CON is a special device file on the Windows operating system. It’s short for CONSOLE and can be used at the command line to redirect standard in and standard out. But beware, sometimes CON may not be a console. It might just be a backdoor.
Last Thursday Dan Crowley from Core Impact presented the technical segment on the podcast. Dan discussed his Shmoocon presentation on Windows File Pseudonyms and the many different ways you can address a file on a Windows NTFS partition. Dan covered several interesting ways to twist your filenames to avoid string based filters. I pulled several of them together to create a Windows filename obfuscation cheat sheet based largely on Dan’s work. You can download the cheat sheet here.
Among the various windows pseudonyms Dan discussed the use of Windows devices such as CON, AUX, PRN and LPT1. These are reserved file names with a special purpose at the command prompt. Using these devices has been an interest of mine for some time. One interesting aspect of these devices is that they are not easily deleted or created.
Files that can not easily be deleted are interesting as an incident handler and as a penetration tester. If an attacker places these files on your drive you are going to have a hard time getting rid of them unless you know the trick that I’ll show you here. So what does it take to create, delete and execute files that use these device names? Here is a quick demonstration video of how an attacker can disguise a backdoor as the CON device and avoid being deleted.