Okay, so we've seen some methods for maintaining access to the system, including setting up a persistent Meterpreter connection,
and keyloggers to try to capture information like Windows logins, website logins,
or system logins that the victim's system is engaging in. Another option is to actually install
the Meterpreter shell itself as a service, and we can do this by using the persistence command.
If I run persistence -h,
we can see all of our options here.
We could have it start an exploit/multi/handler to connect to the agent running back on our Kali system (-A).
We specify the system that's listening for the connection (-r). And then we have other options, like starting the agent
when the user logs in (-U), or starting the agent when the system boots (-X).
Useful parameters. Also, we can set how many seconds we want to wait in between connection attempts (-i).
So very useful. And you'll notice that
I am logged in as administrator, not SYSTEM, for this,
but it should still work.
I'm going to do this when the user logs on;
I like that idea better.
And check every five seconds.
I will specify port 443,
and the system listening for the connection is my Kali instance.
And so we see what happened here.
It created a payload, windows/meterpreter/reverse_tcp, with my local host.
It showed where it created the Visual Basic script that does the actual work.
And then it also put this into
autorun, the same location we used for netcat earlier.
Actually, not the same key location: it's HKCU
instead of HKLM.
So it's not Local Machine, it's Current User instead.
The net effect will still be the same.
So now that the persistence script has been installed, when the user logs into the system,
this will run, and we should be able to set up a handler
back on our Kali instance in order to
receive the connection.
Since I'm administrator, I do have the privilege to run the reboot command. I know I didn't cover this earlier, but I can reboot
the victim's machine, which is kind of handy.
All right, so it says my session has died.
On the victim machine, I can see that it's rebooting,
and it should come right back up and log itself in. And
now, if I go back to my Kali instance,
my old Meterpreter session is closed, of course, but I can
use the same handler I've been using,
exploit/multi/handler. This is the most versatile handler for receiving connections.
My local host is already set, and the local port is already set.
Notice this must match the same port that I used when I
ran the persistence script to begin with, so you have to pay attention to those details.
This is a little bit different from the connections we've been making before. We've been doing staged connections, where
the victim must run something
which tries to connect to our handler.
Depending on how you do that, that may be a little bit less reliable.
So this connection is allowing us to
rely on the fact that we installed the autorun
code, which keeps trying the connection every five seconds until the handler starts up
on the Kali system. And here we go. So I caught it; it looks like it was a couple of seconds before the next run.
And now I've got my Meterpreter session. Let's see,
and I'm logged in as administrator.
Now, this connection will be attempted every five seconds as long as the system is up and running. If it gets rebooted,
the autorun will launch the Meterpreter
connection attempt again, and I'll have that available to me as the pen tester until that
registry entry gets discovered and removed.
Obviously, if you're on
the victim's system,
you might say, well, what are some of these processes that are running here? Why do I have connections?
Maybe someone decides to
poke around a little bit,
and we see that I do have an established connection
back to the Kali instance, which is what we see here (129).
So if you're the person who is
the victim, you'd have to be paying attention to look for these connections and think, is that supposed to be there?
Maybe I was connected to a website; 443 is the kind of port that blends in because it's normally associated with SSL connections to websites. But it is still something to think about.
Until the victim discovers the connection, we can see how easy it is to create this, and now this is here any time I want: I just start a handler and the connection should happen within a five-second interval.
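Here is an added Python example of the victim-side check just described; it is not from the course. It looks at the two artifacts the persistence script leaves behind: a value under HKCU\...\Run that launches a script from a user-writable directory, and an established connection to port 443 owned by a process that is not a browser. The Run entries, netstat lines, PIDs and addresses are constructed sample data (documentation-range IPs), not captured output, and the function names are mine. Because the dropped VBS may in turn launch an executable, the connection check keys on "owner is not a known browser" rather than on wscript.exe specifically.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data standing in for `reg query HKCU\...\Run` and
# `netstat -ano` on the victim; names, paths, PIDs and addresses are made up.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_ENTRIES = {
    "OneDrive": r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "yRwTkqLs": r"C:\Users\admin\AppData\Local\Temp\yRwTkqLs.vbs",
}
NETSTAT = """\
  TCP    10.0.0.5:49710    192.0.2.10:443      ESTABLISHED    4120
  TCP    10.0.0.5:49711    198.51.100.7:443    ESTABLISHED    2212
  TCP    0.0.0.0:135       0.0.0.0:0           LISTENING      900
"""
PID_TO_IMAGE = {4120: "wscript.exe", 2212: "chrome.exe", 900: "svchost.exe"}

SCRIPT_EXTS = (".vbs", ".js", ".wsf", ".ps1", ".bat", ".cmd", ".hta")
USER_WRITABLE = (r"\appdata\local\temp\\", r"\appdata\roaming\\",
                 r"\users\public\\", r"\programdata\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\w+)\s+(\d+)\s*$", re.M)


def suspicious_run_entries(entries: Dict[str, str]) -> List[str]:
    """Names of Run values that launch a script from a user-writable path."""
    hits = []
    for name, cmd in entries.items():
        low = cmd.lower().replace("/", "\\")
        runs_script = any(ext in low for ext in SCRIPT_EXTS)
        from_user_dir = any(d.replace("\\\\", "\\") in low for d in USER_WRITABLE)
        if runs_script and from_user_dir:
            hits.append(name)
    return hits


def parse_netstat(text: str) -> List[Tuple[str, str, str, int]]:
    """(local, remote, state, pid) tuples from `netstat -ano` style lines."""
    return [(l, r, st, int(pid)) for l, r, st, pid in NETSTAT_RE.findall(text)]


def suspicious_connections(text: str, pid_to_image: Dict[int, str],
                           port: int = 443) -> List[Tuple[str, int, str]]:
    """Active connections to `port` whose owning process is not a browser."""
    hits = []
    for _local, remote, state, pid in parse_netstat(text):
        if state not in ("ESTABLISHED", "SYN_SENT"):
            continue
        if not remote.endswith(f":{port}"):
            continue
        image = pid_to_image.get(pid, "unknown").lower()
        if image not in BROWSERS:
            hits.append((remote, pid, image))
    return hits


if __name__ == "__main__":
    print("Run values to review under", RUN_KEY, "->", suspicious_run_entries(RUN_ENTRIES))
    print("Non-browser :443 connections ->", suspicious_connections(NETSTAT, PID_TO_IMAGE))
```

On the sample data the OneDrive value and the Chrome connection are left alone, while the Temp-directory VBS and the wscript.exe connection to port 443 are both flagged; the point is that neither artifact is conclusive on its own, but a Run entry in Temp plus a script host holding a long-lived 443 session is exactly the pair the persistence script produces.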
All right, that ends the section. Thank you.