Friday, June 10, 2016

METASPLOIT - Windows 7 - Bind TCP Shell


- Layout for this exercise:

msfvenom converts Metasploit payloads into executable or binary files. In this case, the windows/meterpreter/bind_tcp payload is converted into a Microsoft executable file (.exe) with these options:

-a x86 = architecture x86
-f exe = format executable

- The file command checks that bind_tcp.exe is of PE32 type. PE (Portable Executable) is the file format for executables, object code, DLLs, font files and others on 32- and 64-bit versions of Windows.
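The same check the file command performs can be done by reading the PE header directly, which is useful when triaging a downloaded binary on a host without that tool. The following Python script is an added example written for this page, not code from the post or from Metasploit; the Machine and Magic constants come from the PE specification, and the sample headers it builds are constructed, non-runnable test data.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Machine values and optional-header Magic values from the PE spec.
MACHINE_NAMES = {0x014C: "x86 (i386)", 0x8664: "x64 (AMD64)", 0x01C0: "ARM", 0xAA64: "ARM64"}
MAGIC_NAMES = {0x010B: "PE32", 0x020B: "PE32+"}


def pe_info(data):
    """Return {'machine': ..., 'type': ...} for a PE image, or None if the
    bytes do not carry a well-formed PE header."""
    # DOS stub: 'MZ' signature, then e_lfanew (offset of the PE header) at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the signature (4) + COFF header (20) + at least the Magic field (2).
    if pe_off + 26 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    machine, = struct.unpack_from("<H", data, pe_off + 4)      # COFF Machine
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)    # SizeOfOptionalHeader
    if opt_size < 2:
        return None  # object files may lack an optional header; not an executable image
    magic, = struct.unpack_from("<H", data, pe_off + 24)       # optional header Magic
    return {
        "machine": MACHINE_NAMES.get(machine, "unknown (0x%04x)" % machine),
        "type": MAGIC_NAMES.get(magic, "unknown (0x%04x)" % magic),
    }


def build_sample(machine, magic):
    """Build a minimal PE header for testing (constructed data, not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 2, 0x0102)
    return dos + b"PE\0\0" + coff + struct.pack("<H", magic)


SAMPLE_X86 = build_sample(0x014C, 0x010B)   # what a 32-bit -a x86 -f exe output looks like
SAMPLE_X64 = build_sample(0x8664, 0x020B)   # 64-bit PE32+ for comparison

if __name__ == "__main__":
    # Usage: python pe_check.py <file> [<file> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, pe_info(f.read()))
```

Only the header is inspected, so the script never executes the file. A result of "x86 (i386)" with "PE32" is what the -a x86 / -f exe options described above produce; anything else, or None, means the downloaded file is not what the post's workflow would create.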

From the Kali attacker side, a SimpleHTTPServer is run, accepting connections on port 8000:

- The victim Windows 7 connects to the attacker's web server and downloads bind_tcp.exe:

- The client or victim Windows 7 has now downloaded bind_tcp.exe, a backdoor that, if executed, opens an unwanted network connection between attacker and victim.

The attacker sees in the web server log that bind_tcp.exe has been downloaded on the client side, together with the client's IP:

Then, the attacker sets up a handler exploit with the meterpreter payload and waits until the victim runs the executable. RHOST is set to the victim's IP:

- On the client side, the victim executes bind_tcp.exe:

- Now, Windows 7 is running bind_tcp.exe:

- As a consequence, on the attacker side a meterpreter session is automatically created by the handler:

- Running netstat on both Windows 7 and Kali shows how a connection has been established between the victim and the attacker:

- However, bind_tcp.exe would be stopped if a firewall were present. Let's see what happens when Windows Firewall is "on":

- If the victim runs bind_tcp.exe, Windows Firewall immediately detects it and blocks it:

- Only if the victim clicked the Allow access option (which would be unwise) would the executable be allowed to run.

- The conclusion is that Bind Shell payloads don't work with firewalls, because these programs or devices are usually configured to detect and block INBOUND connections. The solution would be to use OUTBOUND connections, like those provided by Reverse Shell payloads.
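The netstat comparison above and the inbound/outbound distinction in the conclusion are exactly what a defender looks for on the host: a bind shell appears as a new LISTENING socket plus an ESTABLISHED connection arriving at it, whereas an outbound connection (the download from port 8000 earlier in the post, or a reverse shell) shows an ephemeral local port and a remote service port. The following Python script is an added example written for this page, not code from the post; it parses constructed Windows "netstat -ano" style output and the baseline set of expected listening ports is a hypothetical allowlist for that sample.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows "netstat -ano" output (not captured from the post).
# PIDs, ports and addresses are made up; the only deliberate detail is that the
# 49211 -> 8000 row mirrors a download from a web server on port 8000.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       764
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4455           0.0.0.0:0              LISTENING       2212
  TCP    192.168.56.20:4455     192.168.56.10:39144    ESTABLISHED     2212
  TCP    192.168.56.20:49211    192.168.56.10:8000     ESTABLISHED     3020
  UDP    0.0.0.0:5355           *:*                                    1096
"""

# Hypothetical baseline: ports this host is expected to listen on.
EXPECTED_LISTEN_PORTS = {135, 445}


@dataclass
class Socket:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int


# Matches TCP rows only; UDP rows have no State column and are not needed here.
# "\S+" also copes with bracketed IPv6 addresses such as [::]:135.
TCP_ROW = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_]+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return the TCP sockets listed in netstat -ano style output."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            rows.append(Socket(m.group(1), int(m.group(2)), m.group(3),
                               int(m.group(4)), m.group(5), int(m.group(6))))
    return rows


def classify(rows, expected_listen_ports):
    """Flag listeners outside the baseline and label each established
    connection inbound (peer connected to one of our listening ports) or
    outbound (we connected to a remote service)."""
    listening = {r.local_port for r in rows if r.state == "LISTENING"}
    findings = []
    for r in rows:
        if r.state == "LISTENING" and r.local_port not in expected_listen_ports:
            findings.append({"kind": "unexpected-listener",
                             "port": r.local_port, "pid": r.pid})
        elif r.state == "ESTABLISHED":
            kind = "inbound" if r.local_port in listening else "outbound"
            port = r.local_port if kind == "inbound" else r.remote_port
            findings.append({"kind": kind, "port": port,
                             "peer": r.remote_ip, "pid": r.pid})
    return findings


if __name__ == "__main__":
    for f in classify(parse_netstat(SAMPLE_NETSTAT), EXPECTED_LISTEN_PORTS):
        print(f)
```

On the sample, the unexpected listener and the inbound connection share a PID, which is the bind shell pattern; the outbound row is ordinary client traffic. A host firewall that blocks unsolicited inbound connections stops the first pattern, as the post shows, but not the second, which is why the conclusion recommends not relying on the firewall alone for outbound activity.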