All right, so let's talk a little bit more about payloads then. Go back out of this one.
We'll pick a payload for Windows for a bind TCP shell. So we'll start typing use payload, and when I know which Windows one I'm doing, I can tab-complete on these, and I'll start with show.
All right. A bind TCP shell means that I'm going to be bound to a port, and I should be able to get a command shell on that Windows system when this actually connects.
One of the things you'll find when you're doing this kind of work is that you need to frequently generate shellcode. The payload as-is will get detected by antivirus, and that's going to stop your pen testing in its tracks.
So we have a command called generate. Once you're within a payload, an exploit, or a module, you can use the -h option to get help information. I can use help by itself, of course, like I showed earlier, and you'll notice that the generate command is within the payload category. I'll do generate -h to see what my options are,
and I can see that I've got some encoding options here, so I can force the encoding. I can tell it to avoid certain characters, and we'll see what that looks like here in a minute. I can tell it how many iterations to perform, because the more times I encode something, the more likely it is to remain undetected. That's the theory anyway. I can also specify the size of the NOP sled. There are lots of different options, and then a lot of different output formats.
See, I've got quite a few different categories: Perl, Java, PowerShell, raw, Ruby, Visual Basic script. So there are lots of different possibilities there.
All right, so the first thing we're going to do is just run a generate command without any options, without any arguments, and you'll see I've generated shellcode for this shell_bind_tcp payload that I'm using.
You can see it gives me some parameters. I can see how many bytes the payload is: 328 bytes. I've got my local port specified. The remote host is not specified, but obviously you would want to prepare those settings during the process of building your payload.
So, for instance, I could go back and do a setg for my remote host, then show options, and I can see where my remote host is now set. Now, if I run the generate command again, I'll see that that is encoded in the payload. So there it is. It knows what my local host is and what my local port is, and I've got some kind of shellcode that I could try to use as a payload when I get connected to a victim system.
But there might be certain bytes in this payload that are known to trigger the antivirus, and I'm just going to randomly pick something here. The process of figuring out what those bytes are is a little bit beyond the scope of what we're doing, but the basic idea is that you take your payload and analyze it and see what portion of it is actually triggering a signature on an IDS. Maybe I know that this \xff hex code here is part of the problem, and I might want to get rid of this. I want to filter it out and replace it with something else to try to get my shellcode past the antivirus. So I can run the generate command with the -b option.
We saw that earlier. I'll do the -h again. The -b says: these are the characters to avoid. I'll just use the ones I see here. I've got \xff, which I want to get rid of. I also want to get rid of, let's say, \x50. Those are both problematic.
Now you'll notice that my payload size is different. It's 350 bytes. Previously, it was only 328. If memory serves, there it is, and you'll notice I had \x50 at the end of the first line before. Now that \x50 is gone, and I shouldn't be able to find \x50 anywhere in here. I also should not be able to find \xff. It was somewhere in there. So now that I've filtered that out, it replaces it with other shellcode which provides that same functionality. So that's why the size of the payload grew a little bit: it needed other code to compensate for the fact that I removed these two from the payload.
Other things to think about would be, you could certainly generate a much longer list. I could, let's say, take all of these, these opcodes or these parts of the shellcode. Now, my size has not changed. It still stayed at 350 bytes, which is unusual; I thought it would probably have gone up. But you get the basic idea: you're getting rid of these byte codes that may be problematic.
Now, if you go too far, and I'll show this as an example, you might say, well, I've got so many that I need to get rid of, I'm just going to pick this entire line. And that actually works. If you do too many, though, you may get an error message that says it cannot generate the payload. And that basically means that you've tried to eliminate too many of the options that you've got available to you, and now the software, the Metasploit encoder, when it's generating the payload, basically cannot put that together. So there are limits to how far you can go with removing objectionable bytes from your payload.
All right, so another thing we want to look at is the encoders themselves. So within this shell_bind_tcp, I can do a show encoders and I can see all the ones I've got available to me. Some of these are excellent, like powershell_base64. Here's a little description: polymorphic XOR additive feedback encoder. That sounds impressive, and what it means is that there are ways to make a payload a little less likely to get detected. There are also other things like, for instance, we can say we want a nonalpha encoder, or one that doesn't use any upper characters, so nonupper. There are lots of different choices here for customizing your payload for the task at hand.
So, for instance, maybe I want to use the nonalpha one as an example. Actually, I don't want to use that; I'll use shikata_ga_nai. So I can go ahead and run my generate command again. Now, this time I'm going to use the -e for the encoder. I'll use a copy and paste. Tab complete usually works, but there may be certain instances within the framework where it doesn't work, so just be aware of that.
All right, so now I use this encoder, and it tells me 355 bytes with this shell_bind_tcp for Windows. There's my encoder, my local port, my remote host. These are all part of the
But I can also do compound statements. For instance, I know I don't want \xff, and I don't want \x50. All right, so I can make sure I get rid of those, so I can add multiple options to the command line. We go back up to our help, and we can see for generate we also have ways to... I can specify my standard out. What if I want to save this information? I can use templates. I can also pick the number of iterations. So let's experiment with that a little bit. I've got the encoder. I'm going to get rid of these two characters. Let me add one more to the list. I'll add \xc0, because I see that at the corner of the table there.
All right, let's encode again. I got an error, so I can't get rid of that many characters. Let's just try these two. All right, so I can only get rid of these two. That shows you some of the limits of what the encoders can do. So what we end up with is 355 bytes.
Now, what if I want to encode this a few times to make it more complex? I could encode it three times, and you'll notice that it doesn't actually give me three outputs; it does it three times and then I get the output. It grew quite a bit. Now it's up to 409 bytes, but still I've excluded \xff and I'm still using this particular encoder. And again, these multiple passes that you're doing with the -i make your encoding that much more difficult for the antivirus on the victim machine to detect, and there are probably limits here as well, as far as how many iterations you want to go through or some of the other things that you want to set.
So let's go back to our help. We can see we've got the -o option. Some of my options are available here. I could do something like... I'll do up arrow and go back to my generate. Let's say, when I'm doing my generate, I want to change my local port to something else. So I'll change it to 5555. Possibly it is... oh, I forgot to put the equals sign, that's what. Little details matter. We can see now that it went down to 409 bytes, still showing my encoder. My local port is now 5555, because I have encoded a different version of this. So this goes to show you how flexible the syntax is: I can change my encoding method, I can change the number of times I do the encoding, I can set some variables and encode a payload all in one step, which makes your life a lot easier when you're trying to evade antivirus.
And lastly, let's look at our -t option. This gives us the output formats, so bash, C, C#, hex, Java and so on. I can pick different ones, so we can experiment with this. I've got my last command there. Let's say I want to do this in bash format. So that's what bash shellcode looks like. It's a little different; the characters look a little bit different, perhaps. Let's see, I can try one with PowerShell. It didn't like PowerShell. All right, so there's a different encoding method using C#. So you get the basic idea. I've got lots of options and other things here that might be useful depending on the environment that you're going after. Maybe a Visual Basic script, or you're dealing with binary exes. So I'm just kind of showing some of the possibilities for AV avoidance, and we'll get into more detail about that.
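The lecture checks by eye that \x50 and \xff are gone after generate -b, and reads the byte count off the banner. The script below is an added example, not part of the lecture or of Metasploit, that does both checks mechanically on whatever generate (or msfvenom) printed: it pulls every \xNN token out of the pasted output, counts them, and reports any byte from the -b list that survived. The pasted payload and the flag values in the comments are constructed for illustration; the sample bytes are not a working payload.

```shell
#!/bin/sh
# Added example (not from the lecture): verify that a generated payload really
# avoids the bytes passed to -b, and count its size. Works on any output that
# prints bytes as \xNN, e.g. the c, ruby, perl or bash formats of
#   generate -e x86/shikata_ga_nai -b '\x00\xff\x50' -i 3 -t c
# Paste the printed payload into PAYLOAD (or read it from a file) and run.

# Constructed sample in that format. NOT a working payload: the bytes were
# picked only so the check has something to find (\x00 and \x50 present,
# \xff absent).
SAMPLE_PAYLOAD='buf =
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3" +
"\x50\x53\x89\xe1\x00\x00\x8d\x4c\x24\x08\xb0\x0b\xcd\x80\xc3"'

# hexbytes TEXT: print every \xNN token found in TEXT, lowercased, one per line.
hexbytes() {
    printf '%s' "$1" | grep -o '\\x[0-9a-fA-F][0-9a-fA-F]' | tr '[:upper:]' '[:lower:]'
}

# payload_bytes PAYLOAD: print the byte count (what generate reports as the size).
payload_bytes() {
    hexbytes "$1" | wc -l | tr -d ' '
}

# find_badchars PAYLOAD BADCHARS: print each byte from BADCHARS that is still
# present in PAYLOAD (in BADCHARS order, once each).
# Returns 0 when the payload is clean, 1 when at least one bad byte survived.
find_badchars() {
    payload=$(hexbytes "$1")
    rc=0
    for b in $(hexbytes "$2"); do
        if printf '%s\n' "$payload" | grep -Fxq -- "$b"; then
            printf '%s\n' "$b"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage against the constructed sample.
printf 'payload size: %s bytes\n' "$(payload_bytes "$SAMPLE_PAYLOAD")"
if bad=$(find_badchars "$SAMPLE_PAYLOAD" '\x00\xff\x50'); then
    echo 'clean: no excluded bytes present'
else
    printf 'excluded byte(s) still present:\n%s\n' "$bad"
fi
```

Run it right after the generate command with the same -b list you gave the encoder; a non-zero exit from find_badchars means the encoder (or the size limit the lecture ran into) did not actually honour the exclusion, and the payload should not go out. The byte count is the same number generate prints, so it also makes the 328 / 350 / 409 comparisons from the lecture reproducible.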