Understanding What’s Behind the Exploitation Scene in Metasploit

November 3, 2015 | Views: 4879


Here, we’ll analyze and understand the mechanism behind the exploitation scene, especially in Metasploit.

Let’s start with a scenario: an attacker executes the exploit + payload against the vulnerable service on the victim’s machine.

 

Figure 1.0: Scenario

 

Fig 1.0 above is a single-line diagram that gives an idea of how an exploit + payload combination can be used to compromise a vulnerable host you encounter during research or a penetration test.

 

BEHIND THE SCENES: HOW PAYLOADS WORK

For a better understanding, let’s have a look at how payloads work:

Figure 2.0: High Level Diagram – How Payloads Work

 

In my previous article, “Understanding the Metasploit Framework“, we came across three different types of payloads in Metasploit:

  1. Singles
  2. Stagers
  3. Stages

 

Let’s have a visual look at how stagers and stages work together:

Figure 3.0: How Stagers and Stages Work Together

Metasploit ships a mix of staged and stageless payloads, and that mix gives penetration testers a range of options to choose from when performing exploitation.

Staged Payload

* As compact as possible

* Performs a single task

* Provides a means for the attacker to upload something bigger (refer to Figure 3.0)

In Metasploit, the stager (Stage 0) can be “reverse_tcp”, while the second stage (Stage 1) might be something more complex, i.e. a Meterpreter shell or VNC.
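The staged-delivery pattern described above, seen from the defender's side, as an added example that is not part of the original article: a small heuristic over constructed flow records that flags connections where a nearly silent client immediately receives a large server-to-client blob, followed by further large blobs, which is the shape of a stager pulling its stage and then extension modules. The thresholds, sizes and addresses are constructed assumptions, not Metasploit constants.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed thresholds (assumptions, not Metasploit constants): a stager is
# tiny and nearly silent, a stage is comparatively large.
MAX_STAGER_HELLO_BYTES = 16
MIN_STAGE_BYTES = 50_000


@dataclass
class Flow:
    """One TCP connection as a flow record (constructed for this example)."""
    src: str
    dst: str
    dport: int
    client_bytes_before_server: int  # bytes the client sent before the server's first message
    server_messages: list[int] = field(default_factory=list)  # server->client message sizes, in order


def looks_staged(flow: Flow) -> bool:
    """Server speaks first with a large blob while the client has sent almost nothing:
    the on-the-wire shape of Stage 0 (stager) connecting back and receiving Stage 1."""
    if not flow.server_messages:
        return False
    if flow.client_bytes_before_server > MAX_STAGER_HELLO_BYTES:
        return False
    return flow.server_messages[0] >= MIN_STAGE_BYTES


def stage_count(flow: Flow) -> int:
    """Number of large server->client blobs: stage 1 plus any extension modules pushed afterwards."""
    return sum(1 for size in flow.server_messages if size >= MIN_STAGE_BYTES)


def triage(flows: list[Flow]) -> list[tuple[str, str, int, int]]:
    """Return (src, dst, dport, large_blob_count) for every flow matching the pattern."""
    return [(f.src, f.dst, f.dport, stage_count(f)) for f in flows if looks_staged(f)]


# Constructed sample flows (RFC 5737 documentation addresses), not real captures.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, 517, [4_096, 1_200]),  # HTTPS: client sends ClientHello first
    Flow("10.0.0.8", "192.0.2.9", 22, 0, [40, 1_024]),  # SSH: server speaks first, but only a tiny banner
    Flow("10.0.0.7", "198.51.100.23", 4444, 0, [180_000, 90_000, 120_000]),  # silent client, big stage, two more blobs
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FLOWS):
        print("staged-delivery pattern:", hit)
```

Legitimate server-speaks-first protocols that push large data (mirrors, update channels) also match, so treat a hit as a triage lead to correlate with process and port context rather than a verdict.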

 – Thanks –

Stay Linked!

Ali Tabish

8 Comments
  1. Can you explain what second stage payload DLL injection means? We only set one payload and it connects back to us, and then Metasploit sends the second DLL for server/client establishment. What is this second stage DLL injection? Please reply.

    • When we set PAYLOAD windows/Meterpreter/…, we are basically asking Metasploit to prepare a payload that is broken into two stages, i.e. Stage0 and Stage1. The second stage payload gives a Meterpreter session.

      When the attacker sends data (containing stage0 and a bit of exploit-specific code) bigger than the target expects, it overflows the target buffer, and the exploit-specific code allows the attacker to gain control over the pointer.

      Stage0 (reverse_tcp) connects back to the attacker on the defined port, which is ready and waiting with stage1 (the second stage payload). In the case of Meterpreter, Stage1 (the second stage payload) is a DLL called metsrv.

      Once stage1 is in memory, stage0 passes control to metsrv. At that time MSF pushes up two Meterpreter extension DLLs, both reflectively loaded in the same way as the original metsrv DLL was.

      Refer to Fig. 4, 5 and 6 with descriptions.

      Thanks !

  2. I get a prompt $
    After that I type several commands but nothing seems to happen. A session and connection is established; the victim's test setup is compromised. I'm talking about a connection through the Internet, not LAN.
    Metasploit keeps coming with surprises.

  3. good explanation
