#readwise
# Using the Metasploit Framework - Payloads

## Metadata
- Author: [[Hack The Box]]
- Full Title: Using The Metasploit Framework - Payloads
- URL: https://academy.hackthebox.com/module/39/section/407
## Summary
A Single payload combines an exploit and shellcode for tasks like adding a user or starting a process on a target system. Meterpreter payloads are designed to maintain a stable and stealthy connection to the victim host. Users can search for specific payloads, making it easier to find the right one for their needs. The process includes setting parameters like the target IP address before executing the exploit.
## Highlights
A `Payload` in Metasploit refers to a module that aids the exploit module in (typically) returning a shell to the attacker. The payload is sent together with the exploit itself: the exploit's job is to bypass the normal functioning of the vulnerable service (`exploit's job`), after which the payload runs on the target OS, typically to return a reverse connection to the attacker and establish a foothold (`payload's job`). ([View Highlight](https://read.readwise.io/read/01jqsf9rxfe8v1adxrr6a0jng2)) ^kx0uoq
---
There are three different types of payload modules in the Metasploit Framework: Singles, Stagers, and Stages. Having these three kinds of payload interaction available is beneficial to the pentester, because it offers the flexibility needed for different types of tasks. Whether or not a payload is staged is represented by `/` in the payload name. For example, `windows/shell_bind_tcp` is a single payload with no stage, whereas `windows/shell/bind_tcp` consists of a stager (`bind_tcp`) and a stage (`shell`). ([View Highlight](https://read.readwise.io/read/01jqsfb4p6ghhc6e6t35yt44x7)) ^jza4mc
---
A `Single` payload contains the exploit and the entire shellcode for the selected task. Inline payloads are by design more stable than their counterparts because they contain everything all-in-one. However, some exploits will not support the resulting size of these payloads as they can get quite large. `Singles` are self-contained payloads. They are the sole object sent and executed on the target system, getting us a result immediately after running. A Single payload can be as simple as adding a user to the target system or booting up a process. ([View Highlight](https://read.readwise.io/read/01jqsfc9jphdrbqy6dvsq4878t)) ^lkm0se
---
`Stager` payloads work with Stage payloads to perform a specific task. A Stager is waiting on the attacker machine, ready to establish a connection to the victim host once the stage completes its run on the remote host. `Stagers` are typically used to set up a network connection between the attacker and victim and are designed to be small and reliable. ([View Highlight](https://read.readwise.io/read/01jqsfdwtzjp6q7k1tw9nnvje1)) ^6rfmci
---
`Stages` are payload components that are downloaded by Stager modules. The various payload Stages provide advanced features with no size limits, such as Meterpreter, VNC Injection, and others. ([View Highlight](https://read.readwise.io/read/01jqsfgtc5d95w28bhad6t94jr)) ^keko5i
---
A staged payload is, simply put, an `exploitation process` that is modularized and functionally separated to help segregate the different functions it accomplishes into different code blocks, each completing its objective individually but working on chaining the attack together. This will ultimately grant an attacker remote access to the target machine if all the stages work correctly.
The aim of this payload, as with any other, besides granting shell access to the target system, is to be as compact and inconspicuous as possible, so as to aid Antivirus (`AV`) / Intrusion Prevention System (`IPS`) evasion as much as possible.
`Stage0` of a staged payload represents the initial shellcode sent over the network to the target machine's vulnerable service, which has the sole purpose of initializing a connection back to the attacker machine. This is what is known as a reverse connection. As a Metasploit user, we will meet these under the common names `reverse_tcp`, `reverse_https`, and `bind_tcp`. ([View Highlight](https://read.readwise.io/read/01jqsfk4wp9d3mnn9fdymzh6qh)) ^pvnsrq
---
Stage0 code also aims to read a larger, subsequent payload into memory once it arrives. After the stable communication channel is established between the attacker and the victim, the attacker machine will most likely send an even bigger payload stage which should grant them shell access. This larger payload would be the `Stage1` payload. We will go into more detail in the later sections. ([View Highlight](https://read.readwise.io/read/01jqsfnqs0yxgh81ef1g21yzkh))
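The Stage0/Stage1 model described in the two highlights above has a recognisable network shape from the defender's side: the small stager connects out, sends almost nothing, and then receives a much larger blob (the stage) before any interactive traffic starts. The following is an added example, not part of the Hack The Box module and not Metasploit code, that scores constructed flow records against that shape. The flow records, the process allow-list, the port set and every threshold are assumptions for the demonstration; ordinary downloads will trip the byte-ratio part on their own, so the score only becomes interesting in combination with the port and process context.

```python
"""Score outbound flows against the staged reverse-payload shape.

Added example (not from the HTB module, not Metasploit code). Model taken
from the text: Stage0 is a tiny stager that connects back to the attacker,
then reads a much larger Stage1 into memory. All sample data and thresholds
below are constructed assumptions for the demo.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Flow:
    src: str         # internal host that opened the connection
    dst: str         # remote peer it connected to
    dport: int       # remote port
    bytes_out: int   # bytes sent by the internal host
    bytes_in: int    # bytes received by the internal host
    proc: str        # process that owned the socket (EDR/Sysmon-style source)


# Constructed sample flows. Only the third one has the staged-callback shape:
# a handful of bytes out, a large stage in, on a non-web port, from a
# process that has no reason to pull large blobs from the internet.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5", "203.0.113.10", 443, bytes_out=2_100, bytes_in=48_000, proc="chrome.exe"),
    Flow("10.0.0.5", "203.0.113.44", 4444, bytes_out=0, bytes_in=0, proc="svchost.exe"),
    Flow("10.0.0.7", "198.51.100.9", 4444, bytes_out=120, bytes_in=210_000, proc="notepad.exe"),
    Flow("10.0.0.7", "198.51.100.9", 4444, bytes_out=900, bytes_in=1_100, proc="notepad.exe"),
]

BROWSER_LIKE = {"chrome.exe", "firefox.exe", "msedge.exe"}  # assumed allow-list
WEB_PORTS = {80, 443}                                        # assumed "normal" ports


def staged_callback_score(f: Flow, min_stage_bytes: int = 100_000,
                          max_stager_bytes: int = 4_096) -> int:
    """0 = nothing notable; higher = more of the staged-callback pattern."""
    score = 0
    if f.bytes_in >= min_stage_bytes and f.bytes_out <= max_stager_bytes:
        score += 2   # tiny stager sent almost nothing, then received a large stage
    if f.dport not in WEB_PORTS:
        score += 1   # inbound blob on a port where large transfers are unusual
    if f.proc not in BROWSER_LIKE:
        score += 1   # owning process is not one that normally downloads content
    return score


def flag_staged_callbacks(flows: List[Flow], threshold: int = 3) -> List[Flow]:
    """Return the flows whose score reaches the (assumed) alert threshold."""
    return [f for f in flows if staged_callback_score(f) >= threshold]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport} {f.proc:12} score={staged_callback_score(f)}")
    print("flagged:", [(f.src, f.dst) for f in flag_staged_callbacks(SAMPLE_FLOWS)])
```

Note what this heuristic cannot see: a single (stageless) payload such as `windows/x64/shell_reverse_tcp` arrives complete inside the exploit and never pulls a second stage, so its first connection looks like the fourth sample flow. Byte-shape scoring therefore complements, rather than replaces, detection on the exploit itself and on what the shell does afterwards.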
---
The `Meterpreter` payload is a specific type of multi-faceted payload that uses `DLL injection` to ensure the connection to the victim host is stable, hard to detect by simple checks, and persistent across reboots or system changes. Meterpreter resides completely in the memory of the remote host and leaves no traces on the hard drive, making it very difficult to detect with conventional forensic techniques. In addition, scripts and plugins can be `loaded and unloaded` dynamically as required.
Once the Meterpreter payload is executed, a new session is created, which spawns the Meterpreter interface. It is very similar to the msfconsole interface, but all available commands are aimed at the target system, which the payload has "infected." It offers us a plethora of useful commands, ranging from keystroke capture, password hash collection, microphone tapping, and screenshotting to impersonating process security tokens. ([View Highlight](https://read.readwise.io/read/01jqsfqgrqzpadx5dn48w828t4))
---
The table below contains the most common payloads used for Windows machines and their respective descriptions. ^m1ubpu
| Payload | Description |
| --------------------------------- | ---------------------------------------------------------------------- |
| `generic/custom` | Generic listener, multi-use |
| `generic/shell_bind_tcp` | Generic listener, multi-use, normal shell, TCP connection binding |
| `generic/shell_reverse_tcp` | Generic listener, multi-use, normal shell, reverse TCP connection |
| `windows/x64/exec` | Executes an arbitrary command (Windows x64) |
| `windows/x64/loadlibrary` | Loads an arbitrary x64 library path |
| `windows/x64/messagebox` | Spawns a dialog via MessageBox using a customizable title, text & icon |
| `windows/x64/shell_reverse_tcp` | Normal shell, single payload, reverse TCP connection |
| `windows/x64/shell/reverse_tcp` | Normal shell, stager + stage, reverse TCP connection |
| `windows/x64/shell/bind_ipv6_tcp` | Normal shell, stager + stage, IPv6 Bind TCP stager |
| `windows/x64/meterpreter/` | Meterpreter payload + varieties above |
| `windows/x64/powershell/` | Interactive PowerShell sessions + varieties above |
| `windows/x64/vncinject/` | VNC Server (Reflective Injection) + varieties above |
^rq8t5t
([View Highlight](https://read.readwise.io/read/01jqsg9bwsjcef73b8cf5zr4fr))
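The naming rule given earlier (`/` between stage and stager marks a staged payload; a `_`-joined task segment marks a single) can be applied mechanically to every row of the table above. The following is an added example, not code from the Hack The Box module or from Metasploit, that parses a payload name into platform, optional architecture and its task part, and reports whether a handler would have to serve a second stage. The platform and architecture sets are assumptions chosen to cover the rows on this page, not Metasploit's own registry; the trailing `/` on the last three rows is read as a stage family whose stager is still to be chosen.

```python
"""Classify Metasploit payload names by the single/staged naming rule.

Added example, not code from the Hack The Box module or from Metasploit.
Rule from the text: two "/"-separated task segments (stage/stager, e.g.
windows/shell/bind_tcp) = staged; one "_"-joined task segment
(e.g. windows/shell_bind_tcp) = single. PLATFORMS and ARCHES are
assumptions sized for the table on this page, not an exhaustive list.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

PLATFORMS = {"generic", "windows", "linux", "osx", "android", "php", "python", "java", "cmd"}
ARCHES = {"x64", "x86", "aarch64", "armle", "mipsle", "mipsbe"}

# Names copied from the table on this page (trailing "/" = stage family).
TABLE_PAYLOADS = [
    "generic/custom",
    "generic/shell_bind_tcp",
    "generic/shell_reverse_tcp",
    "windows/x64/exec",
    "windows/x64/loadlibrary",
    "windows/x64/messagebox",
    "windows/x64/shell_reverse_tcp",
    "windows/x64/shell/reverse_tcp",
    "windows/x64/shell/bind_ipv6_tcp",
    "windows/x64/meterpreter/",
    "windows/x64/powershell/",
    "windows/x64/vncinject/",
]


@dataclass(frozen=True)
class PayloadName:
    raw: str
    platform: str
    arch: Optional[str]
    staged: bool
    stage: Optional[str]   # "shell", "meterpreter", ... (staged only)
    stager: Optional[str]  # "reverse_tcp", "bind_ipv6_tcp", ... (staged only)
    single: Optional[str]  # "shell_reverse_tcp", "exec", ... (singles only)


def parse_payload_name(name: str) -> PayloadName:
    """Split a payload name into platform, optional arch and its task part."""
    family_only = name.endswith("/")          # rows like windows/x64/meterpreter/
    parts = name.strip("/").split("/")
    if len(parts) < 2 or parts[0] not in PLATFORMS:
        raise ValueError(f"not a recognised payload name: {name!r}")
    platform, rest = parts[0], parts[1:]
    arch = None
    if rest[0] in ARCHES:                     # architecture segment is optional
        arch, rest = rest[0], rest[1:]
    if len(rest) == 1 and family_only:
        # Stage family: staged by definition, stager not yet chosen.
        return PayloadName(name, platform, arch, True, rest[0], None, None)
    if len(rest) == 1:
        # One "_"-joined task segment: a self-contained single.
        return PayloadName(name, platform, arch, False, None, None, rest[0])
    if len(rest) == 2:
        # stage/stager: the handler must serve the stage after connect.
        return PayloadName(name, platform, arch, True, rest[0], rest[1], None)
    raise ValueError(f"unexpected segment count in {name!r}")


def needs_stage_served(name: str) -> bool:
    """True when the handler must send a second stage after the stager
    connects; False for singles, which are complete on arrival."""
    return parse_payload_name(name).staged


def classify(names: Iterable[str]) -> Dict[str, str]:
    """Map each name to a 'single (...)' or 'staged (...)' description."""
    out: Dict[str, str] = {}
    for n in names:
        p = parse_payload_name(n)
        if p.staged:
            out[n] = f"staged (stage={p.stage}, stager={p.stager or '?'})"
        else:
            out[n] = f"single ({p.single})"
    return out


if __name__ == "__main__":
    for name, kind in classify(TABLE_PAYLOADS).items():
        print(f"{name:36} {kind}")
```

Running it over the table gives seven singles and five staged entries; the split matters operationally because a staged name implies the handler on the attacker side must remain available to deliver the stage, whereas a single is finished the moment the exploit lands.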
---