00:03
>> Now, we're going to go a little bit further. What I'm trying to do at this point is to create a backdoor. We have really seen some backdoors, but they're not persistent. It relies on the victim running a program, running a file. Trying to put that into a place in the system where it will load every time they boot, for instance, would be a good technique. Trying to get a virus in the Master Boot Record, or somewhere else in the startup folder, perhaps, you can get that to run. But what I want to try to do in the meantime is use a tool called Netcat. Netcat is very useful because you can set up a listener on a victim's system, pick a port number of your choice and pick a program that you'd like to run, and that lets you connect anytime you want to that system, assuming that Netcat is running. Netcat is included in the Metasploit framework, I should say.

What I'm going to do is run the upload command. I think I've got this saved in my video. This is the path, /usr/share/windows-binaries/nc.exe. Notice, I'm using double backslashes,
>> and I mentioned before,
>> there are some parsing issues, so double backslashes get us around that problem. But what I want to do first is upload the Netcat executable to the Windows directory on the victim system. Can you see it? Let me do that because again, I am the system account. If you're not system, you won't be able to put the file in that directory; you have to try to put it somewhere else. But I want to run it from this directory because that's my first choice.

Now, what we want to do is edit a registry key so that we can get this program to run every time the system boots. From my Meterpreter shell, I need to type this in very carefully, HKLM\\software\\microsoft
>> \\windows\\currentversion\\run.
>> I'm missing one of my backslashes. As I said before, that will cause problems.
>> It's my VMware, a user process. I've got another command I need to run. I'm going to up arrow to bring back my last one. Instead of reg enumkey, I'm going to run the setval command, HKLM\\software\\microsoft\\
>> windows\\currentversion\\run.
>> Then I need to do a little bit after this. Netcat-d is the value that I'm setting in this key, and I'm going to give it the path to Netcat, nc.exe. Then I'm telling it which port I'd like the listener to run on, 445. Then run command.exe as the actual command when the listener is connected to.

Now, I can query the value that I've just set. Get rid of all this. Then I'll change setval to queryval. This lets me confirm that indeed, I have the right parameter set here. I'm running Netcat persistent. This is the path to it, and the command will be command.exe.

Our next task is to go ahead and create the firewall rule so that we can allow this 445 traffic through. It's a lot of typing here. We're going to run netsh advfirewall, the firewall module, and then we want to add a rule. We're going to call the rule Netcat just for now, that's fine. We'd have to specify several parameters here, but all this should make sense if you've worked with firewalls before. We're specifying the protocol as TCP, the local port is 445. Direction is inbound. The action is allow. The program that's being referenced is c:\Windows\system32\nc.exe. It's a lot of typing. Well, the reason that didn't work is because I'm not in a command shell. Verify that I'm still system. Now, I can run that command. Give me my okay statement, show me that the firewall rule worked.

Now, since I've put the registry key into this key, software\\microsoft\\windows\\currentversion\\run, when I reboot the virtual machine, it should load that Netcat program listening on port 445. We'll go ahead and pause so I can reboot.

We lost our Meterpreter session, which is expected when we reboot. I'm going to go ahead and go to another command shell. Now, I'm going to see if my Netcat connection actually works. Netcat's built into Kali; you don't need to specify its path. I'm going to use the verbose option. I'll give it the address of my victim system, and the port number. This might take a moment. There we go. It gave me a message about inverse host lookup failure, that's fine. Who am I? I'm logged in as an administrator, which is good. Now, this is a persistent connection that I have to this system. Anytime I want to log in, I just simply use Netcat and go to this port. Very cool. That's it for the Netcat section. Thank you.