In this example, instead of looking up information on the remote system, we will be installing a netcat backdoor. This includes changes to the system registry and firewall.
First, we must upload a copy of netcat to the remote system.
Afterwards, we work with the registry to have netcat execute at startup and listen on port 445. We do this by editing the key ‘HKLM\software\microsoft\windows\currentversion\run’.
Using the built-in reg command from the command line also works, provided the system's antivirus software does not raise an alert:
Next, we need to alter the system to allow remote connections through the firewall to our netcat backdoor. We open an interactive command prompt and use the ‘netsh’ command to make the changes, as it is far less error-prone than altering the registry directly. Plus, the process shown should work across more versions of Windows, since registry locations and functions are highly version and patch-level dependent.
We open up port 445 in the firewall and double-check that it was set properly.
So with that being completed, we will reboot the remote system and test out the netcat shell.
Wonderful! In a real-world situation, we would not be using such a simple backdoor as this, with no authentication or encryption; however, the principles of this process remain the same for other changes to the system, and for other sorts of programs one might want to execute at startup.
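From the defender's side, the two changes above leave artifacts that are easy to audit: a new value under the Run key and a new firewall port opening. The following is an added example, not code from the original page: a small Python audit that parses constructed samples shaped like `reg query` and `netsh firewall show portopening` output (the sample lines are hypothetical, not captured from a real host) and flags Run-key entries that look like a network listener, raising severity when the firewall also has that port open.

```python
import re

# Constructed sample in the shape of `reg query HKLM\...\CurrentVersion\Run` output
# (hypothetical; not captured from any real system).
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    nc                REG_SZ           C:\Windows\system32\nc.exe -L -p 445 -e cmd.exe
"""

# Constructed sample in the shape of `netsh firewall show portopening` output (hypothetical).
SAMPLE_PORTOPENING = """
Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
445    TCP       Enable   File and Printer Sharing
"""

# Well-known listener binaries; the flag checks below are heuristics, not proof.
LISTENER_NAMES = re.compile(r"\b(nc|ncat|netcat)(\.exe)?\b", re.IGNORECASE)
LISTEN_FLAG = re.compile(r"(?:^|\s)-[A-Za-z]*[lL]")   # -l / -L style listen switch
PORT_FLAG = re.compile(r"-p\s*(\d{1,5})")              # -p <port>


def parse_run_key(text):
    """Return {value_name: command_line} from reg query output of the Run key."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_\w+\s+(.+?)\s*$", line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def parse_open_ports(text):
    """Return the set of (port, protocol) pairs reported as Enable by netsh."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(TCP|UDP)\s+Enable\b", line)
        if m:
            ports.add((int(m.group(1)), m.group(2)))
    return ports


def find_autorun_listeners(run_output, fw_output):
    """Flag autorun entries that look like listeners; 'high' if the firewall exposes the port."""
    open_ports = parse_open_ports(fw_output)
    findings = []
    for name, cmd in parse_run_key(run_output).items():
        if not (LISTENER_NAMES.search(cmd) or LISTEN_FLAG.search(cmd)):
            continue
        port = PORT_FLAG.search(cmd)
        port_no = int(port.group(1)) if port else None
        severity = "high" if (port_no, "TCP") in open_ports else "medium"
        findings.append({"name": name, "command": cmd, "port": port_no, "severity": severity})
    return findings
```

On a live host the same functions can be fed the real output of `reg query` and `netsh firewall show portopening`; baseline the Run key first so that legitimate entries are not reported.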
Using sc to create a custom service and leave a backdoor also works, but one problem is that 360 will still raise an alert and block the registry write.