Part 4 - Establishing the Reverse Shell


Time: 5 hours 38 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Description

In this final video for creating and launching the reverse shell attack on a Linux target, we review the steps involved and wrap things up by establishing the connection. The handler, started via msfconsole, listens on port 443 for the remote connection. The infected installation package is then unwittingly downloaded and installed by the victim on the target machine. The reverse shell is launched once the handler on the attacker's machine has established a connection with the target.

Video Transcription
00:03
>> Our next task then is to actually build the package. Now that we've modified some of the files, created the payload, and they're all in the proper folders that the package build process expects, we can actually build, or rather rebuild, this package so that we can then have it sent to the victim by putting it into the proper folder of my web server running on my Kali instance. I'm going to, in the dpkg-deb command, I will [NOISE] store what I want to build, and we're going to tell the folder where the package files are located. I forgot, I have to use workdir, that's where I put everything. I went again and found this folder and Kali created a package called workdir.deb. I don't really want to leave that name, so I want to rename this, and I can just call it something simple like xbomb.deb. Now, this xbomb.deb file needs to be put into the proper folder, and so what I can do is copy xbomb.deb to /var/www/html. This should be the default root of my Apache web server instance running on my Kali system.

>> I already have the web server running. I can double-check that by just going into my localhost and there's my default page, so that's good. I just want to double-check that that's in place before you try to do this work. I already bring my msfconsole command to start the handler for the shell. As a quick review, msfconsole run in quiet mode, the command I'm executing is the -x, target to use the multi handler with this particular payload for a Linux reverse shell. Then I just simply tell it what my local host address is, what my local port is, and then it runs the exploit. Now I can see that it's listening on this IP address, on this port. Then, my victim machine. What I need to do here is to actually get the file, so I can run wget, which would be the same as the link that you would present to the victim. I know that it's called xbomb.deb, so that would have to create the link that has the same text. We can see that it connected to the web server. Notice it connected on port 80; it really doesn't matter because it's a non-SSL page. The port 443 is for the reverse shell, and we want to use a port that is commonly seen so that it doesn't look suspicious.

>> Now the victim has the file on their machine. What I can do is go ahead and install xbomb.deb by running dpkg -i, for install, xbomb.deb. It gave me an error message saying it couldn't open my display; that's not really a thing to worry about too much. The user probably would try to figure out why that's happening. But we can see back on the attacker machine, the stage was sent to the victim machine, and I've got a command shell open between the victim and myself. Notice it doesn't give me a prompt or anything of that nature, but I can type some simple commands to verify that I'm indeed connected. The id command tells me I'm logged in as root, in the root group, and because I'm root, I can run any commands I like. For instance, I'm looking at the root file system on that remote system. I can run the ifconfig command to double-check indeed that I am on 128, that is the victim's machine.

There are a few steps that we had to go through here. We first had to download the package. We had to extract it to get the directory structure in a local folder which we can work from. Then I had to modify or create a couple of the files that are also needed. Those were the control script, which I will just review real quick. It just gives parameters for the package itself, and then the post-installation, which changes the permissions and properly tries to run the game as it's built when you do the install. Then on the victim machine, we gave them a link which would have included this information. They download the file, they try to install it, and we'd get our root shell. Once you have the root shell, then you could do things like try to maybe use other tools to create a permanent presence, like Netcat for instance. You can run a Netcat listener and try to give yourself a shell on a permanent basis, like you can return to this victim machine anytime you wish. [NOISE] You can see it's Debian 8. I don't want to use the shell right now, so I'm just going to go ahead and log out and I get back to my prompt. I hope you enjoyed this demonstration. Stay tuned for the next segment where we'll try to do something similar with a Windows system. Thank you.