GCIH · Question #653
An incident handler sees the following lines in the shell history of a user on a machine: mknod test p nc -l -p 11111 0<test | nc 10.1.1.10 54321 1>test What did this user implement?
The correct answer is B. A Netcat backpipe relay, receiving data on port 11111 and sending it to 10.1.1.10 port 54321.. The shell commands create a named pipe to wire two Netcat instances together, forming a relay that forwards traffic received on one port to a remote host on another port.
Question
An incident handler sees the following lines in the shell history of a user on a machine:
mknod test p nc -l -p 11111 0<test | nc 10.1.1.10 54321 1>test What did this user implement?
Options
- AA Netcat listener that executes the contents of the file named test.
- BA Netcat backpipe relay, receiving data on port 11111 and sending it to 10.1.1.10 port 54321.
- CA Netcat client that stores its output in a file named test.
- DA Netcat backdoor with a destination port of 11111 and source port of 54321.
How the community answered
(24 responses)- A4% (1)
- B58% (14)
- C25% (6)
- D13% (3)
Why each option
The shell commands create a named pipe to wire two Netcat instances together, forming a relay that forwards traffic received on one port to a remote host on another port.
No command execution flag (such as -e or -c) is present in either nc invocation, so no file contents are executed.
mknod test p creates a FIFO named pipe. The first nc listens on port 11111 with stdin redirected from the pipe, and the second nc connects to 10.1.1.10:54321 with stdout redirected back into the pipe. This forms a bidirectional relay - data arriving on 11111 flows to 10.1.1.10:54321 and responses flow back - a classic Netcat backpipe used for traffic pivoting.
A simple client storing output to a file would use nc host port > file; the named pipe and dual-listener construct here creates a relay, not a passive output capture.
Neither nc invocation spawns a shell or binds a backdoor - the construct is a stateless relay with no command execution capability.
Concept tested: Netcat named pipe backpipe traffic relay
Source: https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf
Topics
Community Discussion
No community discussion yet for this question.