Creating a Cyber Attack – Part 8 (Post Exploitation – Gaining Persistence 2)

In the final video of this series we continue with post exploitation using Metasploit and Meterpreter, using Windows commands to gain persistence.

We have created our new user and have remote desktop access. Now we ensure our backdoor is always running and even if it crashes or loses connection we have ways to restart it without having to interact with the victim machine.

We will then show you a post-exploitation module from Metasploit which you can run against a machine you have access to. It tests the victim for further vulnerabilities, which you can use to dig deeper into the machine and possibly pivot around the network.

If you have not read the previous guides or watched the videos I recommend taking a look as all the steps to this point are shown and explained in detail, so if you are not sure about something shown here, go back and read the previous guides.

As with this entire series, the attacker machine is on the right with the victim on the left.

The Windows commands used in this video are:

  • SCHTASKS /CREATE /TN BACKDOOR /SC HOURLY /ST 10:00 /F /RL HIGHEST /SD 22/12/2020 /ED 22/12/2030 /tr "C:\BACKDOOR.exe" /RU testadmin-pc\backdoor /RP £@55w.rd
  • xcopy BACKDOOR.exe "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

The Metasploit commands are:

  • background
  • use post/multi/recon/local_exploit_suggester
  • sessions
  • set session
  • run

We are going to create a new scheduled task that runs our malicious exe every hour. In this demo the exe is stored in the root of the C drive.

In our command we provide a valid username and password (if you are following along from the previous video this would be our "secretuser" account and the password you specified). We also provide a name, a start and end time, schedule, location of the exe, and the credentials.

We can see our new task created successfully below. This means that if we lose connection, as long as the PC is in use, this task will run every hour and provide us with a connection.

Now we want to look at the user's startup programs and add our BACKDOOR.exe to this folder, so every time the user logs in our exe will run and provide us a connection.

Our exe is currently stored in the user's Documents folder, which is where our prompt is running from, so we just need to specify where the file is and where we want to copy it to using the xcopy command.

Success. Now our exe will run whenever the user logs in.
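
Both persistence steps above leave process-creation records (Windows Security event 4688 with command-line auditing, or Sysmon event 1). The following Python is an added example, not part of the original post, showing how a defender can flag them; the sample command lines, the trusted-directory list and the function names are assumptions constructed for illustration.

```python
import re

# Constructed command lines, shaped like the CommandLine field of a process-creation
# event and modelled on the commands in this post (sample data, placeholder password).
SAMPLE_EVENTS = [
    r'SCHTASKS /CREATE /TN BACKDOOR /SC HOURLY /ST 10:00 /F /RL HIGHEST /TR "C:\BACKDOOR.exe" /RU testadmin-pc\backdoor /RP Example-Passw0rd',
    r'xcopy BACKDOOR.exe "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"',
    r'schtasks /create /tn "Vendor Updater" /sc daily /tr "C:\Program Files\Vendor\update.exe"',
    r'xcopy report.docx D:\Backups',
]

TOKEN = re.compile(r'"[^"]*"|\S+')  # quoted strings stay one token
# Assumed allow-list of install locations; tune to the environment.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
STARTUP = "\\start menu\\programs\\startup"

def schtasks_switches(tokens):
    """Map each /SWITCH to the value that follows it ('' for bare flags like /F)."""
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            opts[tok.lower()] = "" if nxt.startswith("/") else nxt.strip('"')
    return opts

def analyse(cmdline):
    """Return the persistence indicators found in one command line."""
    tokens = TOKEN.findall(cmdline)
    if not tokens:
        return []
    image = re.sub(r"\.exe$", "", tokens[0].strip('"').lower().rsplit("\\", 1)[-1])
    findings = []
    if image == "schtasks" and "/create" in [t.lower() for t in tokens]:
        opts = schtasks_switches(tokens)
        if opts.get("/rl", "").lower() == "highest":
            findings.append("task runs with highest privileges")
        if "/rp" in opts:
            findings.append("account password passed on the command line")
        if not opts.get("/tr", "").lower().startswith(TRUSTED_DIRS):
            findings.append("task binary outside trusted directories: " + opts.get("/tr", "?"))
    elif image in ("xcopy", "robocopy"):
        if any(STARTUP in t.lower() for t in tokens[1:]):
            findings.append("file written to a Startup folder")
    return findings

def triage(events):
    """Keep only the events that raised at least one indicator."""
    results = {e: analyse(e) for e in events}
    return {e: f for e, f in results.items() if f}
```

Command-line matching only covers copies made with the listed tools, so pair it with file-creation monitoring on the Startup folders and with Security event 4698, which records scheduled task creation.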

To run the Metasploit exploit suggester we need to exit from Windows and Meterpreter and load the module, so we use exit, and then background our session.

We load the module using use post/multi/recon/local_exploit_suggester, then run show options to see what it needs.

We need the session number so we use the sessions command to find the session we want, then use set session to add it. (In our case 12)

Once this is configured we can run the module. It will take a while to complete, but if it finds anything it will list the results as below. You can then investigate each one without having to be connected to the victim machine.

Finally, we test that our Meterpreter connection is dropped when the victim machine restarts, and that a new connection is created once the user logs back in.

We restart our listener using exploit/multi/handler

We see our new session (13) connect as expected.

Congratulations if you have followed this series through. You should now have a much better idea of what you are up against. This has been a beginner's look at a cyber attack from start to finish, but we will look at more complicated and in-depth aspects of cyber security in the future. Thanks for joining us on this journey.