Page 2 of 3
Results 11 to 20 of 28

Thread: Recompiling NetCat [In Windows] To Bypass AntiVirus

  1. #11
    lupin (Super Moderator), Join Date Jan 2010, Posts 2,943

    Quote Originally Posted by cybrsnpr:
    encryption is required for my version. You can't turn it off. If you create a socket with it, it will require some version of cryptcat (any should work since I'm still using cryptcat's std blowfish lib). You need to specify a key no matter what version of cryptcat you use since by default, there is a key built in. With most versions of cryptcat that I used, the key was "metallica". I'm not sure what your versions key is. Just specify the -k and a key (-k should be available in all versions of cryptcat). Any encryption will introduce delay, but I never really noticed a large lag when I xfered files.
    Yep, I have no problems getting cryptcat working with another cryptcat; the nc<->cryptcat connection was the only thing I couldn't get working, and it appears that explains why.

    My testing comparing a nc<->nc connection to a cryptcat-cryptcat connection involved copying a 1GB memory dump between a virtual machine and the host. It was seconds compared to minutes, probably exacerbated by the fact that the same physical CPU was doing both sets of cryptography operations.

    What I'm basically after is a usable nc for Windows that is bound into a single executable (no dependencies on non-core DLLs), won't set off antivirus detection, and will interoperate with the built-in nc on most Linux distros as well as a basic TCP socket listener/sender written with something like Perl. I've found lots of nc clones on Windows but none so far have fulfilled all three criteria.

    I'm going to use this for transferring memory and disk images off various system types for incident response and for penetration testing of Windows hosts. At the moment I have to use various different tools to perform these tasks, which is much less flexible.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
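    The third requirement in the post above, interoperating with "a basic TCP socket listener/sender", is easy to check against a minimal implementation. The following is an added example, not code from this thread or from any nc/cryptcat release: a Python listener/sender pair that moves a file as a raw TCP stream closed by the sender (the same wire behaviour as nc), and adds the check an incident responder wants when moving a memory or disk image this way, a SHA-256 of what was sent compared against a SHA-256 of what actually landed on disk. Because the stream is plain TCP ended by EOF, either half can be swapped for nc. The function names (open_listener, receive_to_file, send_file, transfer_and_verify, demo) and the 3 MiB "image" are constructed for this example.

```python
import hashlib
import os
import socket
import tempfile
import threading

CHUNK = 64 * 1024  # read/send in 64 KiB pieces; fine for multi-GB images


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def open_listener(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Bind and listen before the sender starts so there is no race.
    Port 0 lets the OS pick a free port; read it back with getsockname()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def receive_to_file(srv: socket.socket, out_path: str) -> tuple[int, str]:
    """Accept one connection and write the raw stream to out_path until the
    sender closes (what 'nc -l ... > file' does). Returns byte count and the
    SHA-256 of what actually reached the disk."""
    digest = hashlib.sha256()
    total = 0
    with srv:
        conn, _peer = srv.accept()
        with conn, open(out_path, "wb") as fh:
            while True:
                chunk = conn.recv(CHUNK)
                if not chunk:  # EOF from the sender ends the transfer
                    break
                fh.write(chunk)
                digest.update(chunk)
                total += len(chunk)
    return total, digest.hexdigest()


def send_file(host: str, port: int, src_path: str) -> tuple[int, str]:
    """Stream src_path over one TCP connection, hashing as it goes, then
    half-close so the receiver sees EOF. Returns byte count and SHA-256."""
    digest = hashlib.sha256()
    total = 0
    with socket.create_connection((host, port)) as conn, open(src_path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            conn.sendall(chunk)
            digest.update(chunk)
            total += len(chunk)
        conn.shutdown(socket.SHUT_WR)
    return total, digest.hexdigest()


def transfer_and_verify(src_path: str, dst_path: str, host: str = "127.0.0.1") -> dict:
    """Run receiver (in a thread) and sender in one process and compare hashes.
    On a real job the halves run on different hosts; the check is the same:
    hash on the source before, hash on the destination after."""
    srv = open_listener(host, 0)
    port = srv.getsockname()[1]
    received: dict = {}

    def run_receiver() -> None:
        received["bytes"], received["sha256"] = receive_to_file(srv, dst_path)

    t = threading.Thread(target=run_receiver)
    t.start()
    sent_bytes, sent_sha256 = send_file(host, port, src_path)
    t.join(timeout=60)
    return {
        "sent_bytes": sent_bytes,
        "sent_sha256": sent_sha256,
        "recv_bytes": received.get("bytes"),
        "recv_sha256": received.get("sha256"),
        "verified": received.get("sha256") == sent_sha256
        and received.get("bytes") == sent_bytes,
    }


def demo() -> dict:
    """Constructed stand-in for an image: 3 MiB of a repeating byte pattern."""
    image = bytes(range(256)) * (3 * 1024 * 1024 // 256)
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "memdump.raw")
        dst = os.path.join(tmp, "memdump.raw.received")
        with open(src, "wb") as fh:
            fh.write(image)
        result = transfer_and_verify(src, dst)
        result["expected_sha256"] = sha256_of(image)
        result["dst_size_on_disk"] = os.path.getsize(dst)
    return result


if __name__ == "__main__":
    r = demo()
    print("verified:", r["verified"], r["sent_bytes"], "bytes", r["recv_sha256"])
```

    The receiver is started before the sender, which is also the order to use between two real hosts; record the source hash before the transfer and compare it with the receiver's hash afterwards, since a silently truncated image is the usual failure mode on a flaky link.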

  2. #12
    Pen_PWN (Just burned his ISO), Join Date May 2009, Posts 6

    I am not sure if this will help, but you can use Windows' built-in iexpress or similar apps like splice or glue to fuse netcat into another program, like calculator or the FF browser. The icon can also be changed to look like whatever app you want.

  3. #13
    lupin (Super Moderator), Join Date Jan 2010, Posts 2,943

    Quote Originally Posted by Pen_PWN:
    I am not sure if this will help, but you can use Windows' built-in iexpress or similar apps like splice or glue to fuse netcat into another program, like calculator or the FF browser. The icon can also be changed to look like whatever app you want.
    I think iexpress needs to extract to a temporary directory to run the programs it includes. Less than ideal from a forensic perspective when performing incident response, because it introduces additional changes to the filesystem. Will look into splice and glue; they do seem interesting, but they may not be appropriate for this particular use, as I'm not really looking to hide nc when using it for incident response. However, it may be good in a pen test scenario.

    I think I'm going to modify the original nc.exe using the following method to get around the AV detection.

    http://packetstormsecurity.org/paper...ack_Netcat.pdf

  4. #14
    aspekt9 (Junior Member), Join Date Feb 2007, Posts 74

    Quote Originally Posted by lupin:
    I think iexpress needs to extract to a temporary directory to run the programs it includes. Less than ideal from a forensic perspective when performing incident response, because it introduces additional changes to the filesystem. Will look into splice and glue; they do seem interesting, but they may not be appropriate for this particular use, as I'm not really looking to hide nc when using it for incident response. However, it may be good in a pen test scenario.

    I think I'm going to modify the original nc.exe using the following method to get around the AV detection.

    http://packetstormsecurity.org/paper...ack_Netcat.pdf
    This was the method I used as well; it got it by Norton. However, be aware that different AVs use different virus signatures: what works on one AV might not on another. To totally evade AV detection you would have to have a copy of all the AV programs out there and repeat the steps in that document for each one individually, which would take a long time. During my research into this area, I came across a great site (http://www.virustotal.com) which uses about 50 of the most popular AV programs' signatures to detect whether a file is clean or not. This would be a better substitute than downloading every copy of AV protection out there.

  5. #15
    lupin (Super Moderator), Join Date Jan 2010, Posts 2,943

    Quote Originally Posted by aspekt9:
    This was the method I used as well; it got it by Norton. However, be aware that different AVs use different virus signatures: what works on one AV might not on another. To totally evade AV detection you would have to have a copy of all the AV programs out there and repeat the steps in that document for each one individually, which would take a long time. During my research into this area, I came across a great site (http://www.virustotal.com) which uses about 50 of the most popular AV programs' signatures to detect whether a file is clean or not. This would be a better substitute than downloading every copy of AV protection out there.
    Yep, have been using VirusTotal for a while now. It's a great resource when performing incident response for malware infections (to rule out false positive detections, which can happen with the Symantec products), or for checking binaries you just aren't sure about.

    On a related note Threatexpert, Anubis and CWSandbox can also be helpful when analysing unknown binaries.

  6. #16
    theprez98 (Moderator), Join Date Jan 2010, Location Maryland, Posts 2,533

    You might also try using dsplit.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  7. #17
    lupin (Super Moderator), Join Date Jan 2010, Posts 2,943

    Quote Originally Posted by theprez98:
    You might also try using dsplit.
    Good tip, looks like a useful tool for use in bypassing AV detection.

  8. #18
    Wolfbane (Junior Member), Join Date Apr 2009, Posts 43

    Quote Originally Posted by cybrsnpr:
    I have a modified version of cryptcat HERE that compiles fine under Windows and Linux. The Windows version requires Visual Studio 6. As for using VC 2008, I think that may be your problem since netcat is pretty old.
    Just want to point out to anyone else trying to check out mocat that the previously posted link is dead, but I dug around and found it was moved to

    csr-group.com/csr-group/resources/mocat.html

  9. #19

    Quote Originally Posted by Wolfbane:
    Just want to point out to anyone else trying to check out mocat that the previously posted link is dead, but I dug around and found it was moved to

    csr-group.com/csr-group/resources/mocat.html
    The original link is working again. My hosting provider had a server crash that messed things up.

  10. #20
    thorin (My life is this forum), Join Date Jan 2010, Posts 2,629

    Recompiling NetCat [In Windows] To Bypass AntiVirus
    I know a bizarrely high number of people have already replied, and it is an interesting topic, but c'mon people, think about this: do you really want to help someone do such a thing?

    No it's not impossible, maybe it's even trivial, but why promote such a tactic?
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

