Hack Like a Pro: Metasploit for the Aspiring Hacker, Part 3 (Payloads)
Welcome back, my tenderfoot hackers!
As you know, Metasploit is an exploitation framework that every hacker should be knowledgeable of and skilled at. It is one of my favorite hacking tools available.
Metasploit enables us to use pre-written exploits against known vulnerabilities in operating systems, browsers and other applications and place a rootkit/listener/payload on the target system. These payloads are what enable us to connect to the victim system and use it as our own after we have exploited a vulnerability in its system. In this tutorial, we will look exclusively at the payloads built into Metasploit.
Metasploit has many types of payloads we can leave on the target system. We are most familiar with the generic/shell/reverse_tcp and the windows/meterpreter/reverse_tcp payloads, having used those in multiple hacks already. In this guide, we will look at such things as how the payloads work, how Metasploit categorizes the payloads, and what the types of payloads are. I hope this understanding will help you to better choose the appropriate payload for your hack.
Let's take a closer look at these payloads in Metasploit.
In the screenshot below, notice that there are 335 payloads in the current version of Metasploit (yours may be slightly different based upon your version of Metasploit). This is a huge number of payloads that can be used for multiple situations.
When we type:
msf > show payloads
Metasploit lists all 335 payloads as below.
Among these 335 payloads in Metasploit, there are 8 types of payloads.
These payloads are a single package of exploit and payload. They are inherently more stable, but because of their size, they can't always be used in small vulnerable memory areas.
These payloads essentially are able to fit into very small spaces and create a foothold on the system and then pull rest of the payload.
Is the all powerful payload that we most often want on a victim system. It works by .dll injection and resides entirely in memory, leaving no trace of its existence on the hard drive or file system. It has a number of specific commands and scripts developed for it, enabling us to largely work our will on the victim system.
This payload is for use when firewall rules restrict outbound traffic. In essence, it uses ActiveX through Internet Explorer to hide its outbound traffic and evade the firewall by using HTTP requests and responds just as any browser would.
In some CPUs, there is a built-in security feature called DEP (Data Execution Prevention). In Windows, it is referred to as No eXecute, or NX. The idea behind this security feature is to keep from data making its way to the CPU and being executed. The NoNX payloads are designed to evade this safety feature of modern CPU's.
These type of payloads work on nearly all Windows operating systems. These are extremely small, but somewhat unstable. They are dependent upon loading a .dll (dynamic link library) into the exploited process.
These payloads, as their implies, are designed to work on IPv6 networks.
These payload modules are injected directly into the target process while it is running in memory, thereby never writing anything to the hard drive and leaving little or no evidence behind.
If we look in the Metasploit directory the Linux terminal in Kali, we can see that Metasploit categorizes its payloads into three different types. Obviously, the eight types above are consolidated into these three directories in Metasploit.
kali > cd /usr/share/metasploit-framework/modules/payloads
kali > ls -l
Staged payloads use tiny stagers (see below) to fit into small exploitation spaces. In other words, if the victim's system exploitation buffer or other memory area is very small and only allows a small amount of code to be executed, first a small stager is placed in the memory area. The stager then "pulls" the rest of the payload after this foothold is made on the victim system.
These larger staged payloads include such complex payloads as the Meterpreter and VNC Injection, both of which include large and complex code. Generally, a staged payload will split the name of the payload between a "/", such as in the payload windows/shell/tcp_bind. The "tcp_bind" is the stager (see below) and "shell" is the staged.
Unfortunately, this convention is not used consistently in Metasploit, so one often has to go to the "info" section of the payload or find the directory it is in to determine if it is a staged payload.
Stagers are the small payloads whose only job is to fit into small memory area and then "pull" the larger staged payload along. They kind of "plant the flag" on the victim and then enable the larger payload to be loaded.
Often referred to as "inline payloads," singles are self-contained units that do not require a stager. They are generally more stable and preferred, but many times the code is too large to for the vulnerable memory area on the victim system.
Let's now take a look inside that singles directory.
kali > cd singles
kali > ls -l
As we can see, the singles are broken down by vulnerable platform. If we want to see the singles available for the Windows platform, we simply type:
kali > cd windows
kali > ls -l
Inside this directory we can see all the singles payloads available for Windows. I have highlighted one of these payloads, shell_reverse_tcp, that we have used in many of our hacks.
Payloads are key part of the Metasploit infrastructure and provide us with access once the exploit has been completed. The better we understand them, the better we will be as a hackers.
That's it for now. Make sure to check back in on my Metasploit Basics series for more tutorials on Metasploit. So, keep coming back, my tenderfoot hackers!