Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Description

In this final video on creating and launching a reverse shell attack against a Linux target, we review the steps involved and wrap things up by establishing the connection. The handler, started via msfconsole, listens on port 443 for the remote connection. The trojanized installation package (a rebuilt .deb whose post-install script launches the payload) is then unwittingly downloaded and installed by the victim on the target machine. Once the package is installed, the target connects back to the handler on the attacker's machine and the reverse shell is established.
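The attack works because dpkg runs a package's maintainer scripts (preinst, postinst, prerm, postrm) as root during installation, so whatever the trojanized postinst launches runs with root privileges on the victim. The check a practitioner would want before running `dpkg -i` on a package from an untrusted link is to look at those scripts first. The following is an added example, not code from the course or the video: it parses a .deb (an `ar` archive containing control.tar.*), pulls out the maintainer scripts, and flags lines that background a process, open a network connection, or pipe a download into a shell. The package name `sample-game`, the script contents and the pattern list are constructed for illustration and are not the package used in the video.

```python
import io
import re
import tarfile

# dpkg runs these scripts as root during install/removal; the postinst is
# where the video's trojanized package launches its payload.
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# Illustrative (not exhaustive) patterns worth a second look in a root-run script.
SUSPICIOUS = [
    re.compile(r"/dev/tcp/"),                          # bash network redirection
    re.compile(r"\b(nc|ncat|netcat|socat)\b"),         # ad hoc network tools
    re.compile(r"\b(nohup|setsid)\b"),                 # detach from the installer
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),    # download-and-run
    re.compile(r"&\s*$"),                              # backgrounded command
    re.compile(r"\bbash\s+-i\b"),                      # interactive bash (reverse shells)
]


def parse_ar(blob: bytes) -> dict:
    """Split a .deb, which is an `ar` archive, into {member name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # member data is padded to an even offset
    return members


def maintainer_scripts(deb: bytes) -> dict:
    """Return {script name: text} for every maintainer script in control.tar.*."""
    members = parse_ar(deb)
    ctrl = next((n for n in members if n.startswith("control.tar")), None)
    if ctrl is None:
        raise ValueError("no control.tar member; not a .deb?")
    scripts = {}
    with tarfile.open(fileobj=io.BytesIO(members[ctrl]), mode="r:*") as tar:
        for m in tar.getmembers():
            base = m.name.lstrip("./")  # dpkg stores ./-prefixed names
            if m.isfile() and base in MAINTAINER_SCRIPTS:
                scripts[base] = tar.extractfile(m).read().decode("utf-8", "replace")
    return scripts


def flag_lines(script: str) -> list:
    """(line number, line) for each non-comment line matching a SUSPICIOUS pattern."""
    hits = []
    for lineno, line in enumerate(script.splitlines(), 1):
        if line.strip().startswith("#"):
            continue
        if any(p.search(line) for p in SUSPICIOUS):
            hits.append((lineno, line.strip()))
    return hits


def audit(deb: bytes) -> dict:
    """Audit every maintainer script in a .deb before handing it to dpkg -i."""
    return {name: flag_lines(text) for name, text in maintainer_scripts(deb).items()}


# --- constructed sample: a minimal .deb whose postinst launches a binary ---

def _tar_gz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode = len(data), 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _ar(members: list) -> bytes:
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        out += "{:<16}{:<12}{:<6}{:<6}{:<8}{:<10}`\n".format(
            name, 0, 0, 0, "100644", len(data)).encode("ascii")
        out += data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)


# Hypothetical package and scripts, modelled on the video's description of a
# postinst that fixes permissions and then runs the bundled program.
SAMPLE_DEB = _ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", _tar_gz({
        "control": "Package: sample-game\nVersion: 1.0\nArchitecture: amd64\n"
                   "Maintainer: nobody <nobody@example.invalid>\n"
                   "Description: constructed sample\n",
        "preinst": "#!/bin/sh\nexit 0\n",
        "postinst": "#!/bin/sh\nset -e\nchmod 2755 /usr/games/sample-game\n"
                    "/usr/games/sample-game &\nexit 0\n",
    })),
    ("data.tar.gz", _tar_gz({"usr/games/sample-game": "#!/bin/sh\necho hi\n"})),
])

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_DEB).items():
        print(name, hits or "clean")
```

On a real download you would read the file with `open(path, "rb").read()` and pass it to `audit()`; the same inspection can be done by hand with `dpkg-deb --ctrl-tarfile pkg.deb | tar -t` followed by `dpkg-deb -I pkg.deb postinst`. A backgrounded command in a postinst is not proof of malice, but it is exactly the pattern this video relies on, so it deserves a read before the package is installed as root.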

Video Transcription

00:04
All right. So our next task, then, is to actually build the package. Now that we've modified some of the files, created the payload,
00:11
and they're all in the proper folders
00:13
that the package
00:14
build process expects, we can actually build, or rather rebuild, this package so that we can then have it sent to the victim
00:25
by putting it into the proper folder
00:28
of my web server running on my Kali instance.
00:32
All right, so I'm gonna run the dpkg-
00:37
deb command and tell it I wanna build,
00:41
and
00:42
then I tell it the folder where the
00:46
package files are located
00:53
And I want to call it... I have to use workdir; that's where I have put everything.
01:00
So it went into this folder and created a package called workdir.deb.
01:08
I don't really want to
01:12
leave that name, so I'm gonna rename this,
01:17
and I could just call it something simple like xbomb.deb.
01:23
Now this xbomb.deb file needs to be put into the proper
01:30
folder.
01:30
And so what I can do is copy
01:34
xbomb.deb
01:38
to /var/www/
01:41
html. This should be the default root of
01:44
my Apache web server instance running on my
01:49
Kali system,
01:51
and I already have the Web server running.
01:57
I could double check that.
01:59
I just
02:00
go to my localhost and there's my
02:01
default page. So that's good. Always wanna double check that that's in place before you
02:07
try to do this work.
02:12
All right, so I already ran my msfconsole command
02:20
to start the
02:22
handler for the shell.
02:25
So as a quick review: msfconsole. We ran it in quiet mode.
02:30
The command I'm executing with the dash x, telling it to use the multi handler
02:36
with this particular payload for a Linux reverse shell.
02:39
And then I just simply tell it what my local host address is, what my local port is, and that it runs the exploit. Now we can see that it's listening on this IP address on this port.
02:53
Then on my victim machine,
02:54
what I need to do here is to actually get the file,
02:59
so I can run wget,
03:02
which would be, you know, the same as the
03:07
link that you would present to the victim.
03:09
And I know that it's called xbomb.deb.
03:14
So you would have to create the link that has the same text,
03:19
and we can see that it's connected to the Web server.
03:23
Notice it connected on port 80. It really doesn't matter,
03:27
because it's a non-SSL page.
03:32
The port 443 is for the reverse shell.
03:35
And we want to use a port that is
03:38
commonly seen so that it doesn't look suspicious.
03:43
All right, so now the victim has the file on their machine,
03:46
and what I can do is go ahead and install
03:53
xbomb.deb
03:55
by running dpkg dash i for install,
03:59
xbomb.deb.
04:02
So it gives me a message saying it couldn't open the display. That's not really anything too much to worry about.
04:09
The user probably would
04:11
try to figure out why that's happening,
04:14
But we can see back on
04:19
the attacker machine
04:23
the stage was sent
04:25
to the victim machine, and I've got a command shell open between the victim and myself.
04:31
Notice it doesn't give me a prompt or anything of that nature. But I can type some simple commands to verify that I am indeed connected.
04:39
The id command tells me I am logged in as root,
04:43
root group.
04:46
And because I'm root, I can run any commands I like,
04:49
for instance, I'm looking at
04:53
the root file system on that remote system. I can run the ifconfig command to double check,
04:59
indeed, that I am on .128.
05:01
That is the victim's machine.
05:04
So there are a few steps that we had to go through here. We first had to download the package. We had to extract it to get the directory structure and a local folder which we could work from.
05:18
Then I had to modify
05:21
or create a couple of the
05:30
files that are also needed.
05:34
And those were the control script,
05:36
which I will just review real quick.
05:40
It just gives parameters for the package itself
05:43
and then the post-installation script, which changes the
05:46
permissions
05:47
and properly tries to run the game
05:51
as it's built, when you do the install.
05:56
And then on the victim machine, we gave them a link which would have
06:00
included this information. They download the file and try to install it,
06:05
and we get our root shell.
06:09
And once you have the root shell, then you could do things like trying to maybe use other tools
06:15
to create a permanent presence, like netcat, for instance. You could run the netcat listener
06:21
and try to give yourself a shell on a permanent basis so that you could return to this victim machine anytime you wish.
06:32
You can see it's a Debian 8, and so I no longer need this shell for right now. So I'm just gonna go ahead and log out,
06:41
and I get back to my prompt. I hope you enjoy this demonstration.
06:45
Stay tuned for the next segment, where
06:48
we'll try to do something similar with a Windows system.
06:51
Thank you.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor