Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Description

In the first part of this module, we examined how to create a payload and launch a reverse shell attack on a Linux target. In the final two videos of this module, we set our sights on attacking a Windows 7 host. For this example, instead of infecting a common application like a game, we simplify things by creating a standalone package from scratch that will contain our payload. The basic steps are very similar to the Linux example. We execute Metasploit commands from the console and use msfvenom to create the payload. We then select characters to exclude in the output file and specify the host IP address and the port on which to listen for connections. In addition, we specify encoder iterations in order to avoid detection by AV software on the target. Finally, we set up a handler on the local host, just as in the Linux example, to listen for connection requests from the target.
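The description above, and the video itself, make two points a defender should take away: the handler listens on TCP 4444 (the usual Metasploit default), and a reverse connection on an allowed port such as 80 or 443 gets past simple egress filtering. The script below is an added example from the editor, not course material, and shows the defensive side of that observation over a constructed connection log. It assumes a log line format, IP addresses and first-bytes samples that are all made up for this example; the idea it demonstrates is that a port-only rule catches the 4444 callback, while the 80/443 case requires looking at what the client sends first, since a reverse_tcp stager sends nothing and waits for the stage.

```python
"""Egress check for reverse-shell callbacks (added example, not part of the course).

Constructed log format (not a real product's format):
  "<ts> <src>:<sport> -> <dst>:<dport> first=<hex of the first bytes the client sent>"
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Port the video uses as LPORT; Metasploit picks it by default.
METASPLOIT_DEFAULT_PORTS = {4444}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"first=(?P<first>[0-9a-fA-F]*)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "first": bytes.fromhex(m["first"]),
    }


def is_tls_client_hello(first: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), major version 0x03, handshake type 0x01 (ClientHello)."""
    return len(first) >= 6 and first[0] == 0x16 and first[1] == 0x03 and first[5] == 0x01


def is_http_request(first: bytes) -> bool:
    """A plain HTTP request starts with a method token followed by a space."""
    return any(first.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE "))


def classify(rec: dict) -> Optional[str]:
    """Return a reason if the connection looks like a reverse-shell callback, else None."""
    dport = rec["dport"]
    if dport in METASPLOIT_DEFAULT_PORTS:
        return f"outbound to Metasploit default port {dport}"
    # The firewall-evasion point from the video: 80/443 are allowed through, so
    # inspect the protocol rather than the port. A reverse_tcp stager sends nothing first.
    if dport == 443 and not is_tls_client_hello(rec["first"]):
        return "port 443 but client did not start a TLS handshake"
    if dport == 80 and not is_http_request(rec["first"]):
        return "port 80 but client did not send an HTTP request line"
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over every parseable line and collect the hits."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["dport"], reason))
    return findings


# Constructed sample: a Windows VM (192.168.56.101) talking to an attacker VM
# (192.168.56.102) and to a legitimate web server (203.0.113.10, documentation range).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 192.168.56.101:49152 -> 192.168.56.102:4444 first=
2024-01-01T10:00:05Z 192.168.56.101:49153 -> 203.0.113.10:443 first=16030100a5010000a1
2024-01-01T10:00:09Z 192.168.56.101:49154 -> 192.168.56.102:443 first=
2024-01-01T10:00:12Z 192.168.56.101:49155 -> 203.0.113.10:80 first=474554202f20485454502f312e31
2024-01-01T10:00:15Z 192.168.56.101:49156 -> 192.168.56.102:80 first=
not a log line
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Run as-is, it reports three of the five connections: the 4444 callback, and the two callbacks to 443 and 80 whose client side never sent a TLS ClientHello or an HTTP request line. The genuine TLS and HTTP sessions to the web server pass. The first-bytes check is deliberately simple; in practice you would take the same signal from a proxy or network sensor that already classifies protocols.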

Video Transcription

00:04
Hello, Dean Pompilio here for the Metasploit cyber class.
00:10
In this section we're going to be looking at a way to create a reverse connection on a Windows system. We already did a Linux system
00:19
using an infected?
00:22
Oh,
00:23
a game called Expo.
00:25
Uh, in this case,
00:26
we're just gonna be sending a simple executable file to the victim.
00:31
Obviously, you could bundle this file, this payload with the reverse connection, with some other kind of, ah, program. Like a game
00:39
you could,
00:41
you know, basically create a Trojan by wrapping a trusted program around this malicious payload.
00:46
For the purposes of our demonstration, we're just going to create the payload and show that it works.
00:52
All right, so first of all,
00:57
we need to be on our Kali system,
01:00
and what we're gonna do is run
01:03
some of the Metasploit tools from the command line instead of going into the console,
01:07
and this is a nice evolution to make for the Metasploit practitioner, because you're going to want to work more efficiently and perhaps script some of these things.
01:19
So you have to start thinking ahead
01:21
as to how you're capturing what work you're doing for, ah, possible reuse.
01:27
All right. So we're gonna run the msfvenom command
01:34
to create a payload,
01:37
and we covered this in the Linux tutorial as well. We're gonna use it again.
01:42
Now, I've already saved my command in my command history.
01:49
That way I don't have to type it all in again.
01:52
But here it is. So
01:53
we start off with, ah, platform. I'm sorry, the payload: windows meterpreter reverse TCP.
02:00
Notice I'm not specifying the platform or the architecture. And in many cases,
02:06
uh, the program will figure out what you want and will make some assumptions. And if you don't like the assumption, then you have to adjust it.
02:13
I'm gonna exclude known characters. So dash b for bad bytes or bad characters. Specify local host, specify the port.
02:22
And
02:23
Another thing to start thinking about is the encoder that you use and how many generations you want to go through to try to evade antivirus.
02:31
Absolutely beyond the scope of what we're working on right here. But I just included five generations
02:38
of the default encoder, which will probably be shikata_ga_nai.
02:43
Notice I'm specifying a file format, exe.
02:46
This is so the binary will run on a Windows 7 system, and plenty of other Windows systems as well.
02:53
And then I just give it the output.
02:55
What I want to call the
02:58
file. Maybe I shouldn't call it something so obvious. Let's call it
03:04
something a little bit more
03:07
appealing.
03:14
All right, secret photos dot exe.
03:16
So think about, you know, social engineering ideas.
03:21
All right, we see that
03:23
I didn't specify a platform or an architecture, but it figured it out from the payload.
03:30
Five generations of
03:32
shikata_ga_nai, as I mentioned, and we see that
03:38
our payload has been created.
03:42
Actually,
03:53
it's good to be organized. Keep all your files in one place, if possible.
03:59
All right. So now I've got the, uh, the payload created. So my next task is to create a listener.
04:08
And the nice thing about doing these reverse
04:10
connections, either through Linux or Windows, is
04:13
the fact that you should be able to evade certain firewalls. All you have to do is use a port that's allowed through the firewall, like 80 or 443.
04:23
Um,
04:24
I'm just using 4444 out of force of habit, because that's a port that's not commonly used. It's frequently a default port for a lot of Metasploit,
04:31
um, payloads.
04:34
Or, um, exploits, I should say.
04:36
Okay. So now what I have to do is set up the handler.
04:41
And again, I've already typed this in. So I'm just gonna bring it up from my command history.
04:47
So what we see is
04:50
I'm putting it in quiet mode again. And the dash x executes whatever I put between the double quotes as a series of commands.
04:57
So I tell it, uh, to use the multi handler, which is the most versatile one
05:01
for these types of connections.
05:03
I get the same payload that I put into the
05:09
the exploit that I'm going to send to the victim.
05:11
And then the usual things are here: my local host, my local port, again port 4444. Make sure this all matches
05:16
the payload that you created. Otherwise the connection will work.
05:19
And then there's a run command,
05:21
which is basically the same thing as saying exploit.
05:25
That's a, uh,
05:27
a shortcut for exploit. They do the same thing,
05:30
then exit dash y.
05:33
So let's go ahead and run this to create the listener.
05:43
takes a few moments. Okay, there we go.
05:45
Let's see. So I am actually running
05:48
VMs in
05:53
host only mode. So
05:55
I'm gonna use a thumb drive to get the file to the victim.
06:08
Take a moment here.
06:10
So let's see, I want to go to directory
06:15
root
06:16
win reverse shell, and there's my secret photos.
06:20
So copy that.
06:25
And
06:27
with a thumb drive,
06:31
this is a convenient way to move things between VMs if you don't want to enable other security features like copy and paste,
06:39
just a little bit extra work to do the connect and disconnect.
06:47
Oh, no.
06:49
All right. Let's now look at it on our Windows system.
06:59
That's strange.


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor