Write-up to Simple Netcat Socat Reverse Shells


In an exercise the reverse shell should be created with Netcat. This program is according to Wikipedia fairly general-purpose:

  • Outgoing or incoming connections, TCP or UDP, to or from any port.
  • Full DNS forward/backward checking, with appropriate warnings.
  • Ability to use any local source port
  • Ability to use any locally configured network source address
  • Built-in port scanning capabilities with random number generator
  • Built-in loose source routing capability
  • Can read command line arguments from standard input
  • Slow send mode, one line every N seconds
  • Hex dump of sent and received data
  • Optional ability to let another program service establish connections
  • Optional telnet options responder

The shell tool is usually nc or ncat. The configuration is easier if you keep in mind that nc works in 2 modes. The connect mode allows for example the output of local programs to be sent over the network (e.g. to socat). The listen mode does exactly the opposite, waits until someone sends it data. Default is the connect mode in ncat. The documentation for ncat is very helpful. For example, ncat makes tcp connections by default and with -u you can switch to udp.

Examples for ncat

Examples for connect

ncat elsensohn.ch 80

# And inside the program

# Result is a HTTP HTML page 

Examples for listen

ncat -l 8080

# Connection afterwards with e.g. telnet 
telnet localhost 8080

Examples for sending / receiving of a file

# send a file
ncat -l  8080 > file.txt

# receive a file
ncat 8080 --send-only < data.txt

Remote Code Execution Example

# run received text in bash
ncat -l 10000 -e /bin/bash

# send text to let it interpret by the receiver (works also with other tools)
ncat localhost 8080

In the exercise is also used socat that is a relay for bidirectional data transmissions between two independent data channels. There are many types of channels that socat can connect, including (see Getting Started Socat):

  • files
  • lines
  • devices
  • Sockets (UNIX, IP4, IP6 - raw, UDP, TCP)
  • file descriptors (stdin, etc.)
  • programs

According to Getting Started Socat netcat and Socat do similar things, but Socat has more additional functionality, such as allowing multiple clients to listen on a port or reusing connections.


Is it possible to use UDP?

with the -u parameter.

Can you run an HTTP endpoint with netcat?

You could put netcat in between to do port redirection for example. But it needs a http server, because netcat only does the transfer.