Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Description

A key component of the reverse shell exploit is a handler that runs on the client machine listening on a designated port for connection requests from the infected target. In this video we review the steps for generating the payload and then packaging it up into an infected installation file. The objective is to trick personnel with access to the victim host into installing the infected xbomb game on the target machine. This is typically achieved by a social engineering attack whereby the victim is tricked into clicking on a link, which in turn downloads and installs the infected game on the target.

Video Transcription

00:04
Okay, so now we're gonna use the msfvenom command.
00:14
Do a help real quick. We can see what kind of options this command takes.
00:18
So as we can see, this is a standalone payload generator.
00:23
Replaces msfpayload and msfencode.
00:26
Uh, it's kind of bundled the other functionality into this one tool.
00:33
So we can specify which payload we want to use. We can look at different, uh, output formats. Choose the architecture.
00:40
We can also eliminate characters to avoid which we do have to do for this particular example.
00:47
And the command is kind of lengthy to type in.
00:50
Make my window a little bit bigger.
00:52
It'll wrap around anyway.
00:54
But I'll explain the options that we that we need as we go through this.
01:00
All right, so msf
01:02
venom,
01:12
and I need to tell it that my architecture is x86,
01:19
and the platform
01:22
is Linux,
01:25
and I will specify my payload. So it's a Linux payload,
01:29
and
01:30
I already looked up this path, so I know this is here, but you might have to, uh,
01:36
go into your payloads and do some searches to find the right payload to use. This should work on a Debian Linux system
01:45
as long as it's x86 architecture. If it was another architecture, you'd specify a different architecture for -a as well, and the payload would be different.
01:55
Now I'm gonna specify my local host
02:00
and that is 192.168
02:01
.26.129.
02:06
Then I'm gonna specify the local port,
02:08
and I'm gonna use 443. That way it doesn't look like a suspicious port when the victim's system is connected to this website.
02:15
I'm going to exclude
02:19
hex zero.
02:22
This example needs this. It's kind of a technical discussion as to why we need to exclude that. But sometimes when you're encoding a payload, certain characters cause problems with compatibility.
02:32
So this one I know I need to exclude. You may have to do your own research, and a little trial and error, to get
02:38
your encoding process to work correctly.
02:43
My output format is going to be ELF.
02:46
I can run the
02:50
well, we'll look at the, uh, this help for formats to look at the list after I generate the payload.
02:57
And then my output file. So root,
03:00
backdoor,
03:02
workdir,
03:06
and then I want usr/games,
03:08
xbomb scores.
03:12
So this file now,
03:14
well, that's part of the package. I'm replacing it with my file
03:17
that has this payload bundled into it.
03:27
So running the command, this takes a few seconds, and it tells me that it was able to encode
03:34
with the shikata_ga_nai
03:37
encoder. That's a popular encoder, works quite often, and it tells me that it was 98 bytes
03:43
and was able to, uh,
03:46
create the work.
03:47
Crazy, huh?
03:52
Payload. So look at the formats real quick.
03:58
So there's executable formats
04:00
and then transformation formats.
04:03
So executable formats, I've got a lot of different options here.
04:08
ELF just happens to be the one that works correctly for this example, so you're just gonna have to trust me on that.
04:15
All right? Now what I need to do is start my Web server.
04:23
I want to make sure that I've got the web page
04:26
in place, or rather available, when I want to
04:33
get the victim to click a link which leads them to visit the website.
04:41
All right, so now my next step is to create a handler. So the victim's system, when they install the package, will generate
04:51
a reverse shell back to the attacker machine. So I need to have a handler to listen for this connection.
04:57
And I could do this from
04:59
another command line option using msfconsole.
05:04
Do a help for this real quick,
05:10
and we see for msfconsole, I can specify lots of different options
05:15
to run commands from the command line without having to get into the console framework itself.
05:21
And we're gonna tell it, for instance, that I want it to be in quiet mode, so we don't see the startup banner, and then I'll specify the command I want to execute.
05:32
And I'll enclose that in double quotes so it runs as a complete command.
05:40
So quiet mode,
05:42
and I'm gonna say use exploit,
05:47
multi
05:50
handler.
05:53
And if I separate my commands with a semicolon, I can run several commands
06:00
on one line effectively. So it's a nice way to do
06:04
a lot of work with one simple command. Of course, if you were doing this kind of work regularly, you would save these commands
06:11
in a file so you can just copy and paste them. Or you can find them in your shell history as well.
06:17
All right, so now I want to set the payload.
06:21
Helps if you spell it right.
06:26
Okay. Payload is going to be Linux because we know it's a Linux machine.
06:31
And
06:32
my, uh, shell, if you recall, was an x86 shell,
06:39
reverse TCP. So this has to match the payload that I encoded so that the shell will connect to the proper handler. Then the connection should work.
06:51
I need to set my local host.
06:56
And that's gonna be 192.168.1, oops, 26.129. So that's the attacker system.
07:04
Another semicolon.
07:06
Then set my local port.
07:09
And that's gonna be 443, as we previously saw.
07:13
Then I'm gonna run
07:15
the exploit itself.
07:19
And then lastly, I will exit with the -y so that it doesn't prompt me for
07:25
a, um,
07:28
connection.
07:31
All right,
07:38
so when this finishes running, it should tell me that it's binding to my current address.
07:45
So my local host is ..., 443.
07:48
I see which payload. I've got my local host, my local port. And now the handler is running
07:56
on that,
07:59
um,
08:00
website, because I started up my default Apache service
08:03
on port 443.
08:07
Now, what I need to do is go to my victim system
08:13
and start up my web browser. So go ahead and launch Iceweasel.
08:18
I can verify that the Web server is there by
08:22
typing in its address.
08:26
And there's my default page that you get when Debian installs Apache.
08:33
So I know the website's reachable,
08:35
and as I mentioned before, through social engineering techniques, you would send an email to the victims. Say, Hey, uh, try this new Minesweeper game that I created called xbomb, it's a lot of fun. Maybe show some screenshots, make it look interesting.
08:50
What we're gonna do is, uh,
08:52
get the file directly by using the wget command.
08:56
So I'm going to specify my address.
09:01
This could be in the link, of course, that you would send to your
09:05
your victim.
09:07
I have to make sure I get this exactly right.
09:13
2.2a-1
09:18
_i386.deb.
09:24
Let me double check that.
09:37
That looks correct.
09:46
All right, so on the victim machine, they click the link.
09:52
It's not what I was expecting.

Up Next

Metasploit

This Metasploit tutorial will teach you to utilize the deep capabilities of Metasploit for penetration testing and help you to prepare to run vulnerability assessments for organizations of any size.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor