Windows Post Exploitation - Persistence With Metasploit
Key Takeaways
The video demonstrates how to establish persistence on Windows systems using Metasploit modules, covering various techniques for post-exploitation.
Full Transcript
[Music] hey guys hackersploit here back again with another video welcome back to the pen testing boot camp in this video we will be exploring the process of setting up or maintaining access to a windows target via metasploit of course uh in the red team series we explored you know windows persistence techniques primarily through empire but now we're going to be taking a look at how this can be facilitated through you know various metasploit post exploitation modules so again as i said in the previous video we're going to be skipping over the process of you know generating a payload with msf venom then transferring it etc and we're also going to ignore this these techniques listed here the main objective is to maintain access to the target system in the event the target system is rebooted shut down or you know our rdp credentials are changed so once you've gained access you need to ensure that you continue to have access to the target system irregardless of what happens so as i said one of the one of the techniques that you can do or can perform is the ability to create a backdoor user which again is something that has its own advantages and disadvantages and then of course if you have access to the target system via a meterpreter session uh what i'll do is i'll put this in the background so i'm going to be resuming from the previous video i can search for you know the persistence module so i'm just going to say uh the type of the platform is a windows and we will search for persistence module so i'll hit enter now you can see that the default module that is recommended is this particular module here which is the exploit windows local persistence module and you know it says you know windows persistent registry startup payload installer which essentially sets up assistance via the registry so you can take a look at that if you want the one that i really like or the one that i wanted to highlight in this particular video is obviously going to be the persistent service module as well as the uh a few others like um for example uh you remember we don't want to have any artifacts on the system but one that is uh uh you know really really uh one that really works well is the persistent service for various reasons one of which is the fact that you'll always get a session on the target system irregardless of whether or not the system is shut down or not so for example if i lose access to the target uh you know via you know session two via my meterpreter session i'll be able to gain access in a few seconds without the system uh you know having to be restarted or anything like that now as i said you can explore any of the other ones uh any of the other modules one of them that again i really recommend is the authenticated wmi xx via powershell module here which works really well but in this case let's take a look at the persistent service module so i'm going to say copy and use i'm going to paste that in there we're going to set the payload we leave it as windows interpreter reverse tcp the 32-bit payload because we can always upgrade our meter you know session to a 64-bit session um so i'll say show options and again if we list out our sessions uh the ports that we currently have running are port four four four four and four four two two so we need to change l port there and the lhost option so i'll say ifconfig and we'll just copy the tunnel zero interface ip so i'm going to say set l host to the following and then we'll set the l port to maybe three three four four show the options again and uh yeah so we can essentially modify the actual remote victim uh name for the executable as well as the path so again uh this will utilize the temp directory by default if you don't specify one which is great and then you can set the retry time and this is of course used to specify the retry time that the shell will connect to so after five seconds you know and then of course we can give it a service name so this is usually recommended if you want it to look as clandestine as possible so again in this case because the the target is windows server and of course a windows or rather servers in general are not frequently accessed or you don't have users you know frequently logging on to them then you know we can pretty much stay under the radar unless uh we're actually identified but we're really not at the evasion stage of things yet although i will be covering that so we'll set the service name to maybe something like um let me you know type that in again we can set the service name to uh you know something like lsas something that can blend in really well uh so we can say lsas ls1 lss2 you know just something basic so else t or whatever um again in this case i'm just trying to make it blend in so i'll set the service name there and then i'll set the session to session two and again if i type in info this will give you an idea of what this module will do as you can see this module will generate and upload an executable to a remote host next it'll make it a persistent service now i know that this is touching the disk as i said in this particular case i'm really interested in convenience it'll then create a new service which will start the payload whenever the service is running admin or system privileges are required as with most of the persistence modules for windows so i can just hit run or exploit i'll just type in exploit here then we also is going to run the module against a domain controller and there we are it also generates an rc file for us that we can use and i'll get into rc files in a few seconds it's going to send the stage and we should get a session and then what i'm going to do is i'm going to terminate that particular session or all of the sessions and you'll be able to see that we'll be able to gain access really simply so again i'm just going to give this a couple of seconds to actually send a stage all right so we get materpreta session three opened and again says info you can see it's a 32-bit interpreter session as expected so if i put this in the background and i'm just going to copy the path to the rc file because i want to explore that in a few seconds by the way take or you know take note of the actual module options that you specified with this persistence module so for example the l host and the l port option so i'm just going to take note of that because again the likelihood that i'll forget that is uh very high so the only option that i usually forget is the actual l port option the payload i know is the 32-bit interpreter payload um right okay so if i list out the sessions you can see that we have three sessions so i'm just going to kill all of them so sessions kill uh type that in correctly there we are and i'll just exit and i'm pretty sure i have a few jobs running so let me just exit out of all of that so again if we kept the contents of that particular rc file um it looks like that's stored under root so probably need to say sudo but what we can do is create our own rc file so an rc file in the context of medisploit stands for a resource script a resource script can be used to air to automate various aspects of metasploit primarily through msf console so in this case what this rc script was going to do is it was going to set up uh you know the multi handler for us at the payload l port and l host options that we specified uh with the persistent service module so we can create our own so i'm just going to head over onto my desktop and i'm just going to say vim and we'll call this handler.rc so again this works very similar to a windows batch script where each command is specified sequentially based on the order that you want them to be executed so in this case we're going to say use multi-handler we're going to say set the payload i can't type that in correctly for some reason set the payload to windows interpreter reverse tcp that's what we used and then we're going to set the lhost option to uh that was uh hmm do i have to get that again yeah i do so let me just type in knifeconfig here there we go and let me just close that tab there so lhost is the the our ip the cali ip and then l port is three three four four let me make sure that's correct there we are three three four four and then run so what's going to happen is when i uh you know specified that i want to use this resource script with msf console it's going to automate the process of you know loading the multi-handler module it's going to set the payload automatically for us it's going to set the lhost option l port option and then it's going to run so i can just type in write and quit and then to use a resource script with msf console you simply type in msf console and then r for resource script and then specify the name of the resource script which in this case is handler.rc and we hit enter now we should get a meterpreter session immediately because we use the persistent service module so after five seconds you know we should get a session on the target system so it's going to start up msf console it's going to automate the process of setting up you know multi-handler setting the payload there we are starts the reverse tcp handler and it sends the stage immediately so we are able to gain access to the target system almost immediately and we do so you know sysinfo there we are you can see it's a 32-bit meterpreter session if we you know say pgrep explorer um we can migrate to explorer or any other process any other 64-bit process and yeah we can essentially you know upgrade our interpreter session to a 64-bit interpreter session but in this case we don't need to do that right so uh that's essentially what i wanted to cover and again that's in my case that's how i would have built this particular task because uh this is fairly uh you know fairly menial uh in regards to you know the actual process of generating a payload and then of course transferring it to the target executing it setting up the handler so hopefully i've uh i've helped you uh you know save a lot of time when it comes down to establishing or setting up assistance on a target system and of course i've also gone over you know the resource scripts and how they can be used to automate that process so it's fairly simple to understand and we are at the end of the windows post exploitation room or the post exploitation basics room on try hack me so again we're going to be exploring other you know post exploitation techniques for both windows and linux and then of course we'll explore privilege escalation as we move on once we're done with that we'll then move on to web app pen testing which is something that i'm really really excited for so we'll just hit complete and we'll head over into the conclusion and it complete and we should be done with this room all right fantastic so that is done i know that took a while and it coincided with the release of the red team series so i apologize for that but that should be done now and we can begin exploring you know some of the other techniques and complete the penetration testing boot camp so that's gonna be it for this video let me know if you guys any had any questions or suggestions if you do leave them in the comment section or you can join our discord server the link is in this the description and yeah if you like this video or you found value in it please leave a like down below and i'm going to be seeing you guys in the next video peace a huge thank you to all of our patreons your support is greatly appreciated and this is a formal thank you so thank you shamir douglas ryan carr sandor michael busby sits up doozy defean barry dustin on press and michael hubbard your support is greatly appreciated and you keep us making even more high quality content for you guys so thank you [Music]
Original Description
In this video, I cover the process of establishing persistence on Windows systems through the use of various Metasploit modules.
-----------------------------------------------------------------------------------
BLOG ►► https://bit.ly/3qjvSjK
FORUM ►► https://bit.ly/39r2kcY
ACADEMY ►► https://bit.ly/39CuORr
-----------------------------------------------------------------------------------
TWITTER ►► https://bit.ly/3sNKXfq
DISCORD ►► https://bit.ly/3hkIDsK
INSTAGRAM ►► https://bit.ly/3sP1Syh
LINKEDIN ►► https://bit.ly/360qwlN
PATREON ►► https://bit.ly/365iDLK
MERCHANDISE ►► https://bit.ly/3c2jDEn
-----------------------------------------------------------------------------------
CYBERTALK PODCAST ►► https://open.spotify.com/show/6j0RhRiofxkt39AskIpwP7
-----------------------------------------------------------------------------------
We hope you enjoyed the video and found value in the content. We value your feedback, If you have any questions or suggestions feel free to post them in the comments section or contact us directly via our social platforms.
-----------------------------------------------------------------------------------
Thanks for watching!
Благодарю за просмотр!
Kiitos katsomisesta
Danke fürs Zuschauen!
感谢您观看
Merci d'avoir regardé
Obrigado por assistir
دیکھنے کے لیے شکریہ
देखने के लिए धन्यवाद
Grazie per la visione
Gracias por ver
شكرا للمشاهدة
-----------------------------------------------------------------------------------
#Pentesting#Cybersecurity
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from HackerSploit · HackerSploit · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
How To Install Kali Linux 2.0 On Virtual Box
HackerSploit
100 Subscriber Q&A! - How I Learned Ethical Hacking
HackerSploit
BlackArch Linux Review - Better Than Kali Linux?
HackerSploit
How to Access the Deep Web Safely | Deep Web Starter Guide 1.0
HackerSploit
Wireshark Tutorial for Beginners - Installation
HackerSploit
Wireshark Tutorial for Beginners - Overview of the environment
HackerSploit
Wireshark Tutorial for Beginners - Capture options
HackerSploit
Wireshark Tutorial for Beginners - Filters
HackerSploit
Complete Ethical Hacking Course - Become a Hacker Today - #1 Hacking Terminology
HackerSploit
Complete Ethical Hacking Course #2 - Installing Kali Linux
HackerSploit
Parrot OS 3.5 Review | The Best Kali Linux Alternative
HackerSploit
Nmap Tutorial For Beginners - 1 - What is Nmap?
HackerSploit
Katoolin | How To Install Pentesting Tools On Any Linux Distro
HackerSploit
Nmap Tutorial For Beginners - 2 - Advanced Scanning
HackerSploit
Nmap Tutorial For Beginners - 3 - Aggressive Scanning
HackerSploit
Zenmap Tutorial For Beginners
HackerSploit
How To Setup Proxychains In Kali Linux - #1 - Stay Anonymous
HackerSploit
How To Setup Proxychains In Kali Linux - #2 - Change Your IP
HackerSploit
How To Change Mac Address In Kali Linux | Macchanger
HackerSploit
How To Setup And Use anonsurf On Kali Linux | Stay Anonymous
HackerSploit
Ubuntu 17.04 "Zesty Zapus" Review - Bye Unity
HackerSploit
VPN And DNS For Beginners | Kali Linux
HackerSploit
Tails OS Installation And Review - Access The Deep Web/Dark Net
HackerSploit
Steganography Tutorial - Hide Messages In Images
HackerSploit
The Lazy Script - Kali Linux 2017.1 - Automate Penetration Testing!
HackerSploit
Best Linux Distributions For Penetration Testing
HackerSploit
Netcat Tutorial - The Swiss Army Knife Of Networking - Reverse Shell
HackerSploit
Gaining Access - Web Server Hacking - Metasploitable - #1
HackerSploit
Web Server Hacking - FTP Backdoor Command Execution With Metasploit - #2
HackerSploit
How To Install Kali Linux On VMware - Complete Guide 2018
HackerSploit
Q&A #1 - Best Cyber-security Certifications?
HackerSploit
Terminator - Kali Linux - Multiple Terminals
HackerSploit
Shodan Search Engine Tutorial - Access Routers,Servers,Webcams + Install CLI
HackerSploit
Q&A #2 - Mr Robot?
HackerSploit
Metasploit Community Web GUI - Installation And Overview
HackerSploit
Linux Expl0rer - Forensics Toolbox - Installation & Configuration
HackerSploit
QuasarRAT - The Best Windows RAT? - Remote Administration Tool for Windows
HackerSploit
Metasploit For Beginners - #1 - The Basics - Modules, Exploits & Payloads
HackerSploit
Metasploit For Beginners - #2 - Understanding Metasploit Modules
HackerSploit
Kali Linux Quick Tips - #1 - Adding a non-root user
HackerSploit
Metasploit For Beginners - #3 - Information Gathering - Auxiliary Scanners
HackerSploit
Spectre Meltdown Vulnerability - How To Check Your System
HackerSploit
Metasploit For Beginners - #4 - Basic Exploitation
HackerSploit
ARP Spoofing With arpspoof - MITM
HackerSploit
WordPress Vulnerability Scanning With WPScan
HackerSploit
Generating A PHP Backdoor with weevely
HackerSploit
Nikto Web Vulnerability Scanner - Web Penetration Testing - #1
HackerSploit
How To Install Kali Linux On Windows 10 - Windows Subsystem For Linux
HackerSploit
Stacer - System Optimizer And Monitoring Tool For Linux
HackerSploit
Kali Linux 2018.1 - Kernel Updates & Patches
HackerSploit
MITM With Ettercap - ARP Poisoning
HackerSploit
Password Cracking With John The Ripper - RAR/ZIP & Linux Passwords
HackerSploit
How To Detect Rootkits On Kali Linux - chkrootkit & rkhunter
HackerSploit
Channel Updates - How To Post Questions & Video Suggestions
HackerSploit
Web App Penetration Testing - #1 - Setting Up Burp Suite
HackerSploit
Web App Penetration Testing - #2 - Spidering & DVWA
HackerSploit
Cl0neMast3r - GitHub Repository Cloning Tool
HackerSploit
Kali Linux On Windows 10 Official - WSL - Installation & Configuration
HackerSploit
DoS/DDoS Protection - How To Enable ICMP, UDP & TCP Flood Filtering
HackerSploit
Web App Penetration Testing - #3 - Brute Force With Burp Suite
HackerSploit
More on: Defensive AI
View skill →Related Reads
📰
📰
📰
📰
ECB Gives Banks Four Months to Prepare for AI-Powered Cyber Threats
Medium · Cybersecurity
A hospital network went dark at 2 AM. Here is what the next 72 hours looked like.
Medium · Cybersecurity
Cyber Security Training with Placement Assistance
Medium · Cybersecurity
The Part of Cybersecurity No One Talks About
Medium · Cybersecurity
🎓
Tutor Explanation
DeepCamp AI