HakTip 87 – Netcat 101: Remote Shells From Windows into Linux

This week on HakTip Shannon is connecting to Linux from Windows with Netcat!



Welcome to HakTip — the show where we break down concepts, tools and techniques for hackers, gurus and IT ninjas. I’m Shannon Morse and today I’m creating remote shells with Netcat in Linux!

Remote shells on Linux work much like they do on Windows. When you begin, you’ll notice no user prompt appears for you. You also need to run Netcat through sudo (super user) to do remote shells.

This time, the listener is my Linux machine, so we will start there with this command: sudo nc -lp 31337 -e /bin/bash

This will start Netcat under super user control (or root), and open a persistent listening port on 31337, while pulling up /bin/bash (which is basically the equivalent of the Windows command prompt).

Now on your Windows box, you can connect to the host PC and that opened port. The listener (my Linux machine) will give bash to my Windows PC. The command for this is: nc [Linux host address] 31337

We’re connected! It does look a little different than the Windows version.

Now we’ll start toying around with some features of a remote shell on Linux. I’ve got both of my computers set up and connected, so now I’m going to type ls on my Windows command line to see a return listing of directories on my Linux machine.

Now let’s make a directory on the Linux machine. In Windows I can use mkdir MyDirectory. We can use the ls command again to see if the directory was indeed created. Now let’s add a new user and give them root access. The command is: useradd -g root NewName

Now I can use this command to make sure that user has been created: grep NewName /etc/passwd

Now I’m going to dump the entire /etc/passwd file using: tail /etc/passwd
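Because the listener above hands an unauthenticated root bash to whoever connects, a defender wants to spot such listeners on a host quickly. The following Python script is an added example, not part of the HakTip post or of the Netcat project: it parses constructed `ss -tlnp` output together with constructed process argument vectors (on a real host these would come from /proc/<pid>/cmdline) and flags nc/ncat/socat listeners that are wired to a shell, noting whether they are bound beyond loopback.

```python
import re

# Constructed sample of `ss -tlnp` output; not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      1      0.0.0.0:31337      0.0.0.0:*         users:(("nc",pid=4242,fd=3))
LISTEN 0      511    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=910,fd=5))
"""

# Constructed argv per pid, standing in for /proc/<pid>/cmdline.
SAMPLE_CMDLINES = {
    812: ["/usr/sbin/sshd", "-D"],
    4242: ["nc", "-lp", "31337", "-e", "/bin/bash"],
    910: ["postgres"],
}

SHELL_NAMES = {"bash", "sh", "dash", "zsh", "ksh"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
LISTEN_RE = re.compile(
    r'^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')


def basename(path):
    return path.rsplit("/", 1)[-1]


def serves_shell(argv):
    """True when argv looks like nc/ncat/netcat -e/-c <shell> or socat exec:<shell>."""
    if not argv:
        return False
    tool = basename(argv[0])
    if tool in ("nc", "ncat", "netcat"):
        for flag, value in zip(argv, argv[1:]):
            if flag in ("-e", "-c") and basename(value.split()[0]) in SHELL_NAMES:
                return True
    if tool == "socat":
        for arg in argv[1:]:
            if arg.lower().startswith("exec:"):
                parts = arg.split(":", 1)[1].split(",", 1)[0].strip('"').split()
                if parts and basename(parts[0]) in SHELL_NAMES:
                    return True
    return False


def find_exposed_shells(ss_output, cmdlines):
    """Return one finding per listening socket whose owning process serves a shell."""
    findings = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(4))
        if serves_shell(cmdlines.get(pid, [])):
            findings.append({"port": port, "bind": addr, "pid": pid,
                             "exposed": addr not in LOOPBACK})
    return findings
```

Run on a live system by feeding it the output of `ss -tlnp` and the contents of /proc/<pid>/cmdline split on NUL bytes; a finding with "exposed": True is the case the comment below warns about.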

Do you use Netcat? Send me a comment below or email us at [email protected]

And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.


  • Giorgi

    NOTE TO VIEWERS: only perform the trick described in this video in a test/lab environment! Doing this on a production system will expose it (and possibly the entire network) to attacks requiring little or no technical expertise.

    We are basically exposing the root shell on the network. This can be compared to allowing telnet access, with its inherent lack of encryption. But this is worse, as it allows anyone to gain superuser access to a remote system without being required to authenticate (enter a username and password). It’s true that an obscure port number is being used, but doing a simple port scan of hosts on the LAN using nmap or similar tools should reveal the port.

    Notes to Shannon:

    The tail command does not dump the entire contents of a file, but the cat command does. On GNU/Linux tail by default prints the last 10 lines of input, while head prints the first 10. Another command to note is ‘less’ (a terminal pager) that displays the file/input one display at a time, but will dump the entire file/input if output is redirected somewhere other than the display (e.g. to a file via ‘>’ or to another command via a pipe). For example, this convoluted command sequence will dump the entire passwd file on screen:

    less /etc/passwd | cat # Just do 'cat filename' for Pete's sake 🙂

    Also, it is accepted practice not to use uppercase letters in usernames on Unix-like systems.


  • tz

    bash -i or -l will get you the prompts (-i = interactive, -l = login), or you can just invoke “telnet localhost” or “ssh localhost”, especially the latter if there is a registered key to avoid a password. (I normally don’t have telnet on a linux box but do have ssh).

    socat is better than netcat. This is how I get to my system at home from my system at work or elsewhere through firewalls (run in a loop). I have a restricted shell so can’t do -e.

    socat exec:"ssh REMOTEHOST nc -l 31337",stderr exec:"bash -ilm",pty,stderr

    The only problem seems that the tty is in line mode so I’m editing locally. But I get prompts and colorization.

    • tz

      It might not have been obvious, but I ssh REMOTEHOST and then “nc localhost 31337” (or telnet localhost 31337) to get to my home computer.

      Figured it out, I had to do “stty -echo raw” then do “nc localhost 31337”, and “stty sane” when finished. Raw sends characters across.

      No job control – I think I need to do something with ptys so bash can do something with the “terminal” which is a pipe.

      • tz

        And one last bit of bashfulness.

        By replacing “bash -lim” with “ssh localhost”, I get a completely interactive shell. Socat uses pipes, but this makes it a read-only and a write-only pair, and bash wants to have one /dev/tty as read-write (as in a socket or device). Netcat would probably work directly but again, I need to do a secure reverse shell to a host with a restricted version of nc. By replacing bash with something that will convert the dual-pipe to a pty, it makes everything work.

        I need to look more deeply into socat since I would think it would have the option.

