Working with Payloads

Metasploit has a large collection of payloads designed for all kinds of scenarios.

The purpose of a reverse shell is simple: to get a shell. This is most likely everybody’s first choice. There are many different reverse shells available, and the most commonly known and stable has been the windows/meterpreter/reverse_tcp payload. However, windows/meterpreter/reverse_https is actually a much more powerful choice because of the encrypted channel, and it allows you to disconnect the payload (and exit msfconsole) without terminating it. And then the payload will automatically get back to you as soon as you set up the handler again.

Now, let’s talk about download-exec a little bit. The thing about download-exec is that it gives the attacker the option to install whatever he wants on the target machine: a keylogger, a rootkit, a persistent shell, adware, etc, which is something we see in the wild quite a lot. There are several versions of download-execs in the Metasploit repo, one that’s highly popular is windows/download_exec.

Single and Staged Payloads

If you look at Metasploit’s payload list, you will also notice that some payloads actually have the exact same name, but in different formats. For example: windows/shell/reverse_tcp and windows/shell_reverse_tcp. The one with the forward slash indicates that is a “staged” payload, the one with the underscore means it’s “single”. So what’s the difference?

A staged payload means that your payload consists of two main components: a small stub loader and the final stage payload. When you deliver windows/shell/reverse_tcp to the target machine, for example, you are actually sending the loader first. And then when that loader gets executed, it will ask the handler (on the attacker’s end) to send over the final stage (the larger payload), and finally you get a shell.

A single payload means it’s meant to be a fire-and-forget kind of payload. This can be used when the target has no network access.

Generally, Meterpreter is the most popular payload type for Metasploit. If you are testing a Windows exploit, it’s better to use windows/meterpreter/reverse_tcp. If you’re on Linux, try linux/meterpreter/reverse_tcp. You should always choose a native Meterpreter if you can, but if you are unable to, you should try a cross-platform one, such as java/meterpreter/reverse_tcp.

Viewing Payloads

There are tons of payloads that are available in Metasploit, so it might be overwhelming to figure out which payloads you can use for specific exploits. Luckily, you can easily view the payloads that are supported for an exploit.

After you choose an exploit, you can run the following command to view the payloads that are available:

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit (ms08_067_netapi) > show payloads

Manually Selecting a Payload

To manually select a payload for an exploit, you can run the following:

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit (ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp

Auto Selecting a Payload

You don't have to set a payload for an exploit. You can let Metasploit do it for you. There is a preference list that Metasploit uses to select a payload if there isn't one set for the exploit.

Here's the list, sorted by the order in which they will be selected:

  • windows/meterpreter/reverse_tcp
  • java/meterpreter/reverse_tcp
  • php/meterpreter/reverse_tcp
  • php/meterpreter_reverse_tcp
  • ruby/shell_reverse_tcp
  • cmd/unix/interact
  • cmd/unix/reverse
  • cmd/unix/reverse_perl
  • cmd/unix/reverse_netcat_gaping
  • windows/meterpreter/reverse_nonx_tcp
  • windows/meterpreter/reverse_ord_tcp
  • windows/shell/reverse_tcp
  • generic/shell_reverse_tcp