I recently had an Admin password and wanted a persistent backdoor on a x64 Windows7 box I had physical access to for a limited amount of time.
I thought about putting a bind shell on the box, but then not only would I have to open a port up through the firewall, but also if I killed the session my bind shell would exit, and I'd lose my ability to connect back in. So I ditched the bind shell idea.
A reverse shell seemed like the way to go. This had the benifit of if I moved off the LAN, I could get back in through the NAT firewall.
The question was, how do I make a persistent reverse shell? Even though I was Admin, when my trojan connected back to my attack platform, it only had User privs, so I couldn't 'run scheduleme' in Meterpreter to set up a service (darn Windows7!). I tried using the Windows Scheduler, creating a task to run my trojan to connect back to me every 10 minutes. This worked OK at first. I was worried that if I scheduled it to connect back to me every 10 minutes, that the victim would get a new session process every 10 minutes, and I'd fill up the box... but in testing, if I wasn't listening when the session tried to connect back to me, it would simply exit cleanly. So I thought I was done. But then, I noticed that even though I had the task in the scheduler, and even though it would work for a while, it would always quit connecting back to me (even though the task was still scheduled). I played with the scheduler, and no matter how I scheduled the task, it seemed that it would quit calling back to me. The reason is unknown, but the symptoms persisted... I couldn't get the scheduler to keep calling back to me, even though it SAID it was scheduled. I added this to my list to research later on, but needed a quick solution.
As a quick work-around, and since I had physical access and the victim was on the LAN with my attack box, ssh seemed like a good solution. Ssh is robust, and I could use it to run my payload anytime I wanted the victim to connect back to me. I tried to install OpenSSH. However, Openssh doesn't work well (at all?) with Windows 7. So instead I used CopSSH (ver 4.1). When you install it, a control pannel comes up to configure it. To get CopSSH to run as a service (every time the PC boots up), you have to create a new user. That is a major downside, as this user will show up in the logon menu.
Don't forget to run the CopSSH Control Panel as Admin, or your service won't run every time you boot the box!
After I made the new user, ran the CopSSH Control Panel as Admin, and told it to start with this User, I then hid the user from the logon screen with the below.
[Hide User Accounts in windows Vista and Windows 7 (from technet forums):
at Run type regedit
Once in regedit go to HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon
In the left panel, right click on Winlogon and click New and click Key.
Type SpecialAccounts and press Enter
In the left panel, right click on SpecialAccounts and click New and click Key.
Type UserList and press Enter.
In right panel of UserList, right click on a empty area and click New then click DWORD (32bit) Value.
Type in the name of the user account that you want to hide and press Enter.eg: Everyday Account.
In the right panel, right click on the user account name and click Modify.
To hide the user account ? Type 0 and click OK. (number zero not the letter)
Whenever you want to use the account just unhide the it by typing 1 instead of zero.]
Now I have a box that I can SSH into, and then click on my payload to create a session back to my box.
If anyone knows how to fix the scheduler so that it actually reliably runs my task, or if you know how to get my trojan to run with Admin privs (and right-click 'run as Admin' didn't work) please let me know!
I thought about putting a bind shell on the box, but then not only would I have to open a port up through the firewall, but also if I killed the session my bind shell would exit, and I'd lose my ability to connect back in. So I ditched the bind shell idea.
A reverse shell seemed like the way to go. This had the benifit of if I moved off the LAN, I could get back in through the NAT firewall.
The question was, how do I make a persistent reverse shell? Even though I was Admin, when my trojan connected back to my attack platform, it only had User privs, so I couldn't 'run scheduleme' in Meterpreter to set up a service (darn Windows7!). I tried using the Windows Scheduler, creating a task to run my trojan to connect back to me every 10 minutes. This worked OK at first. I was worried that if I scheduled it to connect back to me every 10 minutes, that the victim would get a new session process every 10 minutes, and I'd fill up the box... but in testing, if I wasn't listening when the session tried to connect back to me, it would simply exit cleanly. So I thought I was done. But then, I noticed that even though I had the task in the scheduler, and even though it would work for a while, it would always quit connecting back to me (even though the task was still scheduled). I played with the scheduler, and no matter how I scheduled the task, it seemed that it would quit calling back to me. The reason is unknown, but the symptoms persisted... I couldn't get the scheduler to keep calling back to me, even though it SAID it was scheduled. I added this to my list to research later on, but needed a quick solution.
As a quick work-around, and since I had physical access and the victim was on the LAN with my attack box, ssh seemed like a good solution. Ssh is robust, and I could use it to run my payload anytime I wanted the victim to connect back to me. I tried to install OpenSSH. However, Openssh doesn't work well (at all?) with Windows 7. So instead I used CopSSH (ver 4.1). When you install it, a control pannel comes up to configure it. To get CopSSH to run as a service (every time the PC boots up), you have to create a new user. That is a major downside, as this user will show up in the logon menu.
Don't forget to run the CopSSH Control Panel as Admin, or your service won't run every time you boot the box!
After I made the new user, ran the CopSSH Control Panel as Admin, and told it to start with this User, I then hid the user from the logon screen with the below.
[Hide User Accounts in windows Vista and Windows 7 (from technet forums):
at Run type regedit
Once in regedit go to HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon
In the left panel, right click on Winlogon and click New and click Key.
Type SpecialAccounts and press Enter
In the left panel, right click on SpecialAccounts and click New and click Key.
Type UserList and press Enter.
In right panel of UserList, right click on a empty area and click New then click DWORD (32bit) Value.
Type in the name of the user account that you want to hide and press Enter.eg: Everyday Account.
In the right panel, right click on the user account name and click Modify.
To hide the user account ? Type 0 and click OK. (number zero not the letter)
Whenever you want to use the account just unhide the it by typing 1 instead of zero.]
Now I have a box that I can SSH into, and then click on my payload to create a session back to my box.
If anyone knows how to fix the scheduler so that it actually reliably runs my task, or if you know how to get my trojan to run with Admin privs (and right-click 'run as Admin' didn't work) please let me know!
Comments
Post a Comment