Part 6 - Establishing the Win Shell

Video Activity

The final step in the Win7 reverse shell exploit is to get the file onto the victim's system. In this example, the attack vector is a USB thumb drive. Once the victim has been enticed to run the executable on the target, the handler running on the client detects the connection requests and establishes a connection with the target. From there, we ha...

Join over 3 million cybersecurity professionals advancing their career

Sign up with

Required fields are marked with an *

or

Sign up with Google

Sign up with Apple

Sign up with Microsoft

View all SSO options

Already have an account? Sign In »

Course

Difficulty

Intermediate

Video Description

The final step in the Win7 reverse shell exploit is to get the file onto the victim's system. In this example, the attack vector is a USB thumb drive. Once the victim has been enticed to run the executable on the target, the handler running on the client detects the connection requests and establishes a connection with the target. From there, we have full shell access and can perform a host of potentially malicious actions: examine the process list, run the sysinfo command, migrate the connection to another process in order to keep it running, as well as escalate privileges on the target.

Video Transcription

00:02

>> Now on our Windows machine,

00:02

we will catch that thumb-drive [NOISE].

00:02

I don't know why it's saying that.

00:02

Now I can drag this to the desktop.

00:02

As I said before, the trick is to

00:02

get this file to the victim.

00:02

I'm just demonstrating the concept

00:02

>> of getting connected.

00:02

>> The victim thinks they're going

00:02

>> to look at a slide show,

00:02

>> they go ahead and run the program.

00:02

If we go back to Kali,

00:02

we see that we have a connection.

00:02

The handler was listening for this connection.

00:02

It sent the stage over to the remote host,

00:02

and it got connected on the port that I expected to.

00:02

Once I'm connected,

00:02

there's a lot of things I can do, for instance,

00:02

I can look at a process list.

00:02

I could run the sysinfo command,

00:02

shows me a lot of information about

00:02

my remote system, pretty handy.

00:02

Then once you're connected, of course

00:02

you can do other things too,

00:02

like migrate your process somewhere else.

00:02

Let's say the program,

00:02

the payload, that we just generated was

00:02

part of an application, you bundled it in.

00:02

If the person quits the application then

00:02

the connection may die.

00:02

What we can do is migrate

00:02

the connection to another process.

00:02

It looks like it's spawned notepad.exe process,

00:02

and now it's moved

00:02

to process ID 1388 when it was previously 992.

00:02

It's pretty obviously what we just done there.

00:02

We can also try to escalate

00:02

our privileges. I'll try to load it.

00:02

There's other things we can get into,

00:02

but the concept here is to see how

00:02

>> the connection worked.

00:02

>> The trick is to get the infected file

00:02

to the pen testing victim.

00:02

That's all for this section.

00:02

See you in the next one. Thank you.

Up Next

Part 1 - Explore Meterpreter

Part 2 - Screenshot

Part 3 - Privilege Escalation on Win7-32

Part 4 - Clearing Windows Event Logs

Part 5 - Using Incognito

Instructed By

Dean Pompilio

CEO of SteppingStone Solutions

Similar Content

Metasploitable

This assessment is designed to validate students understanding of the Metasploit framework. These challenges will ...

Metasploit Skill Assessment

Metasploit Skill Assessment

One of the largest penetration tools out there, Metasploit is a penetration testing platform that ...

Advanced Penetration Testing

Advanced Penetration Testing

The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an ...

15CEUs