Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson focuses on using Ncat as a persistent backdoor for Windows. Participants see basic examples on how to use the command via screen by screen instructions.

Video Transcription

00:04
Well, hello again. Welcome to the Post Exploitation Hacking: Persistence and Continued Access course. We are currently in the actual persistence and continued access portion of the course.
00:13
Uh, the namesake, obviously, of this video is obvious by what you see on your screen: we'll be discussing Windows particularly. We're going to be discussing using Netcat as a persistent backdoor for Windows.
00:26
Ah, Netcat has been around forever. It's
00:29
really a very, very cool tool most of the time when you see it. Now, you're actually seeing Ncat, which is a newer tool similar to Netcat. Originally
00:38
that was developed by Nmap
00:41
to sort of act as a replacement, just because of how popular the original tool was. It wasn't really being updated or maintained, and needs grow. If your products don't grow with those needs, then someone's gonna have to step in for you.
00:53
So
00:54
we'll be using Ncat, which is the new version of Netcat.
00:58
Uh,
00:59
It's a pretty straightforward tool. We've actually used it before to test network connectivity, so I'll give you a demonstration right now. So we're gonna do
01:07
ncat, listen, verbose, blah, blah, blah. And we'll go through the specific instructions here in a moment when we actually start using it
01:17
for a backdoor. But here, I just want to give you a basic idea of what it's gonna look like when you use it,
01:22
so it's very simple, straightforward commands.
01:25
We start the listener, it says we're listening, we're ready to go,
01:29
connect in, send data,
01:30
it has received, send it back, data received.
01:36
very, very simple.
01:38
However,
01:38
Ncat is very useful for one main reason. I noticed that we are using Linux syntax.
01:47
So you can't really get away from doing that. You have to use the Linux syntax because this is originally a Linux application.
01:56
So despite the fact that we're on Windows, we actually do have to use the dashes, which I know can be quite annoying. But we gotta work with what we've got.
02:04
So here are the options for Ncat. Um, and we see all the interesting things that Ncat can do.
02:08
See here, it can actually answer telnet negotiation, which is an interesting ability, so we can actually connect to Ncat using telnet.
02:17
-l we used a moment ago, which is listen;
02:23
it sets it up as a listener, as a server instead of a client. That's how it knows which one you wanted to be.
02:29
Here you've got the verbosity setting. I usually set it to two v's. You can set it up to three if you really want to know everything going on,
02:36
and
02:38
-n, do not resolve host names.
02:40
Ah, that basically just means just directly go to the IP I hand you;
02:45
you can have it resolve host names, really not a huge deal either way. And then -p actually specifies the port.
02:53
However, the reason why Ncat is such an incredibly useful backdoor method
03:00
is because of this:
03:02
if you give it the -e,
03:06
it will execute a command
03:08
on the receiving of a connection.
03:10
Now, a lot of times this command could be something like, you give the user data, give them, you know, information. You might see ncat -l -v -n -p
03:23
12345 -e
03:28
echo Hello
03:30
World,
03:34
and then you have someone connect in, and it's okay. Then ncat,
03:38
obviously they'd probably ncat it to localhost, but whatever, 12345,
03:44
and then
03:46
you see it will execute echo Hello, world.
03:49
Now, actually, there's some slight difficulty in that I gave it a junk command because you didn't need to see anything important. But the idea is pretty straightforward:
03:58
what we're looking for is, it executed or attempted to execute this command.
04:09
No.
04:10
Anyway, so that's all well and good. And you can use it for, you know, basic start up information, or you can use it. You know, when you receive a connection, start something, start some program,
04:21
it could do all sorts of stuff.
04:24
One of the cooler things that could do one of my personal favorite things it can do.
04:28
And really, the big reason why it's so handy
04:30
is this: 12345 for a regular port, execute cmd.exe.
04:39
So what's gonna happen? Well,
04:41
start up our listener,
04:43
and we see here we're in the C drive. This is gonna be important. This is going to be immediately relevant in a moment.
04:48
See here we're in C:\Users\Perry,
04:51
and we're gonna ncat on the localhost, 12345,
04:56
and there you have it, folks.
04:58
We ncat to the localhost on that port,
05:00
and we've got a different location on this drive, where specifically we're actually operating
05:06
under the privileges of this window. So if, when we first exploited in, we managed to get an admin window, we create our Ncat listener.
05:15
That means we've got an admin window now.
05:18
Yeah,
05:23
So we're gonna go ahead and try out, ah, just a quick test command, make sure the thing works.
05:28
Sure enough, we're seeing the C drive. We could do a tasklist
05:33
and we get all the tasks that are currently running and see that this machine is doing quite a bit of the work right now.
05:40
Um,
05:43
just sort of generally
05:46
struggling, you know, doing its stuff. It's being a host for lots of encapsulated, different things running.
05:53
But this is handy, obviously.
05:55
Ah, with Ncat we're able to gain execution. We could do really anything from this shell that we get from this one.
06:01
So very commonly, if you use, ah, like a Meterpreter payload, if you use an MSF payload, very often it's essentially just like this. It's like an Ncat that just connects back to you with execute.
06:15
It's very straightforward, very simple, but it's also very handy. It's something that's been used for a long time because it's kind of timeless.
06:23
It's just good, solid backdoor.
06:26
However, there is one issue with an Ncat backdoor,
06:29
and you may see that issue, which is this right here.
06:32
It's not really great to leave a command prompt, or to leave something up and running,
06:36
on your machine.
06:40
So, cls. So how,
06:44
you might ask, do we
06:46
actually use Ncat without keeping this going, without keeping this window up?
06:53
Our problem is essentially
06:56
that Ncat
06:57
will run only in this window and only when we start it up. So it's not really that useful.
07:01
So the trick that we're gonna do is we're actually gonna go back to the registry and we're gonna make some edits again. We've got a long monstrosity of a command, so we'll fill up the
07:12
screen with this prompt.
07:14
Ah, you see here that
07:16
it's another reg add. This particular reg add is, ah, kind of a quirky one,
07:21
because we're actually going to be putting something in
07:25
the Run key, which is under HKLM\Software\Microsoft\Windows\
07:30
CurrentVersion\Run. This value we're putting in is kind of malicious, and it's something that's going to be executed every time this machine starts up.
07:40
Essentially, what it's designed to do
07:43
is to open up a port. Specifically, in this case, we're gonna be doing 12345 as you see here
07:49
and to initiate a connection, or not to initiate a connection, but to listen for a connection. And when that connection comes in, spit out a command prompt.
07:58
Nice and easy, simple, done.
08:00
What's really handy about that is that this is in the Run key. Like I said, every time the machine starts up, it's going to spit this out. We named it again with the -v, the value option. We named it Win32Admin, just something sort of generic and Windows sounding. This one's a little bit too obvious.
08:16
I'm a big fan of sort of garbled names. Just win32
08:22
dll. Uh,
08:22
well, no, no, put that there.
08:26
Instead, something like win32
08:30
mscdll dot
08:33
exe,
08:35
um,
08:35
anyone who really knows what they're looking at knows that
08:39
these last nine characters or so are pretty much junk data, or pretty much junk, and obviously not correct. But to a normal user, this is a string of vaguely Windows-sounding letters, and we need to leave it alone.
08:52
So we create this registry key. This is, again, one that we need to do with admin privileges. See that up here?
09:00
Because we are modifying the registry.
09:03
And by doing so, we're basically saying that every time
09:07
you run, you're going to be running not only Ncat, you're gonna be running that as an administrator. It gets all of the privileges you can give it,
09:16
enter
09:16
and it completes.
09:20
However, that doesn't quite mean we're done yet. See, the thing is, generally speaking, when this Ncat starts up, it's gonna spit out a window. It doesn't right now because we've been doing lots of administrator things and I've already been using it. It's gonna spit out a window and say, Hey, Windows Firewall has blocked part or all of this program.
09:35
The reason for that is pretty straightforward.
09:37
Windows doesn't like you opening up listeners with this kind of power for no good reason, especially not as an administrator.
09:45
So the Windows Firewall is going to be something we have to deal with. So we're gonna bring up my good old command, our netsh, basically.
09:52
And this time we're gonna do netsh firewall, because again we're talking to Windows Firewall. In this case it's just firewall, um,
10:01
rather than advfirewall.
10:03
We're going to do netsh firewall
10:07
show opmode. Just say what mode, show me how the firewall's configured, basically show me what it's doing right now.
10:15
So operational mode is enabled, exception mode is enabled, everything's enabled.
10:18
Ah,
10:20
so we see.
10:22
And it also yells at us that we should be using advfirewall. Either way, we see that everything's enabled and good to go,
10:31
and that the firewall is operating normally. We want to change that.
10:35
So we're gonna do netsh, and we will do advfirewall this time,
10:39
firewall
10:41
add portopening.
10:43
It will be
10:46
TCP
10:48
12345
10:50
We'll do Windows admin,
10:56
Enable,
10:58
huh?
10:58
Now, this is essentially saying on port 12345 there's something called Windows admin and we need to enable everything for it.
11:05
So hit that.
11:09
We actually get rid of the advfirewall. Silly me for listening to Windows yelling,
11:16
and there we go.
11:16
And of course it gets mad at us because we didn't use advfirewall. But that's okay, no one cares.
11:22
Now, whenever Ncat operates, it's going to be completely safe. And we can double-check that
11:28
by simply doing a netsh firewall
11:33
show
11:37
show portopening.
11:39
And here we see that. Hey,
11:41
well, that's just right nifty. Also, you see that I play War Thunder.
11:46
Don't judge me.
11:46
Anyway, port 12345 is open and it's named Windows admin. Who in the world is going to say something about a Windows admin port being enabled? No one. Of course the firewall has it enabled.
11:56
We want to use a slightly less obvious port than 12345.
12:01
So this goes back to one of the things that we've sort of discussed as we went the whole way,
12:05
which is
12:07
when you're going for a port and you're trying to enable a port, you always want something that seems in line with what they've been doing. You also, in general, would check this before you started, because you'd see, Oh wow, this guy has, ah, a bunch of War Thunder ports open. He's already enabled a game.
12:24
He's not gonna notice a thing.
12:26
Not only can we
12:28
put that firewall rule in
12:31
as war thunder,
12:33
we can actually do one better.
12:37
So War Thunder is now. The name
12:39
blends in pretty well,
12:41
but
12:45
that's not all we can do.
12:46
If we really wanted to be fancy, we could go back through everything
12:50
and we can actually change.
12:54
ncat
12:56
dot exe
12:56
to War Thunder
13:03
Service, uh,
13:05
Application
13:07
dot exe.
13:13
Check that out. We see WarThunderServiceApplication.exe,
13:16
and we can move it. We can place it, instead of putting it just in the C drive,
13:22
gonna actually find,
13:24
okay, what else? What else is all in here? We see Program Files.
13:28
Program Files, we're looking obviously for War Thunder.
13:33
You don't see it in there. Let's try Program Files (x86)\Steam.
13:39
And what's that?
13:41
War thunder.
13:43
Okay,
13:45
so now we can actually drop this
13:48
into
13:48
C:\
13:50
Program Files
13:52
(x86)\
13:54
War Thunder,
14:01
and we see WarThunderServiceApplication.exe is just sitting right here now. Who in the world is going to judge that? Who's going to say anything about that? But we've got to go back; there's one more thing we've got to change.
14:15
Ah, we've got a, yes, here we go. We've got to actually change this path right here
14:22
in the registry so that now it's going to read C:\
14:26
Program Files
14:31
(x86)\
14:33
War Thunder,
14:37
overwrite it,
14:39
and it completed. So now it runs. Now, whenever this person starts up their computer, it's going to start up WarThunderServiceApplication.exe, the War Thunder file, under a firewall rule for War Thunder
14:52
with the name of war Thunder,
14:54
Nothing in the world would ever suggest to this person that they're being had, that they've been taken down,
15:01
which means this has now been successfully obfuscated very, very, very, very easily, using a simple application that anyone has access to, using registry values, and just kind of going through and manipulating the system so that everything looks normal.
15:13
And this is where we get back into like I was talking about earlier. The more you do during information gathering, the more you actually look into during information gathering, the better you're going to do,
15:24
the more you know about the system. All those tedious details, the boring netstat, and
15:31
they're not going to get the boring netstat and ipconfig and all those things you did that
15:35
you really don't want to do. Those aren't the cool hacker parts. Those are the sorts of things that are going to tell you the information that netsh firewall, netsh advfirewall,
15:45
and firewall commands are showing us, you know, what ports are available on the firewall, because it thinks this is okay.
15:54
So it's definitely something to consider, and it's definitely something you always want to look at and make yourself,
16:00
by gathering information. We've managed to really hide an app that's going to be practically impossible to find,
16:07
really impossible for a normal user to recognize
16:11
and practically impossible, even for a very good one.
16:15
With that, we're gonna go ahead and finish this Ncat backdoor video.
16:21
I hope you've learned a little bit about Ncat and a little bit about how it can function. And I hope also, of course, that you've learned,
16:26
Ah,
16:27
a little bit about how you can actually obfuscate your practice or your steps and kind of hide the fact that you've been doing things.
16:34
We'll get more into that in covering tracks and, well,
16:37
you know, show you more as to what files and where you can safely hide things most commonly. But it's something that deserves notice right now, and it's something that certainly will help you in the long run. Until the next time, it's been me, Joseph Perry. You've been watching this on Cybrary, and, uh, get out there and hack some stuff.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor