Introduction:
Persistence is a Phase that’s included in all the popular Security Frameworks such as Cyber/Unified kill chain or MITRE ATT&CK. This phase is usually done after Exploitation (commonly) but it depends on needs & Roles of Engagements (ROE) & your approach framework Processes.
What is Persistence or Backdoors
Persistence is a technique used to maintain a connection with target systems even if the machine is rebooted, shut down, or whatever, we would still be able to have access to it.
Backdoor attack definition is using any malware/virus/technology to gain unauthorized access to the application/system/network while bypassing all the implemented security measures.
Why is it important?
It’s rare when performing a real-world penetration/red teaming test and after gaining an initial foothold to the system no disrupt or problem occurs such as the target computer gets shutdown or our exploit breaks down or our shell gets terminated for any reason so it’s suggested to install a backdoor immediately after gaining initial foothold/access to the target system to avoid these issues.
First, I’ll teach you some theory about Persistence/Backdoor technique & then do hands-on work on a machine. These techniques are helpful for both Red & Blue Teams.
Also, I refer to a lot from Tryhackme: Linux Backdoors
1. Persistence: SSH
Theory
SSH, also known as Secure Shell or Secure Socket Shell, is a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network.
The SSH backdoor essentially consists of leaving our ssh key (public key) in the user’s home ssh directory.
Pre-Condition: SSH must be running at the user’s end & no root privilege is required
Post-Condition: We can access the target system anytime.
The SSH backdoor methodology is simple;
Generate new pair of keys (using ssh-keygen)
Drop your generated public key into target .ssh dir (if not then create this dir)
Rename your dropped public key file into authorized_keys.
Stealthy Level: This backdoor isn’t hidden at all. Anybody with the right permissions would be able to remove our ssh public key or the file authorized_keys entirely.
More Info: Every user has their .ssh dir in their home. This dir stored SSH keys of your (public & private) & other users (public keys).
Practical
Generate a pair of keys using the ssh-keygen command in SSH in your machine.
Placed your public key into target’s .ssh directory & rename it to authorized_keys.
SSH into the target machine using a recently generated private key (private key permission must be 600 or 700 otherwise key doesn’t work.)
2. Persistence: CronJob
Theory
The cronjob backdoor essentially consists of creating a malicious script & a cronjob of that script.
Pre-Condition: Cron must be running at the user’s end & no root privilege is required.
Post-Condition: We can access the target system at any time or our specific set time.
The CRONJOB backdoor methodology is simple;
Create or download a script (reverse shell or bind shell).
Drop your script into /etc/crontab or any other location where we can place cronjob & set the timing/conditions of the job.
Catch the incoming reverse shell of the cronjob.
Stealthy Level: This backdoor isn’t hidden at all. Anybody with the right permissions would be able to remove/detect our cronjob script
More Info: To make your Cronjob backdoor more hidden from the blue side then check this article.
Practical
Create a script with a simple bash reverse shell & give it execute permission on a target system.
Edit the /etc/crontab file, add your script & set the trigger conditions.
Every Minute this job executes
On the attacker’s side after One minute.
3. Persistence: Bashrc/zshrc
Theory
The .bashrc file is a script file that’s executed when a user logs in. The file itself contains a series of configurations for the terminal session. This includes setting up or enabling: coloring, completion, shell history, command aliases, and more.
The cronjob backdoor essentially consists of creating a malicious bash script & putting it inside a .bashrc file.
Pre-Condition: The user must have bash/zsh/csh or any other shell as their login/default shell & no root privilege is required.
Post-Condition: Can’t access anytime only when target login into its account (not during login only at the initial point of login)
The BASHRC backdoor methodology is simple;
Create or download a script (reverse shell).
Drop your script into the .bashrc file in the user’s home dir.
Catch the incoming reverse shell every time the user login.
Stealthy Level: This attack is very sneaky as nobody thinks about ever checking their “.bashrc” file.
More info: the listener must be always listening to the attacker side as you can’t exactly know when will the user’s login to their system, so you might wait a long period.
Practical
Created a simple bash reverse shell on the target’s .bashrc file.
When the target user login into his system the .bashrc file runs just like every time but this time it’ll connect with our system without alerting the target machine.
Malware Persistence on Windows
There’s a big difference between malware on Linux and Windows, but some of the same core concepts remain the same. Instead of a cronjob, you use a scheduled task on Windows for example. While SSH isn’t installed by default on Windows, you can drop a SSH_client.exe to disk and use that in the same way as on Linux for you reverse shell. On Windows the most common persistence methods are: Startup Folder, Run Registry Keys, Scheduled Tasks & WMI Persistence.
Ultimately many of the persistence methods rely on Windows Registry keys because that’s the major persistent config repository for Windows. WMI has become increasingly popular in the past 10 years along with Powershell. A lot of the same old tricks with a few layers of obscurity added on top, helps malware bypass antivirus. As always, it’s the constant cat and mouse game between attackers and defenders. To learn more read this short guide from our friends at Guided Hacking: Windows malware persistence techniques.