RSS

Metasploit Metsvc Backdoor

28 Mar

Metasploit offers the ability to place a backdoor on the remote system in order to maintain access after your exploitation.In this article we will see how we can work with the metsvc backdoor and what are the limitations of it.

Lets say that we have already compromised the target by using a meterpreter service payload.We can have a look at the available options of the metsvc backdoor by executing the command run metsvc -h

Metsvc Help

 

As we can see there are only 2 options:The -A which automatically starts the multi/handler and the -r which uninstalls the service that the backdoor has created.

So we will execute the command run metsvc -A.This command will upload some files and it will create a windows service on the remote machine which will run on the port 31337.

Run the Metsvc Backdoor

 

As you can see from the image above we now have 2 sessions open on the remote machine.From the other hand on the remote machine we can notice that there is  a process name metsvc-server.exe.This process is the backdoor.

Metsvc process

 

If you want to remove the backdoor from the target machine you can use the command run metsvc -r in order to achieve that.

Remove the metsvc backdoor

 

This command is stopping the backdoor from running but it doesn’t delete the files that had created when we ran the backdoor the first time so we need to remove it manually in order to clean up the system.The files that we need to remove are the following:

Backdoor files

 

Conclusion

The metsvc backdoor runs as service on the remote system and requires no authentication so anyone that will find the backdoor can connect through it to our target.Also it can be discovered easily by using a simple port scanner so it is risky to use.From the other hand it is less noisy compared to the persistence backdoor.

Don’t try this backdoor in real systems.If you want to use it in order to expand your knowledge about backdoors use it on a safe and isolated environment.

About these ads
 
1 Comment

Posted by on March 28, 2012 in Maintaining Access

 

Tags: , ,

One response to “Metasploit Metsvc Backdoor

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

Join 687 other followers

%d bloggers like this: