Building a simple reverse shell on Windows with Netcat (Part 1)

Yannik Gartmann
3 min readOct 18, 2021

--

Photo by Clint Patterson on Unsplash

In this post, I want to show you how easy a reverse shell can be established on a Windows system using Netcat.

Before executing any command, I highly recommend reading the documentation and understanding what you are performing. Some of the parameters and commands I’ll explain as we go on in this post.

I would like to point out whatever we are doing here was done as a school assignment using the virtual learning environment smartlearn.ch. Please, do not mess with productive systems! Always use a private learning environment! I’ll take no responsibility for damages on your system(s) or legal actions against you. So, please be careful :)

Setup

We are using vmKL1 as an attacker and vmWP1 as a victim of our attack. Before starting with the “attack”, let’s ensure Netcat is installed on our victim machine.

Background information

Let’s start by understanding what a reverse shell is and what it is doing. As the name already suggests, we connect the victim to a server controlled by us. Typically, in an IT environment, outbound traffic is less restricted than inbound traffic. This can be used to the attackers advantage. He has to access once a server or client, install the payload hidden from a sysadmin, and have unlimited access to a machine afterwards.

Sounds complicated, right? Actually, no, there are plenty of possibilities to access a system. For example, an attacker can join your office and plug a malicious USB into an unlocked notebook during lunchtime. A more straightforward approach could be sending a malicious e-mail with the reverse shell as an attachment to a user.

Attack!

Of course, this will be done hidden from the user in a real-world attack, but for demonstration purposes, we make the attack obvious.

The critical piece of the attack is the “-e” parameter from the Netcat command. This parameter allows us to specify what shell will be used for the connection. We use “cmd.exe” on a Windows system, and on Linux, we use “/bin/bash”.

On vmKL1 (attacker), we begin to listen on port 4444 with these additional parameters -v (Verbose) and -n (use no DNS) (Screenshot 2). Secondly, we start Netcat on vmWP1 (victim) and connect it to our control system (Screenshot 1). Let’s go back to vmKL1 and look at the console. We see the standard windows prompt, and now, we do some sketchy stuff and create an unwanted folder on the victim’s system! (Screenshot 2). Let’s go back to vmWP1, open Windows Explorer, and look into the user’s directory. We will discover the recently created folder (Screenshot 3).

Screenshot 1 of vmWP1
Screenshot 2 of vmKL1
Screenshot 3 of vmWP1

Leesons learned

As we have seen in the demonstration above, a reverse shell can be established quickly and placed in the right location do a lot of damage. So, be aware of a potential attack from the inside. Always check your outbound traffic for malicious activities and put sufficient security in place. Remove unnecessary privileges from users and train them with awareness practice.

I hope you have enjoyed this post and have learned at least how important security is. Keep you and your networks safe :)

  • Yannik

Next steps

--

--