Metasploit Persistence

Monday, September 24, 2012

f8lerror


During penetration tests and red team versus blue team engagements, sometimes you need your shells to always be available.

Let’s say you pop a box and get your meterpreter shell, which always seems to happen right at the end of the day. You leave your shell, only to come back in the morning and find that the connection dropped because the system rebooted.

Now you have to exploit all over again, or, worst case, if you used a password to compromise the system and the person changed it, you’re stuck without a shell. That would be very sad; luckily @Carlos_Perez/Darkoperator made a persistence script that is included in Metasploit.

It’s awesome too: get your shell and run persistence.
Now, if there is an unexpected reboot, you will get your shell back. To clean up the shell, run the multi_console_command script and point it at the cleanup file that the persistence command gives you when you run it.

One thing I found lacking, though, was the use of random file names. While normally that is not an issue, I found that sometimes I needed to give the files a name, either so I could tell a point of contact ‘here is the registry key or service I created, WRPIQDAHVMHJ’, or because at times I felt that a string of random characters would look odd if you were trying not to get caught.

I took it upon myself to alter the built-in script to suit my needs. I added functionality to the persistence script to take a new parameter ‘-N’, which allows you to specify a name for the service or registry key. If you don’t specify the switch, it just defaults to a random name.

Now you can name it whatever you want. Give it a name like Microsoft-Active-Switch or something relevant to the company, and it will be harder to detect and easier to relay to a point of contact. I needed the option and I hope it can be useful to you as well.
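From the defender's side, the random default name is itself a tell, and a custom name such as Microsoft-Active-Switch removes that tell. The following is an added Python example (my own, not code from the post or from Metasploit) that triages a constructed list of autorun entries by name randomness, launch path and an autorun baseline, showing that the renamed entry only evades the name check. The temp-folder .vbs paths and the baseline set are assumptions, not details stated in the post.

```python
import math
import re
from collections import Counter

# Constructed sample of autorun entries (kind, name, command), as a defender
# might export from a host. Paths are assumptions, not taken from the post.
SAMPLE_ENTRIES = [
    ("run_key", "WRPIQDAHVMHJ", r"C:\Users\bob\AppData\Local\Temp\WRPIQDAHVMHJ.vbs"),
    ("service", "Microsoft-Active-Switch", r"C:\Users\bob\AppData\Local\Temp\svc.vbs"),
    ("run_key", "OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
    ("service", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

# Names approved during baselining of this (hypothetical) host.
KNOWN_GOOD = {"OneDrive", "Spooler"}

def shannon_entropy(text):
    """Bits per character; random letter runs score higher than real words."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_random(name):
    """Heuristic for the default persistence naming style (e.g. WRPIQDAHVMHJ):
    a bare run of uppercase letters, no separators, high entropy."""
    return bool(re.fullmatch(r"[A-Z]{8,16}", name)) and shannon_entropy(name) >= 3.0

def script_in_temp(command):
    """Interpreter-run scripts launched from a user-writable temp folder."""
    return re.search(r"\\Temp\\[^\\]+\.(vbs|bat|ps1|js)$", command, re.I) is not None

def triage(entries, baseline=KNOWN_GOOD):
    """Return {name: [reasons]} for entries worth an analyst's attention."""
    findings = {}
    for _kind, name, command in entries:
        reasons = []
        if looks_random(name):
            reasons.append("random-looking name")
        if script_in_temp(command):
            reasons.append("script launched from temp folder")
        if name not in baseline:
            reasons.append("not in autorun baseline")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(f"{name}: {', '.join(reasons)}")
```

The renamed service is missed by the name heuristic alone, which is why the path and baseline checks matter.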
While I have written Python, I had never tried to alter a Ruby script before. This was my first attempt; it is posted at my blog http://infosecsee.com.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
