nc -l -e /bin/bash -p 10001
Not much to explain here. -l listens for incoming connections, -e executes /bin/bash when a client connects, with the connection wired to bash's stdin, stdout and stderr, and -p chooses the port to listen on.
You must use a semicolon after each command. The reason is that telnet terminates every line with CR LF, and the non-interactive bash on the other end treats the carriage return as part of the last word on the line: a bare whoami arrives as a command named "whoami<CR>" and is not found, while whoami; ends the command before the stray byte.
will@hydra:~$ telnet localhost 10001
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
whoami;
will
There you go. Obviously this has the potential for misuse; running this as root will create a remote backdoor after all. But it's also a very useful administrative tool. Keep in mind that nc does no encryption and no authentication: every command and its output cross the network in the clear, and anyone who can reach the port gets the shell.
nc terminates when the client disconnects, so each invocation serves exactly one connection and only one person can be connected at once.
From my experience, the nc builds most distros release disable the -e option.
Debian and Ubuntu don’t; I can’t imagine any good distro would. 🙂
If your distro does, just grab nc from here: http://netcat.sourceforge.net/source.php?url=/download.php