metasploit

In previous posts I explained how to exploit and gain access to a Windows OS. After gaining access it is important to create a backdoor so that the system can be exploited again.

If you have succeeded in exploiting a system you may consider placing a backdoor in order to connect to your target again easily. For example, if the user decides to install a patch or to remove the vulnerable service from his system, then you will need to figure out an alternative way of getting access to the remote system again. That is why backdoors are important: they can maintain access to a system that you have compromised.

The Metasploit Framework comes with two options for backdooring a system.

  • Persistence
  • Metsvc


The metsvc backdoor runs as a service on the remote system and requires no authentication, so anyone who finds the backdoor can connect through it to our target. It can also be discovered easily with a simple port scanner, so it is risky to use. On the other hand, it is less noisy compared to the persistence backdoor.

So, in this article we will look at the persistence backdoor of the Metasploit Framework, which is actually a meterpreter script that creates a service on the remote system so that the backdoor is available to you whenever the operating system boots.


Let's say that we have already compromised the target using a meterpreter reverse TCP connection and we need to place the persistence backdoor.


First we execute the command run persistence -h in order to see the available options that we have for the backdoor.


[Screenshot: output of run persistence -h]


As we can see there are different options for the persistence backdoor. The help output is very clear, so we will only explain the options that we will choose.

The -A parameter will automatically start the multi handler.


Another option is -L, which allows us to specify the location on the target host where the payload will be stored. For our scenario we have chosen C:\\ as the path in order to find the backdoor easily.

The -X option is used because we want the backdoor to start when the system boots.

Alternatively there is the -U option. For the interval option we have set 10 seconds, and for the port that the backdoor will listen on we have chosen 443, which is open in most Windows environments.

Finally the -r option is for our IP address.


You can see in the next image the process of the persistence backdoor and the options that we have selected.


[Screenshot: the persistence script running with the selected options]

As we can see we have opened a new Meterpreter session on the remote machine.


Now it's time to check whether the backdoor opens a new session for us every time the system boots. So we will reboot the system in order to see what happens.


[Screenshot: the reboot command]


[Screenshot: Windows 7 shutting down]


After the reboot we will execute the command sessions -i in order to check whether the backdoor has connected back to our system.


We can see that the backdoor is working perfectly. So we can use the sessions -i 3 command in order to interact with our target again and execute commands. For example, we can use the getuid and ipconfig commands in order to discover the name of the user that is running the operating system and the IP address.
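From the defender's side, the walkthrough above leaves two obvious traces on the host: an autostart entry (service or Run key) that survives a reboot, and a payload dropped directly into C:\. The following script is an added example, not code from the original post or from Metasploit; it enumerates auto-start services and the HKLM/HKCU Run keys and flags any entry whose command references a file sitting directly in a drive root. It assumes it is run in an elevated PowerShell on the Windows host being reviewed.

```powershell
# Added defender-side check: list boot/logon autostarts and flag any that
# launch a file placed directly in a drive root (e.g. C:\name.vbs), the drop
# location chosen in the walkthrough above. Not part of the original post.

function Test-RootDropPath {
    param([string]$CommandLine)
    # Matches a path such as C:\name.ext with no further subdirectory, bare or
    # quoted. C:\Windows\... does not match because the lookahead requires the
    # token to end at a quote, whitespace or end of string.
    return [bool]($CommandLine -match '(?i)[a-z]:\\[^\\"\s]+(?=["\s]|$)')
}

$findings = @()

# 1. Services configured to start automatically at boot.
foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' })) {
    if (Test-RootDropPath $svc.PathName) {
        $findings += [pscustomobject]@{
            Source  = 'Service'
            Name    = $svc.Name
            Command = $svc.PathName
        }
    }
}

# 2. Run keys consulted at system start (HKLM) and at user logon (HKCU).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not an autostart entry
        if (Test-RootDropPath ([string]$prop.Value)) {
            $findings += [pscustomobject]@{
                Source  = $key
                Name    = $prop.Name
                Command = $prop.Value
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No autostart entries point at a drive-root file.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any hit should be reviewed together with the file it points at; a payload that reconnects to a remote port 443 every few seconds, as configured above, will also show up as repeated outbound connections from a non-browser process.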