Deceiving Defender: Making nc.exe viable again
nc.exe is a powerful utility that allows for cross-platform connections. Many modern antivirus definitions detect nc.exe and prevent its use for Red Team operations
Last updated
Netcat is often referred to as the "swiss army knife" of networking because of its robust capability to read and write to network connections over either TCP or UDP. This capability makes it an essential part of any Red Team's tool suite, and if you've ever participated in a CTF you've likely used netcat at some point in the competition.
One of the most interesting capabilities netcat provides is the ability to connect a Windows target system to a Linux attacker machine. This cross-platform connection allows an attacker to deploy an arsenal of tools that are not necessarily readily available on other platforms.
We begin this project by looking for the standard nc.exe that a quick web (Google) search retrieves for us. We find the nc.exe project by @int0x33.
Looking at this project, we notice that the last commit was in 2019, which is an eternity in internet time. AV technologies have come a long way since then, and without a doubt, there are going to be issues with this binary on a modern end-user system.
Let's download the project and try to drop the default nc.exe into a fully updated Windows 10 (x64) virtual machine.
Note: nc64.exe appears to go undetected both on disk and at runtime, at least at the time of this writing, so we'll focus on nc.exe (32-bit).
We rename the nc.exe to nc_32bit_orig.exe to maintain clarity in our modification workflow.
If we try to compile a 32-bit version of nc_32.exe out of the box, we get the following error:
There are several ways to fix this error, but a quick reference to the Microsoft Reference Source gives us the const int value we need to replace "ERROR_BROKEN_PIPE" with.
So we make the change to doexec.c and compile our program.
C:\MinGW\bin\mingw32-gcc.exe -DNDEBUG -DWIN32 -D_CONSOLE -DTELNET -DGAPING_SECURITY_HOLE getopt.c doexec.c netcat.c -s -lkernel32 -luser32 -lwsock32 -lwinmm -o nc_32.exe
We immediately notice that our newly compiled 32-bit nc_32.exe is not identical to the precompiled nc.exe (32-bit) binary provided by the original project author.
If we run our new nc_32.exe and nc_32bit_orig.exe side by side on our lab system we validate that both binaries are compiled for x86 architecture.
If we drop this newly compiled binary (nc_32.exe) onto our Windows 10 target, we find that AV does not detect this executable!
The last step is to ensure that our nc_32.exe can successfully start a connection with an attacker machine. If we set up a listener on a Kali attack machine, we see that we can connect from our target!