and flow through the pipe into the script's stdin; the script's stdout goes into the FIFO, which nc reads and sends back to the client.


Reverse proxy

What follows is really a transport-layer (TCP) forwarder: the listening nc accepts a connection on port 8081, the second nc relays the bytes to the real server, and the FIFO carries the replies back. It handles one connection at a time, and most nc builds exit once that first client disconnects.

HTTP

mkfifo /tmp/netcat_tunnel
nc -l 8081 < /tmp/netcat_tunnel | nc www.baidu.com 80 > /tmp/netcat_tunnel
curl 127.0.0.1:8081 -H 'Host: www.baidu.com'

HTTPS

nc -l 8081 < /tmp/netcat_tunnel | nc www.baidu.com 443 > /tmp/netcat_tunnel
curl https://127.0.0.1:8081 -H 'Host: www.baidu.com' -I -k

The forwarder does not terminate TLS; it only moves encrypted bytes, so the session stays end-to-end encrypted. The -k is needed only because the certificate is issued for www.baidu.com, not 127.0.0.1; it disables certificate verification, which is acceptable for this test but not against a server you do not control. curl's --resolve option lets you keep the real hostname in the URL (and therefore in SNI and the verification) and drop -k.

SSH

nc -l 8081 < /tmp/netcat_tunnel | nc 192.168.31.111 22 > /tmp/netcat_tunnel
ssh root@127.0.0.1 -p8081 -i ~/.ssh/id_rsa

SSH's own host-key check still works through the tunnel: ssh records the key under [127.0.0.1]:8081 in known_hosts and warns if a different server later answers there.
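An added Python example (not from the original post) of the same layer-4 forwarding done without the FIFO: one listener and a pair of copy threads per accepted connection, so it keeps serving after the first client and can carry several connections at once. The echo server it forwards to is constructed for an offline test; in use you would pass the real target, for example ("www.baidu.com", 80).

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the other end
    sees the EOF too (the same thing that makes 'nc < fifo | nc > fifo' end)."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, target):
    """Open the upstream connection and pump both directions at once."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()                 # upstream down: drop the client, do not hang
        return
    upstream.settimeout(None)
    to_upstream = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    to_upstream.start()
    _pump(upstream, client)
    to_upstream.join()
    client.close()
    upstream.close()


def start_relay(target, bind=("127.0.0.1", 0)):
    """Listen on bind and forward every accepted connection to target (host, port).
    Returns the listening port. Unlike the FIFO trick, each client gets its own
    pair of pump threads, so connections can overlap and the relay never exits."""
    lsock = socket.socket()
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(bind)
    lsock.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:
                return
            threading.Thread(target=_relay, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]


def start_echo_server():
    """Constructed upstream for the offline demo: echoes until the peer half-closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def roundtrip(port, payload):
    """Client side: send payload through the relay, half-close, read the reply to EOF."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = c.recv(65536)
            if not data:
                return b"".join(chunks)
            chunks.append(data)


if __name__ == "__main__":
    relay_port = start_relay(("127.0.0.1", start_echo_server()))
    print(roundtrip(relay_port, b"GET / HTTP/1.0\r\n\r\n"))
```

The half-close in _pump is the detail that matters: forwarding EOF in each direction separately is what lets a client finish sending while still reading the reply, and it is also why the nc version ends only when both sides are done.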

Security

Port scanning

Scan ports 22 to 80 on 192.168.31.111 (-z connects without sending data, -v reports each result)

nc -zv 192.168.31.111 22-80

Bind / reverse shell

mkfifo /tmp/netcat_tunnel
nc -l 2345 < /tmp/netcat_tunnel | sh -i > /tmp/netcat_tunnel 2>&1

This wires a shell's input and output to whoever connects to port 2345. Because the shell side is the one listening, this form is strictly a bind shell; a reverse shell is the same pipeline with the listener replaced by an outbound connection to the attacker's host and port, which is what gets through firewalls that block inbound connections. The 2>&1 sends the shell's error output to the client as well, so failed commands are visible. Everything travels in cleartext and there is no authentication: whoever reaches the port first owns the shell.

OpenSSL

The openssl tool provides two subcommands, s_server and s_client, which act as a TLS server and TLS client respectively; together they behave like an encrypted nc.

Encrypted file transfer (openssl)

  1. Generate a self-signed certificate and key (-nodes leaves the key unencrypted so the server starts without a passphrase prompt)
    openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365 -subj /CN=localhost
  2. Start the openssl server; it sends its standard input to the client
    openssl s_server -key key.pem -cert cert.pem -port 2345 < test.php
  3. The client receives the file
    openssl s_client -connect 127.0.0.1:2345 -CAfile cert.pem -verify_return_error -quiet > test.php

On the client, -quiet suppresses the handshake chatter so only the file reaches standard output, and keeps s_client from quitting when its own stdin hits EOF (-sess_out, by contrast, writes the TLS session to a file, not the received data, so it cannot be used to save the file). -CAfile cert.pem tells the client to trust exactly this self-signed certificate, and -verify_return_error makes it abort on a mismatch; without those two flags s_client merely prints a verify error and carries on, so anyone on the path could present their own certificate and the "encrypted" transfer would land with them.