debian:/# nc -h
[v1.10-38]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
debian:/#
debian:/# nc -l -p 81 -v
listening on [any] 81 ...
在能连接到该主机的浏览器中输入 http://10.10.10.136:81，在监听的服务器端可看到如下输出:
10.10.10.1: inverse host lookup failed: Host name lookup failure
connect to [10.10.10.136] from (UNKNOWN) [10.10.10.1] 27301
GET / HTTP/1.1
Host: 10.10.10.136:81
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.0.12) Gecko/2009070611 Firefox/3.0.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
debian:~# nc -v -z -w2 10.10.10.136 1-100
10.10.10.136: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [10.10.10.136] 80 (www) open
(UNKNOWN) [10.10.10.136] 22 (ssh) open
debian:~# nc -u -v -z -w2 10.10.10.136 1-1000
10.10.10.136: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [10.10.10.136] 883 (?) open
debian:~# nc -v -z -w2 10.10.10.136 1-100 -n
(UNKNOWN) [10.10.10.136] 80 (www) open
(UNKNOWN) [10.10.10.136] 22 (ssh) open
debian:~# nc -v -z -w2 10.10.10.136 1-100 -n -s 10.10.10.136
(UNKNOWN) [10.10.10.136] 80 (www) open
(UNKNOWN) [10.10.10.136] 22 (ssh) open
debian:~# nc -v -z -w2 10.10.10.136 1-100 -n -s 192.168.203.139
(UNKNOWN) [10.10.10.136] 80 (www) open
(UNKNOWN) [10.10.10.136] 22 (ssh) open
debian:~#
debian:~# nc -vv -l -p 21 -n -e /bin/sh    # 终端一中执行。注意: -e 不做任何认证，凡能连到 21 端口的主机都会直接得到一个以 nc 进程权限运行的 shell（此处为 root，见下文 id 输出）。
listening on [any] 21 ...
再开一个终端（终端二）查看信息:
debian:/# nc 192.168.203.139 21    # 终端二中输入
再次查看终端一，变化如下:
debian:~# nc -vv -l -p 21 -n -e /bin/sh
listening on [any] 21 ...
connect to [192.168.203.139] from (UNKNOWN) [192.168.203.139] 58873
回到终端二执行命令（以下各命令直接在 nc 连接中输入，其后为返回结果）:
debian:/# nc 192.168.203.139 21
ps -ef |grep sshd    # 这里是直接输入的命令
root 2158 1 0 11:40 ? 00:00:00 /usr/sbin/sshd
root 2891 2158 0 11:43 ? 00:00:09 sshd: root@pts/0
root 4477 2158 0 14:09 ? 00:00:02 sshd: root@pts/1
date
2009年 07月 30日 星期四 16:21:53 CST
uname -a
Linux debian 2.6.26-1-686 #1 SMP Fri Mar 13 18:08:45 UTC 2009 i686 GNU/Linux
w
16:22:16 up 4:41, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.10.10.1 11:43 0.00s 2.36s 0.00s nc 192.168.203.
root pts/1 10.10.10.1 14:09 28.00s 1.20s 0.04s sh
users
root root
id
uid=0(root) gid=0(root) groups=0(root)
ls -l mysql*
-rw-r--r-- 1 root root 155008 07-19 11:47 mysql-zrm_2.1_all.deb
-rw-r--r-- 1 root root 10374 07-19 11:46 mysql-zrm-client_2.1_all.deb
netstat -anpt |grep nc
tcp 0 23 192.168.203.139:58873 192.168.203.139:21 ESTABLISHED 5568/nc
netstat -anpt |grep 21
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 2668/memcached
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2158/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2321/cupsd
tcp 0 0 192.168.203.139:58873 192.168.203.139:21 ESTABLISHED 5568/nc
tcp 0 0 192.168.203.139:21 192.168.203.139:58873 ESTABLISHED 5556/sh
tcp6 0 0 :::22 :::* LISTEN 2158/sshd
tcp6 0 0 ::1:631 :::* LISTEN 2321/cupsd
exit
debian:/#
终端二输入 exit 后，终端一中的 nc 监听也随之自动退出:
debian:~# nc -vv -l -p 21 -n -e /bin/sh
listening on [any] 21 ...
connect to [192.168.203.139] from (UNKNOWN) [192.168.203.139] 38298
real 0m0.000s
user 0m0.000s
sys 0m0.000s
debian:~#
[v1.10-38]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
debian:/#
debian:/# nc -l -p 81 -v
listening on [any] 81 ...
在能连接到该主机的浏览器中输入 http://10.10.10.136:81，在监听的服务器端可看到如下输出:
10.10.10.1: inverse host lookup failed: Host name lookup failure
connect to [10.10.10.136] from (UNKNOWN) [10.10.10.1] 27301
GET / HTTP/1.1
Host: 10.10.10.136:81
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.0.12) Gecko/2009070611 Firefox/3.0.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
debian:~# nc -v -z -w2 10.10.10.136 1-100
10.10.10.136: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [10.10.10.136] 80 (www) open
(UNKNOWN) [10.10.10.136] 22 (ssh) open
debian:~# nc -u -v -z -w2 10.10.10.136 1-1000
10.10.10.136: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [10.10.10.136] 883 (?) open
debian:~# nc -v -z -w2 10.10.10.136 1-100 -n
(UNKNOWN) [10.10.10.136] 80 (www) open
(UNKNOWN) [10.10.10.136] 22 (ssh) open
debian:~# nc -v -z -w2 10.10.10.136 1-100 -n -s 10.10.10.136
(UNKNOWN) [10.10.10.136] 80 (www) open
(UNKNOWN) [10.10.10.136] 22 (ssh) open
debian:~# nc -v -z -w2 10.10.10.136 1-100 -n -s 192.168.203.139
(UNKNOWN) [10.10.10.136] 80 (www) open
(UNKNOWN) [10.10.10.136] 22 (ssh) open
debian:~#
debian:~# nc -vv -l -p 21 -n -e /bin/sh    # 终端一中执行。注意: -e 不做任何认证，凡能连到 21 端口的主机都会直接得到一个以 nc 进程权限运行的 shell（此处为 root，见下文 id 输出）。
listening on [any] 21 ...
再开一个终端（终端二）查看信息:
debian:/# nc 192.168.203.139 21    # 终端二中输入
再次查看终端一，变化如下:
debian:~# nc -vv -l -p 21 -n -e /bin/sh
listening on [any] 21 ...
connect to [192.168.203.139] from (UNKNOWN) [192.168.203.139] 58873
回到终端二执行命令（以下各命令直接在 nc 连接中输入，其后为返回结果）:
debian:/# nc 192.168.203.139 21
ps -ef |grep sshd    # 这里是直接输入的命令
root 2158 1 0 11:40 ? 00:00:00 /usr/sbin/sshd
root 2891 2158 0 11:43 ? 00:00:09 sshd: root@pts/0
root 4477 2158 0 14:09 ? 00:00:02 sshd: root@pts/1
date
2009年 07月 30日 星期四 16:21:53 CST
uname -a
Linux debian 2.6.26-1-686 #1 SMP Fri Mar 13 18:08:45 UTC 2009 i686 GNU/Linux
w
16:22:16 up 4:41, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.10.10.1 11:43 0.00s 2.36s 0.00s nc 192.168.203.
root pts/1 10.10.10.1 14:09 28.00s 1.20s 0.04s sh
users
root root
id
uid=0(root) gid=0(root) groups=0(root)
ls -l mysql*
-rw-r--r-- 1 root root 155008 07-19 11:47 mysql-zrm_2.1_all.deb
-rw-r--r-- 1 root root 10374 07-19 11:46 mysql-zrm-client_2.1_all.deb
netstat -anpt |grep nc
tcp 0 23 192.168.203.139:58873 192.168.203.139:21 ESTABLISHED 5568/nc
netstat -anpt |grep 21
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 2668/memcached
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2158/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2321/cupsd
tcp 0 0 192.168.203.139:58873 192.168.203.139:21 ESTABLISHED 5568/nc
tcp 0 0 192.168.203.139:21 192.168.203.139:58873 ESTABLISHED 5556/sh
tcp6 0 0 :::22 :::* LISTEN 2158/sshd
tcp6 0 0 ::1:631 :::* LISTEN 2321/cupsd
exit
debian:/#
终端二输入 exit 后，终端一中的 nc 监听也随之自动退出:
debian:~# nc -vv -l -p 21 -n -e /bin/sh
listening on [any] 21 ...
connect to [192.168.203.139] from (UNKNOWN) [192.168.203.139] 38298
real 0m0.000s
user 0m0.000s
sys 0m0.000s
debian:~#