Welcome back, my tenderfoot hackers!
As you know, Metasploit is an exploitation framework that every hacker should be knowledgeable of and skilled at. It is one of my favorite hacking tools.
Metasploit enables us to use pre-written exploits against known vulnerabilities in operating systems, browsers and other applications and place a rootkit/listener/payload on the target system. These payloads are what enable us to connect to the victim system and use it as our own, after we have exploited a vulnerability in its system. In this tutorial, we will look exclusively at the payloads built into Metasploit.
Metasploit has many types of payloads we can leave on the target system. We are most familiar with the generic/shell/reverse_tcp and the windows/meterpreter/reverse_tcp payloads, having used those in multiple hacks previously.
In this guide, we will look at such things as how the payloads work, how Metasploit categorizes the payloads, and what the types of payloads are. I hope this understanding will help you to better choose the appropriate payload for your hack.
Let’s take a closer look at these payloads in Metasploit.
Step 1: Fire Up Kali Linux & Open Metasploit
When we open the Metasploit console in Kali Linux, we immediately see that Metasploit lists the number of exploits, auxiliary modules, post exploitation modules, payload modules, encoders, and nops.
kali > msfconsole
In the screenshot below, notice that there are 455 payloads in the current version of Metasploit (yours may be slightly different based upon your version of Metasploit). This is a huge number of payloads that can be used for multiple circumstances.
Now, when we type:
msf > show payloads
Metasploit lists all 455 payloads as seen below.
Step 2: Types of Payloads
Among these 455 payloads in Metasploit, there are 8 types.
Inline
These payloads are a single package of exploit and payload. They are inherently more stable, but because of their size, they can’t always be used in small vulnerable memory areas.
Staged
These payloads essentially are able to fit into very small spaces and create a foothold on the system and then pull rest of the payload.
Meterpreter
Is the all powerful payload that we most often want on a victim system. It works by .dll injection and resides entirely in memory, leaving no trace of its existence on the hard drive or file system. It has a number of specific commands and scripts developed for it, enabling us to largely work our will on the victim system.
PassiveX
This payload is for use when firewall rules restrict outbound traffic. In essence, it uses ActiveX through Internet Explorer to hide its outbound traffic and evade the firewall by using HTTP requests and responds just as any browser would.
NoNX
In some CPUs, there is a built-in security feature called DEP (Data Execution Prevention). In Windows, it is referred to as No eXecute, or NX. The idea behind this security feature is to keep data making its way to the CPU and being executed (a common technique for exploits). The NoNX payloads are designed to evade this safety feature of modern CPU’s.
Ord
These type of payloads work on nearly all Windows operating systems. These are extremely small, but somewhat unstable. They are dependent upon loading a .dll (dynamic link library) into the exploited process.
IPv6
These payloads, as their implies, are designed to work on IPv6 networks.
Reflective DLL Injection
These payload modules are injected directly into the target process while it is running in memory, thereby never writing anything to the hard drive and leaving little or no evidence behind.
Step 3: Payload Modules
If we look in the Metasploit directory the Linux terminal in Kali, we can see that Metasploit categorizes its payloads into three different types. Obviously, the eight types above are consolidated into these three directories in Metasploit.
Let’s take a look inside the payloads directory.
kali > cd /usr/share/metasploit-framework/modules/payloads
kali > ls -l
As you can see, Rapid7 divides the payload modules into three (3) types.
Stages
Stage payloads use tiny stagers (see below) to fit into small exploitation spaces. In other words, if the victim’s system exploitation buffer or other memory area is very small and only allows a small amount of code to be executed, first a small stager is placed in the memory area. The stager then “pulls” the rest of the payload after this foothold is made on the victim system.
These larger staged payloads include such complex payloads as the Meterpreter and VNC Injection, both of which include large and complex code. Generally, a staged payload will split the name of the payload between a “/”, such as in the payload windows/shell/tcp_bind. The “tcp_bind” is the stager (see below) and “shell” is the staged.
Unfortunately, this convention is not used consistently in Metasploit, so one often has to go to the “info” section of the payload or find the directory it is in to determine if it is a staged payload.
Stagers
Stagers are the small payloads whose only job is to fit into small memory area and then “pull” the larger staged payload along. They kind of “plant the flag” on the victim and then enable the larger payload to be loaded.
Singles
Often referred to as “inline payloads,” singles are self-contained units that do not require a stager. They are generally more stable and preferred, but many times the code is too large for the vulnerable memory area on the victim system.
Let’s now take a look inside that singles directory.
kali > cd singles
kali > ls -l
As we can see, the singles are broken down by vulnerable platform. If we want to see the singles available for the Windows platform, we simply type:
kali > cd windows
kali > ls -l
Inside this directory we can see all the singles payloads available for Windows. These single payloads include such singular task payloads as adduser, format_all_drives, some meterpreter payloads and powershell_bind.
Summary
Payloads are key part of the Metasploit infrastructure and provide us with access once the exploit has been completed. The better we understand them, the better we will be as a hackers.
That’s it for now. Make sure to check back in on my Metasploit Basics series for more tutorials on Metasploit. So, keep coming back, my tenderfoot hackers!
To learn more about Metasploit and become a Metasploit Expert, sign up for my next Metasploit Kung-Fu course here.