# Targets
- targets are unique identifiers for specific OS versions (service pack, build, language); selecting one adapts the exploit module to run against that particular version of the OS
- `show targets`, issued inside an exploit module, lists all available vulnerable targets for that exploit ![[images/Pasted image 20251003194132.png]]
- there are a variety of target types
- targets can differ from one another by service pack, OS version, and even language version
- To identify a target correctly, we will need to:
- Obtain a copy of the target binaries
- Use `msfpescan` to locate a suitable return address
# Payloads
- a payload is a module that assists the exploit module, typically by returning a shell to the attacker
- it is sent together with the exploit: the exploit's job is to subvert the normal operation of the vulnerable service, and the payload's job is to then run on the target OS, typically returning a reverse connection to the attacker and establishing a foothold
- there are three (3) types of payload modules in MSF: singles, stagers, and stages
- `windows/shell_bind_tcp` is a single payload with no stage
- `windows/shell/bind_tcp` consists of a stager (`bind_tcp`) and a stage (`shell`)
- located in `/usr/share/metasploit-framework/modules/payloads`![[images/Pasted image 20251004145507.png]]
## Payload Types
- singles
- a self-contained payload: the exploit and the entire shellcode for the selected task are delivered together in one piece
- stager
- works together with stage payloads to perform a specific task
- the stager waits on the attacker machine, ready to establish a connection to the victim host once the stage completes its run on the remote host
- a stager is typically used to set up a network connection between attacker and victim and is designed to be small and reliable
- stages
- payload components that are downloaded by stager modules
- examples: Meterpreter, VNC Injection, and others
- when a stage is large, a middle stager is used automatically: the stager receives the middle stager, which then performs the full download of the stage
|**Payload**|**Description**|
|---|---|
|`generic/custom`|Generic listener, multi-use|
|`generic/shell_bind_tcp`|Generic listener, multi-use, normal shell, TCP connection binding|
|`generic/shell_reverse_tcp`|Generic listener, multi-use, normal shell, reverse TCP connection|
|`windows/x64/exec`|Executes an arbitrary command (Windows x64)|
|`windows/x64/loadlibrary`|Loads an arbitrary x64 library path|
|`windows/x64/messagebox`|Spawns a dialog via MessageBox using a customizable title, text & icon|
|`windows/x64/shell_reverse_tcp`|Normal shell, single payload, reverse TCP connection|
|`windows/x64/shell/reverse_tcp`|Normal shell, stager + stage, reverse TCP connection|
|`windows/x64/shell/bind_ipv6_tcp`|Normal shell, stager + stage, IPv6 Bind TCP stager|
|`windows/x64/meterpreter/`|Meterpreter payload + varieties above|
|`windows/x64/powershell/`|Interactive PowerShell sessions + varieties above|
|`windows/x64/vncinject/`|VNC Server (Reflective Injection) + varieties above|
## Staged Payloads
- staged payloads modularize the exploitation process: its different functions are separated into distinct code blocks, each completing its own objective while chaining the attack together
- the aim is for each stage to be compact and inconspicuous, so as to evade AV and IPS
- for example, `Stage0` of a staged payload is the initial shellcode sent over the network to the target machine's vulnerable service; its sole purpose is to initialize a connection back to the attacker machine
- examples: `reverse_tcp`, `reverse_https`, and `bind_tcp`
- reverse connections are more likely to evade AV/IPS
- the Stage0 code also reads a larger, subsequent payload (Stage1) into memory once it arrives
## Meterpreter Payload
- a specific, multi-faceted payload that uses `DLL injection` to make the connection to the victim host stable, hard to detect by simple checks, and persistent across reboots or system changes
- resides completely in the memory of the remote host and leaves no traces on the hard drive
- scripts and plugins can be `loaded and unloaded` dynamically as required
- once the Meterpreter payload is executed, a new session is created and the Meterpreter interface is spawned
- it is similar to the msfconsole interface, but all available commands are aimed at the target system
- with Meterpreter, we can load different plugins to assist with the assessment
```bash
# after selecting an exploit module
msf6 > show payloads                                 # lists payload options compatible with the selected exploit module
msf6 > grep meterpreter show payloads                # msfconsole's grep takes the filter before the command
msf6 > grep meterpreter grep reverse_tcp show payloads # grep filters can be chained
```
![[images/Pasted image 20251003200943.png]]
```bash
msf6 > set payload N     # set the payload (by index or name) for the currently selected module
msf6 > options           # show configurable options for the selected payload and exploit module
msf6 > ifconfig          # show the attacker machine's network interfaces (e.g. to choose LHOST)
msf6 > run               # run the selected exploit module with its payload
meterpreter > help       # show available commands
meterpreter > cd Users   # change directory
meterpreter > ls         # list current directory
meterpreter > shell      # drop into a system shell on the target
```
- channel 1 is created when the shell is spawned ![[images/Pasted image 20251003202540.png]]