PC Owned

[L3arn3r]

I was just playing with netcat on cmd. trying to backconnect something and it was successfully connected and then starting browsing then again i looked on cmd backconnect was disconnected so again i tried to connect but this time it say's "nc.exe not found" then i check my floder nc.exe was not there :S sounds like someone deleted.

I have checked all Established port but there were no extra port.

is it possible to do this sort of task without port? (I mean rat meta both use port)

is there anyway to find logs on win that which user deleted my file?

How would you find rat keylogger etc... in your PC without format the whole disk?

Edited August 27, 2013 by L3arn3r

[digip]

What is the OS you are/were using it on? Try a netstat command to look for listening ports, in case someone put a bind shell up and renamed nc to something else somewhere on your system. In windows you can do "netstat -anb" to show ports established and listening, in use, etc. On linux, netstat -antp (for TCP) and netstat -anup (for UDP ports).

I would also suggest firing up wireshark, and closing all apps and non essential services/daemons needed specifically, and let it run for a while, then see what kind of traffic you are seeing going to foreign hosts. Ignore arp and ntp stuff for the most part, but also be careful not to miss local arp replies to nodes not known to be your machines if you use a wifi network, since someone could be on your lan, be sure to identify the mac address of each machine you own to rule them out, although one of them could be compromised and being used to pivot off of with a reverse connection via net cat.

[L3arn3r]

Solved

Edited October 12, 2013 by L3arn3r

[digip]

is it possible to do this sort of task without port?

All traffic in some manner of networking, requires ports to talk, whether it be a specific service, ie: http on port 80 or otherwise, so no, can't do anything on a network without something going through a specific port, even spoofed traffic on common ports.

is there anyway to find logs on win that which user deleted/renamed my file?

Not really, but you can right click My Computer, then click manage, and check the event viewer. Someone hacking you could also clear those logs though, so aside from using a tool to see if it was deleted, like HandyRecovery to check for deleted files, not sure what to tell you other than checking event viewer and your AV if you have one installed. Would be vigilant in using Wireshark in the meantime to keep an eye on your network traffic just in case someone or something is running and calling home if you did get whacked.

Antivirus programs will remove netcat from pretty much any machine unless whitelisted though. nc.exe is often removed by damn near everything unless explicitly allowing it to stay on your system. ncat however can do some of the same things as netcat, which comes with nmap, and can be set to whitelist it but is often not even quarantined, but usually prompts you if you want to leave it on your system, but if you aren't using an antivirus, and behind nat, hard to say what happened to it other than you maybe doing something to kill or delete it.

If NOT behind a router or NAT, and you had it set as a listener with a shell prompt for testing, someone from the internet could have taken control of the machine, but if behind a router, they'd have to get past NAT or be able to have remote code execution to exploit you somehow, which if they could do that, you got bigger problems than misplacing nc.exe and I would consider the machine compromised without having looked at it personally. If paranoia is getting to you, boot in safe mode, create a new user, move old files over, then delete the old user profile. Export and backup important bookmarks and files and such, but other than a full wipe and reinstall, its generally frowned upon to run tools like that on your main machine. If anything, always setup a second user, as a lower privlileged account and use that, which will always prompt you(aside from getting hacked and privilege escalation) for your password to install and make OS changes. Won't prevent a hack, but much easier to boot in as admin, create new user, and delete hacked users account so long as they weren't able to escalate to admin or system level access.

Also, windows 7 firewall can sometimes block it, but should prompt you to allow or deny when it sees it, but it can't delete files. Only thing that I can see deleting it would have been an antivirus on your system, or you got hacked in some manner. Something as simple as windows defender might even remove it if it sees it or if running microsoft security essentials.

Also, some nc.exe equivalents, are RAT's to begin with(remote admin tools) and you have to be careful of fake clone! Not knowing where you got the file, could have been the case and you opened yourself up to attack if you didn't have a legit copy of it to begin with. On the BT5 disc is both a netcat program(real netcat / nc) which I would suggest playing with in a VM, or using the encrypted clone of it, also on BT, SBD.exe and installed for BT as well. Comes with both versions, for linux and a windows binary, and SBD will/can send traffic using AES encryption, and might be better to play with so no one, if they were on your box, could see the traffic in plain text going back and forth on your lab/test network between the two.

Good luck figuring out what happened. If you do have an antivirus installed, check its logs or see if it quarantined it.

[L3arn3r]

Solved

Edited October 12, 2013 by L3arn3r

[digip]

compressed or encrypted? If compressed such as gzip, add display filter "data-text-lines" and apply, and then you should be able to see the plain text data. If compressed, follow the stream, read as raw, from your machine to foreign target, and save the conversation as a zip file, if you see a header of pk or such, and you are certain its a zipped file, but more than likely, its encrypted traffic if you can't read it or ssl. Would need more info, but don;t suggest posting a pcap here since it could contain your cookies, email passwords, etc, for sites you are on. You'll need to do some reading up on wireshark and digging into this one on your own a bit. Without access to your box, we'd have no idea whats going across your network. Sorry.

[L3arn3r]

Solved

Edited October 12, 2013 by L3arn3r

[digip]

ZoneAlarm is an anti virus. It looks up definitions on files for things like hash matches, sends them data, checks for updates, checks to make sure ZoneAlarm gets restarted if it crashes, etc. I think it also shows up under services.msc and will always start with the PC if ZoneAlarm is set to start with windows. The IP's are Akamai, which I know from using ZoneAlarm years ago, is also hosts ZoneAlarm used to store definitions on, so it may be checking for new updates to virus definitions at those urls too.

[L3arn3r]

digip Thank you for your cooperation.

I have sort it out finally that was on Exception list by my anti and accidently that was removed by me so this is why it was automatically removed.

"digip" If i wasted your time then accept my apologies. it was not my fault but was crap psychology.

Issue Solved

Edited October 12, 2013 by L3arn3r