Xinetd UDP port knock
This utilizes the built-in "xinetd" daemon, which is used to manage network-based services on Linux systems. Xinetd listens for incoming requests on ports we define, and when a specific request is received, we can have it execute a command of our choosing. Of course, this is useful to us!
For our purposes, we will create a custom xinetd service that listens on a UDP port to which we can send a single UDP packet. Once that packet is received on the port we define, it will initiate a netcat reverse shell back to our attacker system. We're calling it a UDP port-knock backdoor because once we "knock" on our UDP port, it gives us an immediate reverse shell.
Port knocking is a well-known concept, but we're implementing it differently, without requiring any third-party software.
Another bonus is that it will persist across reboots.
To create our xinetd backdoor, we should follow these steps:
Step 1. On the target machine, we're going to create a custom xinetd service. We've put together a bash script (xinetd_server.sh) you can simply run on the target host, and it can be downloaded here:
The following script, when executed, will create a new xinetd service called "services-udp". The "services-udp" custom service will be configured to listen on port 65534 UDP on the target machine. It also requires that netcat (nc) is present on the target host in the usual /bin/ directory. It will copy the nc executable to a file called "/bin/services-udp". We're obscuring netcat as another file in this case.
Step 2. On the attacker machine, simply start up a netcat listener on the same port you defined in the xinetd_server.sh script before running it. In the below example, we're using 4444:
Step 3. For the final step, we will use a tool called hping3 to send a single UDP packet to port 65534 on the target host, at which point our custom "services-udp" netcat binary will be triggered and send us a reverse shell. The hping command we will use is:
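For checking a host for the service this procedure leaves behind, the following added example (not part of the original page or its xinetd_server.sh script) parses xinetd service stanzas and flags listeners outside an approved baseline and server binaries whose hash matches netcat. The baseline set, the hash dictionaries and the placeholder digests are assumptions made for the illustration.

```python
import re

# Constructed sample of files under /etc/xinetd.d/, trimmed to the attributes
# the audit reads. The first stanza uses the name, port and path from the page.
SAMPLE = """\
service services-udp
{
    protocol = udp
    port     = 65534
    server   = /bin/services-udp
}
service tftp
{
    protocol = udp
    port     = 69
    server   = /usr/sbin/in.tftpd
}
"""

def parse_xinetd(text):
    """Return {service_name: {attribute: value}} for every service stanza."""
    services = {}
    for name, body in re.findall(r"^\s*service\s+(\S+)\s*\{(.*?)\}", text, re.S | re.M):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0]          # drop comments
            if "=" in line:
                key, value = line.split("=", 1)
                attrs[key.strip(" \t+-")] = value.strip()
        services[name] = attrs
    return services

def audit(services, baseline, server_hashes, netcat_hashes):
    """baseline: approved (port, protocol) pairs (assumed to come from your build
    standard); server_hashes: SHA-256 of each server binary; netcat_hashes:
    SHA-256 of the netcat binaries installed on the host."""
    findings = []
    for name, attrs in services.items():
        listener = (int(attrs.get("port", 0)), attrs.get("protocol", ""))
        if listener not in baseline:
            findings.append((name, "listener not in baseline"))
        if server_hashes.get(attrs.get("server")) in netcat_hashes:
            findings.append((name, "server binary is a copy of netcat"))
    return findings

if __name__ == "__main__":
    # Hash values here are constructed placeholders, not real digests.
    hashes = {"/bin/services-udp": "nc-digest", "/usr/sbin/in.tftpd": "tftpd-digest"}
    for finding in audit(parse_xinetd(SAMPLE), {(69, "udp")}, hashes, {"nc-digest"}):
        print(finding)
```

Services that omit the port attribute take their port from /etc/services, so resolve those names before comparing against the baseline.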