Friday, June 10, 2016

METASPLOIT - Windows 7 - Reverse TCP Shell


- Layout for this exercise:

- As seen in the previous case, bind_tcp.exe is detected by Windows Firewall and its action is blocked unless the victim allows it to run. Firewalls are usually more attentive to INBOUND than to OUTBOUND connections. So, in real-world scenarios, payloads that work over OUTBOUND connections are more likely to succeed, for instance by creating a reverse shell from the victim to the attacker.

- The procedure is similar to the previous one, the only difference being that the reverse_tcp payload is now used:

- As in the previous case, Windows Firewall is also enabled on the victim computer for this example, because the goal is to show that reverse_tcp.exe is not detected and blocked by the normal inbound firewall:

- The attacker Kali sets up a web server on port 8000:

- The victim Windows 7 downloads the executable reverse_tcp.exe:

- Then, the attacker uses a multi/handler exploit with a meterpreter payload, waiting until the victim executes the reverse backdoor. Note that the LHOST option corresponds to the attacker's IP:

- The victim runs reverse_tcp.exe:

- Though the executable is running on the victim, no sign of firewall detection appears:

- At the Kali attacker side a meterpreter session is successfully achieved, allowing post-exploitation of the victim Windows 7:

- However, Windows 7 also has the so-called Windows Firewall with Advanced Security, which allows creating special rules for OUTBOUND connections. In this specific case, it would be possible to create a rule that blocks the action of reverse_tcp.exe, because the advanced firewall would detect the executable.

- Let's create a rule which blocks OUTBOUND connections to the remote port 4444 (generally used by Metasploit):

- The new rule takes the port as the parameter to be controlled:

- The rule applies to TCP port 4444, the remote port used by the attacker Kali with Metasploit:

- The action taken by the new rule is to block the OUTBOUND connection to remote port TCP 4444:

- The rule applies to any type of domain or network location:

- The name for the rule is "Blocking reverse_tcp.exe":
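The same outbound block rule that the wizard builds in the steps above can be created from an elevated command prompt with netsh advfirewall, which is available on Windows 7 (the newer New-NetFirewallRule cmdlet only exists from Windows 8 onwards). This is an added example, not part of the original post; the rule name and the remote port 4444 come from the steps above, and the log path and the default-deny alternative at the end are assumptions about the local policy rather than something the post configures.

```powershell
# Added example (not from the original post): create the outbound block rule
# from an elevated prompt with netsh advfirewall, available on Windows 7.
# Rule name and remote port are the ones chosen in the wizard steps above.

# 1. Block OUTBOUND TCP connections to remote port 4444 on every profile
#    (Domain, Private, Public), mirroring the wizard's choices.
netsh advfirewall firewall add rule name="Blocking reverse_tcp.exe" dir=out action=block protocol=TCP remoteport=4444 profile=any

# 2. Verify that the rule exists and carries the intended direction/action.
netsh advfirewall firewall show rule name="Blocking reverse_tcp.exe"

# 3. Log dropped connections so a blocked callback leaves a trace that can be
#    reviewed later. Assumption: the log stays at the default location,
#    %systemroot%\system32\LogFiles\Firewall\pfirewall.log.
netsh advfirewall set allprofiles logging droppedconnections enable

# 4. (Optional, assumption about local policy) A rule keyed on a single port
#    only covers handlers listening on 4444. A stricter posture is to block
#    all outbound traffic by default and add explicit allow rules for the
#    programs and ports the host legitimately needs.
# netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
```

Step 3 is the detection half of the exercise: with dropped-connection logging on, the failed callback shown later in the post appears as a DROP entry with destination port 4444 in pfirewall.log, which is what an administrator would look for to confirm the rule is doing its job.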

- From the attacker side, a handler is waiting for the victim's connection:

- The victim runs the executable reverse_tcp.exe:

- However, nothing happens in this case because of the new rule created in Windows Firewall with Advanced Security, and the attack is unsuccessful:

- Anyway, it is not very usual for system administrators to create OUTBOUND rules on firewalls, so this last case of a specific rule blocking a reverse shell connection is not very common, although desirable, of course.