Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Description

This lesson is about running Meterpreter as a service on the compromised host. Participants receive step-by-step instructions on how to accomplish this using the `run persistence` command, which offers a number of options (start on user login or on boot, check-in interval, callback host and port).

Video Transcription

00:04
Okay, so we've seen some methods for maintaining access to the system, including setting up a persistent Meterpreter connection,
00:12
and also using keyloggers to try to get information like Windows logins, website logins, or system logins that the victim's system is engaging in. Another option is to actually install
00:31
the Meterpreter shell itself as a service, and we can do this by using the persistence command.
00:40
If I run persistence -h,
00:43
we can see all of our options here.
00:46
We could automatically start an exploit/multi/handler to connect to the agent running back on our Kali system.
00:53
We specify the system that's listening for the connection, and then we have other options, like starting the agent when the user logs in, or starting the agent when the system boots.
01:04
So these are useful parameters. Also, we can set how many seconds we want to wait in between checking for a connection attempt.
01:15
So that's useful. And you'll notice that
01:22
I am logged in as Administrator; I'm not SYSTEM for this, but it should still work.
01:29
So what I can do is run persistence,
01:34
and I'm going to do this when the user logs on; I like that idea better.
01:42
And check every five seconds. I will specify port 4443,
01:48
and then the system listening for the connection is my Kali instance.
02:02
And so we see what happened here.
02:06
It created a payload, windows/meterpreter/reverse_tcp, with my local host and port 4443.
02:15
It showed where it created the Visual Basic script that does the actual work, and then also that it's put this into autorun, the same location we used for netcat earlier.
02:28
Actually, not the same location: it's HKCU instead of HKLM. So it's not Local Machine, it's Current User instead.
02:40
But in any case, the net effect will still be the same.
02:46
So now that that persistence script has been installed, when the user logs into the system
02:55
this will run, and we should be able to set up a handler back on our Kali instance in order to receive the connection.
03:07
Since I'm administrator, I do have the privilege to run the reboot command. I know I didn't cover this earlier, but I can reboot
03:14
the victim's machine, which is kind of handy.
03:21
All right, so it says my session has died.
03:23
And if I go to the victim machine, I can see that it's rebooting,
03:34
and it should probably come right back up and log itself in. And it did.
03:45
Now, if I go back to my Kali instance,
03:51
my old Meterpreter session is closed, of course, but I can use the same handler I've been using,
04:00
exploit/multi/handler. This is the most versatile handler for receiving connections.
04:05
My local host is already set, and my local port is already set.
04:10
Notice that this must match the same port that I used when I ran the persistence script to begin with, so you have to pay attention to those details.
04:20
Now, this is a little bit different than the connections we've been making before. We've been doing staged connections, where
04:31
the victim must have a payload running which tries to connect to our handler.
04:40
Depending on how you do that, that may be a little bit less reliable.
04:46
So this connection is allowing us to rely on the fact that we installed the autorun code, to allow this connection to basically keep trying every five seconds until the handler starts up on the Kali system. And here we go. So I caught it; it looks like a couple of seconds before the next run.
05:11
And now I've got my Meterpreter session. Let's see: I'm logged in as Administrator.
05:17
Now, this connection will check every five seconds as long as the system is up and running. If it gets rebooted,
05:27
the autorun will launch the Meterpreter connection attempt again, and I'll have that available to me as the pen tester until that registry entry gets discovered and removed.
05:42
Obviously, if you're on the victim's system,
05:49
you might say, well, what are some of these processes that are running here? Why do I have connections?
05:58
Maybe someone decides to poke around a little bit, looking for established connections,
06:16
and we see that I do have an established connection back to the Kali instance, which is what we see here: 129 on 4443.
06:27
So if you're the victim, you'd have to be paying attention to look for these connections and think, is that supposed to be there?
06:35
Maybe I was connected to a website; 4443 is kind of a port that blends in because it's normally associated with SSL connections to websites. But it is still something to think about.
06:47
Regardless of whether the victim discovers the connection, we can see how easy it is to create this. And now this is here any time I want: I just start a handler and the connection should happen within a five-second interval.
07:04
Very handy.
07:06
All right, that ends the section. Thank you.
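A defender-side check for the two artifacts this lesson leaves on the victim: the HKCU Run value pointing at a .vbs in the user's Temp directory, and the periodic outbound connection to the handler on port 4443. This is an added example, not code from the course or from Metasploit. The registry, netstat and tasklist text is constructed sample output in the shape of `reg query`, `netstat -ano` and `tasklist /fo csv`; the value names, file names, PIDs, addresses and the allowlist of expected network clients are assumptions made for illustration.

```python
"""Hunt for user-logon persistence: an HKCU Run value that launches a .vbs
payload out of Temp, plus the beaconing connection that payload keeps making.

Added example; not code from the course or from Metasploit. All sample text
below is constructed, not captured from a real host.
"""
import csv
import io
import re

# Constructed sample: `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# after `run persistence -U` (value name and .vbs name are random in practice).
RUN_KEY_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    lYkRBxUz    REG_SZ    C:\Users\admin\AppData\Local\Temp\QcJWcKMA.vbs
"""

# Constructed sample: `netstat -ano` showing the beacon to the Kali host on 4443.
NETSTAT_ANO = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.130:49180    52.96.12.34:443        ESTABLISHED     1672
  TCP    192.168.1.130:49211    192.168.1.129:4443     ESTABLISHED     3044
"""

# Constructed sample: `tasklist /fo csv`, used to map a PID to its image name.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","884","Services","0","9,000 K"
"OneDrive.exe","1672","Console","1","45,000 K"
"ROZHEYlF.exe","3044","Console","1","5,000 K"
"""

SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|bat|cmd|ps1)\b", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|powershell)(\.exe)?\b", re.I)
TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Temp|Tmp)\\", re.I)
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")

# Assumption for this example: processes this workstation is expected to see talking out.
EXPECTED_NETWORK_CLIENTS = {"OneDrive.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def parse_run_values(dump):
    """Return (value_name, value_data) pairs from `reg query` output.
    Value names containing spaces are not handled; fine for this sample."""
    return [(m.group(1), m.group(3)) for m in map(VALUE_LINE.match, dump.splitlines()) if m]


def suspicious_run_values(dump):
    """Flag Run values that launch a script (or script host) or live in a Temp directory."""
    findings = []
    for name, data in parse_run_values(dump):
        reasons = []
        if SCRIPT_FILE.search(data) or SCRIPT_HOST.search(data):
            reasons.append("launches a script file or script host")
        if TEMP_DIR.search(data):
            reasons.append("payload path is in a temp directory")
        if reasons:
            findings.append({"value": name, "data": data, "reasons": reasons})
    return findings


def parse_netstat(text):
    """Parse TCP rows of `netstat -ano` (UDP rows have no State column and are skipped)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
            rhost, rport = remote.rsplit(":", 1)
            conns.append({"proto": proto, "local": local, "remote_host": rhost,
                          "remote_port": int(rport), "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(csv_text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(csv_text))}


def suspicious_connections(netstat_text, tasklist_text, expected=EXPECTED_NETWORK_CLIENTS):
    """ESTABLISHED connections owned by a process outside the expected set.
    4443 reads like an HTTPS-ish port, so the owning image, not the port, is the tell."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for conn in parse_netstat(netstat_text):
        if conn["state"] != "ESTABLISHED":
            continue
        image = images.get(conn["pid"], "<unknown>")
        if image not in expected:
            findings.append({**conn, "image": image})
    return findings


if __name__ == "__main__":
    for f in suspicious_run_values(RUN_KEY_DUMP):
        print(f"[Run] {f['value']} = {f['data']}  ({'; '.join(f['reasons'])})")
    for c in suspicious_connections(NETSTAT_ANO, TASKLIST_CSV):
        print(f"[Net] {c['image']} (pid {c['pid']}) -> {c['remote_host']}:{c['remote_port']}")
```

On a live host, feed the functions the real output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, `netstat -ano` and `tasklist /fo csv`. If the attacker chose the boot-time option instead of user logon, the value lands under HKLM rather than HKCU, so query both hives; and since the dropped .vbs only re-launches every few seconds, a single netstat snapshot can miss the beacon, so sample it more than once.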

Up Next

Metasploit

This Metasploit tutorial will teach you to utilize the deep capabilities of Metasploit for penetration testing and help you to prepare to run vulnerability assessments for organizations of any size.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor