Maintaining access with Metasploit

Keeping access to the target system is a desired feature, especially when it comes to law enforcement agencies or by the red teams to test defenses deployed on the target. We can achieve persistence through Metasploit on a Linux server using the sshkey_persistence module from the post/linux/manage directory. This module adds our SSH key or creates a new one and adds it to all the users who exist on the target server. Therefore, the next time we want to login to the server, it will never ask us for a password and will simply allow us inside with the key. Let's see how we can achieve this:

We just need to set the session identifier using the set SESSION command followed by the session identifier. We will make use of the session with the highest level of privileges. Hence, we will use 3 as the SESSION identifier and directly run the module as follows:

We can see that the module created a new SSH key and then added it to two users on the target system, that is, root and claire. We can verify our backdoor access by connecting to the target on SSH with either root or the user claire, or both, as follows:

Amazing! We can see that we logged into the target system by making use of the newly created SSH key using the -i option, as shown in the preceding screen. Let's see if we can also log in as the user claire:

Yup! We can log in with both of the backdoored users.

Most of the servers do not permit root login. Hence, you can edit the sshd config file and change the root login to yes and restart the SSH service on the target.

Try to backdoor only a single user such as the root since, most of the folks won't log in through the root as default configurations prohibit it.