Part 2 - Running Metasploit as a Service

Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
00:03
>> We've seen some methods for maintaining access to the system, including setting up a persistent Netcat connection and also using key loggers to try to get information like what Windows logins, website logins, or system logins the victim system is engaging in. But another option is to actually install the meterpreter shell itself as a service. We can do this by using the persistence command.

If I run persistence dash h, we can see all of our options here. We can use that to start an exploit multi handler to connect to the agent running back on our Kali system. We specify the system that's listening for the connection, and then we have other options like starting the agent when the user logs in, or starting the agent when the system boots. These are useful parameters. Also, we can see how many seconds we want to wait in between checking for a connection attempt. It's pretty useful.

You'll notice that I am logged in as administrator; I'm not SYSTEM for this, but it should still work. What I can do is run persistence, and I'm going to do this when the user logs on, because I like that idea better. I'm going to check every five seconds. I will specify port 443, and then the system listening for the connection is my Kali instance.

We see what happened here: it created a payload, Windows meterpreter reverse TCP, my local host, port 443. It shows me where I created the Visual Basic script that does the actual work. Then also it's put this into autorun, so the same location we used for Netcat earlier. Actually, not the same location; it's HKCU instead of HKLM. It's not Local Machine, it's Current User instead. But in any case, the net effect will still be the same.

Now that the persistent script has been installed, when the user logs into the system, this will run, and we should be able to set up a handler back on our Kali instance in order to receive the connection. Since I'm administrator, I do have the privilege to run the reboot command. I know I didn't cover this earlier, but I can reboot the victim's machine, which is handy. It says my session has died, and if I go to the victim machine, I can see that it's rebooting and should probably come right back up and log itself in. And it did.

Now if I go back to my Kali instance, [NOISE] my old meterpreter session is closed, of course, but I can use the same handler I've been using: exploit multi handler. This is the most versatile handler for receiving connections. My local host is already set, my local port is already set. Notice this must match the same port that I used when I ran the persistence script to begin with. You have to pay attention to those details.

But now, this is a little bit different than the connections we've been making. Before, we've been doing staged connections where the victim must either have a payload running, which tries to connect to a handler. Depending on how you do that, that may be a little bit less reliable. This connection is allowing us to rely on the fact that we installed the autorun code to allow this connection to be basically trying every five seconds until the handler starts up on the Kali system. Here we go, I caught it. Looks like a couple of seconds before the next run, and now I've got my meterpreter session. I'm logged in as administrator.

Now, this connection will check every five seconds as long as the system is up and running. If it gets rebooted, the autorun will launch the meterpreter connection attempt again, and I'll have that available to me as the pen tester until that registry entry gets discovered and removed.

Obviously, if you were on the victim system, you might say, "Well, what are some of these processes that are running here? Why do I have connections?" Maybe someone decides to poke around a little bit looking for established connections. We see that I do have an established connection back to the Kali instance, which is what we see here, 129 on port 443. If you're the person who is the victim, you'd have to be paying attention to look for these connections and think, why is that supposed to be there? Maybe I was connected to a website; 443 is a port that blends in because it's normally associated with SSL connections to websites. But it is still something to think about.

Regardless of whether the victim discovers the connection, we can see how easy it is to create this. Now this is here. Anytime I want, I just start up a handler, and the connection should happen within a five-second interval. Very handy. That ends this section. Thank you.