search

Modules, targets

triangle-exclamation

It is important to note that payloads and exploits HIGHLY depends on the target's environment, architecture. Etc since it is based on the return addresses of the functions and registers so at times we will be crafting our own.

hashtag
Modules

<No.> <type>/<os>/<service>/<name>
794   exploit/windows/ftp/scriptftp_list

  • Type:

    • Auxiliary: Scanning, fuzzing...etc

    • Encoders: Encoding the payloads.

    • Exploits:

    • NOPs: No Operation Code, padding for the payload.

    • Payloads:

    • Plugins:

    • Post: Post exploitation; pivoting deeper...etc

hashtag
Navigating in msfconsole modules

msf6 > search type:exploit platform:windows cve:2021 rank:excellent microsoft
msf6 > use 0
msf6 exploit(windows/smb/ms17_010_psexec) > options
msf6 exploit(windows/smb/ms17_010_psexec) > info
msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.10.10.40
msf6 exploit(windows/smb/ms17_010_psexec) > setg RHOSTS 10.10.10.40 # Kepp it the same for all the next work.
msf6 exploit(windows/smb/ms17_010_psexec) > run

hashtag
Targets

Simply the targets available for a specific selected exploit. Potentially victims.

hashtag
Payloads

The code that gets executed to exploit a certain vulnerability. The exists three types of payloads in metasploit:

  • Singles: windows/shell_bind_tcp, it contains the entire shellcode for the selected task, so they're more stable than the staged ones since they are AIO which makes them heavier than other types of payloads.

  • Stagers: windows/shell/bind_tcp, These work alongside stages, they are waiting on the attacker's machine to establish a connection to the victim host once the stage completes its task on the target. Small in size.

    • Faces a huge issue when dealing with NX bits and DEP measures.

    • Stagers that are NX-aware are bigger in size.

  • Stages: windows/shell/bind_tcp, payload components that are loaded by the loader.

hashtag
Staged Payloads

As mentioned earlier, they're an exploitation process that is decomposed and modularized to help in the segmentation of the exploitation in action to be less detectable and picked by AV or IPS. If all the stages work with no issues, the attacker will gain his beloved remote access.

The meterpreter payload for example uses DLL injection in order to ensure a communication with the target. Once we successfully infect the target, we see a meterpreter interface that looks like the msfconsole except that the commands that we will be executing are aimed at the target.

hashtag
Searching, Selecting and using payloads

Payload

Description

generic/custom

Generic listener, multi-use

generic/shell_bind_tcp

Generic listener, multi-use, normal shell, TCP connection binding

generic/shell_reverse_tcp

Generic listener, multi-use, normal shell, reverse TCP connection

windows/x64/exec

Executes an arbitrary command (Windows x64)

windows/x64/loadlibrary

Loads an arbitrary x64 library path

windows/x64/messagebox

Spawns a dialog via MessageBox using a customizable title, text & icon

windows/x64/shell_reverse_tcp

Normal shell, single payload, reverse TCP connection

windows/x64/shell/reverse_tcp

Normal shell, stager + stage, reverse TCP connection

windows/x64/shell/bind_ipv6_tcp

Normal shell, stager + stage, IPv6 Bind TCP stager

windows/x64/meterpreter/$

Meterpreter payload + varieties above

windows/x64/powershell/$

Interactive PowerShell sessions + varieties above

windows/x64/vncinject/$

VNC Server (Reflective Injection) + varieties above

Other critical payloads that are heavily used by penetration testers during security assessments are Empire and Cobalt Strike payloads. These are not in the scope of this course, but feel free to research them in our free time as they can provide a significant amount of insight into how professional penetration testers perform their assessments on high-value targets.

PreviousMetasploitNextExternal Modules

Last updated