Generating Reverse Shell using Msfvenom (One Liner Payload)

Hello friends!! Today you will learn how to spawn a TTY reverse shell through netcat by using a single-line payload, also known as a stager, which comes with Metasploit.

Basically, there are two types of terminal: TTYs and PTs. A TTY is the Linux/Unix shell on a hardwired terminal, that is, a serial connection with a keyboard or mouse attached, while a PT (pseudo TTY) is a copy of such a terminal created for network connections such as SSH or telnet.

Let’s start!!

Attacker: Kali Linux

Target: Ubuntu

Open the terminal in your Kali Linux and type msfconsole to load the Metasploit framework. Now search all one-liner payloads for UNIX systems using the search command as given below; it will dump all the exploits that can be used to compromise a UNIX system.

From the given below image you can observe that it has dumped all the exploits that can be used to compromise a UNIX system. In this tutorial, we are going to use some of these payloads to spawn a TTY shell.

Bash Shell

In order to compromise a bash shell, you can use the reverse_bash payload along with msfvenom as given in the below command.

Here we have entered the following details to generate the one-liner raw payload.

-p: the type of payload you are using, i.e. cmd/unix/reverse_bash

lhost: the listening IP address, i.e. the Kali Linux IP

lport: the listening port number, i.e. 1111 (any random port number that is not used by another service)

R: stands for raw payload

As shown in the below image, the size of the generated payload is 67 bytes. Now copy this malicious code and send it to the target. After that, start netcat to accept the reverse connection and wait for the TTY shell.

For example, when the target opens the malicious code in a terminal, the attacker will get a reverse shell through netcat.

As you can observe from the given below image, the attacker has successfully obtained a TTY shell on the target's system; now he can do whatever he wishes to do.

For example:

whoami: tells you that you are the root user of the system you have compromised.

Netcat Shell

In order to compromise a netcat shell, you can use the reverse_netcat payload along with msfvenom as given in the below command.

Here we have entered the following details to generate the one-liner raw payload.

-p: the type of payload you are using, i.e. cmd/unix/reverse_netcat

lhost: the listening IP address, i.e. the Kali Linux IP

lport: the listening port number, i.e. 2222 (any random port number that is not used by another service)

R: stands for raw payload

As shown in the below image, the size of the generated payload is 104 bytes. Now copy this malicious code and send it to the target. After that, start netcat to accept the reverse connection and wait for the TTY shell.

When the target opens the malicious code in a terminal, the attacker will get a reverse shell through netcat.

As you can observe from the given below image, the attacker has successfully obtained a TTY shell on the target's system.

Perl shell

In order to compromise a Perl shell, you can use the reverse_perl payload along with msfvenom as given in the below command.

Here we have entered the following details to generate the one-liner raw payload.

-p: the type of payload you are using, i.e. cmd/unix/reverse_perl

lhost: the listening IP address, i.e. the Kali Linux IP

lport: the listening port number, i.e. 3333 (any random port number that is not used by another service)

R: stands for raw payload

As shown in the below image, the size of the generated payload is 232 bytes. Now copy this malicious code and send it to the target. After that, start netcat to accept the reverse connection and wait for the TTY shell.

Now again, when the target opens the malicious code in a terminal, the attacker will get a reverse shell through netcat.

As you can observe from the given below image, the attacker has successfully obtained a TTY shell on the target's system. Here we found the target's IP address, 192.168.1.1106, by executing the ifconfig command in the TTY shell.

Python Shell

In order to compromise a Python shell, you can use the reverse_python payload along with msfvenom as given in the below command.

Here we have entered the following details to generate the one-liner raw payload.

-p: the type of payload you are using, i.e. cmd/unix/reverse_python

lhost: the listening IP address, i.e. the Kali Linux IP

lport: the listening port number, i.e. 4444 (any random port number that is not used by another service)

R: stands for raw payload

As shown in the below image, the size of the generated payload is 533 bytes. Now copy this malicious code and send it to the target. After that, start netcat to accept the reverse connection and wait for the TTY shell.

Again, when the target opens the following malicious code in his terminal, the attacker will get the reverse shell through netcat.

As you can observe from the given below image, the attacker has successfully obtained a TTY shell on the target's system; now he can do whatever he wishes to do.

For example:

ifconfig: shows the IP configuration of the system you have compromised.

Ruby Shell

In order to compromise a Ruby shell, you can use the reverse_ruby payload along with msfvenom as given in the below command.

Here we have entered the following details to generate the one-liner raw payload.

-p: the type of payload you are using, i.e. cmd/unix/reverse_ruby

lhost: the listening IP address, i.e. the Kali Linux IP

lport: the listening port number, i.e. 5555 (any random port number that is not used by another service)

R: stands for raw payload

As shown in the below image, the size of the generated payload is 131 bytes. Now copy this malicious code and send it to the target. After that, start netcat to accept the reverse connection and wait for the TTY shell.

Again, when the target opens the malicious code in his terminal, the attacker will get a reverse shell through netcat.

As you can observe from the given below image, the attacker has successfully obtained a TTY shell on the target's system; now he can do whatever he wishes to do.

For example:

ifconfig: shows the IP configuration of the system you have compromised.

Netcat Gaping (Traditional)

In order to compromise a command shell, you can use the reverse_netcat_gaping payload along with msfvenom as given in the below command.

Here we have entered the following details to generate the one-liner raw payload.

-p: the type of payload you are using, i.e. cmd/unix/reverse_netcat_gaping

lhost: the listening IP address, i.e. the Kali Linux IP

lport: the listening port number, i.e. 6666 (any random port number that is not used by another service)

R: stands for raw payload

As shown in the below image, the size of the generated payload is 533 bytes. Now copy this malicious code and send it to the target. After that, start netcat to accept the reverse connection and wait for the TTY shell.

In order to access the /bin/sh shell of the target system and compromise the TTY shell, we first accessed a PT terminal of the target through SSH and then pasted the malicious code.

From the given below image you can observe that we have successfully accessed a TTY shell of the target system.
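A defender-side counterpart to the payload families above, added here as an example and not part of the original article: it scans process-execution records for interpreter one-liners that reference a network primitive, the shape that every payload in this tutorial shares. The record format, the LISTENER_IP placeholder and the elided ("...") bodies are constructed assumptions.

```python
import shlex
from typing import Dict, List

# Interpreters the article's msfvenom one-liners run under, and the flags that
# hand them inline code on the command line.
INTERPRETERS = {"sh", "bash", "perl", "ruby", "python", "python2", "python3"}
INLINE_FLAGS = {"-c", "-e"}
# Network primitives the listed payload families depend on; an inline one-liner
# on a server rarely has a legitimate reason to use them (all lowercase).
NETWORK_HINTS = ("/dev/tcp/", "socket", "connect(", "mkfifo", "mknod", " nc ", "ncat")

# Constructed process-execution records: "<user> <pid> <cmdline>". Payload bodies
# are elided ("...") and LISTENER_IP is a placeholder; none of these lines runs.
SAMPLE_EVENTS = [
    "root 1011 bash -c 'apt-get update && apt-get -y upgrade'",
    "deploy 1042 python3 -c 'import json,sys;print(json.load(sys.stdin)[\"v\"])'",
    "www-data 2310 bash -c 'exec 5<>/dev/tcp/LISTENER_IP/1111 ...'",
    "www-data 2315 perl -e 'use Socket; ... connect(S, sockaddr_in(3333, ...)) ...'",
    "www-data 2320 ruby -rsocket -e 'c=TCPSocket.new(\"LISTENER_IP\", 5555) ...'",
    "www-data 2325 sh -c 'mkfifo /tmp/f; nc LISTENER_IP 6666 0</tmp/f ...'",
]


def parse_event(record: str) -> Dict[str, object]:
    """Split a record into user, pid and the argv of the executed command."""
    user, pid, cmdline = record.split(" ", 2)
    return {"user": user, "pid": int(pid), "argv": shlex.split(cmdline)}


def inline_network_reasons(argv: List[str]) -> List[str]:
    """Return the network hints found in an interpreter one-liner, else []."""
    if not argv or argv[0].rsplit("/", 1)[-1] not in INTERPRETERS:
        return []
    if not INLINE_FLAGS.intersection(argv[1:]):
        return []
    body = " " + " ".join(argv[1:]).lower() + " "
    return [hint for hint in NETWORK_HINTS if hint in body]


def detect(records: List[str]) -> List[Dict[str, object]]:
    """Alert on every record that is an interpreter one-liner touching the network."""
    alerts = []
    for record in records:
        event = parse_event(record)
        reasons = inline_network_reasons(event["argv"])
        if reasons:
            alerts.append({"pid": event["pid"], "user": event["user"],
                           "interp": event["argv"][0], "reasons": reasons})
    return alerts
```

The two administrative one-liners pass because they contain none of the hints, while the four payload-shaped records are flagged with the primitive that gave them away.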

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast. Contact here

6 Ways to Hack PostgreSQL Login

In this article, we will learn how to gain control over our victim's PC through port 5432, which is used by the Postgres service. There are various ways to do it, so let's take the time to learn all of them, because different circumstances call for different measures.

Table of Contents

  • Hydra
  • X-Hydra
  • Medusa
  • Ncrack
  • Patator
  • Metasploit

Let's start!!

Hydra

Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, Postgres, http, https, smb, several databases, and much more.

Now, we need to choose a word list. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command:

-L: denotes the path for the username list

-P: denotes the path for the password list

Once the command is executed it will start the dictionary attack, and you will have the right username and password in no time. As you can observe, we have successfully grabbed the Postgres username as Postgres and password as postgres.

xHydra

This is the graphical version, used to apply a dictionary attack via port 5432 to hack a system. For this method to work:

Open xHydra in your Kali and select the Single Target option, and there give the IP of your victim PC. Then select Postgres in the box against the Protocol option and give the port number 5432 against the Port option.

Now, go to the Passwords tab and select Username List, and give the path of your text file containing the usernames in the box adjacent to it.

Then select Password List and give the path of your text file containing all the passwords in the box adjacent to it.

After doing this, go to the Start tab and click on the Start button on the left.

Now the dictionary attack will start. Thus, you will attain the username and password of your victim.

Medusa

Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, POSTGRES, HTTP, IMAP, rlogin, SSH, Subversion, and VNC to name a few.

Run the following command:

Here

-U: denotes the path for the username list

-P: denotes the path for the password list

As you can observe, we have successfully grabbed the Postgres username as Postgres and password as postgres.

Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.

Run the following command:

Here

-U: denotes the path for the username list

-P: denotes the path for the password list

As you can observe, we have successfully grabbed the Postgres username as Postgres and password as postgres.

Patator

Patator is a multi-purpose brute-forcer with a modular design and flexible usage. It is quite useful for running brute force attacks against several services such as POSTGRES, HTTP, SMB, etc.

From the given below image you can observe that the dictionary attack starts and thus you will attain the username and password of your victim.

Metasploit

This module attempts to authenticate against a PostgreSQL instance using the username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. Note that passwords may be either plaintext or MD5 formatted hashes.

Open a Kali terminal and type msfconsole. Now type the following:

From the given below image you can observe that we have successfully grabbed the POSTGRES username and password.

Author: Rahul Virmani is a Certified Ethical Hacker and a researcher in the field of network Penetration Testing (CYBERSECURITY). Contact Here

5 Ways to Hack MySQL Login Password

In this article, we will learn how to gain control over our victim's PC through the MySQL service via port 3306. There are various ways to do it, so let's take the time to learn all of them, because different circumstances call for different measures.

Medusa

Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, and VNC to name a few.

Run the following command:

Here

-U: denotes the path for the username list

-P: denotes the path for the password list

As you can observe, we have successfully grabbed the MySQL username as root and password as toor.

Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.

Run the following command:

Here

-U: denotes the path for the username list

-P: denotes the path for the password list

As you can observe, we have successfully grabbed the MySQL username as root and password as toor.

xHydra

This is the graphical version, used to apply a dictionary attack via port 3306 to hack a system. For this method to work:

Open xHydra in your Kali and select the Single Target option, and there give the IP of your victim PC. Then select MYSQL in the box against the Protocol option and give the port number 3306 against the Port option.

Now, go to the Passwords tab and select Username List, and give the path of your text file containing the usernames in the box adjacent to it.

Then select Password List and give the path of your text file containing all the passwords in the box adjacent to it.

After doing this, go to the Start tab and click on the Start button on the left.

Now the dictionary attack will start. Thus, you will attain the username and password of your victim.

Hydra

Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more.

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command:

-L: denotes the path for the username list

-P: denotes the path for the password list

Once the command is executed it will start the dictionary attack, and you will have the right username and password in no time. As you can observe, we have successfully grabbed the MySQL username as root and password as toor.

Metasploit

This module simply queries the MySQL instance for a specific user/pass (default is root with blank).

This will start the brute force attack and try to find a valid username and password combination using the user.txt and pass.txt files.

From the given image you can observe that our MySQL server is not secure against brute force attacks, because it shows a matching combination of username root and password toor for login.

Once the attacker retrieves valid credentials he can directly log in to the MySQL server to steal or destroy the database information.
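Every tool in the PostgreSQL and MySQL articles above leaves the same trace on the server: a burst of failed logins from one source within seconds. As an added example that is not part of either article, the following Python flags those bursts in both log formats. It assumes PostgreSQL's log_line_prefix = '%m [%p] %u@%d %h ' (so the client address is logged) and a MySQL error log verbose enough to record Access denied messages; all log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed formats: PostgreSQL with log_line_prefix = '%m [%p] %u@%d %h ' (so the client
# address is logged) and a MySQL error log of the shape "<ts> <id> [Note] Access denied ...".
PG_RE = re.compile(r'^(?P<ts>\S+ \S+) \S+ \[\d+\] \S+@\S+ (?P<src>\S+) FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"')
MY_RE = re.compile(r"^(?P<ts>\S+) \d+ \[Note\] Access denied for user '(?P<user>[^']+)'@'(?P<src>[^']+)'")

# Constructed log lines: a burst from 192.168.1.2 against both services plus one isolated typo from 10.0.0.9.
SAMPLE_LOG = [
    f'2024-03-01 10:00:{i:02d}.000 UTC [2211] postgres@postgres 192.168.1.2 FATAL:  password authentication failed for user "{u}"'
    for i, u in enumerate(["postgres", "postgres", "admin", "postgres", "postgres", "admin"])
] + ['2024-03-01 10:05:00.000 UTC [2290] alice@app 10.0.0.9 FATAL:  password authentication failed for user "alice"'] + [
    f"2024-03-01T10:10:{i:02d}Z {20 + i} [Note] Access denied for user 'root'@'192.168.1.2' (using password: YES)"
    for i in range(5)
]


def parse_failure(line):
    """Return (service, source, user, timestamp) for a failed-login line, else None."""
    m = PG_RE.match(line)
    if m:
        return "postgresql", m["src"], m["user"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    m = MY_RE.match(line)
    if m:
        return "mysql", m["src"], m["user"], datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return None


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert once per (service, source) that reaches `threshold` failures inside `window`."""
    recent = defaultdict(deque)   # (service, source) -> failure timestamps still in window
    users = defaultdict(set)      # (service, source) -> usernames tried so far
    alerts, fired = [], set()
    for line in lines:
        failure = parse_failure(line)
        if failure is None:
            continue
        service, src, user, ts = failure
        key = (service, src)
        recent[key].append(ts)
        users[key].add(user)
        while ts - recent[key][0] > window:   # slide the window forward
            recent[key].popleft()
        if len(recent[key]) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"service": service, "source": src,
                           "failures": len(recent[key]), "users": sorted(users[key])})
    return alerts
```

The alert carries the usernames tried, which separates a wordlist run (several accounts from one address) from a single user mistyping a password.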

Author: Rahul Virmani is a Certified Ethical Hacker and a researcher in the field of network Penetration Testing (CYBER SECURITY). Contact Here

Bypass SSH Restriction by Port Relay

Today we are going to access the SSH port, which is blocked by the firewall, by forwarding it to another port through a port relay tool. A netcat relay is quite a useful tool for connecting to a remote system while evading a firewall restriction.

Attacker: Kali Linux (IP: 192.168.1.2)

Victim: Ubuntu Server (IP: 192.168.1.7)

Connect to SSH via port 22

Let's first try to get a normal SSH shell. As you can see in the given screenshot, we successfully get an SSH shell on port 22 of the server 192.168.1.7.

Block Port 22 for Incoming TCP Packet

Now let's block the SSH service, port 22, for incoming TCP packets using iptables. Here we are making an inbound rule to block TCP packets to port 22 if the packet source is Kali (192.168.1.2).

After blocking the port, let's try to get a shell. From the given below image you can observe that we got a Connection Timed Out error, as the packets are dropped by the firewall.

Allow TCP Packets on another port

Now let's make a rule in the firewall to accept TCP packets on port 4444 if the packet source is Kali (192.168.1.2).
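To see why this two-rule firewall still leaves a way in, here is an added example, not from the original article, that audits an iptables-save dump of the INPUT chain: it reports a permissive default policy, a DROP scoped to a single source, and an ACCEPT for a port outside the allow-list, and returns nothing for a default-deny ruleset. The first ruleset is constructed to mirror the article's two rules; the default-deny variant and the 10.10.0.0/24 admin network are assumptions.

```python
# Constructed iptables-save excerpt mirroring the article's two rules on the Ubuntu
# server (192.168.1.2 is the Kali host in the article).
ARTICLE_RULESET = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.2/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 192.168.1.2/32 -p tcp -m tcp --dport 4444 -j ACCEPT
COMMIT
"""

# Constructed default-deny alternative: only established traffic and SSH from an
# admin network are accepted; everything else falls through to the DROP policy.
DEFAULT_DENY_RULESET = """*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.10.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_input_chain(saved):
    """Return the INPUT policy and its rules as {src, port, target} dicts."""
    policy, rules = None, []
    for line in saved.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            toks = line.split()
            rule = {"src": None, "port": None, "target": None}
            for i, tok in enumerate(toks[:-1]):
                if tok == "-s":
                    rule["src"] = toks[i + 1]
                elif tok == "--dport":
                    rule["port"] = int(toks[i + 1])
                elif tok == "-j":
                    rule["target"] = toks[i + 1]
            rules.append(rule)
    return policy, rules


def audit_input_chain(saved, allowed_ports=(22,)):
    """List the gaps that let an allowed port relay traffic to a blocked service."""
    policy, rules = parse_input_chain(saved)
    findings = []
    if policy != "DROP":
        findings.append(f"INPUT policy is {policy}: ports without a rule stay reachable, so dropping port 22 alone does not isolate the host")
    for r in rules:
        if r["target"] == "DROP" and r["src"] and r["port"]:
            findings.append(f"port {r['port']} is dropped only for {r['src']}; every other source still reaches it")
        if r["target"] == "ACCEPT" and r["port"] and r["port"] not in allowed_ports:
            findings.append(f"port {r['port']} is accepted from {r['src'] or 'anywhere'}; an extra open port can carry a relay to a blocked service")
    return findings
```

Run against a live host with `audit_input_chain(subprocess.check_output(["iptables-save"], text=True))`; the parser only reads the INPUT chain and ignores other tables.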

Check Netcat communication between Attacker and Client

Let's check if we can get a netcat session on port 4444 to Kali (192.168.1.2).

As you can see in the given image, we have received a netcat session on port 4444 from the SSH server on Kali (192.168.1.2).

Use Netcat Relay backpipe to access SSH service

Now we will have to make a relay. But first, let's understand what the commands depicted below do.

The first command makes a special type of file called a FIFO, or named pipe. We call it backpipe because it is going to carry our responses back through the relay.

The second command makes a netcat listener on a port that is allowed through the firewall. This netcat listener connects its standard input (0<) to the backpipe. We then forward the standard output of this netcat listener to a netcat client, which connects to our localhost (127.0.0.1) on TCP port 22, where sshd listens. We then use the forward pipe (1>) to send data and receive responses simultaneously. We need both a back pipe and a forward pipe because netcat provides two-way communication.

Here,

[p]: tells mknod to create a FIFO

Here,

[-l]: Listener

[-p]: Port

Access SSH through Netcat Relay

Now let's try to make the SSH connection through port 4444.

Here,

[-p]: To specify Port

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Contact here