As you know, Metasploit is an exploitation framework that every hacker should be knowledgeable of and skilled at. It is one of my favorite hacking tools available.
Step 1Fire Up Kali Linux & Open Metasploit
When we open the Metasploit console in Kali Linux, we immediately see that Metasploit lists the number of exploits, auxiliary modules, post exploitation modules, payload modules, encoders, and nops.
In the screenshot below, notice that there are 335 payloads in the current version of Metasploit (yours may be slightly different based upon your version of Metasploit). This is a huge number of payloads that can be used for multiple situations.
When we type:
msf > show payloads
Metasploit lists all 335 payloads as below.
Step 2Types of Payloads
Among these 335 payloads in Metasploit, there are 8 types of payloads.
These payloads are a single package of exploit and payload. They are inherently more stable, but because of their size, they can’t always be used in small vulnerable memory areas.
These payloads essentially are able to fit into very small spaces and create a foothold on the system and then pull rest of the payload.
Is the all powerful payload that we most often want on a victim system. It works by .dll injection and resides entirely in memory, leaving no trace of its existence on the hard drive or file system. It has a number of specific commands and scriptsdeveloped for it, enabling us to largely work our will on the victim system.
This payload is for use when firewall rules restrict outbound traffic. In essence, it uses ActiveX through Internet Explorer to hide its outbound traffic and evade the firewall by using HTTP requests and responds just as any browser would.
In some CPUs, there is a built-in security feature called DEP (Data Execution Prevention). In Windows, it is referred to as No eXecute, or NX. The idea behind this security feature is to keep from data making its way to the CPU and being executed. The NoNX payloads are designed to evade this safety feature of modern CPU’s.
These type of payloads work on nearly all Windows operating systems. These are extremely small, but somewhat unstable. They are dependent upon loading a .dll (dynamic link library) into the exploited process.
These payloads, as their implies, are designed to work on IPv6 networks.
Reflective DLL Injection
These payload modules are injected directly into the target process while it is running in memory, thereby never writing anything to the hard drive and leaving little or no evidence behind.
Step 3Payload Modules
If we look in the Metasploit directory the Linux terminal in Kali, we can see that Metasploit categorizes its payloads into three different types. Obviously, the eight types above are consolidated into these three directories in Metasploit.
kali > cd /usr/share/metasploit-framework/modules/payloads
kali > ls -l
Staged payloads use tiny stagers (see below) to fit into small exploitation spaces. In other words, if the victim’s system exploitation buffer or other memory area is very small and only allows a small amount of code to be executed, first a small stager is placed in the memory area. The stager then “pulls” the rest of the payload after this foothold is made on the victim system.
These larger staged payloads include such complex payloads as the Meterpreter and VNC Injection, both of which include large and complex code. Generally, a staged payload will split the name of the payload between a “/”, such as in the payload windows/shell/tcp_bind. The “tcp_bind” is the stager (see below) and “shell” is the staged.
Unfortunately, this convention is not used consistently in Metasploit, so one often has to go to the “info” section of the payload or find the directory it is in to determine if it is a staged payload.
Stagers are the small payloads whose only job is to fit into small memory area and then “pull” the larger staged payload along. They kind of “plant the flag” on the victim and then enable the larger payload to be loaded.
Often referred to as “inline payloads,” singles are self-contained units that do not require a stager. They are generally more stable and preferred, but many times the code is too large to for the vulnerable memory area on the victim system.
Let’s now take a look inside that singles directory.
kali > cd singles
kali > ls -l
As we can see, the singles are broken down by vulnerable platform. If we want to see the singles available for the Windows platform, we simply type:
kali > cd windows
kali > ls -l
Inside this directory we can see all the singles payloads available for Windows. I have highlighted one of these payloads, shell_reverse_tcp, that we have used in many of our hacks.
Payloads are key part of the Metasploit infrastructure and provide us with access once the exploit has been completed. The better we understand them, the better we will be as a hackers.
via Hack Like a Pro: Metasploit for the Aspiring Hacker, Part 3 (Payloads) « Null Byte :: WonderHowTo