Part 5 - Windows 7 Reverse Shell


Time: 5 hours 38 minutes
Difficulty: Intermediate
Video Description

In the first part of this module we examined how to create a payload and launch a reverse shell attack on a Linux target. In the final two videos of this module, we set our sights on attacking a Windows 7 host. For this example, instead of infecting a common application like a game, we simplify things by creating a standalone package from scratch that will contain our payload. The basic steps are very similar to the Linux example. We execute Metasploit commands from the console and use msfvenom to create the payload. We then select characters to exclude in the output file and specify the host IP address and the port on which to listen for connections. In addition, we specify encoder iterations in order to avoid detection by AV software on the target. Finally, just as in the Linux example, we set up a handler on the local host to listen for connection requests from the target.

Video Transcription
00:03
Hello. Dean Pompilio here for the Metasploit Cyber class. In this section we're going to be looking at a way to create a reverse connection on a Windows system. We already did that on a Linux system using an infected game called X-bar. In this case, we're just going to be sending a simple executable file to the victim. Obviously, you could bundle this file, this payload with the reverse connection, into some other program like a game. You could basically create a Trojan by wrapping a trusted program around this malicious payload. But for the purposes of our demonstration, we're just going to create the payload and show that it works.

First of all, we need to be on our Kali system. What we're going to do is run some of the Metasploit tools from the command line instead of going into the console. This is a nice evolution to make for the Metasploit practitioner, because you're going to want to work more efficiently and perhaps script some of these things. You have to start thinking ahead as to how you're capturing what work you're doing for possible reuse.

We're going to run the msfvenom command to create a payload. We covered this in the Linux tutorials. Well, we're going to use it again. Now, I've already saved my command in my command history. That way I don't have to type it all in again. But here it is. We start off with the payload, windows/meterpreter/reverse_tcp. Notice I'm not specifying the platform or the architecture. In many cases, the program will figure out what you want and will make some assumptions. If you don't like the assumption, then you have to adjust it. I'm going to exclude null characters: dash b for bad bytes or bad characters. Specify local host, specify local port. Another thing to start thinking about is the encoder that you use and how many iterations you want to go through to try to evade antivirus. That's a little bit beyond the scope of what we're working at right here. But I just included five iterations of the default encoder, which will probably be Shikata ga nai. Notice I'm specifying a file format of EXE. This is so the binary will run on a Windows 7 system; it should run on plenty of other Windows systems as well. Then I just give it the output name that I want to call the file. Maybe I shouldn't call it something so obvious. Let's call it something a little bit more appealing, secret.photos.exe. Think about social engineering ideas.

We see that I didn't specify a platform or an architecture, but it figured it out from the payload. Five iterations of Shikata ga nai, as I mentioned, and we see that our payload has been created. It's good to be organized. Keep all your files in one place if possible.

Now I've got the payload created. My next task is to create a listener. The nice thing about doing these reverse connections, either through Linux or Windows, is the fact that you should be able to evade certain firewalls. All you have to do is use a port that's allowed through the firewall, like 80 or 443. I'm just using 4444 out of force of habit, because that's a port that's not commonly used. It's frequently a default port for a lot of Metasploit payloads, or exploits, I should say.

Now what I have to do is set up the handler. Again, I've already typed this in, so I'm going to bring it up from my command history. What we see is I'm putting it in quiet mode again. The dash x will execute whatever I put between the double quotes as a series of commands. I tell it to use the multi-handler, which is the most versatile one for these types of connections. I get the same payload that I put into the exploit that I'm going to send to the victim. Then the usual things are here: my local host, my local port, again port 4444. Make sure this all matches the payload that you created. Otherwise, the connection won't work. Then there's a run command, which is basically the same thing as saying exploit. It's a shortcut for exploit; they do the same thing. Then exit dash y. Let's go ahead and run this to create the listener. It takes a few moments. Okay, there we go.

Let's see. I am actually running my VMs in host-only mode. I'm going to use a thumb drive to get the file to the victim. Let's take just a moment here. Let's see, we want to go to the directory root when river show, and there's my secret photos. I'll copy that and move it to the thumb drive. This is a convenient way to move things between VMs if you don't want to enable other security features like copy and paste. Just a little bit of extra work to do the connect and disconnect. Let's now look at our Windows system. That's strange.