/dev/tcp forgotten linux delicacy

Most of use nmap , ping ,ping ,wget curl , nc …. when need use or diagnose network from linux command line.
I want show you how  to use bash for fast diagnostic , scanning ,send or download files, open websites , check services and create simple backdoor.

Lets Begin

/dev/{tcp,udp}/ it’s pseudo device file ,opening tcp connection to socket

How its work


But wait there isn’t exist  device  /dev/tcp

Yes this is virtual function bash . If bash was compiled with –enable-net-redirections, it has the capability of using a  TCP and UDP redirections to 30,36 devcie 🙂 .

What is 30 36 device

Traditionally, the major number identifies the driver associated with the device. For example, /dev/null and /dev/zero are both managed by driver 1, whereas virtual consoles and serial terminals are managed by driver 4; similarly, both vcs1 and vcsa1 devices are managed by driver 7. Modern Linux kernels allow multiple drivers to share major numbers, but most devices that you will see are still organized on the one-major-one-driver principle.This is id using minor and mainor


Look to documentation :

>30 char iBCS-2 compatibility devices
0 = /dev/socksys Socket access
1 = /dev/spx SVR3 local X interface
32 = /dev/inet/ip Network access
33 = /dev/inet/icmp
34 = /dev/inet/ggp
35 = /dev/inet/ipip
36 = /dev/inet/tcp
37 = /dev/inet/egp
38 = /dev/inet/pup
39 = /dev/inet/udp
40 = /dev/inet/idp
41 = /dev/inet/rawip

Additionally, iBCS-2 requires the following links:

/dev/ip -> /dev/inet/ip
/dev/icmp -> /dev/inet/icmp
/dev/ggp -> /dev/inet/ggp
/dev/ipip -> /dev/inet/ipip
/dev/tcp -> /dev/inet/tcp
/dev/egp -> /dev/inet/egp
/dev/pup -> /dev/inet/pup
/dev/udp -> /dev/inet/udp
/dev/idp -> /dev/inet/idp
/dev/rawip -> /dev/inet/rawip
/dev/inet/arp -> /dev/inet/udp
/dev/inet/rip -> /dev/inet/udp
/dev/nfsd -> /dev/socksys
/dev/X0R -> /dev/null (? apparently not required ?)

Under minor 30 mainor 36 exist /dev/tcp and 30 , 39 udp

if you can’t run example 1 you can create node for this device .

 mknod /dev/tcp c 30 36
mknod /dev/udp c 30 39 

Examples :

Port scanners :

Simple port scanner added timeout parameter for  scan all from {1..100}


Multi thread port scanner

This script scan port from 1..100 do not waiting for finish scan port but tun next thread . if you run to manny  port or host you can frozen  system .

1024 ports – 0.01s user 0.11s system 12% cpu 0.930 total
6000 ports – 18.05s user 29.40s system 216% cpu 21.949 total

is fast :).

Last is variations with multi thread hosts  and ports =LAN scanner

Script example5 scan group popular ports  in all ip from mask


Web browsing

Open fd read write(<>) sent http reqest to fd (15)   use cat for read fd 15

Files Download


Backdoor reverse shell

First option ( fd to exec )

left window listening server right target sharing shell . 

First step create lisining server on selected port.We use netcat for or create server  open port 303 on localhost

nc -l -p 303 -vvv

On target machine we don’t need netcat only bash 🙂 we open  read write (<>) file descriptor with exec must be bigger >2 example 98 , net step read   file descriptor line by line and forward standard input and redirect standard output and standard error to shell in fd 98 .

Second options

left window listening server right target sharing shell  You can run directly interactive shell and redirect standard input and standard error to stdin/


remember for close opened fd (exec)

 exec {file-descriptor}>&-
 exec {file-descriptor}<&-;


Screenshot from 2017-03-27 09-45-27

fd 66 have opened socket in current shell exec 66>&-

Screenshot from 2017-03-27 09-46-45

Links & Bibliography



Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s