Sunday, September 23, 2012

Metasploit Persistence

During penetration tests and red team versus blue team engagements you sometimes need your shells to always be available. Let's say you pop a box and get your meterpreter shell, which always seems to happen right at the end of the day. You leave your shell, only to come back in the morning and find that the connection dropped because the system rebooted. Now you have to exploit it all over again, or, worst case, if you used a password to compromise the system and the person changed it, you're stuck without a shell. That would be very sad. Luckily @Carlos_Perez/Darkoperator wrote a persistence script that is included in Metasploit. It's awesome too: get your shell and run persistence.

Now, if there is an unexpected reboot you will get your shell back. To clean up the shell, all you need to do is run the multi_console_command script and point it at the cleanup file, whose path is given to you when you run the persistence command.

One thing I found lacking, though, was the use of random file names. While normally that is not an issue, I found that sometimes I needed to give the files a name, either so I could tell a point of contact "here is the registry key or service I created, WRPIQDAHVMHJ", or because at times I felt that a string of random characters would look odd if you were trying not to get caught.

I took it upon myself to alter the built-in script to suit my needs. I added functionality to the persistence script to take a new parameter, '-N', which allows you to specify a name for the service or registry key. If you don't specify the switch it will just default to a random name. Now you can name it whatever you want. Give it a name like Microsoft-Active-Switch or something relevant to the company and it will be harder to detect and easier to relay as information to a point of contact. I needed the option and I hope it can be useful to you as well.

While I have written in Python, I had never tried to alter a Ruby script before. This was my first attempt; here it is.