GIAC Penetration Tester (GPEN) — Question 6
While reviewing traffic from a tcpdump capture, you notice the following commands being sent from a remote system to one of your web servers:
C:\>sc \\internet.host.com create ncservice binpath= "c:\tools\nc.exe -l -p 2222 -e cmd.exe"
C:\>sc \\internet.host.com query ncservice
What is the intent of the commands?
Answer options
- A. The first command creates a backdoor shell as a service. It is being started on TCP 2222 using cmd.exe. The second command verifies the service is created and its status.
- B. The first command creates a backdoor shell as a service. It is being started on UDP 2222 using cmd.exe. The second command verifies the service is created and its status.
- C. This creates a service called ncservice which is linked to the cmd.exe command and it's designed to stop any instance of nc.exe being run. The second command verifies the service is created and its status.
- D. The first command verifies the service is created and its status. The second command creates a backdoor shell as a service. It is being started on TCP
Correct answer: A
Explanation
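Option A is correct: the first command uses sc to create a service named ncservice on the remote host, and the service's binary path starts nc.exe listening on port 2222 and handing cmd.exe to whoever connects, which is a backdoor shell. The port is TCP because netcat uses TCP unless the -u option is given. The second command queries that service to verify that it was created and to check its status. Option B misidentifies the protocol as UDP, option D reverses the sequence of the two commands, and option C misrepresents the purpose of the service and its functionality.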