nerdexam
GIAC

GCIH · Question #653

An incident handler sees the following lines in the shell history of a user on a machine: mknod test p nc -l -p 11111 0<test | nc 10.1.1.10 54321 1>test What did this user implement?

The correct answer is B. A Netcat backpipe relay, receiving data on port 11111 and sending it to 10.1.1.10 port 54321.. The shell commands create a named pipe to wire two Netcat instances together, forming a relay that forwards traffic received on one port to a remote host on another port.

Web Application Attacks & Post-Exploitation

Question

An incident handler sees the following lines in the shell history of a user on a machine:

mknod test p nc -l -p 11111 0<test | nc 10.1.1.10 54321 1>test What did this user implement?

Options

  • AA Netcat listener that executes the contents of the file named test.
  • BA Netcat backpipe relay, receiving data on port 11111 and sending it to 10.1.1.10 port 54321.
  • CA Netcat client that stores its output in a file named test.
  • DA Netcat backdoor with a destination port of 11111 and source port of 54321.

How the community answered

(24 responses)
  • A
    4% (1)
  • B
    58% (14)
  • C
    25% (6)
  • D
    13% (3)

Why each option

The shell commands create a named pipe to wire two Netcat instances together, forming a relay that forwards traffic received on one port to a remote host on another port.

AA Netcat listener that executes the contents of the file named test.

No command execution flag (such as -e or -c) is present in either nc invocation, so no file contents are executed.

BA Netcat backpipe relay, receiving data on port 11111 and sending it to 10.1.1.10 port 54321.Correct

mknod test p creates a FIFO named pipe. The first nc listens on port 11111 with stdin redirected from the pipe, and the second nc connects to 10.1.1.10:54321 with stdout redirected back into the pipe. This forms a bidirectional relay - data arriving on 11111 flows to 10.1.1.10:54321 and responses flow back - a classic Netcat backpipe used for traffic pivoting.

CA Netcat client that stores its output in a file named test.

A simple client storing output to a file would use nc host port > file; the named pipe and dual-listener construct here creates a relay, not a passive output capture.

DA Netcat backdoor with a destination port of 11111 and source port of 54321.

Neither nc invocation spawns a shell or binds a backdoor - the construct is a stateless relay with no command execution capability.

Concept tested: Netcat named pipe backpipe traffic relay

Source: https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf

Topics

#netcat relay#named pipe#pivoting#shell history analysis

Community Discussion

No community discussion yet for this question.

Full GCIH Practice