# Deceiving Defender: Making nc.exe viable again

### Part Zero: Introduction

Netcat is often referred to as the "Swiss army knife" of networking because of its robust capability to read from and write to network connections over either TCP or UDP. This capability makes it an essential part of any Red Team's tool suite, and if you've ever participated in a CTF you've likely used netcat at some point in the competition.

One of the most interesting capabilities netcat provides is the ability to connect a Windows target system to a Linux attacker machine. This cross-platform connection allows an attacker to deploy an arsenal of tools that are not necessarily readily available on other platforms.

### Part One: Getting Started

We begin this project by looking for the standard nc.exe that a quick web (Google) search retrieves for us. We find the nc.exe project by [@int0x33](https://github.com/int0x33/nc.exe).

<figure><img src="/files/rS0fPkWMxWRHxnwIGlSV" alt=""><figcaption></figcaption></figure>

Looking at this project, we notice that the last commit was in 2019, which is an eternity in internet time. AV technologies have come a long way since then, and without a doubt, there are going to be issues with this binary on a modern end-user system.

Let's download the project and try to drop the default nc.exe into a fully updated Windows 10 (x64) virtual machine.

**Note: it appears that nc64.exe goes undetected on disk and at runtime, at least at the time of this writing, so we'll focus on nc.exe (32-bit).**

<figure><img src="/files/OxhwZUsycKpTOdA2bNEl" alt=""><figcaption></figcaption></figure>

We rename nc.exe to nc\_32bit\_orig.exe to keep our modification workflow clear.

<figure><img src="/files/huLsSIxoHNvgXaH4eZEd" alt=""><figcaption></figcaption></figure>

### Part Two: Fixing Errors

If we try to compile a 32-bit nc\_32.exe out of the box, we get the following error:

<figure><img src="/files/7iqyw9nSL9AX41c9gdE3" alt=""><figcaption></figcaption></figure>

There are several ways to fix this error, but a quick look at the Microsoft Reference Source gives us the const int value we need to substitute for the undefined `ERROR_BROKEN_PIPE` identifier.

<figure><img src="/files/jWZyO7Tr76RghsqDy7PN" alt=""><figcaption></figcaption></figure>

So we make the change in doexec.c and compile our program:

```
C:\MinGW\bin\mingw32-gcc.exe -DNDEBUG -DWIN32 -D_CONSOLE -DTELNET -DGAPING_SECURITY_HOLE getopt.c doexec.c netcat.c -s -lkernel32 -luser32 -lwsock32 -lwinmm -o nc_32.exe
```

We immediately notice that our newly compiled 32-bit nc\_32.exe is not byte-identical to the precompiled nc.exe (32-bit) binary provided by the original project author.

<figure><img src="/files/kpzTvedFSUivtiBUB1QO" alt=""><figcaption></figcaption></figure>

### Part Three: Testing

If we run our new nc\_32.exe and nc\_32bit\_orig.exe side by side on our lab system, we validate that both binaries are compiled for the x86 architecture.

<figure><img src="/files/noaRQENUwrb6SUp14Dyc" alt=""><figcaption></figcaption></figure>
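The two observations above, that the rebuilt binary differs from the original yet both are 32-bit images, can be checked from a triage script instead of a screenshot. The following added example is not code from the original post or from the nc.exe project: it hashes a file and parses the PE/COFF header (`e_lfanew`, the `PE\0\0` signature, then `Machine`, `NumberOfSections` and `TimeDateStamp`) to report the target architecture. Because the real binaries are not on this page, it constructs two minimal, non-loadable PE images inline as stand-ins for nc\_32bit\_orig.exe and nc\_32.exe; on a real system you would pass `open(path, "rb").read()` to `describe()` instead.

```python
"""Compare two PE files by content hash and by COFF header fields.

Added example for this page; the PE images below are constructed inline
(not real netcat builds) so the script runs offline.
"""
import hashlib
import struct

# Machine values from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # x64
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}

# IMAGE_FILE_HEADER (COFF header), 20 bytes little-endian:
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"


def build_min_pe(machine, timestamp, payload):
    """Constructed stand-in image: DOS header with e_lfanew, PE signature, COFF header, payload.

    It is parseable but not loadable; it exists only so the checks below have input.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew: PE signature follows the DOS header
    # Characteristics 0x0102 = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    coff = struct.pack(COFF_FMT, machine, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + payload


def parse_coff_header(data):
    """Return (machine, number_of_sections, timestamp); raise ValueError on a malformed header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + struct.calcsize(COFF_FMT) > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, *_ = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    return machine, nsections, timestamp


def describe(data):
    """Summarise one image: content hash plus the header fields a hash cannot convey."""
    machine, nsections, timestamp = parse_coff_header(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
    }


def compare(a, b):
    """Same architecture but a different hash is exactly the recompiled-binary case."""
    da, db = describe(a), describe(b)
    return {
        "same_hash": da["sha256"] == db["sha256"],
        "same_machine": da["machine"] == db["machine"],
        "same_timestamp": da["timestamp"] == db["timestamp"],
    }


if __name__ == "__main__":
    # Constructed stand-ins: the "original" 32-bit build and a fresh rebuild of the same source.
    orig = build_min_pe(IMAGE_FILE_MACHINE_I386, 1546300800, b"netcat original build")
    rebuilt = build_min_pe(IMAGE_FILE_MACHINE_I386, 1700000000, b"netcat recompiled build")
    for name, image in (("nc_32bit_orig.exe", orig), ("nc_32.exe", rebuilt)):
        print(name, describe(image))
    print(compare(orig, rebuilt))
```

For a defender the interesting line of output is `same_hash: False, same_machine: True`: any allow- or block-list keyed on the file hash, and any AV signature tied to the exact bytes of the 2019 build, will not carry over to a rebuild of the same source, while header fields, imports and runtime behaviour do. Detection that wants to survive a recompile has to key on those instead.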

If we drop this newly compiled binary (nc\_32.exe) onto our Windows 10 target, we find that AV does not detect this executable!

<figure><img src="/files/eWsAty62jybfaA72oyXI" alt=""><figcaption></figcaption></figure>

### Part Four: ???

```xml
[Intentionally Left Blank]
```

### Part Five: Profit

The last step is to ensure that our nc\_32.exe can successfully start a connection with an attacker machine. If we set up a listener on a Kali attack machine, we see that we can connect from our target!

<figure><img src="/files/Bv2ZPS0kcksJrOHXeo05" alt=""><figcaption></figcaption></figure>

### References

{% embed url="<https://github.com/int0x33/nc.exe/>" %}

