Metasploit payloads as backdoors?

[cr1spyj0nes]

Hi there i hope people with programing knowledge or even just ruby knowledge read this.
iv got this idea for metasploit payloads, why not implement then to have backdoor capabilities, like once exploited the payload you just used beds it self in to
system32 dir,
and reg,
you no what i mean, i love meterpreter my self and im trying to accomplish this, its not easy for me because i have next to no knowledge of programing but im learning very fast, of the top of my head if i could get rid of that error message
" blah blah has stoped woking"
after you disconnect you could loop it so when you close the connection it re-opens a listener again, i dont no just trying so messaround a bit, i'm shaw aomeone has done it.
please reply if you have anyideas,

[barbsie]

You don't need programming skillz to do this.
Once you have a shell you can download/install any program as a service backdoor, including metasploit payloads.
(You probably know that you can generate metasploit "exe" payloads, right?)

hint: the "sc" command in windows. I leave the rest of the fun up to you

[cr1spyj0nes]

yes i no how to do that, im not that noob, will sc command elimanate the error message?

[lupin]

Am I right in thinking you just want to create a persistent backdoor on an exploited Windows host?

If so, then barbsie is correct, the easiest way to do this will be to upload a backdoor executable, run it, and optionally use some sort of persistence mechanism to keep it running. If the backdoor executable itself keeps running and re-listens after disconnect (as would a nc listener using the -L "listen harder" switch) you only need to use a persistence mechanism if you want the backdoor to restart after a system reboot. If the backdoor executable doesn't re-listen after disconnect, you could write a batch file to keep restarting it.

Regards restarting the backdoor after a system reboot...

Windows has a number of ways to autostart programs at boot time - the SysInternals autoruns tool will show you where the great majority of these methods are. Use of Windows Services (which can be controlled by the "sc" command line tool mentioned by barbsie) is one of the easiest way to achieve this.

However, there is a caveat with the use of Windows "Services" - it will kill programs after 30 seconds unless the program is written to respond to the Windows Service Control Managers API request to determine if the service is running correctly. You can get around this by using a tool to "servify" the command (using something such as the "ServifyThis" tool), or you could use a command prompt to spawn your executable in a new process (cmd.exe /k "command"). Alternatively, another method to start the process and keep it running is to use the task scheduler (at or schtasks from the command line).

Be careful using persistent backdoors on a pen test - you will need to clean up after yourself when the test is done.

If you really want to do this inside Metasploit, you're going to need to learn to write shellcode, and I don't think doing what you suggest would be particularly easy. Even if you do manage it, you will also lose access to your backdoor once the exploited process restarts (unless you modify the program binary - which is a whole other kettle of fish).

[cr1spyj0nes]

yeah iv got meterpreter bind shellcode and put it in .c and compiled it, now is there any way to loop the process in C so you dont get the " met.exe has stoped working " message. or will i have to change the shell code, iv got backdoor that i made and work verry well but i like meterpreter, how can i work around this?

[lupin]

yeah iv got meterpreter bind shellcode and put it in .c and compiled it, now is there any way to loop the process in C so you dont get the " met.exe has stoped working " message. or will i have to change the shell code, iv got backdoor that i made and work verry well but i like meterpreter, how can i work around this?

I just tried adding a while loop around the function calling shellcode in a C program (the Win32 Bind Shell from the Metasploit Shellcode page) and couldn't get it to work. Id suggest running the program from a batch file which keeps restarting it (as mentioned in my previous post).

[imported_Deathray]

This is just a guess, but I think the reason metasploit has no persistent backdoor capabilities is maybe because of antivirus software.
Try creating a meterpreter executable and upload it to www.virustotal.com. Last time I tried, I believe none of the products detected it.
But that probably wouldn't stay the same if it had persistent capabilities.
I don't know, what do the professionals say?
But to the OP, one thing I like to do is from windows try going to start -> run -> iexpress.exe
That program allows you to create a self extracting exe file which can silently execute a file once unzipped. So I like to compress a batch together with the meterpreter.exe and the batch file basically copies the meterpreter.exe to for example system32, and then adds a key value to "Run" which automatically starts meterpreter upon boot, and finally executes netsh firewall XXXX to allow the program through windows firewall. You configure the compressed .exe with iexpress.exe to execute the batch once compressed.
The only disadvantage is that you have to remember the port it is set to listen on, because doing an nmap scan on the port meterpreter is listening on, will cause it to crash.
So after a successful penetration, upload the compressed file and execute it - then you have permanent access.

[cr1spyj0nes]

but once you connect to it and disconect it print of an error message blah blah has stoped working?

[imported_Deathray]

but once you connect to it and disconect it print of an error message blah blah has stoped working?

Yes, unfortunately.
I just found this, not sure if it will work, http://www.phreedom.org/software/metsvc/

[cr1spyj0nes]

yeah iv try'd that prog il try it ox xp but i dont think its working right tho,, or i cant work it,lol if any one has got this rogram workng please let me no ,,