Msfconsole Payloads Encoding and Uncommon Wifi Hacking Methods

Hi Everyone!

This is my first post here , but I've been reading Null-Byte for a long time, learning ang getting better and better. Thanks especially to OTW, CIUFFY and Hacker|Cracker I love your posts! Today I've finished reading articles and manuscripts about evading AV. That knowledge brought me some questions so I decided to sign up and join this great community.

1. Can I change/add custom template to PAYLOAD (for example reversetcp for windows) and then use it in msfconsole with built-in exploit/or created myself?
2. Can I encode all PAYLOADS at once (using for example 40 times interation of x86 shikataganai) and save them for later and use it with msfconsole? I was reading great OTW's posts, searching in the Internet, but the most common example is making encoded exe file. I know, that I can hijack and "patch" some updates to deliver my code, but I wanted to deliver it with some exploits from msf trunk. For example 067netapi exploit.

Now I wanted to ask about some advanced WiFi hacking methods and problem with subnets.

I know, that this might be really stupid question, my english is not very good, sometimes I do not know how to ask google. If it is discussed subject, please just give me right query, I will find it myself, I am not lazy! :) So:

Let's assume, that we are in StarCaffe or McBurger, with login required to "sell" our email/privacy. That's ok, I can bypass it by icmpt tunneling, or dns. But I want to discover hosts. The problem is, that clients join to other subnets and not all of them are in my subnet (for example I am the only one). Is it possible, to implement such solution? And it is possible to scan it with nmap? For example what kind of command I am supposed to use to scan range from 192.168.0.1 to 192.168.16.254 ? Simple hyphen doesn't work for me. Of course if this is not possible without login, I can simply use 10minute mail.

This is the part I am most excited about. Not everyone knows, that Windows 7 and above can create software AP with built-in commands (netsh). You can do it simple by compromising system and using simple commands, but I was thinking about something different. Let's assume situtation, that I have to compromise bad guy files. Let's assume:

• he uses WPA/WPA2 encrypted WiFi at "work"
• he has Windows 7 laptop with encrypted container
• I did my homework, a little espionage and I know where he lives, where he works, where he eats.

Now, I can:

1. Steal his notebook and try to crack encryption, bad idea, I can use biosmemige just after shutdown, to recover encryption passphrase and then try to get files, but this could compromise my operation.
2. Secon option is much better. Let's say, I can park my car nearby, bump him off his network, using karma on my kali linux machine auto-create ESSID he tries to connect with, his system auto-connets to my network. Now I can start exploitation, but there is possibility of connection lost and stuff like that. So I have 5 minutes to do something. I can compromise his browser by autopwn2 and inject somehow reversetcp payload, or create a gateway to future exploitation:

• run netsh on his box, adding script to autorun

Now I have Internet connection with his network even after reboot. He is our gateway. We can compromise his computer, and use it to compromise whole network. Have anybody tried that? So far I am making come configurations on my win 7 and 8.1 boxes and tomorrow I will apply this attack. If you have any advices, please share it, because as you know, I am new to hacking, but I am learning quickly. If you have never thought about that exploitation, just let me to know, if you are interesed. I will try to write post after success :)

Thanks for any replay, If I've screwed something I am really sorry.