Payload Customization with Metasploit

June 21, 2016 | Views: 14789


Why would we need custom payloads? Usually in situations where we launched Metasploit but no session was created, or it looks like the antivirus software caught the payload.

As a penetration tester, you have to overcome hurdles, and antivirus software is a recurring one. The most reliable way to get past antivirus software is to use custom payloads.

Create your own custom payload, and you won’t have to worry about an antivirus signature catching it. It gives you the flexibility to go after any target.

Note: There are tools and articles to help you do this, including the Veil framework.

I’ll cover the Veil Framework later in this custom payload series.

 

Let’s begin…

You’ve built your custom payload, so what’s next? What’s the procedure for making it operational? What about delivery and execution on the victim’s machine?

Start with the Download/Exec payload available in Metasploit. It’s a very good option for delivering a custom payload to a target. You can use it with memory corruption exploits (e.g. a buffer overflow) as well as with authenticated attacks like PSEXEC. This Metasploit payload lets you use your custom payload the same way you would use Meterpreter.

You need three things to use the Download/Exec payload:

  1. Set up a website from which the victim can download your custom Trojan/Backdoor.
  2. Set up a Metasploit handler to receive the connection from your custom backdoor.
  3. Create an exploit to deliver your custom payload.

 

Let’s take a look at the steps:

1 – Provide the “Download” part of the Download/Exec payload

Setting up the website is quick and easy. I use Python: change to the directory that contains the files you want to make available for download and start the Python web server there. The files in that directory can then be downloaded with any web browser. You can run this server on any computer that has Python installed.

2 – Set up the Metasploit handler to receive your connection

Start multi/handler and configure its parameters. Set your payload to one that matches the custom payload you created. If your payload contains Meterpreter, you’ll type:

“set payload windows/meterpreter/reverse_tcp”

If it is a command prompt, you would type:

“set payload windows/shell/reverse_tcp”

My Python backdoor sends a command prompt, so I’ll use:

“windows/shell/reverse_tcp”

This “single” payload doesn’t use a stager and expects a connection from a shell. Do not confuse it with “windows/shell_reverse_tcp”, which expects a connection from a stager, not a shell. Run “info” on each payload in msfconsole to confirm which one is the stageless single and which one expects a stager before you pick.

For better understanding, check my write-ups on:

https://www.cybrary.it/0p3n/metasploit-advanced/

https://www.cybrary.it/0p3n/metasploit-advanced-part-ii/

https://www.cybrary.it/0p3n/metasploit-advanced-part-iii/

 

Let’s continue…

Set lhost to 127.0.0.1 and set lport to 80, since my payload is set to send a command prompt to port 80. Start multi/handler as a background task: the “-j” option starts it as a “job” that runs in the background.

[Figure 1: multi/handler configuration]

 

3 – Exploit and deliver the payload

With your handler waiting in the background to receive a connection, you’re ready to exploit the target. I’ll use PSEXEC.

First, I select “windows/smb/psexec” and set it up with the correct user and password for the target. Then I set my payload: “set PAYLOAD download/exec”

The options are simple. You set the URL to point to the custom payload on your web server from step 1. You can change the name of the file that will be saved on the target if you like.

[Figure 2: psexec with the download/exec payload configured]

 

Finally, type “exploit” and you’ll see the payload download from your website. A shell will appear in your handler.
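On the defender’s side, the delivery described above leaves a recognisable trace on the target: a service is installed (which is how PSEXEC launches its payload) and shortly afterwards the same host fetches an executable over HTTP. The following detection logic is an added example, not code from this article or from Metasploit; the log line format, host names and URLs are constructed for it, and you would map Windows Event 7045 and proxy or Sysmon network logs onto that format yourself.

```python
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real telemetry): a PSEXEC-style service
# install on ws01 followed two seconds later by an HTTP fetch of an .exe,
# an unrelated installer download on ws02, and a fetch on ws01 far outside
# the correlation window.
SAMPLE_LOGS = [
    "2016-06-21T10:00:01 host=ws01 event=service_install name=aBcDeFgH image=C:\\Windows\\aBcDeFgH.exe",
    "2016-06-21T10:00:03 host=ws01 event=http_get url=http://10.0.0.5/backdoor.exe",
    "2016-06-21T10:05:00 host=ws02 event=http_get url=http://updates.example/setup.exe",
    "2016-06-21T10:30:00 host=ws01 event=http_get url=http://10.0.0.5/late.exe",
]

LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+)(.*)$")
EXE_RE = re.compile(r"\.(exe|dll|scr)(\?|$)", re.IGNORECASE)


def parse(line):
    """Parse one 'ts host=... event=... k=v ...' line into a dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def find_download_exec(lines, window_s=60):
    """Return (host, service, url) for every executable download that follows
    a service install on the same host within window_s seconds."""
    events = [e for e in map(parse, lines) if e]
    installs = [e for e in events if e["event"] == "service_install"]
    alerts = []
    for dl in events:
        if dl["event"] != "http_get" or not EXE_RE.search(dl.get("url", "")):
            continue
        for svc in installs:
            delta = dl["ts"] - svc["ts"]
            if svc["host"] == dl["host"] and timedelta(0) <= delta <= timedelta(seconds=window_s):
                alerts.append((dl["host"], svc.get("name", "?"), dl["url"]))
    return alerts


if __name__ == "__main__":
    for host, service, url in find_download_exec(SAMPLE_LOGS):
        print(f"ALERT {host}: service {service} installed, then fetched {url}")
```

The window is deliberately short because the download/exec stager fetches its file immediately after the service starts; widen it only if your log sources have clock skew.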

 

Please Note: For those who want a deeper understanding of PSEXEC, I’ll cover it in my next write-up.

Stay Linked!!!
Ali Tabish

2 Comments
  1. Good tutorial….Thanks
