Maintaining Presence and Living off the Land Technique
We will use a simple and efficient method used by many attackers: run a command that invokes
Netcat, creating backdoor command shell access on the target device.
In the Tools directory, there is a file called ncexer.bat that will create two terminal windows for you in
different colors. Run ncexer.bat with admin privileges.
The yellow screen will be our Attacker and the grey screen will be our Victim.
Victim (grey):
Attacker (yellow):
This is a simple and very efficient backdoor shell access for any Windows machine. The problem is that
this access stops once we kill the session. So how do we make it permanent? Create a service!
Attacker (yellow):
C:\> hostname
(here you will see your machine hostname)
Attacker (yellow):
This is the same syntax we would be using if we were trying to execute a command on a remote computer.
Attacker (yellow):
In your Victim window, your netstat command should begin displaying output, indicating that TCP port
4444 is LISTENING. After 30 seconds, the sc command finishes with error message "The service did not
respond to the start or control request in a timely fashion".
Then delete the original ncservice so that we can replace it with one that is more persistent, listening
beyond the 30-second timeout:
Attacker (yellow):
Victim (grey):
Attacker (yellow):
If we stop the Netcat client and drop the connection, the Netcat listener exits, because we invoked
Netcat with the -l option. This option creates a listener that accepts one connection and then stops running.
To make it persistent we need to invoke Netcat with -L instead.
Kill the Netcat client by pressing CTRL-C in both windows. Also delete ncservice2 with this command:
Attacker (yellow):
C:\> sc \\Your_hostname delete ncservice2
Victim (grey):
C:\> netstat -nao | find ":4444"
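As an added defensive check, not part of the original lab: a small Python hunt that parses `sc qc` and `netstat -nao` output to flag a service whose binary path launches Netcat with a listen switch, and to map a listening port such as 4444 back to its owning PID. All sample output is constructed; the service name ncservice2 and the port come from the lab above.

```python
"""Added defensive check: spot a service-installed Netcat listener (constructed sample data)."""
import re

# Constructed `sc qc` output for two services; nothing here is a real host.
SC_QC_OUTPUT = """
SERVICE_NAME: ncservice2
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : C:\\Tools\\nc.exe -L -p 4444
SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        BINARY_PATH_NAME   : C:\\Windows\\System32\\spoolsv.exe
"""
# Constructed `netstat -nao` output: header plus one line per socket.
NETSTAT_OUTPUT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3104
  TCP    10.0.0.5:49210         10.0.0.9:443           ESTABLISHED     2216
"""
# A Netcat binary name, or a listen switch (-l one-shot, -L persistent).
NETCAT_RE = re.compile(r"(?:^|[\\/\s])(?:nc|nc64|ncat|netcat)(?:\.exe)?\b", re.I)
LISTEN_FLAG_RE = re.compile(r"(?:^|\s)-[lL](?:\s|$)")

def parse_sc_qc(text):
    """Return {service_name: binary_path} from concatenated `sc qc` output."""
    services, name = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", line)
        if m and name:
            services[name] = m.group(1)
    return services

def suspicious_services(text):
    """Names of services whose binary path runs Netcat or passes a listen flag."""
    return sorted(name for name, path in parse_sc_qc(text).items()
                  if NETCAT_RE.search(path) or LISTEN_FLAG_RE.search(path))

def listening_pids(text):
    """Return {local_port: pid} for every TCP socket in LISTENING state."""
    pids = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            pids[int(parts[1].rsplit(":", 1)[1])] = int(parts[4])
    return pids

if __name__ == "__main__":
    print("suspicious services:", suspicious_services(SC_QC_OUTPUT))
    print("PID listening on 4444:", listening_pids(NETSTAT_OUTPUT).get(4444))
```

On a real host, feed it the output of `sc qc <name>` for each service and of `netstat -nao`, then compare the PID owning port 4444 against the service's process.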
WMIC
Let's launch Netcat with wmic. We will now show that wmic is more efficient and has a smaller footprint
on the target. Note that the new process we invoke will not have local SYSTEM privileges (as the service
did); it will run with administrator privileges.
Victim (grey):
Attacker (yellow):
Attacker (yellow):
A console window opened when we invoked Netcat using wmic. This is not good, as it might alert the
target. Let's try a new approach.
Attacker (yellow):