Well, it isn't in German. Welcome to the Post Exploitation, Hacking, Persistence and Continued Access course. We are currently in the actual persistence and continued access portion of the course.
The namesake of this video, obviously, is what you see on your screen: we'll be discussing Windows, particularly. We're going to be discussing using Netcat as a persistent backdoor for Windows.
Ah, Netcat has been around forever. It's really a very, very cool tool. Most of the time when you see it now, you're actually seeing Ncat, which was a new tool similar to Netcat. Originally it was developed by Nmap, sort of to act as a replacement, just because of how popular the original tool was. It wasn't really being updated or maintained, and needs grow. If your products don't grow with those needs, then someone's gonna have to step in for you.
So we'll be using Ncat, which is the new version of Netcat.
It's a pretty straightforward tool. We've actually used it before to test network connectivity, so I'll give you a demonstration of that right now. So we're gonna do ncat, listen, verbose, blah, blah, blah, and we'll go through the specific instructions here in a moment when we actually start using it for a backdoor. But here, I just want to give you a basic idea of what it's gonna look like when you use it.
So it's very simple, straightforward commands. We start the listener, it says we're listening, we're ready to go. Connect in, send data, it has received it. Send it back, data received.
Ncat is very useful, for one main reason. I notice that we are using Linux syntax. So you can't really get away with doing that. You have to use the Linux syntax because this is originally a Linux application. So despite the fact that we're on Windows, we actually do have to use the dashes, which I know can be quite annoying. But we gotta work with what we've got.
So here are the options for Ncat, and we see all the interesting things that Ncat can do. See here, it can actually answer Telnet negotiation, which is an interesting ability, so we can actually connect to Ncat using telnet. -l we used a moment ago, which is listen: it sets it up as a listener, as a server instead of a client. That's how it knows which one you want it to be.
Here you've got the verbosity setting. I usually set it to two v's. You can set it up to three if you really want to know everything going on. Do not resolve host names: that basically just means just directly go to the IP I hand you; you can't have it resolve host names. Really not a huge deal either way. And then -p actually specifies the port.
However, and this is the reason why Ncat is such an incredibly useful backdoor method: if you give it the -e, it will execute a command on the receiving of a connection.
Now, a lot of times this command could be something like give the user data, give them, you know, information. You might see ncat -l -v -p, and then you have someone connect in and it's okay. And then ncat, obviously ncat to localhost, but whatever, 12345. You see, it will execute echo Hello, world.
Now, actually, there's some slight difficulty, and the difficulty in that is I gave it a junk command because you didn't need to see anything important. But the idea is pretty straightforward: what we're looking for is, it executed or attempted to execute this command.
Anyway, so that's all well and good. And you can use it for, you know, basic startup information, or you can use it, you know, when you receive a connection, start something, start some program. It can do all sorts of stuff.
One of the cooler things it can do, one of my personal favorite things it can do, and really the big reason why it's so handy, is this: 12345 for a regular port, execute cmd.exe.
So what's gonna happen? Well, start up our listener, and we see here we're in the C drive. This is gonna be important; this is going to be immediately relevant in a moment. See here we're in C:\Users\Perry, and we're gonna ncat to the localhost on 12345.
And there you have it, folks. We ncat to the localhost on that port, and we've got a different location on this drive where specifically we're actually operating, under the privileges of this window. So if, when we first exploited in, we managed to get an admin window, and we create our Ncat listener, that means we've got an admin window now.
So we're gonna go ahead and try out just a quick test command, make sure the thing works. Sure enough, we're seeing the C drive. We could do a tasklist, and we get all the tasks that are currently running, and see that this machine is doing quite a bit of work right now, just sort of generally struggling, you know, doing its stuff. It's being a host for lots of encapsulated, different things running.
But this is handy, obviously. Through Ncat we were able to gain execution. We could do really anything from this shell that we get from this one.
So very commonly, if you use, like, a Meterpreter payload, if you use an MSF payload, very often it is essentially just like this. It's like an Ncat that just connects back to you with an executable. It's very straightforward, very simple, but it's also very handy. It's something that's been used for a long time because it's kind of timeless. It's just a good, solid backdoor.
However, there is one issue with an Ncat backdoor, and you may see that issue, which is this right here. It's not really great to leave a command prompt or to leave something up and running. You might ask, do we actually use Ncat without keeping this going, without keeping this window up? Our problem is essentially it will run only in this window and only when we started it up. So it's not really that useful.
So the trick that we're gonna do is we're actually gonna go back to the registry and we're gonna make some edits again. We've got a long monstrosity of a command, so we'll fill up the screen with this prompt.
You see here that it's another reg add. This particular reg add is kind of a quirky one, because we're actually going to be putting something in the Run, which is under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. This value that we're putting in is kind of malicious, and it's something that's going to be executed every time this machine starts up. Essentially, what it's designed to do is to open up a port, specifically in this case we're gonna be doing 12345 as you see here, and to initiate a connection, or not to initiate a connection, but to listen for a connection. And when that connection comes in, a specific command prompt. Nice and easy, simple as that.
What's really handy about that is that this is in the Run. Like I said, every time the machine starts up, it's going to spit this out. We named it again with the /v, the value option. We named it Win32Admin, just something sort of generic and Windows-sounding, but this one's a little bit too obvious. I'm a big fan of sort of garbled names, just Win32... well, no, no, put that there, in the event of something like Win32... Anyone who really knows what they're looking at knows that these last nine characters or so are pretty much junk data, or pretty much junk, and obviously not correct. But to a normal user, this is a string of vaguely Windows-sounding letters, and we need to leave it alone.
So we create this registry key. This is, again, one that we need to do with admin privileges. See that up here? Because we are modifying the registry. And by doing so, we're basically saying that every time you run, you're going to be running not only Ncat, you're gonna be running that as an administrator. It gets all of the privileges you can give it.
However, that doesn't quite mean we're done yet. See, the thing is, generally speaking, when this Ncat starts up, it's gonna spit out a window. And it doesn't right now because we've been doing lots of administrator everythings and I've already been using it. But it's gonna spit out a window and say, "Hey, Windows Firewall has blocked part or all of this program." The reason for that is pretty straightforward. Windows doesn't like you opening up listeners with this kind of power for no good reason, especially not as an administrator.
So the Windows Firewall is going to be something we have to deal with. So we're gonna bring back my good old command, our netsh, basically. And this time we're gonna do netsh firewall, because again, we're talking to Windows Firewall. All those cases, just firewall, rather than advfirewall. We're going to do netsh firewall show opmode. Just say what mode, show me how the firewall's configured, basically show me what it's doing right now.
So: operational mode is enabled, exception mode is enabled, everything's enabled. And it also yells at us that we should be using the advanced firewall either way. So we see that everything's enabled and good to go, and that the firewall is operating normally. We want to change that.
So we're gonna do netsh, and we will do advfirewall this time. We'll do Windows Admin. Now, this is essentially saying on port 12345 there's something called Windows Admin and we need to enable everything for it. We actually get rid of the advfirewall, silly me for listening to Windows yelling, and of course it gets mad at us because we didn't have advfirewall. But that's okay, no one cares.
Now, whenever Ncat operates, it's going to be completely safe. And we can double check that by simply doing a netsh firewall, and here we see that. Hey, well, that's just right nifty. Also, you see that I play War Thunder. Anyway, port 12345 is open and it's named Windows Admin. Who in the world's going to say something about a Windows Admin port being enabled? No one. Of course the firewall has it enabled.
We want to use a slightly less obvious port than 12345. So this goes back to one of the things that we've sort of discussed as we went the whole way: when you're going for a port and you're trying to enable a port, you always want something that seems in line with what they've been doing. You also, in general, would check this before you started, because you see, oh wow, this guy has a bunch of War Thunder ports open. He's already enabled a game. He's not gonna notice a thing. Put that firewall rule in.
We can actually do one better. So War Thunder is now the name; it blends in pretty well. But that's not all we can do.
If we really wanted to be fancy, we could go back through everything and we can actually change... Check that out. We see the War Thunder service .exe, and we can move it. We can place it, instead of putting it just in the C drive... Okay, what else, what else? All in here, we see Program Files. Program Files, we're looking obviously for War Thunder. You don't see it in there. Let's try Program Files (x86), Steam.
So now we can actually drop this, and we see the War Thunder service .exe is just sitting right here. Now who in the world is gonna judge that? Who's going to say anything about that? But we've got to go back. There's one more thing we've got to change.
Ah, we've got to... yes, here we go. We've got to actually change this path right here in the registry so that now it's going to read C:\... and it completed. So now it runs. Now, whenever this person starts up their computer, it's going to start up the War Thunder service application .exe, and the War Thunder file under a firewall rule of War Thunder, with the name of War Thunder.
Nothing in the world would ever suggest to this person that they're being had, that they've been taken down, which means this has now been successfully obfuscated very, very, very, very easily, using a simple application that anyone has access to, using registry values, and just kind of going through manipulating the system so that everything looks normal.
And this is where we get back into what I was talking about earlier. The more you do during information gathering, the more you actually look into during information gathering, the better you're going to do, the more you know about the system. All those tedious details, the boring netstat and ipconfig and all those things you did that you really don't want to do, that aren't the cool hacker parts: those are the sorts of things that are going to tell you the information. The netsh firewall, the netsh advfirewall, the firewall commands are showing us, you know, what ports are available on the firewall because it thinks this is okay.
So it's definitely something to consider, and it's definitely something you always want to look at and make use of. By gathering information, we've managed to really hide an app that's going to be practically impossible to find: really impossible for a normal user to recognize, and practically impossible even for a very good one.
With that, we're gonna go ahead and finish this Ncat backdoor video. I hope you've learned a little bit about Ncat and a little bit about how it can function. And I hope also, of course, that you've learned a little bit about how you can actually obfuscate your practice, or your steps, and kind of hide the fact that you've been doing things.
We'll get more into that in Covering Tracks, and, well, you know, show you more as to what files and where you can safely hide things most commonly. But it's something that deserves notice right now, and it's something that certainly will help you in the long run. Until the next time, I'm Joseph Perry. You've been watching this on Cybrary, and, uh, get out there and hack some stuff.
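As an added defensive example (not from the video or the course), the following Python script parses constructed samples of `reg query` output for the Run key and `netsh advfirewall firewall show rule` output, flags a Run value that starts a listener with an exec option on connect, and cross-references its port with an inbound allow rule, which is exactly the pairing the video builds. The sample executable name, rule name and the abridged netsh layout are assumptions made up for the example.

```python
import re

# Constructed sample of `reg query HKLM\...\CurrentVersion\Run` output (not from a real host).
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    War Thunder       REG_SZ           "C:\Program Files (x86)\Steam\WarThunderService.exe" -l -p 12345 -e cmd.exe
"""

# Constructed, abridged sample of `netsh advfirewall firewall show rule name=all` output.
NETSH_RULE_OUTPUT = """
Rule Name:                            War Thunder
Enabled:                              Yes
Direction:                            In
LocalPort:                            12345
Action:                               Allow
"""

LISTENER_FLAGS = re.compile(r"(^|\s)(-l|--listen)(\s|$)")          # ncat listen mode
EXEC_FLAGS = re.compile(r"(^|\s)(-e|--exec|-c|--sh-exec)\s+(\S+)")  # program spawned per connection
PORT_FLAG = re.compile(r"(^|\s)(-p|--source-port)\s+(\d+)")         # port the listener binds

def parse_run_entries(text):
    """Return {value_name: command} from reg query output for the Run key."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s+(.+?)\s{2,}REG_\w+\s{2,}(.+)$", line)
        if m:
            entries[m.group(1).strip()] = m.group(2).strip()
    return entries

def inbound_allow_ports(text):
    """Return {port: rule_name} for enabled inbound Allow rules in netsh output."""
    ports, rule = {}, {}
    for line in text.splitlines() + [""]:       # trailing "" flushes the last rule block
        if not line.strip():
            if (rule.get("Enabled") == "Yes" and rule.get("Direction") == "In"
                    and rule.get("Action") == "Allow" and rule.get("LocalPort", "").isdigit()):
                ports[int(rule["LocalPort"])] = rule["Rule Name"]
            rule = {}
        elif ":" in line:
            k, v = line.split(":", 1)
            rule[k.strip()] = v.strip()
    return ports

def find_run_key_listeners(reg_text, netsh_text):
    """Flag Run values that bind a listener and spawn a program on connect."""
    findings, allowed = [], inbound_allow_ports(netsh_text)
    for name, cmd in parse_run_entries(reg_text).items():
        if LISTENER_FLAGS.search(cmd) and (ex := EXEC_FLAGS.search(cmd)):
            port = PORT_FLAG.search(cmd)
            port = int(port.group(3)) if port else None
            findings.append({"value": name, "spawns": ex.group(3), "port": port,
                             "firewall_rule": allowed.get(port)})  # rule name if the port is allowed in
    return findings
```

A hit whose `firewall_rule` is not `None` means the autostart listener also has an inbound allow rule, which is the combination worth investigating regardless of how benign the value and rule names look.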